Secure Private Cloud Administration and Operations Guide
Secure Private Cloud 2.2 and Higher
July 2012 3850 6804–007
Unisys
NO WARRANTIES OF ANY NATURE ARE EXTENDED BY THIS DOCUMENT. Any product or related information described herein is only furnished pursuant and subject to the terms and conditions of a duly executed agreement to purchase or lease equipment or to license software. The only warranties made by Unisys, if any, with respect to the products described in this document are set forth in such agreement. Unisys cannot accept any financial or other responsibility that may be the result of your use of the information in this document or software material, including direct, special, or consequential damages.

You should be very careful to ensure that the use of this information and/or software material complies with the laws, rules, and regulations of the jurisdictions with respect to which it is used.

The information contained herein is subject to change without notice. Revisions may be issued to advise of such changes and/or additions.

Notice to U.S. Government End Users: This is commercial computer software or hardware documentation developed at private expense. Use, reproduction, or disclosure by the Government is subject to the terms of Unisys standard commercial license for the products, and where applicable, the restricted/limited rights provisions of the contract data rights clauses.

Unisys is a registered trademark of Unisys Corporation in the United States and other countries.
Linux is a registered trademark of Linus Torvalds.
SUSE is a registered trademark of SUSE LINUX AG, a Novell business.
Red Hat is a trademark or registered trademark of Red Hat, Inc. in the U.S. and other countries.
VMware is a registered trademark of VMware, Inc. in the U.S. and other countries.
All other brands and products referenced in this document are acknowledged to be the trademarks or registered trademarks of their respective holders.
Contents<br />
Section 1. Installation <strong>and</strong> Configuration Data<br />
Section 2. Introduction<br />
1.1. Completing Worksheets for Installation <strong>and</strong> Configuration. . . 1–1<br />
1.1.1. Workbook Organization. . . . . . . . . . . . . . . . . . . . . . . . 1–1<br />
1.1.2. Implementing the Workbook . . . . . . . . . . . . . . . . . . . . 1–2<br />
1.1.3. Exp<strong>and</strong>ing the Workbook to Include Tenants . . . . . . . . 1–3<br />
1.1.4. Adding Tenant Blueprints <strong>and</strong> Projects . . . . . . . . . . . . . 1–3<br />
1.1.5. Validating the Workbook . . . . . . . . . . . . . . . . . . . . . . . 1–4<br />
1.1.6. Exporting the Data . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–5<br />
1.1.7. Preserving Configuration Data . . . . . . . . . . . . . . . . . . . 1–6<br />
1.2. <strong>Cloud</strong> Provider Data Worksheet. . . . . . . . . . . . . . . . . . . . . . 1–6<br />
1.2.1. <strong>Cloud</strong> Provider Environment, License, <strong>and</strong> Network<br />
Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–6<br />
1.2.2. Management VM Infrastructure. . . . . . . . . . . . . . . . . . 1–7<br />
1.2.3. VMware. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–7<br />
1.2.4. Notification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–8<br />
1.2.5. High Availability Cluster. . . . . . . . . . . . . . . . . . . . . . . . 1–8<br />
1.2.6. Virtual Office as a Service . . . . . . . . . . . . . . . . . . . . . . 1–8<br />
1.2.7. Virtual LAN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–9<br />
1.2.8. vCenter Supplied by the <strong>Cloud</strong> Provider . . . . . . . . . . . . 1–9<br />
1.3. Tenant Data Worksheet. . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–9<br />
1.3.1. Tenant Information . . . . . . . . . . . . . . . . . . . . . . . . . . 1–10<br />
1.3.2. Tenant VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–10<br />
1.3.3. RBADB Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–10<br />
1.3.4. Stealth Onboarding . . . . . . . . . . . . . . . . . . . . . . . . . . 1–11<br />
1.3.5. Tenant Blueprints . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–11<br />
1.3.6. Tenant Projects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–12<br />
1.3.7. Virtual Office as a Service Session Manager . . . . . . . . 1–12<br />
2.1. Documentation Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . 2–1<br />
2.2. Accessing Architecture <strong>and</strong> Networking Information. . . . . . . 2–2<br />
2.3. Administrator <strong>and</strong> Operator Responsibilities . . . . . . . . . . . . . 2–3<br />
2.4. Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2–3<br />
2.5. Default <strong>and</strong> Updated Environment Credentials . . . . . . . . . . . 2–5<br />
2.6. URLs for Web-Based UIs . . . . . . . . . . . . . . . . . . . . . . . . . . 2–7<br />
2.7. Completing <strong>and</strong> Exporting Tenant Worksheets . . . . . . . . . . . 2–8<br />
3850 6804–007 iii
Contents<br />
2.8. Underst<strong>and</strong>ing Tenants Accounts <strong>and</strong> <strong>Secure</strong> <strong>Private</strong><br />
<strong>Cloud</strong> Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2–8<br />
2.8.1. XYZ Company Example (Single Tenant) . . . . . . . . . . . . 2–9<br />
2.8.2. Acme Company Example (Multi-tenant) . . . . . . . . . . . . 2–9<br />
2.8.3. Projects, Departments, Accounts, <strong>and</strong> SubAccounts. . 2–10<br />
2.8.4. Naming <strong>Guide</strong>lines for Components in the <strong>Cloud</strong><br />
Environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2–12<br />
Section 3. Initial Configuration Tasks<br />
3.1. Configuring a Workstation to Configure the <strong>Secure</strong><br />
<strong>Private</strong> <strong>Cloud</strong> Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3–1<br />
3.2. Inserting the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> Portal Terms of Use. . . . . 3–4<br />
Section 4. Creating VMware Template Gold Images<br />
4.1. Using Unisys Provided VMware Templates for Windows. . . . 4–1<br />
4.1.1. Importing Unisys Provided Templates into vCenter . . . . 4–2<br />
4.1.2. Preinstalling Required Applications . . . . . . . . . . . . . . . 4–4<br />
4.1.3. Converting to a Template . . . . . . . . . . . . . . . . . . . . . . 4–4<br />
4.2. Creating Custom Windows VMware Templates <strong>and</strong><br />
Creating Linux VMware Templates. . . . . . . . . . . . . . . . . . 4–4<br />
4.2.1. Moving Template Configuration Images Folder . . . . . . . 4–5<br />
4.2.2. Configuring a Windows Target Template . . . . . . . . . . . 4–5<br />
Setting Firewall Exceptions for Windows Server<br />
2003 <strong>and</strong> Windows XP . . . . . . . . . . . . . . . . . . . . 4–7<br />
Setting Firewall Exceptions for Windows Server<br />
2008 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4–7<br />
Verifying the Remote Desktop Connection . . . . . . . . 4–8<br />
Preinstalling Required Applications . . . . . . . . . . . . . 4–8<br />
Making a Windows Template Stealth Ready . . . . . . . 4–8<br />
VNIC Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . 4–9<br />
Converting to a Template . . . . . . . . . . . . . . . . . . . . 4–9<br />
Testing the Windows Target Template . . . . . . . . . . . 4–9<br />
4.2.3. Configuring a Red Hat Enterprise Linux Target<br />
Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4–10<br />
Making a Red Hat Enterprise Linux Template<br />
Stealth Ready . . . . . . . . . . . . . . . . . . . . . . . . . . 4–12<br />
VNIC Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . 4–13<br />
Preinstalling Required Applications. . . . . . . . . . . . . 4–13<br />
Converting to a Template. . . . . . . . . . . . . . . . . . . . 4–14<br />
Testing the Red Hat Enterprise Linux Target<br />
Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4–14<br />
4.2.4. Configuring a SUSE Linux Target Template . . . . . . . . . 4–15<br />
VNIC Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . 4–17<br />
Preinstalling Required Applications. . . . . . . . . . . . . 4–18<br />
iv 3850 6804–007
Deleting MAC Addresses . . . . . . . . . . . . . . . . . . . 4–18<br />
Converting to a Template. . . . . . . . . . . . . . . . . . . . 4–19<br />
Testing a SUSE Linux Target Template . . . . . . . . . . 4–19<br />
4.3. Preparing an Existing Virtual Machine or Template for a<br />
Stealth-Enabled VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . 4–20<br />
4.3.1. VNIC Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . 4–20<br />
4.3.2. Preparing a Windows Virtual Machine or Template<br />
for a Stealth-Enabled VLAN . . . . . . . . . . . . . . . . . . 4–20<br />
4.3.3. Preparing a Red Hat Enterprise Linux Virtual<br />
Machine or Template for a Stealth-Enabled VLAN . . 4–23<br />
4.4. Importing Tenant VLAN Network Appliance <strong>and</strong> Load<br />
Balancer Templates. . . . . . . . . . . . . . . . . . . . . . . . . . . . 4–25<br />
4.5. Installing VMware Tools 5.0 in the Tenant VLAN Network<br />
Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4–26<br />
4.6. Preparing the vCenter Server to Sysprep the Target<br />
Template (Windows Server 2003 <strong>and</strong> Windows XP<br />
Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4–28<br />
Section 5. Implementing a New Tenant VLAN<br />
Contents<br />
5.1. Configuring a DNS or Alternative for the Tenant . . . . . . . . . . 5–2<br />
5.1.1. Configuring the Tenant DNS . . . . . . . . . . . . . . . . . . . . 5–3<br />
5.1.2. Configuring the uChargeback Management VM if<br />
Tenants Do Not Have a DNS . . . . . . . . . . . . . . . . . . 5–3<br />
5.2. Configuring Workload Servers for VLAN Networking. . . . . . . 5–5<br />
5.2.1. Underst<strong>and</strong>ing Workload Server Networking<br />
Connection Options . . . . . . . . . . . . . . . . . . . . . . . . 5–6<br />
5.2.2. Configuring Access to Tenant VLAN Networks <strong>and</strong><br />
Tenant Interconnect . . . . . . . . . . . . . . . . . . . . . . . . 5–6<br />
Option 1: Using a Dedicated Physical NIC to<br />
Access a Tenant VLAN Network or Tenant<br />
Interconnect. . . . . . . . . . . . . . . . . . . . . . . . . . . . 5–7<br />
Option 2: Using a Distributed Switch to Access a<br />
Tenant VLAN Network or Tenant Interconnect . . . 5–8<br />
Option 3: Creating vSwitch Virtual Machine Port<br />
Groups to Access a Tenant VLAN Network or<br />
Tenant Interconnect . . . . . . . . . . . . . . . . . . . . . . 5–9<br />
5.3. Deploying a New Tenant VLAN Using a New or Existing<br />
Tenant VLAN Network Appliance . . . . . . . . . . . . . . . . . . 5–11<br />
5.3.1. Deploying a New Tenant VLAN Network Appliance<br />
<strong>and</strong> VLAN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5–11<br />
5.3.2. Adding a New VLAN to an Existing Tenant VLAN<br />
Network Appliance . . . . . . . . . . . . . . . . . . . . . . . . 5–18<br />
5.4. Configuring the Management Network Appliance for a<br />
New Tenant VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5–19<br />
5.4.1. Configuring the Virtual Management Network<br />
Appliance for a New VLAN . . . . . . . . . . . . . . . . . . 5–19<br />
3850 6804–007 v
Contents<br />
5.4.2. Configuring a Physical Management Network<br />
Appliance for a New VLAN . . . . . . . . . . . . . . . . . . 5–20<br />
5.5. Configuring the <strong>Cloud</strong> Orchestrator <strong>and</strong> uChargeback<br />
Management VMs to Communicate with Tenant VLAN. . 5–23<br />
5.6. Configuring the Tenant VLAN Network Appliance to be<br />
Monitored by the Nagios Collector. . . . . . . . . . . . . . . . . 5–24<br />
5.7. Additional Nagios Collector Configuration Information . . . . . 5–24<br />
5.8. Configuring External Servers to Communicate with<br />
Tenant VLANs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5–25<br />
Section 6. Creating <strong>and</strong> Managing Tenant Configurations<br />
6.1. Updating <strong>Cloud</strong> Provider or Adding Tenant Information in<br />
the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> Environment . . . . . . . . . . . . . . . 6–1<br />
6.2. Configuring Stealth-Enabled VLANs . . . . . . . . . . . . . . . . . . . 6–3<br />
6.3. Underst<strong>and</strong>ing Blueprints <strong>and</strong> General Blueprint<br />
<strong>Guide</strong>lines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6–6<br />
6.4. Creating Blueprints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6–9<br />
6.5. Virtual Machine Attributes <strong>and</strong> Values . . . . . . . . . . . . . . . . 6–11<br />
6.5.1. Virtual Machine General Configuration . . . . . . . . . . . . 6–11<br />
6.5.2. Virtual Machine Resource Balancer . . . . . . . . . . . . . . 6–14<br />
6.5.3. Virtual Machine Operating System Customization. . . . 6–15<br />
6.5.4. Virtual Machine Additional Instructions. . . . . . . . . . . . 6–20<br />
6.6. Virtual Desktop Attributes <strong>and</strong> Values. . . . . . . . . . . . . . . . . 6–21<br />
6.6.1. Virtual Desktop General Configuration . . . . . . . . . . . . 6–22<br />
6.6.2. Virtual Desktop Additional Instructions . . . . . . . . . . . . 6–23<br />
Section 7. Onboarding Tenants, Creating Users, <strong>and</strong> Assigning Roles<br />
7.1. Underst<strong>and</strong>ing User Roles. . . . . . . . . . . . . . . . . . . . . . . . . . 7–1<br />
7.2. Adding Tenants, Projects, <strong>and</strong> User Roles to the <strong>Secure</strong><br />
<strong>Private</strong> <strong>Cloud</strong> Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7–3<br />
7.2.1. Tenant Onboarding Overview . . . . . . . . . . . . . . . . . . . 7–3<br />
7.2.2. Onboarding a New Tenant. . . . . . . . . . . . . . . . . . . . . . 7–3<br />
7.3. Creating <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> Users in Active Directory . . . . 7–4<br />
7.4. Assigning <strong>Cloud</strong> Provider <strong>and</strong> Tenant Users to Roles, <strong>and</strong><br />
Assigning Tenant Users to Projects . . . . . . . . . . . . . . . . . 7–5<br />
7.5. Checkpoint: Commissioning a Resource . . . . . . . . . . . . . . . 7–7<br />
Section 8. Additional Networking Configuration<br />
8.1. Enabling Stealth for an Existing Tenant VLAN . . . . . . . . . . . . 8–1<br />
8.2. Configuring Network Appliances for Inbound Internet<br />
Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8–2<br />
8.2.1. Disabling Internet Access for Tenant Virtual<br />
Machines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8–3<br />
vi 3850 6804–007
8.2.2. Underst<strong>and</strong>ing Inbound Connection Limitations . . . . . . 8–3<br />
8.2.3. Providing a Public Source IP Address in Outbound<br />
Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8–4<br />
8.2.4. Enabling Inbound Internet Connections . . . . . . . . . . . . 8–5<br />
Shared Public IP Address Example. . . . . . . . . . . . . . 8–6<br />
Unique Public IP Address Example . . . . . . . . . . . . . 8–8<br />
8.3. Configuring an HAProxy Load Balancer for Web<br />
Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8–10<br />
8.3.1. Deploying a New HAProxy Virtual Machine. . . . . . . . . 8–10<br />
8.3.2. Configuring the HAProxy Configuration File . . . . . . . . 8–12<br />
8.4. Configuring Tenant VLAN Firewall Exceptions. . . . . . . . . . . 8–15<br />
8.4.1. Enabling Selected Tenant VLANs to Communicate . . . 8–15<br />
8.4.2. Enabling All Tenant VLANs to Communicate . . . . . . . . 8–17<br />
8.5. Changing the Predefined IP Address on the Intercom<br />
Network. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8–18<br />
8.5.1. Configuring the Jump Box, SQL Server, Portal,<br />
WSUS, Active Directory, <strong>and</strong> vCenter Server<br />
Management VMs to Use a New Intercom<br />
Network IP Address . . . . . . . . . . . . . . . . . . . . . . . 8–18<br />
8.5.2. Configuring the uAdapt Controller Management VM<br />
to Use a New Intercom Network IP Address . . . . . 8–19<br />
8.5.3. Configuring the uChargeback Management VM to<br />
Use a New Intercom Network IP Address . . . . . . . 8–20<br />
8.5.4. Configuring the <strong>Cloud</strong> Orchestrator Management<br />
VM to Use a New Intercom Network IP Address . . 8–21<br />
8.5.5. Configuring the Management Network Appliance to<br />
Use a New Intercom Network IP Address . . . . . . . 8–23<br />
8.5.6. Configuring a Tenant VLAN Network Appliance to<br />
Use a New Intercom Network IP Address . . . . . . . 8–25<br />
8.5.7. Configuring the Stealth Components to Use a New<br />
Intercom Network IP Address . . . . . . . . . . . . . . . . 8–25<br />
8.5.8. Updating RBADB to Use the New Intercom<br />
Network IP Address . . . . . . . . . . . . . . . . . . . . . . . 8–27<br />
8.5.9. Checkpoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8–28<br />
Section 9. Changing Credentials <strong>and</strong> Performing Final Installation<br />
Tasks<br />
Contents<br />
9.1. Recording Updated Credentials . . . . . . . . . . . . . . . . . . . . . . 9–1<br />
9.2. Prerequisites to Changing Credentials . . . . . . . . . . . . . . . . . 9–1<br />
9.3. Procedures for Changing Credentials . . . . . . . . . . . . . . . . . . 9–2<br />
9.3.1. VMware ESXi Management Interface . . . . . . . . . . . . . 9–3<br />
9.3.2. uAdapt Controller Management VM. . . . . . . . . . . . . . . 9–3<br />
9.3.3. Windows Management VMs Administrator<br />
Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9–3<br />
9.3.4. uAdapt Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9–4<br />
3850 6804–007 vii
Contents<br />
9.3.5. SQL Server Database Administrator. . . . . . . . . . . . . . . 9–7<br />
9.3.6. RBADB Database Passwords . . . . . . . . . . . . . . . . . . . 9–7<br />
9.3.7. vCenter Database Administrator . . . . . . . . . . . . . . . . . 9–8<br />
9.3.8. <strong>Cloud</strong> Orchestrator Database Administrator . . . . . . . . . 9–9<br />
9.3.9. <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> Portal Database Administrator . . 9–10<br />
9.3.10. Tomcat Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . 9–11<br />
9.3.11. RBADB Administrator Interface . . . . . . . . . . . . . . . . . 9–11<br />
9.3.12. Unisys-Supplied Domain Controllers. . . . . . . . . . . . . . 9–12<br />
9.3.13. uChargeback Services Domain Account . . . . . . . . . . . 9–13<br />
9.3.14. <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> Liferay Administrator. . . . . . . . . 9–15<br />
9.3.15. Virtual Management Network Appliance<br />
Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9–15<br />
9.3.16. Tenant VLAN Network Appliance Administrator . . . . . 9–16<br />
9.3.17. uChargeback vCenter User . . . . . . . . . . . . . . . . . . . . 9–16<br />
9.3.18. <strong>Cloud</strong> Orchestrator vCenter User . . . . . . . . . . . . . . . . 9–18<br />
9.3.19. Changing VMware Update Manager Database User<br />
Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9–19<br />
9.3.20. HAProxy Load Balancer for Web Applications . . . . . . . 9–20<br />
9.3.21. Stealth Infrastructure VMs, <strong>Administration</strong><br />
Application, <strong>and</strong> Dynamic Licensing Web<br />
Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9–21<br />
Stealth Configuration Machine, Stealth Transfer<br />
Machine, Stealth Proxy Server, <strong>and</strong> Stealth<br />
Relay Server Infrastructure VMs . . . . . . . . . . . . 9–21<br />
Virtual Stealth Gateway Infrastructure VM . . . . . . . 9–22<br />
Dynamic Licensing Web Interface . . . . . . . . . . . . . 9–23<br />
9.4. Restoring Users’ Connection to the Portal After<br />
Credentials Have Been Changed . . . . . . . . . . . . . . . . . . 9–24<br />
9.5. Performing a Final Commissioning Checkpoint . . . . . . . . . . 9–24<br />
9.6. Installing Virtual Office as a Service . . . . . . . . . . . . . . . . . . 9–24<br />
Section 10. <strong>Cloud</strong> Portal <strong>Operations</strong><br />
10.1. Underst<strong>and</strong>ing How Requests are Processed . . . . . . . . . . . 10–1<br />
10.2. Responding to Virtual Machine Requests . . . . . . . . . . . . . . 10–1<br />
10.3. Managing Expired Virtual Machines . . . . . . . . . . . . . . . . . . 10–3<br />
10.4. Responding to Physical Server Requests . . . . . . . . . . . . . . 10–3<br />
10.4.1. Commissioning New Physical Servers . . . . . . . . . . . . 10–3<br />
10.4.2. Starting or Stopping Physical Servers . . . . . . . . . . . . . 10–6<br />
10.4.3. Decommissioning Physical Servers (Releasing<br />
Physical Server Resources) . . . . . . . . . . . . . . . . . . 10–7<br />
Stopping the Persona . . . . . . . . . . . . . . . . . . . . . . 10–8<br />
Managing the Storage LUN . . . . . . . . . . . . . . . . . . 10–8<br />
Moving the Persona to the Inactive Server Pool . . . 10–8<br />
10.5. Responding to Virtual Desktop Requests . . . . . . . . . . . . . . 10–9<br />
viii 3850 6804–007
Contents<br />
10.5.1. Commissioning New Virtual Desktops . . . . . . . . . . . . 10–9<br />
10.5.2. Starting, Stopping, <strong>and</strong> Deleting Virtual Desktops . . . . 10–9<br />
10.6. Responding to Requests Using the Operator Prompts<br />
Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10–10<br />
10.7. Managing Tenant Users. . . . . . . . . . . . . . . . . . . . . . . . . . 10–11<br />
10.7.1. Updating a Tenant User’s E-mail Address . . . . . . . . . 10–11<br />
10.7.2. Moving a User from One Tenant Organization to<br />
Another . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10–11<br />
10.7.3. Deactivating or Reactivating Tenant Users . . . . . . . . 10–12<br />
10.7.4. Deleting Tenant Users <strong>and</strong> User Roles . . . . . . . . . . . 10–13<br />
10.8. Editing Blueprints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10–14<br />
10.9. Deleting Blueprints or Projects from the <strong>Cloud</strong><br />
Environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10–14<br />
10.9.1. Deleting Blueprints from the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong><br />
Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10–15<br />
10.9.2. Deleting Projects or Blueprints from RBADB . . . . . . 10–15<br />
Restrictions When Deleting Items in RBADB . . . . 10–15<br />
Verifying that Commissioned Resources Are Not<br />
Associated with Tenants, Projects, or<br />
Blueprints. . . . . . . . . . . . . . . . . . . . . . . . . . . . 10–16<br />
Removing a Blueprint from a Contract <strong>and</strong><br />
Deleting a Blueprint. . . . . . . . . . . . . . . . . . . . . 10–17<br />
Deleting a Project . . . . . . . . . . . . . . . . . . . . . . . . 10–17<br />
10.9.3. Removing Projects from uOrchestrate . . . . . . . . . . . 10–18<br />
10.9.4. Archiving Projects in uChargeback . . . . . . . . . . . . . . 10–18<br />
10.10. Configuring Snapshot Limits <strong>and</strong> Managing Snapshots . . . 10–19<br />
10.10.1. Configuring Snapshot Limits . . . . . . . . . . . . . . . . . . 10–19<br />
10.10.2. Managing Snapshots. . . . . . . . . . . . . . . . . . . . . . . . 10–20<br />
Creating New Snapshots . . . . . . . . . . . . . . . . . . . 10–20<br />
Reverting to a Different Snapshot . . . . . . . . . . . . 10–20<br />
Deleting a Snapshot . . . . . . . . . . . . . . . . . . . . . . 10–21<br />
10.11. Using the Resource Utilization Dashboard . . . . . . . . . . . . 10–21<br />
10.12. Configuring Resource Utilization Ranges . . . . . . . . . . . . . 10–23<br />
10.13. Managing the Lifecycle Database. . . . . . . . . . . . . . . . . . . 10–24<br />
10.14. Creating uChargeback Criteria Specifications . . . . . . . . . . 10–25<br />
10.15. Importing Existing Virtual Machines . . . . . . . . . . . . . . . . . 10–26<br />
10.15.1. Prerequisites for Importing Virtual Machines. . . . . . . 10–27<br />
10.15.2. Utility Components <strong>and</strong> Layout . . . . . . . . . . . . . . . . 10–27<br />
10.15.3. Using the Import Utility . . . . . . . . . . . . . . . . . . . . . . 10–29<br />
10.15.4. Operational Considerations . . . . . . . . . . . . . . . . . . . 10–31<br />
10.15.5. Inspecting Logs <strong>and</strong> Troubleshooting . . . . . . . . . . . . 10–32<br />
10.16. Configuring Tenant-Dedicated Workload Servers Manually. 10–34<br />
10.16.1. Creating Workload Server Clusters with HA <strong>and</strong><br />
DRS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10–34<br />
10.16.2. Completing Additional HA Tasks. . . . . . . . . . . . . . . . 10–35<br />
3850 6804–007 ix
Contents<br />
10.16.3. Configuring a vMotion Interface for each Workload<br />
Server in each Cluster . . . . . . . . . . . . . . . . . . . . . 10–35<br />
10.16.4. Adding Tenants . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10–36<br />
10.16.5. Configuring Resource Groups <strong>and</strong> Datastores. . . . . . 10–36<br />
10.16.6. Best Practices for Datastore <strong>and</strong> Resource Pool<br />
Naming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10–36<br />
10.16.7. Moving Workload Servers Between Clusters . . . . . . 10–38<br />
10.17. Updating the <strong>Cloud</strong> Name in the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong><br />
Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10–39<br />
10.18. Stealth for <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> <strong>Operations</strong> . . . . . . . . . . . 10–40<br />
10.18.1. Adding COI Sets <strong>and</strong> Modifying COI Set Members . . 10–40<br />
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10–40<br />
Required Files for Adding or Modifying COI Sets. . 10–41<br />
Using Dia to Add <strong>and</strong> Modify COI Sets . . . . . . . . . 10–42<br />
Finalizing COI Set Changes . . . . . . . . . . . . . . . . . 10–44<br />
Updating the Workbook <strong>and</strong> Deleting Unneeded<br />
Virtual Machines . . . . . . . . . . . . . . . . . . . . . . . 10–46<br />
10.18.2. Viewing Stealth Licenses in the <strong>Secure</strong> <strong>Private</strong><br />
<strong>Cloud</strong> Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10–46<br />
10.18.3. Accessing Logs <strong>and</strong> Monitoring Tunnels Using the<br />
<strong>Administration</strong> Application . . . . . . . . . . . . . . . . . . 10–47<br />
10.18.4. Viewing <strong>and</strong> Configuring Stealth Licensing Options. . 10–47<br />
10.18.5. Increasing the License Count for Stealth for <strong>Secure</strong><br />
<strong>Private</strong> <strong>Cloud</strong> . . . . . . . . . . . . . . . . . . . . . . . . . . . 10–52<br />
10.18.6. Enabling Stealth for <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> After<br />
Initial Implementation . . . . . . . . . . . . . . . . . . . . . 10–53<br />
10.19. Important Operational Restrictions. . . . . . . . . . . . . . . . . . 10–53<br />
Section 11. Removing Tenants <strong>and</strong> Components from the <strong>Cloud</strong><br />
Environment<br />
11.1. Stopping <strong>and</strong> Decommissioning Virtual Machines . . . . . . . . 11–1<br />
11.2. Stopping <strong>and</strong> Decommissioning Physical Machines . . . . . . 11–2<br />
11.3. Removing the Tenant Virtual Components in vCenter . . . . . 11–3<br />
11.4. Removing Management-Side Tenant Infrastructure in<br />
vCenter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11–5<br />
11.5. Deleting Tenant Account Entities . . . . . . . . . . . . . . . . . . . . 11–8<br />
11.5.1. Deleting Tenant Users <strong>and</strong> User Roles . . . . . . . . . . . . 11–8<br />
11.5.2. Removing a Tenant User Group from the <strong>Secure</strong><br />
<strong>Private</strong> <strong>Cloud</strong> Portal. . . . . . . . . . . . . . . . . . . . . . . . 11–9<br />
11.5.3. Deleting Blueprints from the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong><br />
Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11–9<br />
11.5.4. Deleting a Tenant Organization. . . . . . . . . . . . . . . . . 11–10<br />
11.6. Removing a Tenant Contract <strong>and</strong> Tenant from RBADB. . . . 11–10<br />
11.7. Removing Tenants from uOrchestrate . . . . . . . . . . . . . . . 11–11<br />
x 3850 6804–007
11.8. Removing Tenant Resources <strong>and</strong> Departments from<br />
uChargeback. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11–11<br />
11.9. Removing a Stealth-Enabled VLAN from the Tenant<br />
Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11–12<br />
Section 12. Troubleshooting<br />
Contents<br />
12.1. Troubleshooting Errors When Using a Secure Private Cloud Workbook . . . 12–1<br />
12.2. Troubleshooting Signing In to the Secure Private Cloud Portal . . . 12–3<br />
12.3. Handling Suspended, Failed, and Aborted Jobs . . . 12–3<br />
12.4. Troubleshooting Machine Names . . . 12–4<br />
12.5. Troubleshooting Physical Server Resources . . . 12–4<br />
12.6. Configuring the Virtual Management Network Appliance with a VMware License Restriction . . . 12–5<br />
12.6.1. Configuring the Virtual Management Network Appliance for a New VLAN (with a VMware License Restriction) . . . 12–5<br />
12.6.2. Configuring the Virtual Management Network Appliance to Use a New Intercom Network IP Address (with a VMware License Restriction) . . . 12–6<br />
12.7. Troubleshooting Onboarding Tenants and Users . . . 12–7<br />
12.7.1. Troubleshooting Sign In Problems Due to an Unknown E-mail Suffix . . . 12–7<br />
12.7.2. Verifying and Updating the E-mail Suffixes for an Organization . . . 12–8<br />
12.7.3. Verifying and Updating the Default Role for an Organization . . . 12–8<br />
12.7.4. Updating the Default Project for a Tenant . . . 12–9<br />
12.7.5. Troubleshooting Tenant Permissions in the Secure Private Cloud Portal . . . 12–10<br />
12.8. Resolving Secure Private Cloud Portal Messages . . . 12–13<br />
12.9. Restoring a Closed Pane in the Secure Private Cloud Portal . . . 12–17<br />
12.10. Log Files Maintenance . . . 12–17<br />
12.11. Reporting Problems to Unisys . . . 12–18<br />
12.12. Troubleshooting Datastore Filter and ResourcePoolFilter Constants . . . 12–18<br />
12.13. Disconnecting Users from the Secure Private Cloud Portal and Enabling Maintenance Mode . . . 12–18<br />
12.14. Troubleshooting Configuring Stealth-Enabled VLANs . . . 12–18<br />
12.15. Identifying the Secure Private Cloud Software Version . . . 12–21<br />
12.16. Troubleshooting Articles on the Unisys Product Support Web Site . . . 12–22<br />
Appendix A. Incorporating an External Server into the Cloud Management Environment<br />
A.1. Requirements for Incorporating an External Server . . . A–1<br />
A.2. Configuring the Management Server Intercom Network Connection to Communicate with External Servers . . . A–1<br />
A.2.1. Using a Dedicated Network Adapter . . . A–2<br />
A.2.2. Using a Shared Network Adapter . . . A–2<br />
A.3. Updating the Hosts File on All Management VMs and External Servers Running Windows . . . A–3<br />
A.4. Updating the Hosts File on uAdapt Management VM and External Servers Running Linux . . . A–4<br />
A.5. Configuring External Servers . . . A–4<br />
Figures<br />
2–1. Projects, Departments, Accounts, and SubAccounts . . . 2–11<br />
2–2. Comparison of Secure Private Cloud, uChargeback, and RBADB Entities . . . 2–12<br />
5–1. Logical VLAN Connections . . . 5–2<br />
6–1. Operations Console Populator . . . 6–2<br />
10–1. Unisys Cloud Import Utility . . . 10–28<br />
Tables<br />
1–1. Cloud Provider Site Environment Information . . . 1–6<br />
1–2. Cloud Provider License Information . . . 1–6<br />
1–3. General Networking Information . . . 1–6<br />
1–4. Cloud Management Environment Network Addresses . . . 1–7<br />
1–5. Networking for Management VMs and Management Server . . . 1–7<br />
1–6. LDAP Values for Secure Private Cloud Portal . . . 1–7<br />
1–7. Cloud Management Environment Certificate Details . . . 1–7<br />
1–8. Secure Private Cloud Portal Community Information . . . 1–7<br />
1–9. Runbook Automation Database (RBADB) Cloud Properties . . . 1–7<br />
1–10. uChargeback Domain Account and Configuration Information . . . 1–7<br />
1–11. Datacenter Workload Server Information . . . 1–7<br />
1–12. VMware Sysprep Configuration . . . 1–8<br />
1–13. VMware Resource Balancer . . . 1–8<br />
1–14. E-mail Notification Information . . . 1–8<br />
1–15. BMC Remedy/ITSM Adapter Notification Information . . . 1–8<br />
1–16. High Availability (HA) Management Server Information . . . 1–8<br />
1–17. Clustered Workload Server Information . . . 1–8<br />
1–18. Virtual Office Server Network Addresses . . . 1–8<br />
1–19. Virtual Office Server Failover Cluster . . . 1–9<br />
1–20. Management Server VLAN Configuration . . . 1–9<br />
1–21. Switchport Configuration . . . 1–9<br />
1–22. Distributed Virtual Network Switch Properties . . . 1–9<br />
1–23. Cloud Provider-supplied vCenter Configuration . . . 1–9<br />
1–24. Secure Private Cloud Portal Tenant Organization and Global Roles . . . 1–10<br />
1–25. Tenant VLAN Network Appliance Information . . . 1–10<br />
1–26. Tenant VLAN Configuration . . . 1–10<br />
1–27. Tenant Internal Configuration . . . 1–10<br />
1–28. Account Contract Details . . . 1–10<br />
1–29. Runbook Automation Database (RBADB) Account Properties . . . 1–10<br />
1–30. RBADB Account VLAN Configuration . . . 1–10<br />
1–31. Stealth Infrastructure Virtual Machines . . . 1–11<br />
1–32. Stealth Tenant Infrastructure Configuration . . . 1–11<br />
1–33. COI Sets and Access . . . 1–11<br />
1–34. Virtual Machine Blueprints . . . 1–11<br />
1–35. Virtual Machine Blueprint Attributes and Values . . . 1–11<br />
1–36. Physical Server Blueprints . . . 1–11<br />
1–37. Physical Server Blueprint Attributes and Values . . . 1–11<br />
1–38. Virtual Desktop Blueprints . . . 1–11<br />
1–39. Virtual Desktop Blueprint Attributes and Values . . . 1–12<br />
1–40. Secure Private Cloud Portal Information for Tenant Projects . . . 1–12<br />
1–41. Project Contract Limits . . . 1–12<br />
1–42. Virtual Office as a Service Session Manager Configuration . . . 1–12<br />
2–1. Default and Updated Environment Credentials . . . 2–5<br />
2–2. URLs for Web-Based UIs . . . 2–8<br />
6–1. Virtual Machine Basic Attributes and Values . . . 6–11<br />
6–2. Virtual Machine General Configuration Attributes and Values . . . 6–11<br />
6–3. Virtual Machine Resource Balancer Attributes and Values . . . 6–14<br />
6–4. Virtual Machine Operating System Customization Attribute and Values . . . 6–15<br />
6–5. Virtual Machine Operating System Attributes and Values . . . 6–15<br />
6–6. Virtual Machine Network Configuration Attributes and Values . . . 6–18<br />
6–7. Virtual Machine Additional Instruction Attributes and Values . . . 6–20<br />
6–8. Resource Pre-Expiration Notification . . . 6–21<br />
6–9. Virtual Desktop Basic Attributes and Values . . . 6–22<br />
6–10. Virtual Desktop General Configuration Attributes and Values . . . 6–22<br />
6–11. Virtual Desktop Additional Instruction Attributes and Values . . . 6–23<br />
6–12. Resource Pre-Expiration Notification . . . 6–24<br />
10–1. Example Criteria Specification, Page 1 Data . . . 10–25<br />
10–2. Example Criteria Specification, Page 2 Data . . . 10–26<br />
12–1. Tenant Role Permissions . . . 12–11<br />
Section 1<br />
Installation and Configuration Data<br />
The procedures in this guide assume a configuration in which the Unisys service consultant configures a cloud datacenter at a cloud provider site, and the cloud provider then supplies virtual machine, physical server, or virtual desktop usage to its tenants (the cloud provider’s customers).<br />
A tenant is an individual entity for whom you supply virtual machine, physical server, or virtual desktop usage from the cloud datacenter. Tenants are your customers or your subsidiaries or departments. If the cloud datacenter is intended to be used only by your own personnel, the environment can be treated as a single-tenant environment, or each organizational tier can be treated as a tenant (a multi-tenant environment).<br />
For information on networking and environment architecture, see 2.2 Accessing Architecture and Networking Information.<br />
1.1. Completing Worksheets for Installation and Configuration<br />
The Secure Private Cloud workbook (a Microsoft Excel workbook) contains the data that describes your environment and that of any tenants (internal and external customers). One set of tables contains data for the infrastructure. Separate sets of tables contain data for the tenants, one set for each tenant account. After the solution is implemented at your site, obtain the completed workbook from the Unisys service consultant and use it to add tenants to your environment.<br />
Note: Microsoft Excel 2007 or 2010 is required to use the Secure Private Cloud workbook.<br />
1.1.1. Workbook Organization<br />
The Secure Private Cloud workbook has the following worksheets:<br />
• Table of contents, which shows the overall organization and contains the following:<br />
- Links to cloud provider tables<br />
- Structure of tenant tables<br />
- Links to credentials and URLs tables<br />
- Buttons that perform actions: Add Tenant, Validate, Export, Import<br />
Note: These actions are discussed in the following subsections.<br />
• Credentials and URLs worksheet, which contains the following:<br />
- Table 2–1<br />
- Table 2–2<br />
Note: In the workbook, these tables are numbered Table 3-1, “Default and Updated Environment Credentials” and Table 5-1, “URLs for Web-Based UIs.”<br />
• Cloud provider worksheet, in 1.2 Cloud Provider Data Worksheet, which is organized as follows:<br />
- 1.2.1 Cloud Provider Environment, License, and Network Information<br />
- 1.2.2 Management VM Infrastructure<br />
- 1.2.3 VMware<br />
- 1.2.4 Notification<br />
- 1.2.5 High Availability Cluster<br />
- 1.2.6 Virtual Office as a Service<br />
- 1.2.7 Virtual LAN<br />
- 1.2.8 vCenter Supplied by the Cloud Provider<br />
• Tenant template worksheet, in 1.3 Tenant Data Worksheet, which is organized as follows:<br />
- 1.3.1 Tenant Information<br />
- 1.3.2 Tenant VLAN<br />
- 1.3.3 RBADB Accounts<br />
- 1.3.4 Stealth Onboarding<br />
- 1.3.5 Tenant Blueprints<br />
- 1.3.6 Tenant Projects<br />
- 1.3.7 Virtual Office as a Service Session Manager<br />
1.1.2. Implementing the Workbook<br />
Edit the tables in the cloud provider worksheet to describe the provider’s site configuration. Create a tenant worksheet for each tenant environment and edit the tables to describe each tenant environment. Refer to 1.1.3 Expanding the Workbook to Include Tenants and 1.1.4 Adding Tenant Blueprints and Projects.<br />
The workbook automatically validates much of the data you enter and fills some cells, using values in other cells. Refer to 1.1.5 Validating the Workbook.<br />
In some tables, IP address ranges are defined using Classless Inter-Domain Routing (CIDR) notation, which includes a base network IP address and a network mask. For example, the CIDR notation ″192.68.100.0/24″ refers to the address range from 192.68.100.1 through 192.68.100.255.<br />
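The following Python script is an added example and is not part of the Unisys guide or the workbook's own validation macros. It parses a CIDR string with the standard-library ipaddress module and reports the values an administrator needs when filling in the VLAN and network-address tables: the network address, the mask, the broadcast address and the usable host range. It also runs the two checks a workbook-wide validation should apply to every CIDR cell: the base address must have no host bits set, and no two ranges may overlap, since an overlap between a tenant VLAN range and the management network (or another tenant's range) defeats the per-tenant isolation those tables exist to provide. The table labels and address blocks in the sample are constructed for illustration. Note that in a /24 block such as 192.68.100.0/24 the first address (.0) is the network address and the last (.255) the broadcast address; both belong to the block but neither is assignable to a host.

```python
import ipaddress

# Constructed sample: the CIDR block the guide uses as its example.
EXAMPLE_CIDR = "192.68.100.0/24"


def describe_cidr(cidr: str) -> dict:
    """Parse a CIDR string and return the values a worksheet cell depends on.

    strict=True makes ipaddress reject a base address with host bits set
    (for example "192.68.100.5/24"), which is the most common way a CIDR
    cell in a worksheet goes wrong; a ValueError is raised in that case.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    # hosts() excludes the network and broadcast addresses for IPv4 blocks
    # larger than /31, so it yields exactly the assignable range.
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "prefixlen": net.prefixlen,
        "broadcast": str(net.broadcast_address),
        "first_host": str(hosts[0]) if hosts else None,
        "last_host": str(hosts[-1]) if hosts else None,
        "host_count": len(hosts),
        "total_addresses": net.num_addresses,
    }


def overlaps(cidr_a: str, cidr_b: str) -> bool:
    """True if the two blocks share at least one address."""
    a = ipaddress.ip_network(cidr_a, strict=False)
    b = ipaddress.ip_network(cidr_b, strict=False)
    return a.overlaps(b)


def validate_cidr_cells(cells):
    """Validate (label, cidr) pairs the way a workbook-wide check would.

    Each value must be a well-formed network with no host bits set, and no
    two values may overlap. Returns a list of error strings; an empty list
    means the cells are mutually consistent. Labels are free text.
    """
    errors = []
    parsed = []
    for label, cidr in cells:
        try:
            parsed.append((label, ipaddress.ip_network(cidr, strict=True)))
        except ValueError as exc:
            errors.append(f"{label}: {cidr!r} is not a valid CIDR block ({exc})")
    for i, (label_a, net_a) in enumerate(parsed):
        for label_b, net_b in parsed[i + 1:]:
            if net_a.overlaps(net_b):
                errors.append(f"{label_a} ({net_a}) overlaps {label_b} ({net_b})")
    return errors


if __name__ == "__main__":
    info = describe_cidr(EXAMPLE_CIDR)
    print(f"{EXAMPLE_CIDR}: network {info['network']}, mask {info['netmask']}, "
          f"broadcast {info['broadcast']}, hosts {info['first_host']}-{info['last_host']} "
          f"({info['host_count']} usable of {info['total_addresses']})")

    # Constructed worksheet cells: a management range, a tenant range that
    # collides with it, and a cell whose base address has host bits set.
    sample_cells = [
        ("Table 1-4 management network", "10.10.0.0/24"),
        ("Table 1-26 tenant A VLAN", "10.10.0.128/25"),
        ("Table 1-26 tenant B VLAN", "10.10.5.5/24"),
    ]
    for err in validate_cidr_cells(sample_cells):
        print("ERROR:", err)
```

Run it before exporting the workbook with the CIDR values copied from the network tables; two error lines for the constructed sample show the overlap and the host-bits problem, and an empty result means the ranges are disjoint and well-formed.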
The table headings in 1.2 Cloud Provider Data Worksheet and 1.3 Tenant Data Worksheet reflect the same hierarchy as the Secure Private Cloud workbook. They are included in this document to resolve references in the procedures. When you see a reference to a table, refer to the Secure Private Cloud workbook for the data.<br />
Note: Refer to 12.1 Troubleshooting Errors When Using a Secure Private Cloud Workbook for help if you receive error messages when using the workbook.<br />
1.1.3. Expanding the Workbook to Include Tenants<br />
A tenant is an individual entity for whom you supply virtual machine, physical server, or virtual desktop usage from the cloud datacenter. Tenants are your customers or your subsidiaries or departments. If the cloud datacenter is intended to be used only by your own personnel, the environment can be treated as a single-tenant environment, or each organizational tier can be treated as a tenant (a multi-tenant environment).<br />
Create a tenant worksheet in the Secure Private Cloud workbook for each tenant account, as follows:<br />
1. Open the workbook and select the Table of Contents tab.<br />
The Installation and Configuration Worksheets Table of Contents worksheet is displayed.<br />
Note: The organization is the same as 1.1.1 Workbook Organization.<br />
2. Click Add Tenant.<br />
The Add Tenant dialog box opens.<br />
3. Enter a name for the new tenant in the box, and click OK.<br />
Note: This name is configured as the folder in the Secure Private Cloud portal hierarchy in a later procedure in this guide.<br />
A new tenant worksheet is created in the workbook from the template.<br />
Repeat this procedure to create a separate worksheet for each tenant.<br />
1.1.4. Adding Tenant Blueprints and Projects<br />
Adding Tenant Blueprints<br />
Enter tenant blueprint data in Table 1–34, Table 1–36, or Table 1–38. For each blueprint name that you enter, the blueprint attributes and default values are initialized in Table 1–35, Table 1–37, or Table 1–39, and an Edit link is made available in the Properties column of the names table. Double-click the Edit link to jump to the column for that blueprint in the attributes and values table, and then update the attributes and values for that blueprint.<br />
If you need to enter more blueprints for a tenant than Table 1–34, Table 1–36, or Table 1–38 allows, click Add Blueprints to insert a group of six blank rows at the bottom of the table. You can insert as many groups of blank rows as needed.<br />
To delete a blueprint, clear its name in the names table. You are asked if you also want to clear the attributes and values for the blueprint. Click Yes to clear its values in the attributes and values table.<br />
Adding Tenant Projects<br />
Enter tenant project data in Table 1–40.<br />
In the Contract Limits column, double-click Edit to open an interface that enables you to edit the contract limits of the blueprints associated with the project.<br />
If you need to enter more projects for a tenant than Table 1–40 allows, click Add Project to insert a blank row at the bottom of the table. You can insert as many blank rows as needed.<br />
To delete a project, select the Project Name and click Delete Project.<br />
1.1.5. Validating the Workbook<br />
Data in individual cells is validated as much as possible while you enter the data. However, more extensive validation is needed after you complete all the cloud provider and tenant worksheets to make sure that the overall configuration is consistent. Perform this validation and correct any errors before exporting the data.<br />
Caution<br />
Invalid data can cause unexpected and critical errors when you are configuring the cloud environment.<br />
Validate the worksheets, as follows:<br />
1. Open the workbook and select the Table of Contents tab.<br />
2. If prompted, enable macros and set the macro security level to medium or higher.<br />
3. Click Validate.<br />
The Worksheet Selection dialog box opens with the following validation options:<br />
• Only the cloud provider worksheet<br />
• All worksheets in the workbook<br />
• One tenant worksheet<br />
4. Select the worksheets that you want to validate, and then click OK.<br />
The Validation Results dialog box opens and lists each error and location. Click Open Log to view the validation results in a log file, if desired.<br />
Repeat the following steps as often as necessary to correct all errors:<br />
a. Navigate to the cells that contain errors, using the links in the results list, and correct the errors.<br />
b. Click Revalidate after correcting one or more cells to update the error list.<br />
Click OK to close the Validation Results dialog box when you are finished reviewing the results.<br />
1.1.6. Exporting the Data<br />
The automated procedures in this guide are initiated from the jump box management VM to the other management VMs that are configured (refer to the In Use column in Table 1–5). The automated procedures require certain data in XML format as input. After entering all data in all worksheets in the Secure Private Cloud workbook, you can create the necessary XML files, as follows.<br />
Note: For security reasons, the exported data does not include the values of any updated credentials in Table 3-1, ″Default and Updated Environment Credentials.″<br />
1. Open a copy of the workbook that contains all the data, and select the Table of Contents tab.<br />
2. If prompted, enable macros and set the macro security level to medium or higher.<br />
3. Click Export.<br />
A Worksheet Selection dialog box opens with the following export options:<br />
• Only the cloud provider worksheet<br />
• All worksheets in the workbook<br />
• One tenant worksheet<br />
4. Select the worksheets that you want to export, and then click OK.<br />
The data is validated first.<br />
• If no validation errors are detected, the Chose a folder to export to dialog box appears. Navigate to the folder where you want to save the XML files and click OK. When the export process completes, you see a message that the export was successful. Click OK.<br />
The cloud provider file is named CloudProvider.xml<br />
Each tenant has its own tenant XML file named Tenant-.xml<br />
• If validation errors are detected, a Continue Export? dialog box is displayed advising you to correct the errors. Click Cancel.<br />
The Export Cancelled message box appears, and XML files are not created. You can correct errors and try exporting again. Refer to 1.1.5 Validating the Workbook.<br />
Note: If the data contains errors but you still want to export the files, click OK on the Continue Export? dialog box. The XML files are created, but errors can occur when configuring your Secure Private Cloud environment.<br />
5. Copy all XML files that you created to the following folder on the jump box management VM:<br />
C:\ProgramData\Unisys\SPC-Automation\xml<br />
1.1.7. Preserving Configuration Data<br />
The cloud provider worksheet in the Secure Private Cloud workbook must be kept up-to-date with configuration data changes. Store the workbook and XML files in a secure location for future use when updating the cloud configuration or onboarding tenants.<br />
Snapshots of management VMs that were taken during the configuration process and are no longer needed should be deleted.<br />
1.2. Cloud Provider Data Worksheet<br />
Use Table 1–1 through Table 1–23 to gather data that applies to the cloud provider in this environment.<br />
Only the categories, table headers, and a short description from the Secure Private Cloud workbook are included to provide references throughout this document. The details of each table are in the Secure Private Cloud workbook.<br />
1.2.1. Cloud Provider Environment, License, and Network Information<br />
Table 1–1. Cloud Provider Site Environment Information<br />
Contains site environment information, including default values that cannot be changed, default values that can be changed, and values that apply to the cloud provider’s specific environment.<br />
Table 1–2. Cloud Provider License Information<br />
Contains information about the cloud provider’s licenses.<br />
Table 1–3. General Networking Information<br />
Contains information about the cloud provider’s network, including DNS servers and domains, as it applies to the Secure Private Cloud implementation.<br />
Table 1–4. Cloud Management Environment Network Addresses<br />
Contains information about the networks that are used in the Secure Private Cloud management environment.<br />
Table 1–5. Networking for Management VMs and Management Server<br />
Contains networking values for the management VMs and management server.<br />
1.2.2. Management VM Infrastructure<br />
Table 1–6. LDAP Values for Secure Private Cloud Portal<br />
Contains information that is needed if you are using LDAP to validate credentials using a domain or to integrate with a cloud provider-supplied Active Directory.<br />
Table 1–7. Cloud Management Environment Certificate Details<br />
Contains information about the certificates that are used to secure certain management VMs.<br />
Table 1–8. Secure Private Cloud Portal Community Information<br />
Contains information that is needed for the Secure Private Cloud portal user community.<br />
Table 1–9. Runbook Automation Database (RBADB) Cloud Properties<br />
Contains information about the Runbook Automation Database (RBADB) cloud properties.<br />
Table 1–10. uChargeback Domain Account and Configuration Information<br />
Contains information about at least one domain user who is the uChargeback administrator.<br />
1.2.3. VMware<br />
Table 1–11. Datacenter Workload Server Information<br />
Contains information about the datacenter workload server, which supports virtual machines for<br />
users.<br />
Table 1–12. VMware Sysprep Configuration<br />
Contains information that is needed for VMware Sysprep configuration.<br />
Table 1–13. VMware Resource Balancer<br />
Contains information that is needed for VMware resource balancer configuration.<br />
1.2.4. Notification<br />
Table 1–14. E-mail Notification Information<br />
Contains information that is needed to send notifications using e-mail messages.<br />
Table 1–15. BMC Remedy/ITSM Adapter Notification Information<br />
Contains information that is needed to send notifications using BMC Remedy tickets.<br />
1.2.5. High Availability Cluster<br />
Table 1–16. High Availability (HA) Management Server Information<br />
Contains information that is needed to enable the management server High Availability (HA)<br />
capability.<br />
Table 1–17. Clustered Workload Server Information<br />
Contains information that is needed to define clusters for the workload servers, such as<br />
enabling DRS or High Availability capabilities for the workload servers.<br />
1.2.6. Virtual Office as a Service<br />
Table 1–18. Virtual Office Server Network Addresses<br />
Contains network address information that is needed to configure the Virtual Office as a Service<br />
capability.<br />
Table 1–19. Virtual Office Server Failover Cluster<br />
Contains network information that is needed to configure Virtual Office servers as a failover<br />
cluster.<br />
1.2.7. Virtual LAN<br />
Table 1–20. Management Server VLAN Configuration<br />
Contains information that is needed in a multi-tenant environment to implement virtual LANs (VLAN) to isolate the network traffic for each tenant from all other tenants.<br />
Table 1–21. Switchport Configuration<br />
Contains information that is needed to support workload servers, either clustered or standalone.<br />
Table 1–22. Distributed Virtual Network Switch Properties<br />
Contains information that is needed to support the distributed virtual network switches in the Secure Private Cloud Virtual Center server datacenter.<br />
1.2.8. vCenter Supplied by the Cloud Provider<br />
Table 1–23. Cloud Provider-supplied vCenter Configuration<br />
Contains information that is needed if the vCenter in the Secure Private Cloud environment is supplied by the cloud provider.<br />
1.3. Tenant Data Worksheet<br />
Use Table 1–24 through Table 1–42 to gather data that applies to each tenant in this environment.<br />
Only the categories, table headers, and a short description from the Secure Private Cloud workbook are included to provide references throughout this document. The details are in the Secure Private Cloud workbook.<br />
1.3.1. Tenant Information<br />
Table 1–24. Secure Private Cloud Portal Tenant Organization and Global Roles<br />
Contains the global data for defining the tenant in the provider’s cloud.<br />
1.3.2. Tenant VLAN<br />
Table 1–25. Tenant VLAN Network Appliance Information<br />
Contains information about the virtual LAN (VLAN) in a multi-tenant environment that isolates the network traffic for each tenant from all other tenants.<br />
Table 1–26. Tenant VLAN Configuration<br />
Contains data for configuring the tenant VLAN network appliance for the tenant.<br />
Table 1–27. Tenant Internal Configuration<br />
Contains data for configuring this tenant.<br />
1.3.3. RBADB Accounts<br />
Table 1–28. Account Contract Details<br />
Contains data for configuring RBADB with information about the tenant and the tenant’s blueprints.<br />
Table 1–29. Runbook Automation Database (RBADB) Account Properties<br />
Contains data for configuring RBADB with information about the tenant.<br />
Table 1–30. RBADB Account VLAN Configuration<br />
Contains data for configuring RBADB with information about the tenant’s VLAN.<br />
1.3.4. Stealth Onboarding<br />
Table 1–31. Stealth Infrastructure Virtual Machines<br />
Contains information about the Stealth infrastructure virtual machines that are created for each<br />
tenant Stealth-enabled VLAN.<br />
Table 1–32. Stealth Tenant Infrastructure Configuration<br />
Contains the global data for configuring the infrastructure for the tenant Stealth environment.<br />
Table 1–33. COI Sets and Access<br />
Contains information for defining groups of virtual machines that can communicate with one another, with other components in the cloud, and with the Public Network, also known as Communities of Interest (COI).<br />
1.3.5. Tenant Blueprints<br />
Table 1–34. Virtual Machine Blueprints<br />
Contains information about the tenant’s virtual machine blueprints.<br />
Table 1–35. Virtual Machine Blueprint Attributes and Values<br />
Contains information about the attributes and values for the tenant’s virtual machine blueprints.<br />
Table 1–36. Physical Server Blueprints<br />
Contains information about the tenant’s physical server blueprints.<br />
Table 1–37. Physical Server Blueprint Attributes and Values<br />
Contains information about the attributes and values for the tenant’s physical server blueprints.<br />
Table 1–38. Virtual Desktop Blueprints<br />
Contains information about the tenant’s virtual desktop blueprints.<br />
Installation <strong>and</strong> Configuration Data<br />
3850 6804–007 1–11
Installation <strong>and</strong> Configuration Data<br />
Table 1–39. Virtual Desktop Blueprint Attributes <strong>and</strong> Values<br />
Contains information about the attributes <strong>and</strong> values for the tenant’s virtual desktop blueprints.<br />
1.3.6. Tenant Projects<br />
Table 1–40. <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> Portal Information for Tenant Projects<br />
Contains information about the tenant’s projects.<br />
Table 1–41. Project Contract Limits<br />
Contains optional limits for the number of virtual machines that can be commissioned from<br />
each blueprint in a tenant project.<br />
1.3.7. Virtual Office as a Service Session Manager<br />
Table 1–42. Virtual Office as a Service Session Manager Configuration<br />
Contains information that is needed to configure Session Manager to support the Virtual Office<br />
as a Service capability for the tenant.<br />
1–12 3850 6804–007
Section 2
Introduction
This document is intended for Unisys service consultants initially implementing the Unisys Secure Private Cloud solution, as well as for the administrators and operators who maintain the solution.
In this library, a tenant is defined as an individual entity with whom the cloud provider has a contract to provide virtual machine, virtual desktop, or physical server usage from the cloud datacenter. These tenants might be the cloud provider’s customers, or they might be the provider’s subsidiaries or departments that should be treated as separate entities. Depending on the cloud provider’s needs, you can configure a single-tenant or a multi-tenant environment.
This document describes the processes required to administer and operate a cloud environment, including how to add new VMware templates to create new blueprints for tenants, how to handle user requests for new virtual machines, virtual desktops, and physical servers, and how to troubleshoot issues with the Secure Private Cloud portal.
Note: This document does not describe the procedures performed to initially configure the Secure Private Cloud environment; those procedures are described in the Secure Private Cloud Implementation Guide (3850 6846), which is available only to Unisys service consultants.
2.1. Documentation Updates
This document contains all the information that was available at the time of publication. Changes identified after release of this document are included in problem list entry (PLE) 18886286. To obtain a copy of the PLE, contact your service representative or access the current PLE from the product support Web site:
http://www.support.unisys.com/all/ple/18886286
Note: If you are not logged into the product support site, you will be asked to do so.
2.2. Accessing Architecture and Networking Information
Detailed architectural and networking information is available in Section 2 of the Secure Private Cloud Overview and Planning Guide. If you have a current connection to the Internet, you can access this information directly from the following link:
http://www.support.unisys.com/spc/docs/spc-2.2/38506796-007.pdf#architecture
Section 2 of the Overview and Planning Guide includes the following:
• A detailed description of the following Secure Private Cloud solution hardware:
- Cloud Management Environment
One or more management virtualization servers, which run VMware ESXi and are part of the Cloud Management Environment. These servers are called management servers in this document. Each management server hosts multiple management VMs. A management VM is a specialized virtual machine that performs management functions for the Secure Private Cloud.
The Overview and Planning Guide describes the required and optional management VMs and the infrastructure VMs (which provide infrastructure services for each tenant).
- Workload environment
One or more workload servers that host your data and your tenants’ data, as well as tenant-commissioned virtual machines, virtual desktops, and physical servers. VMware ESX or ESXi workload virtualization servers are known simply as virtualization servers and host virtual machines running Windows Server or Linux operating systems.
If your environment includes Virtual Office as a Service, Virtual Office servers run Windows Server 2008 R2 with the Hyper-V role enabled. If your environment includes uAdapt, physical servers host uAdapt personas.
• Overview of the Cloud Management domain and configuring domain controllers
• Overview of logical network configurations
• Requirements for configuring a highly available (HA) environment
• Detailed networking considerations for isolating tenant networks using virtual LANs (VLANs), including an example VLAN architecture
• Directions for including the Stealth for Secure Private Cloud feature in one or more tenant environments
• Requirements for designing the domain name system (DNS)
• Overview of network connections and communication paths (single-tenancy or multi-tenancy, and non-highly available or high availability configurations)
• Guidelines for combining physical networks (non-highly available or high availability configurations)
• Examples of using physical switches versus virtual network appliances
• Details on using hybrid configurations (a combination of physical and virtual components, such as a physical switch in the Cloud Management Environment and virtual network appliances in the workload environment), including configuring high network isolation, high routing, and configuring an enterprise private cloud
• Instructions for incorporating an external server into the Cloud Management Environment
• An overview of multi-tenant networking considerations, including tenant VLAN switch requirements, managing overlapping tenant IP addresses and domain names, and an overview of Network Address Translation (NAT)
2.3. Administrator and Operator Responsibilities
Personnel in the cloud provider’s organization are designated as administrators and operators of the Secure Private Cloud. If there are a small number of users, one person might be designated to complete both administration and operation tasks; if there are a large number of users, groups of administrators and operators might be designated to perform specific procedures.
Administrators and operators generally have the following responsibilities:
• Add new tenants and users to the Secure Private Cloud portal.
• Perform any required manual operations, including responding to end user requests sent through e-mail, through Remedy tickets, or through both.
• Use the Secure Private Cloud portal to authorize commissioning requests when any required manual operations are complete.
• Operate the Secure Private Cloud portal, the uChargeback interface, and other user interfaces, as required.
• Perform routine database maintenance on the SQL Server database.
• Work with Unisys service consultants to expand, change, or troubleshoot the environment, as required.
2.4. Before You Begin
Before you begin administering and operating the Secure Private Cloud solution, you should review the following documents:
• Unisys Secure Private Cloud Overview and Planning Guide (3850 6796)
This document provides an overview of the Secure Private Cloud environment and its features.
• Unisys Secure Private Cloud Interface Help (8207 3115)
This document describes how end users sign in and navigate the Secure Private Cloud portal. It also describes how end users request, start, stop, and decommission (delete) virtual machines, virtual desktops, and physical servers.
Most administrative and operational tasks involve reacting to user requests and problems, so you should review this document carefully to ensure that you understand your end users’ experience.
• uChargeback Installation, Configuration, and Operations Guide (3843 3801)
uChargeback is a set of tools that help you collect and manage resource usage data for both consolidated application servers and virtual machines. uChargeback determines the IT resources that each application uses. Review this document to familiarize yourself with the uChargeback functionality.
• uAdapt User’s Guide and Reference
uAdapt enables physical server commissioning; in the Secure Private Cloud environment, administrators and operators must perform manual actions when end users request physical servers. Review this document to familiarize yourself with the uAdapt interface. uAdapt provides important functionality for the Secure Private Cloud.
First, determine which version of uAdapt is supported with your version of the Secure Private Cloud. To do so:
1. On the Unisys Product Support Web site, www.support.unisys.com, expand Infrastructure Management, and then click Secure Private Cloud.
2. On the Secure Private Cloud Support Site, click Releases.
3. On the System Release Information page, click your Secure Private Cloud release.
4. In the Supported System Releases table, locate the supported uAdapt level.
The uAdapt documentation is available from the following locations:
- On the Unisys Product Support Web site (www.support.unisys.com).
Click Documentation in the left menu, and then agree to the terms of use. In the documentation libraries list, under Infrastructure Management, expand Infrastructure Management, expand uAdapt, and then click the appropriate uAdapt release.
- On the uAdapt installation media.
ISO images of these media are available on your Unisys Secure Private Cloud Management System, on the Datastore1 datastore, in the uAdapt Images folder. In the ISO image, the documentation is located in the getting_started folder.
- From the uAdapt Console.
After the uAdapt Controller is installed and configured, use Internet Explorer to access the uAdapt Console URL. After you log in, click Help, and then click Documentation.
Note: Your licenses for the uAdapt software, uOrchestrate software, and uChargeback software (which are all installed on the management server) are for use within the Secure Private Cloud environment only. These products contain many features and capabilities that can simplify the operation of other areas of your datacenter as well. Contact your Unisys sales representative if you want to purchase these products for use with servers that are not part of the Secure Private Cloud.
2.5. Default and Updated Environment Credentials
Software is configured using the default credentials in Table 2–1. Use these credentials as necessary during the integration process.
After you complete the initial implementation and update the credentials, use the new credentials instead. Note that almost every component in the table ships with the same default password, U*spc2341, and that the uOrchestrate Operations Console ships with no password at all. Rotate every entry in the table, not only the components that tenants can reach: a single component left at its default keeps a password that is printed in this guide valid in your environment.
This table is Table 3-1 in the online Excel version. Refer to 1.1 Completing Worksheets for Installation and Configuration.
Note: For some components, you can only update the password. If the user name cannot be updated, the table lists it as the updated user name.
Table 2–1. Default and Updated Environment Credentials
Each entry gives the product, what the credentials are for, the default user name and password, and, where the user name cannot be changed, the updated (fixed) user name. Record the updated password for each entry in the workbook; the table itself does not prescribe one.
• Management server: credentials for the server hosting the management VMs.
Default: root / U*spc2341. Updated user name (cannot be changed): root.
• Linux (operating system for the uAdapt management VM), administrator account: administrator account credentials for the uAdapt Controller.
Default: root / U*spc2341. Updated user name (cannot be changed): root.
• Linux (operating system for the uAdapt management VM), non-administrator account: non-administrator account credentials for the uAdapt Controller. This is a user on the Linux system, but this account is not used.
Default: user1 / User4Me.
• Windows (operating system for the other management VMs): local administrator account credentials.
Default: Administrator / U*spc2341.
• Management Network Appliance: local administrator account credentials that enable you to configure the Management Network Appliance management VM.
Default: vyatta / U*spc2341. Updated user name (cannot be changed): vyatta.
• Tenant VLAN network appliances: local administrator account credentials that enable you to configure the tenant VLAN network appliances.
Default: vyatta / U*spc2341. Updated user name (cannot be changed): vyatta.
• uAdapt Console: credentials that enable you to log on to the uAdapt Console.
Default: admin / admin. Updated user name (cannot be changed): admin.
• SQL Server Database Administrator: credentials for SQL Server authentication.
Default: sa / U*spc2341. Updated user name (cannot be changed): sa.
• vCenter Database: credentials for the vCenter database.
Default: vpxuser / U*spc2341. Updated user name (cannot be changed): vpxuser.
• vCenter Administrator: credentials for the vCenter user in the vCenter Administrator role.
Note: If you are using the vCenter server supplied by Unisys (the management VM), use these credentials to initially log on. If you are using a provider-supplied vCenter server, use the provider-supplied credentials from Table 1–23.
Default: Administrator / U*spc2341. Updated user name (cannot be changed): Administrator.
• Stealth for Secure Private Cloud Dynamic Licensing Web interface: credentials for the Dynamic Licensing Web interface for Stealth for Secure Private Cloud, if Stealth is included in your environment.
Default: admin / U*spc2341. Updated user name (cannot be changed): admin.
• Tomcat Manager: credentials for the Web server on the uChargeback management VM.
Default: admin / U*spc2341. Updated user name (cannot be changed): admin.
• RBADB: credentials for Runbook Automation Database administration.
Default: admin / U*spc2341. Updated user name (cannot be changed): admin.
• uOrchestrate Operations Console: credentials for the uOrchestrate Operations Console.
Default: uco@example.com / (no password). Updated user name (cannot be changed): uco@example.com (no password).
• Liferay administrator: credentials for the Liferay administrator user in the Secure Private Cloud portal that is allowed to access the Control Panel.
Default: uco@example.com / U*spc2341. Updated user name (cannot be changed): uco@example.com.
• SSL certificate: the certificate password for the Secure Private Cloud portal, Cloud Orchestrator, and uChargeback management VMs.
Default: (no user name) / U*spc2341.
• Cloud Orchestrator vCenter user: credentials for a user who is assigned to the Cloud Orchestrator role in vCenter for runbook usage.
Default: UCOUser / U*spc2341.
• uChargeback vCenter user: credentials for a user who is assigned a read-only role in vCenter. If you are using a domain account, specify the domain name, followed by a backslash, followed by the user name; for example, enter mydomain\myuser.
Default: uChrgUser / U*spc2341.
• Virtual Office as a Service administrator: credentials for a Virtual Office as a Service administrator.
Default: Administrator / U*spc2341.
• VMware Update Manager Database (VUMDB): credentials that enable you to log on to the VUMDB.
Default: vumuser / U*spc2341. Updated user name (cannot be changed): vumuser.
• Cloud Orchestrator Lifecycle database: credentials for the Cloud Orchestrator Lifecycle database (uorch_lifecycle).
Default: lifecycle-dbadmin / U*spc2341. Updated user name (cannot be changed): lifecycle-dbadmin.
• Secure Private Cloud portal database: credentials for the Secure Private Cloud portal database (PortalDB).
Default: Portal-dbadmin / U*spc2341. Updated user name (cannot be changed): Portal-dbadmin.
Note: During the implementation of the Secure Private Cloud environment, you are required to create new domain accounts (for example, for the uChargeback administrator) or use existing domain accounts (for example, for the Active Directory management VM). These credentials are not listed in Table 2–1, because there are no default values, but they are listed in the cloud provider workbook tables. You create and update these values using the standard domain credential management process for your environment. See the workbook for more information about these required domain administrator accounts.
2.6. URLs for Web-Based UIs
Configuration instructions often reference the URLs in Table 2–2.
Note: This table is Table 5-1 in the online Excel version.
Table 2–2. URLs for Web-Based UIs
• Secure Private Cloud portal: https://user-facing-fully-qualified-name-of-Secure-Private-Cloud-portal
Note: This is the FQN of the Secure Private Cloud portal Web page, not the FQN of the Secure Private Cloud portal management VM.
• RBADB: https://current-fully-qualified-name-of-uChargeback-mgmt-VM:8443/RBADB
Note: “RBADB” must be uppercase in the URL.
• uAdapt Console: http://IP-address-of-uAdapt-Console
• uOrchestrate Operations Console: https://localhost:8443
Note: You must be logged in to the Cloud Orchestrator management VM to access the Operations Console.
• uChargeback License Activation Web site: https://www.support.unisys.com/public/licenseActivator/login.aspx
• Secure Private Cloud Troubleshooting: http://www.support.unisys.com/common/search/FaqSearch.aspx?pla=SPC&nav=SPC&dt=kb&action=doit&key=trouble-shooting&title=Secure+Private+Cloud+Trouble+Shooting
• Session Manager virtual machine: http://localhost:1780 or, if accessing remotely, http://current-fully-qualified-domain-name-of-session-mgr-VM:1780
Note: This is applicable only for tenants that have virtual desktops enabled through the Virtual Office as a Service solution.
The uAdapt Console and Session Manager interfaces are served over plain HTTP, so the credentials from Table 2–1 cross the wire unencrypted when you log on to them. Reach them only from the management network, never across a tenant VLAN or the Public Network.
2.7. Completing and Exporting Tenant Worksheets
Before performing the procedures in this book for a new implementation or a new tenant, you should complete and export the Cloud Provider worksheet and complete and export the worksheets for any tenants. See 1.1 Completing Worksheets for Installation and Configuration.
2.8. Understanding Tenant Accounts and Secure Private Cloud Interfaces
You can configure the Secure Private Cloud portal for the following types of access:
• Single tenant
One tenant exists in the environment.
• Multi-tenant
One or more tenants coexist in the same environment. Each tenant is configured with its own set of administrators, users, projects, and blueprints. A multi-tenant environment in which only one tenant is defined is a single-tenant environment.
Tenants can have one or more projects. Projects are used to further subdivide the tenant organization. You can configure projects based on the needs of a tenant environment. For example, you could configure one project for each tenant department or each subdepartment, or you could configure projects based on user responsibilities in the organization.
Each project folder can contain one or more blueprints. A blueprint defines the resource type (virtual machine, physical server, or virtual desktop) that users can commission and its associated attributes, such as operating system type and memory allocation. If you want users of multiple projects to commission resources using one blueprint, you can save the same blueprint in multiple projects. Alternatively, you can isolate one blueprint in one project, so that only users assigned to that project can access it.
2.8.1. XYZ Company Example (Single Tenant)
The XYZ Company is a hypothetical company that serves as an example of a single-tenant environment. The Secure Private Cloud for the XYZ Company has the following structure:
• For billing purposes, the Secure Private Cloud portal tracks the following projects:
- Billing
- Inventory
- Sales
• All blueprints are available to the users, and the name of each blueprint helps to describe the blueprint. For example, W2K3x64-VM is a Windows Server 2003 x64 operating system for a virtual machine. The following are examples of blueprints:
- W2K3x64-VM
- W2K3x86-P
- W2K8x64-VM
- W2K8x86-P
2.8.2. Acme Company Example (Multi-tenant)
The Acme Company, a hypothetical company, is an example of a multi-tenant environment. The Acme Company hosts a cloud in which other tenants (the TPA tenant and the Widget tenant) coexist in the environment.
Note: In the following examples, TPA and Widget are tenants in the same multi-tenant system.
The Secure Private Cloud for the Acme Company has the following structure:
• TPA
- Billing
- Inventory
- Sales
• Widget
- Billing
- Manufacturing
- Human Resources
All blueprints are grouped by tenant, and all blueprint names must be unique, as follows:
• TPA
- TPA_W2K3x64-VM
- W2K3x86-Phys
• Widget
- Widg_W2K8x64-VM
- W2K8x86-Phys
2.8.3. Projects, Departments, Accounts, and SubAccounts
The user interfaces associated with the Secure Private Cloud solution include the Secure Private Cloud portal, uChargeback, and the Runbook Automation Database (RBADB).
The Secure Private Cloud portal is your interface for refining new blueprints and your tenants’ interface for deploying new virtual machines, physical servers, and virtual desktops. uChargeback includes a set of tools that help you collect and manage resource usage data for both physical servers and virtual machines. RBADB stores the tenant- and account-based information that supports various functions in the cloud environment, including the following:
• Equating values between the Secure Private Cloud portal and uChargeback, enabling these interfaces to be coordinated
• Enforcing contract limits
• Enforcing snapshot limits
• Mapping tenant-side machine names and IP addresses to their management-side machine name and IP address equivalents
These interfaces use slightly different terms for tenants and projects, as shown in Figure 2–1.
Figure 2–1. Projects, Departments, Accounts, and SubAccounts
Tenant (Account) names must be unique across your entire cloud environment. (Tenants cannot share a name with another tenant or with any project.)
Configuration data is added to the RBADB database, uChargeback, and the Secure Private Cloud portal when you execute the Populator addTenant effector. This data is retrieved from the tenant data worksheet. When you make changes, such as adding blueprints, accounts, or projects, you must update the appropriate worksheet and run the Populator updateTenant effector. Refer to Section 6, Creating and Managing Tenant Configurations, for more information.
In the Secure Private Cloud portal, two tenants can use the same Project (SubAccount) name, but uChargeback requires that all names be unique. RBADB serves as the link between the portal and uChargeback. As shown in the previous example, when two or more tenant Projects (SubAccounts) share the same name, the Populator automatically adds a numerical suffix to the end of each duplicate project name. The version of the project name that includes the numerical suffix appears only in RBADB and uChargeback; in the Secure Private Cloud portal, the numerical suffix does not appear. For example, TenantA has a project named Accounting, while TenantB has a project named Accounting01, and TenantC has a project named Accounting02. Because the suffixed name exists only on the RBADB and uChargeback side, always match a chargeback or RBADB record back to the portal by tenant and project together, never by project name alone; otherwise one tenant’s usage can be attributed to another tenant’s identically named project.
Figure 2–2 illustrates the relationships between the Secure Private Cloud, uChargeback, and RBADB in more detail.
Figure 2–2. Comparison of Secure Private Cloud, uChargeback, and RBADB Entities
2.8.4. Naming Guidelines for Components in the Cloud Environment<br />
Components in the cloud environment—including tenant, project, blueprint, and snapshot names, as well as blueprint attributes for template names and OS type names—can contain only the following characters:<br />
• Alphanumeric characters<br />
• The following special characters:<br />
- Space<br />
- Hyphen (-)<br />
- Underscore (_)<br />
- Period (.)<br />
- Ampersand (&)<br />
- At sign (@)<br />
Names can be no longer than 128 characters.<br />
Note: Host names for management VMs and physical servers and user names (including COI Set names, if Stealth for Secure Private Cloud is included in your environment) are more restrictive. Follow the guidelines in the Secure Private Cloud workbook when creating host names, COI Set names, and user names.<br />
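As an added example (not from the Unisys guide), the following PowerShell checks a proposed name against the character set and length limit above, and reproduces the numeric-suffix behaviour of the Populator described earlier for duplicate project names; the function names are hypothetical, and "alphanumeric" is assumed to mean ASCII letters and digits, with name matching assumed to be case-insensitive.

```powershell
# Added example; not part of the Unisys guide. Assumes "alphanumeric" means
# ASCII letters and digits, and that duplicate detection is case-insensitive.

function Test-SpcComponentName {
    <#
      Returns $true when a tenant, project, blueprint, snapshot, template or
      OS type name uses only the characters allowed in 2.8.4 and is between
      1 and 128 characters long.
    #>
    param([Parameter(Mandatory = $true)][AllowEmptyString()][string]$Name)

    if ($Name.Length -lt 1 -or $Name.Length -gt 128) { return $false }
    # Letters, digits, space, hyphen, underscore, period, ampersand, at sign.
    return ($Name -match '^[A-Za-z0-9 _.&@-]+$')
}

function Get-UniqueProjectNames {
    <#
      Given project names in the order the Populator encounters them (one
      entry per tenant project), returns the names as they would appear in
      RBADB and uChargeback: the first occurrence is unchanged and each later
      duplicate receives a two-digit suffix (Accounting, Accounting01, ...).
    #>
    param([Parameter(Mandatory = $true)][string[]]$ProjectNames)

    $taken   = @{}    # hashtable keys are case-insensitive by default
    $counter = @{}
    $result  = New-Object System.Collections.Generic.List[string]

    foreach ($name in $ProjectNames) {
        $candidate = $name
        if ($taken.ContainsKey($candidate)) {
            # Keep incrementing until the name is free, so a tenant that
            # itself named a project "Accounting01" cannot collide with a
            # generated suffix.
            do {
                $counter[$name] = [int]$counter[$name] + 1
                $candidate = '{0}{1:D2}' -f $name, $counter[$name]
            } while ($taken.ContainsKey($candidate))
        }
        $taken[$candidate] = $true
        $result.Add($candidate)
    }
    return ,$result.ToArray()
}

# Constructed sample input: three tenants each own a project named Accounting,
# plus one invalid name (slash) and one that exceeds 128 characters.
$sample = @('Accounting', 'Accounting', 'Accounting', 'Payroll')
foreach ($n in $sample + @('Bad/Name', ('x' * 129))) {
    $shown = $n.Substring(0, [Math]::Min($n.Length, 12))
    '{0,-12} valid={1}' -f $shown, (Test-SpcComponentName $n)
}
'RBADB names: ' + ((Get-UniqueProjectNames $sample) -join ', ')
```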
Section 3<br />
Initial Configuration Tasks<br />
Perform the procedures in this section to initially configure workstations to access the<br />
<strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal <strong>and</strong> also to configure the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal Virtual<br />
Host value.<br />
3.1. Configuring a Workstation to Configure the Secure Private Cloud Portal<br />
To configure a workstation that can access and configure the Secure Private Cloud portal, you must<br />
• Configure the network connections<br />
• Install the vSphere Client<br />
• Install or configure a supported Web browser<br />
• Optimize the screen resolution<br />
In addition, you might need to configure Windows File Explorer to view hidden files <strong>and</strong><br />
protected operating system files.<br />
Configuring the Network Connections<br />
To access <strong>and</strong> configure the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal, the workstation must have direct<br />
or indirect access to the Public Network. Additionally, the workstation must be able to<br />
resolve the user-facing FQN of the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal to the Public Network IP<br />
address of the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal. For example, the workstation could be<br />
configured to use a DNS where the user-facing FQN of the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal has<br />
been registered. This is described in the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> Implementation <strong>Guide</strong>.<br />
Note: Any workstation that end users use to access the Secure Private Cloud portal must also have direct or indirect access to the Public Network and be able to resolve the user-facing FQN of the Secure Private Cloud portal.<br />
To be able to connect to the management server <strong>and</strong> the vCenter server, the configuration<br />
workstation must have direct or indirect access to the VMware Management Network.<br />
For an overview of the networks in the Cloud Management Environment, see the architectural and networking discussion in the Overview and Planning Guide (http://www.support.unisys.com/spc/docs/spc-2.2/38506796-007.pdf#architecture).<br />
Installing the vSphere Client<br />
To configure the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal, you must install the VMware vSphere Client<br />
on the workstation so that you can connect to the management server <strong>and</strong> the vCenter<br />
server to perform configuration tasks. To install this software, do the following:<br />
1. Open a browser window <strong>and</strong> connect to the management server.<br />
You see a Security Warning indicating that the certificate is untrusted.<br />
2. Do one of the following:<br />
• Ignore this warning <strong>and</strong> continue to the Web page.<br />
• View the certificate.<br />
• Install the certificate.<br />
3. On the VMware ESXi Server Welcome page, click the link to download the vSphere<br />
Client.<br />
Installing or Configuring a Supported Web Browser<br />
Ensure that one of the following browsers is installed on any workstation that accesses<br />
the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal:<br />
• Internet Explorer 8.0 or 9.0<br />
• Mozilla Firefox 3.6 or higher<br />
If you are using Internet Explorer 8.0 or 9.0, configure the following settings:<br />
Note: Mozilla Firefox does not require additional configuration.<br />
1. Ensure that Compatibility View is not selected on the Tools menu. (That is,<br />
ensure that a check mark does not appear next to Compatibility View.) If Compatibility<br />
View is selected, clear it.<br />
2. Click Compatibility View Settings on the Tools menu. Do the following on the<br />
Compatibility View Settings dialog box:<br />
a. Verify that the URL of the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal does not appear in the<br />
″Websites you’ve added to Compatibility View″ box.<br />
b. Clear all of the check boxes on the dialog box.<br />
c. Click Close.<br />
3. Add the URL for the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal to your Trusted Sites list, as follows:<br />
a. Click Internet Options on the Tools menu.<br />
The Internet Options dialog box opens.<br />
b. Select the Security tab, select Trusted sites, <strong>and</strong> click Sites.<br />
The Trusted sites dialog box opens.<br />
c. Enter the fully qualified name of the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal (without the<br />
protocol HTTP or HTTPs) from Table 2–2, <strong>and</strong> then click Add.<br />
For example, enter SPC-Portal.Example.com, <strong>and</strong> then click Add.<br />
d. Click Close.<br />
4. Enable custom settings, as follows:<br />
a. On the Security tab, select Trusted sites, <strong>and</strong> then click Custom level.<br />
b. Scroll to the ActiveX controls <strong>and</strong> plug-ins category.<br />
c. Ensure that the Enable check box for the following settings is selected:<br />
• Binary <strong>and</strong> script behaviors<br />
• Run ActiveX controls <strong>and</strong> plug-ins<br />
• Script ActiveX controls marked safe for scripting<br />
d. Scroll to the Scripting category.<br />
e. Ensure that the Enable check box for Active scripting is selected.<br />
f. Click OK.<br />
5. If you are using Internet Explorer 8, close all open Internet Explorer windows to save<br />
your changes.<br />
If you are using Internet Explorer 9.0, configure the following additional settings:<br />
a. Select Developer Tools on the Tools menu.<br />
The Developer Tools page opens.<br />
b. Clear the Script option in the Disable list.<br />
c. Verify that the Browser Mode is set to IE9.<br />
If it is not, select Internet Explorer 9 from the Browser Mode list.<br />
Note: Do not select Internet Explorer 9 Compatibility View.<br />
d. Verify that the Document Mode is set to IE9 st<strong>and</strong>ards.<br />
If it is not, select Internet Explorer 9 st<strong>and</strong>ards from the Document Mode<br />
list.<br />
e. Clear Developer Tools on the Tools menu.<br />
The Developer Tools page closes.<br />
f. Close all open Internet Explorer windows to save your changes.<br />
Optimizing the Screen Resolution<br />
The <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal is optimized to work with the workstation screen<br />
resolution set to 1024 × 768.<br />
3.2. Inserting the Secure Private Cloud Portal Terms of Use<br />
A Terms of use link appears on the lower right of each <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal page.<br />
This link should direct portal users to a document, which is issued by the Portal<br />
Administrator entity, that outlines the acceptable usage <strong>and</strong> conduct on the portal.<br />
To insert a Terms of Use document, do the following:<br />
1. Open a console to the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal management VM, <strong>and</strong> log in using<br />
administrator credentials.<br />
2. Using Windows Explorer, navigate to the following directory: C:\Unisys\liferay-portal-6.0.6\tomcat-6.0.29\webapps\unisys-spg-portlet\WebHelp.<br />
3. Map a network drive to the location of your TermsAndCondition.htm file.<br />
4. Copy the file to the C:\Unisys\liferay-portal-6.0.6\tomcat-6.0.29\webapps\unisys-spg-portlet\WebHelp folder.<br />
5. Disconnect the network drive that you mapped.<br />
6. Log off the management VM.<br />
For any workstation that you used to access the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal previously,<br />
you must clear your browser history, cache, cookies, <strong>and</strong> all other browser records.<br />
CHECKPOINT:<br />
1. From your workstation, sign in to the portal using cloud administrator credentials.<br />
2. Click the Terms of Use link at the bottom right of the page, <strong>and</strong> verify that you see<br />
the new terms of use.<br />
Section 4<br />
Creating VMware Template Gold Images<br />
VMware template gold images are used by the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal blueprints to<br />
instantiate virtual machines for end users. This section describes how to use the VMware<br />
templates provided by Unisys or how to create your own custom templates based on<br />
various operating systems (Windows, Red Hat Enterprise Linux, or SUSE Linux).<br />
The VMware templates you use must contain the required components and initial configuration settings to enable blueprints to be successfully cloned, customized, and commissioned in the Secure Private Cloud environment.<br />
To complete the procedures in this section, you must be familiar with the vSphere Client<br />
virtual machine creation wizard. See the help provided with VMware vCenter for more<br />
information. You should also be knowledgeable about the following:<br />
• Assigning the number of virtual CPUs<br />
• Designating memory size<br />
• Assigning Vdisk capacity<br />
• Attaching a VNIC to the appropriate VLAN<br />
Note: Each virtual machine template must include only one VNIC.<br />
• Creating an Administrator account<br />
• Installing <strong>and</strong> configuring any additional software that is required for this template<br />
4.1. Using Unisys Provided VMware Templates for Windows<br />
The Unisys <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> solution provides a set of Windows VMware templates<br />
that can be used as a base for creating gold images. On these templates, the operating<br />
system is installed <strong>and</strong> the firewall is configured.<br />
Notes:<br />
• Two templates are provided: one for Windows Server 2003 and one for Windows Server 2008. If Stealth for Secure Private Cloud is included in your environment, two additional Stealth-enabled templates are provided for Windows Server 2003 and Windows Server 2008. These Stealth-enabled templates are deployed during initial implementation by the Unisys service consultant.<br />
• Unisys does not provide templates for Linux. You can create Red Hat Enterprise Linux or SUSE Linux templates by performing the procedures in 4.2 Creating Custom Windows VMware Templates and Creating Linux VMware Templates.<br />
Perform the procedures in this topic to use the Unisys provided VMware templates.<br />
4.1.1. Importing Unisys Provided Templates into vCenter<br />
Perform the following procedure to import the Unisys provided VMware templates into<br />
vCenter:<br />
1. From the Management Server datastore, navigate to the Recovery Images folder.<br />
2. Download the Target Templates folder to the workstation.<br />
Wait until the download is complete before proceeding, <strong>and</strong> then close the datastore<br />
window.<br />
3. Launch the vSphere Client, connect to the vCenter server using its current host name<br />
or IP address, <strong>and</strong> log in using the administrator user credentials in Table 2–1, for a<br />
Unisys-supplied vCenter server, or Table 1–23, if you are using an existing vCenter<br />
server in your environment that you provide.<br />
4. Point to Deploy OVF Template on the File menu, and then click Deploy from file.<br />
The Deploy OVF Template wizard starts.<br />
a. Click Browse, select one of the OVA files that you downloaded in step 2, <strong>and</strong><br />
then click Next.<br />
b. Complete each page of the wizard, using the following guidelines:<br />
• On the Name <strong>and</strong> Location page, select the inventory location using the<br />
datacenter name from Table 1–11.<br />
• On the Host / Cluster page, select the desired workload server or cluster.<br />
• On the Resource Pool page, select the desired workload server or cluster.<br />
Note: It is recommended that you do not select a resource pool.<br />
• On the Datastore page, select a datastore that is visible to all the workload<br />
servers where the template is intended to be used.<br />
• On the Disk Format page, select Thin provisioned format.<br />
• On the Network Mapping dialog, select the desired network.<br />
c. On the Ready to Complete page, verify the selections, <strong>and</strong> then click Finish to<br />
deploy the template.<br />
5. Repeat the previous step to deploy additional templates or to deploy the templates to<br />
additional workload servers or clusters.<br />
6. If you are using the Windows Server 2003 template, do the following to prepare the<br />
operating system:<br />
a. If required, convert the template to a virtual machine.<br />
b. Select the deployed virtual machine, click Edit Settings, select the Hardware<br />
tab, click Network adapter 1, <strong>and</strong> ensure that the following settings are<br />
accurate:<br />
• Connect at Power on is enabled.<br />
• Public Network is selected in the Network Connection list.<br />
c. Power on the virtual machine, <strong>and</strong> then open a console to it.<br />
The Windows Setup wizard starts.<br />
d. Provide a valid volume license key so that the virtual machine can be used as a<br />
template.<br />
Note: This key should be supplied by the cloud provider <strong>and</strong> the value recorded<br />
in Table 1–35 of the tenant worksheet.<br />
Wait for the Windows Setup wizard to complete <strong>and</strong> Windows to start.<br />
e. Log in to the Windows operating system when prompted.<br />
Note: The password for the local administrator user in the Windows Server 2003<br />
template is blank. Ensure that this password remains blank.<br />
f. Apply all necessary Windows updates <strong>and</strong> patches.<br />
g. Verify that the VMware Tools package is the latest available, <strong>and</strong> update this<br />
package if required.<br />
h. Shut down the virtual machine.<br />
You now can clone the virtual machine for further customization.<br />
7. If Stealth is included in your environment <strong>and</strong> you want to use the Stealth-enabled<br />
Windows Server 2003 template, repeat the previous step to prepare the operating<br />
system for that template.<br />
Note: This template was deployed during initial implementation by the Unisys<br />
service consultant.<br />
8. If you are using the Windows Server 2008 template, prepare the operating system as<br />
follows:<br />
a. If required, convert the template to a virtual machine.<br />
b. Select the deployed virtual machine, click Edit Settings, select the Hardware<br />
tab, click Network adapter 1, <strong>and</strong> ensure that the following settings are<br />
accurate:<br />
• Connect at Power on is enabled.<br />
• Public Network is selected in the Network Connection list.<br />
c. Power on the virtual machine.<br />
The Windows Setup wizard starts.<br />
d. Log in to the operating system, using the Windows Administrator user password<br />
from Table 2–1.<br />
e. Apply all necessary Windows updates <strong>and</strong> patches. (You might be prompted to<br />
activate your Windows operating system in order to complete these updates.)<br />
f. Verify that the VMware Tools package is the latest available, <strong>and</strong> update this<br />
package if required.<br />
g. Shut down the virtual machine.<br />
You now can clone the virtual machine for further customization.<br />
9. If Stealth is included in your environment <strong>and</strong> you want to use the Stealth-enabled<br />
Windows Server 2008 template, repeat the previous step to prepare the operating<br />
system for that template.<br />
Note: This template was deployed during initial implementation by the Unisys<br />
service consultant.<br />
4.1.2. Preinstalling Required Applications<br />
An important goal is to shorten the amount of time that it takes to provide an operational<br />
commissioned server. Therefore, in addition to installing <strong>and</strong> configuring the operating<br />
system, you should generally preinstall <strong>and</strong> configure some set of applications on your<br />
template. For example, this could be Apache Tomcat or Web services.<br />
However, before installing any application software, you should first clone your existing<br />
template <strong>and</strong> then install <strong>and</strong> configure the application software on the new clone. This<br />
new clone becomes a new template for the specific application. The existing template is<br />
retained in its original form for use with other application clones.<br />
4.1.3. Converting to a Template<br />
Do the following to convert the virtual machine to a template:<br />
1. Shut down the operating system.<br />
2. Click Edit Settings, set the CD/DVD device to use the Client Device, <strong>and</strong> then<br />
click OK.<br />
3. Right-click the virtual machine, <strong>and</strong> select Convert to Template under Template.<br />
4.2. Creating Custom Windows VMware Templates and Creating Linux VMware Templates<br />
If you want to create custom Windows VMware templates for your environment (rather than using the Unisys provided VMware templates), or if you want to create Red Hat Enterprise Linux or SUSE Linux templates, perform the procedures in this topic.<br />
4.2.1. Moving Template Configuration Images Folder<br />
In preparation for creating your own template, do the following to move the configuration<br />
images folders from the cloud management environment to the workload environment:<br />
1. From a vSphere Client connected to the management server, browse to the datastore,<br />
<strong>and</strong> download the Template Configuration Images folder to the workstation.<br />
2. From a vSphere Client connected to the vCenter server, browse to the datastore, <strong>and</strong><br />
upload the Template Configuration Images folder.<br />
Repeat as necessary to ensure that the folder is visible to all workload servers.<br />
4.2.2. Configuring a Windows Target Template<br />
Do the following to configure a new Windows target template using the Windows<br />
installation media:<br />
1. Do the following to create a virtual machine as VMware target template:<br />
a. Using your vSphere Client, connect to the vCenter running on the vCenter server.<br />
b. On one of the workload servers in Table 1–11, create a virtual machine that is to<br />
become the template.<br />
The template virtual machine must have a vNIC on your Public Network, which is<br />
labeled the Public Network.<br />
2. On the newly created virtual machine, select Edit Settings.<br />
3. Connect a CD/DVD drive containing the Windows .iso image.<br />
4. Select the Connect at power on check box.<br />
5. Select the network adapter in the Hardware list on the left, ensure that Connect at<br />
Power on is enabled, <strong>and</strong> then select the Public Network from the Network<br />
Connection list on the right.<br />
6. Power on the virtual machine <strong>and</strong> open a console to it.<br />
The Windows Install wizard starts.<br />
7. Complete the installation of the operating system, using the wizard. Note the<br />
following key points.<br />
a. Change the host name to a descriptive name.<br />
b. Create a blank administrator password that will be used in the runbook.<br />
Note: If you are loading Windows Server 2008, you cannot leave the password<br />
blank. You can use any password for Windows Server 2008.<br />
c. Enter a volume license key.<br />
This key should be supplied by the cloud provider <strong>and</strong> the value recorded in<br />
Table 1–35.<br />
d. Leave the template out of a domain.<br />
8. Disconnect the CD drive from the virtual machine.<br />
9. Restart the virtual machine.<br />
10. Log on to the virtual machine.<br />
Note: The password for Windows Server 2003 virtual machines should be blank.<br />
11. Apply all necessary Windows updates <strong>and</strong> patches.<br />
12. Ensure that the Administrator user does not have the User cannot change<br />
password option selected.<br />
13. Install anti-virus software.<br />
14. Install VMware Tools from Virtual Client. Do a complete installation of the VMware<br />
tools (not a typical installation).<br />
15. For environments in which one or more VLANs are configured <strong>and</strong> enabled, perform<br />
the following depending on your environment:<br />
For Windows Server 2003 <strong>and</strong> Windows XP<br />
Copy the dns-setup.vbs script from the datastore to the root of the C:\ drive.<br />
The dns-setup.vbs script is in the Win_2k3_Config.iso image, which is on the<br />
datastore in the Template Configuration Images folder that was uploaded in<br />
4.2.1 Moving Template Configuration Images Folder.<br />
For Windows Server 2008<br />
a. Edit the network adapter settings for the LAN connection attached to the VLAN<br />
<strong>and</strong> ensure that the following two options are enabled (on the Advanced settings<br />
DNS tab):<br />
Register this connection's addresses in DNS<br />
Use this connection's DNS suffix in DNS registration<br />
Note: Ensure that the DNS suffix for this connection box is blank.<br />
b. Disable IPv6, as follows:<br />
• Edit the network connection and ensure that Internet Protocol Version 6 (TCP/IPv6) is not selected.<br />
• Run regedit and edit the following registry entry:<br />
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters]<br />
"DisabledComponents"=dword:ffffffff<br />
c. If the optional Key Management Service (KMS) server role is set up in the<br />
<strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> environment, do the following:<br />
• Copy the activate.vbs script from the datastore to the root of the C:\ drive.<br />
The activate.vbs script is in the W2K8_Config.iso image, which is on the<br />
datastore in the Template Configuration Images folder that was uploaded in<br />
4.2.1 Moving Template Configuration Images Folder.<br />
• Edit this script to contain the correct KMS server name.<br />
16. Reboot the virtual machine if necessary.<br />
Setting Firewall Exceptions for Windows Server 2003 and Windows XP<br />
To set Firewall Exceptions for Windows Server 2003 or Windows XP, open a command prompt, and enter the following commands:<br />
• To enable ping commands:<br />
netsh firewall set icmpsetting type=8 mode=ENABLE profile=ALL<br />
• To enable Remote Desktop:<br />
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE profile=ALL<br />
Setting Firewall Exceptions for Windows Server 2008<br />
For the Windows Server 2008 template, create <strong>and</strong> enable custom firewall exceptions for<br />
ICMPv4 <strong>and</strong> ICMPv6 Echo Requests, as follows:<br />
1. In the Windows Firewall with Advanced Security snap-in, click Inbound Rules in the<br />
tree, <strong>and</strong> click New Rule in the Actions pane.<br />
2. Click Custom, <strong>and</strong> then click Next.<br />
3. Click All programs, <strong>and</strong> then click Next.<br />
4. For Protocol type, select ICMPv4.<br />
5. Click Customize next to Internet Control Message Protocol (ICMP)<br />
settings.<br />
6. Click Specific ICMP types.<br />
7. Click Echo Request, click OK, <strong>and</strong> then click Next.<br />
8. Under Which local IP address does this rule match? <strong>and</strong> For which remote<br />
IP address does this rule match?, click either of the following:<br />
• Any IP address<br />
• These IP addresses<br />
This value represents a set of IP addresses to which the instantiated virtual<br />
machine will respond, if those IP addresses ping the virtual machine. The virtual<br />
machine does not respond to pings from other IP addresses.<br />
If you click These IP addresses, specify the IP addresses to which the virtual<br />
machine will respond, click Add, <strong>and</strong> then click Next.<br />
9. Verify that Allow the connection is selected, <strong>and</strong> then click Next.<br />
10. Under When does this rule apply?, ensure that Domain, <strong>Private</strong>, <strong>and</strong> Public<br />
are selected, <strong>and</strong> then click Next.<br />
11. In the Name box, type a name for this rule. It is recommended that you create a rule<br />
name that indicates that Echo has been enabled for ICMPv4 networks.<br />
In the Description box, type an optional description.<br />
12. Click Finish.<br />
13. From the predefined Inbound Rules list, enable Remote Desktop for all profiles.<br />
14. If your tenants require a template that consists of more than just the base operating<br />
system, install <strong>and</strong> configure any additional software at this time.<br />
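As an added example (not from the Unisys guide), the following PowerShell script performs the Windows Server 2008 steps that this topic and step 15b of 4.2.2 describe through the GUI: it writes the DisabledComponents value, creates the ICMPv4 and ICMPv6 Echo Request rules scoped to a remote address list, and enables the predefined Remote Desktop rules; the rule names and the remote address range are placeholders to replace with the tenant's values.

```powershell
# Added example; not part of the Unisys guide. Run in an elevated PowerShell
# prompt inside the Windows Server 2008 template VM. Uses reg.exe and
# netsh advfirewall because the NetSecurity cmdlets do not exist on
# Windows Server 2008. Rule names and $RemoteIp are placeholders.
param(
    # Addresses allowed to ping the VM. Use 'any' for the guide's
    # "Any IP address" choice; the subnet below is a constructed placeholder
    # standing in for the tenant's ranges ("These IP addresses").
    [string]$RemoteIp = '10.0.0.0/24',
    [string]$RuleV4   = 'SPC-ICMPv4-Echo-Request',
    [string]$RuleV6   = 'SPC-ICMPv6-Echo-Request'
)

# 4.2.2 step 15b: DisabledComponents = 0xffffffff under TCPIP6\Parameters.
# reg.exe is used because older PowerShell rejects 0xffffffff as a DWORD.
& reg.exe add 'HKLM\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters' `
    /v DisabledComponents /t REG_DWORD /d 0xffffffff /f | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Failed to write DisabledComponents' }

# Setting Firewall Exceptions for Windows Server 2008: inbound Echo Request
# (ICMPv4 type 8 / ICMPv6 type 128, any code), all profiles, allowed only
# from $RemoteIp, so the instantiated VM does not answer pings from anywhere
# else. A stale copy is deleted first so re-running does not duplicate rules.
foreach ($rule in @(@($RuleV4, 'icmpv4:8,any'), @($RuleV6, 'icmpv6:128,any'))) {
    $name = $rule[0]; $proto = $rule[1]
    & netsh advfirewall firewall delete rule name="$name" | Out-Null
    & netsh advfirewall firewall add rule name="$name" dir=in action=allow `
        protocol=$proto remoteip=$RemoteIp profile=any | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Failed to add firewall rule $name" }
}

# Step 13: enable the predefined Remote Desktop rules for all profiles.
& netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Failed to enable Remote Desktop rules' }

# Checkpoint: display the scoped rules so the RemoteIP line can be verified
# before the virtual machine is converted to a template.
& netsh advfirewall firewall show rule name="$RuleV4"
& netsh advfirewall firewall show rule name="$RuleV6"
```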
Verifying the Remote Desktop Connection<br />
Verify that the Remote Desktop Connection is enabled in the template.<br />
Preinstalling Required Applications<br />
An important goal is to shorten the amount of time that it takes to provide an operational<br />
commissioned server. Therefore, in addition to installing <strong>and</strong> configuring the operating<br />
system, you should generally preinstall <strong>and</strong> configure some set of applications on your<br />
template. For example, this could be Apache Tomcat or Web services.<br />
However, before installing any application software, you should first clone your existing<br />
template <strong>and</strong> then install <strong>and</strong> configure the application software on the new clone. This<br />
new clone becomes a new template for the specific application. The existing template is<br />
retained in its original form for use with other application clones.<br />
Making a Windows Template Stealth Ready<br />
Note: This procedure is not required for the Unisys provided Stealth-enabled template.<br />
If Stealth for <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> is included in your environment, <strong>and</strong> if you want to<br />
make a custom Windows template Stealth ready, do the following:<br />
1. Point to the CD/DVD icon on the tool bar, point to CD/DVD Drive 1, <strong>and</strong> click<br />
Connect to ISO image on a datastore.<br />
The Browse Datastores dialog box appears.<br />
2. Browse to the datastore specified in the “Connection information for Workload<br />
vCenter” section of Table 1–9, select the Stealth-Tenant-Server-Windowstemplate-.iso<br />
file in the Stealth for SPC Configuration Images<br />
folder, <strong>and</strong> then click OK.<br />
Close the Autoplay dialog box, if it appears.<br />
3. Open a comm<strong>and</strong> prompt, <strong>and</strong> enter the following comm<strong>and</strong>s:<br />
D:<br />
Run_SetUpTenantVM.bat<br />
The setup file runs, restarts the template, <strong>and</strong> the login dialog box appears.<br />
4. Enter the appropriate user name <strong>and</strong> password to sign into the virtual machine.<br />
The Windows Activation dialog box appears.<br />
5. Click Cancel.<br />
Note: Do not enter a product key.<br />
The virtual machine desktop appears.<br />
6. Open File Explorer, browse to the C: drive, <strong>and</strong> then open the Results file using<br />
Notepad.<br />
The last line of the file has the following message:<br />
Tenant VM setup complete.<br />
7. Click the Drive icon on the toolbar, point to CD/DVD drive <strong>and</strong> click Disconnect<br />
from datastore image.<br />
The Disconnect Device dialog box opens.<br />
8. Click Yes.<br />
9. Shut down the virtual machine.<br />
VNIC Restrictions<br />
Each virtual machine template must include only one VNIC. This maintains network<br />
security in your environment by preventing bridging across multiple network connections.<br />
Converting to a Template<br />
Do the following to convert the virtual machine to a template:<br />
1. Shut down the operating system.<br />
2. Click Edit Settings, set the CD/DVD device to use the Client Device, <strong>and</strong> then<br />
click OK.<br />
3. Right-click the virtual machine, <strong>and</strong> select Convert to Template under Template.<br />
Testing the Windows Target Template<br />
Note: Perform the following test if you have a flat network; otherwise, perform this test<br />
after configuring the VLANs.<br />
Do the following to test the template:<br />
1. Unmount any CD image that is in the CD drive.<br />
2. Shut down the virtual machine, set the CD/DVD device to Use Client Device, <strong>and</strong><br />
convert it to a template.<br />
3. Deploy a virtual machine from the template, using the Deploy Template wizard. Enter<br />
your preferred values in each page of the wizard using values from Table 1–27, except<br />
that you must fill out the following pages as follows:<br />
• On the Guest Customization page, select Customize Using the<br />
Customization Wizard.<br />
• On the Computer Name page, select Use the Virtual Machine Name, <strong>and</strong><br />
enter the tenant DNS domain name from Table 1–27 in the Domain Name box.<br />
• On the DNS <strong>and</strong> Domain Settings page, enter the IP address for the tenant<br />
Domain Name Server from Table 1–27 in the Primary DNS box, enter the tenant<br />
DNS domain name from Table 1–27 in the DNS Search Path box, <strong>and</strong> then click<br />
Add.<br />
4. After the template deployment completes, open a VMware console to the desktop of the new virtual machine and wait until the log-on screen appears (this can take a few minutes).<br />
5. Log in using the default credentials.<br />
4.2.3. Configuring a Red Hat Enterprise Linux Target Template<br />
Do the following to configure a new Red Hat Enterprise Linux target template using the<br />
installation media:<br />
Note: The startup scripts for the Linux templates perform nonsecure (unauthenticated)<br />
dynamic DNS registration; a DNS zone that accepts nonsecure updates accepts record<br />
changes from any host that can reach the server. If the tenant-side DNS server requires<br />
secure DNS registration, you must modify the startup scripts as appropriate for the<br />
tenant’s needs.<br />
1. Do the following to create a virtual machine as VMware target template:<br />
a. Using your vSphere Client, connect to the vCenter running on the vCenter server.<br />
b. On one of the workload servers in Table 1–11, create a virtual machine that is to<br />
become the template.<br />
c. Assign the following attributes to the new virtual machine:<br />
• A vNIC on your Public Network, which is labeled the Public Network<br />
• At least 5 GB of disk space<br />
• Guest Operating System value of Linux<br />
• Version Red Hat Enterprise Linux 5 (32-bit) or Red Hat Enterprise Linux 5<br />
(64-bit)<br />
• Thin Provisioning enabled<br />
Do not start the virtual machine at this time.<br />
2. Select the deployed virtual machine, click Edit Settings, and do the following:<br />
a. Select the network adapter on the Hardware tab, and select the desired network<br />
for the virtual machine in the Network Label list.<br />
b. Ensure that Connect at Power on is enabled.<br />
c. Select the CD/DVD drive and click Client Device.<br />
d. Click the Options tab, select Boot Options, and enter 10,000 in the<br />
Power-on Boot Delay box.<br />
e. Click OK.<br />
3. Open a console to the virtual machine, <strong>and</strong> then power on the virtual machine.<br />
4. Click in the black area inside the console window, and press Esc to enter the boot<br />
menu.<br />
5. Press Ctrl+Alt to release the cursor.<br />
6. Click the CD icon on the console, and select either CD image or ISO image as the<br />
connection to the Red Hat installation media.<br />
7. Click in the black area inside the console window, select CD-ROM Drive using the<br />
down arrow, and then press Enter.<br />
The Red Hat installation wizard begins.<br />
8. Follow the wizard instructions to complete the installation of the operating system,<br />
noting the following key points:<br />
• Select Skip Entering Installation Number when prompted for an installation<br />
number.<br />
• Do the following on the Network Devices page:<br />
a. Click Edit.<br />
The Edit Interface dialog box appears.<br />
b. Clear the IPv6 support check box, and then click OK.<br />
The Edit Interface dialog box closes.<br />
c. Select Manually under the Hostname label, and then enter a descriptive<br />
host name, a period, and localdomain, as in the following example:<br />
rh53x64-tmp.localdomain<br />
• Set the root user’s password to the SysPrepVMAdminPwd value in<br />
Table 1–12.<br />
• When the Congratulations, the installation is complete message<br />
appears, click the CD icon on the console, disconnect the CD or ISO image, and<br />
then click Reboot.<br />
• On the Set Up Software Updates page, select the No, I’d prefer to<br />
register at a later time check box.<br />
A prompt appears, asking Are you sure you don’t want to connect....<br />
Select the No thanks, I’ll connect later check box.<br />
• On the Create User page, leave the boxes blank and click Forward.<br />
• When the It is highly recommended that a personal user account be<br />
created warning appears, click Continue.<br />
9. Log on to the virtual machine.<br />
10. Install VMware Tools, as follows:<br />
a. In the vSphere Client, right-click the virtual machine, point to Guest, click<br />
Install/Upgrade VMware Tools, and then click OK.<br />
The VMware Tools folder appears in the virtual machine desktop.<br />
Note: Newer versions of VMware have automated the installation of the<br />
VMware Tools. The remainder of this step applies only to older versions of<br />
VMware.<br />
b. In the VMware Tools folder, double-click the VMwareTools-.tar.gz file.<br />
The VMwareTools-.tar.gz dialog box appears.<br />
c. Click Extract.<br />
The Extract dialog box appears.<br />
d. Select Desktop in the Extract in Folder list, and then click Extract.<br />
e. Close the VMwareTools-.tar.gz dialog box.<br />
f. Run the Terminal application and enter the following command:<br />
cd /root/Desktop/vmware-tools-distrib<br />
g. Enter the following command:<br />
./vmware-install.pl<br />
The VMware Tools installation begins.<br />
h. Accept all installation defaults until you see the prompt for the display size, and<br />
then select the desired display size for your environment.<br />
i. Delete the vmware-tools-distrib folder from the desktop.<br />
j. Restart the virtual machine.<br />
11. Configure the system to support your desired remote access technology, such as<br />
SSH or VNC.<br />
12. Reboot the virtual machine, if necessary.<br />
13. Use vCenter to mount the RHEL_Config.iso file in the CD drive for the Red Hat<br />
system.<br />
The RHEL_Config.iso file is in the Template Configuration Images folder. Refer to<br />
4.2.1 Moving Template Configuration Images Folder.<br />
14. Copy the rc.local file from the CD to the folder /etc/rc.d, replacing the rc.local file that<br />
already exists.<br />
15. Ensure that the Allow executing file as a program permission is enabled for<br />
the file, as follows:<br />
a. Right-click the file, and then click Properties.<br />
b. Select the Execute check box on the Permissions tab, and then click Close.<br />
Making a Red Hat Enterprise Linux Template Stealth Ready<br />
If Stealth for Secure Private Cloud is included in your environment, and if you want to<br />
make a Red Hat Enterprise Linux template Stealth ready, do the following:<br />
1. Click Applications on the task bar, point to Accessories, and click Terminal.<br />
The username@host window opens.<br />
2. Click the Drive icon on the toolbar (the rightmost icon), point to CD/DVD drive and<br />
click Connect to ISO image on a datastore.<br />
The Browse Datastores dialog box opens.<br />
3. Browse to the datastore specified in the “Connection information for Workload<br />
vCenter” section of Table 1–9, and open the Stealth for SPC Configuration<br />
Images folder.<br />
4. Browse to the following file, and click OK:<br />
Stealth-Tenant-Server-RedHat-template-.iso<br />
The CD/DVD drive icon appears on the desktop.<br />
5. Double-click the CD/DVD drive icon.<br />
A dialog box for the .iso file opens, showing the contents of the file.<br />
6. In the Terminal window, enter the following command:<br />
mount /dev/cdrom /mnt/cdrom<br />
A message appears that the CD-ROM is write-protected and mounted as read-only.<br />
Note: If this fails because the mount point does not exist, create it using the<br />
following command, and then repeat the previous step:<br />
mkdir -p /mnt/cdrom<br />
7. Enter the following command:<br />
python /mnt/cdrom/SetUpTenantVM.py<br />
The script runs and displays messages.<br />
Wait for the setup process to complete.<br />
8. Enter the following command to dismount the CD-ROM:<br />
umount /mnt/cdrom<br />
9. Close the CD/DVD drive window and close the Terminal window.<br />
10. Right-click the CD/DVD icon on the desktop, and select Eject.<br />
11. Click the Drive icon on the toolbar, point to CD/DVD drive and click Disconnect<br />
from datastore image.<br />
VNIC Restrictions<br />
Each virtual machine template must include only one VNIC. A guest with vNICs on more<br />
than one network could bridge or route traffic between them and bypass the isolation<br />
between tenant networks, so the single-VNIC rule maintains network security in your<br />
environment by preventing bridging across multiple network connections.<br />
Preinstalling Required Applications<br />
An important goal is to shorten the amount of time that it takes to provide an operational<br />
commissioned server. Therefore, in addition to installing and configuring the operating<br />
system, you should generally preinstall and configure some set of applications on your<br />
template. For example, this could be Apache Tomcat or Web services.<br />
However, before installing any application software, you should first clone your existing<br />
template and then install and configure the application software on the new clone. This<br />
new clone becomes a new template for the specific application. The existing template is<br />
retained in its original form for use with other application clones.<br />
Converting to a Template<br />
Do the following to convert the virtual machine to a template:<br />
1. Shut down the operating system.<br />
2. Click Edit Settings, set the CD/DVD device to use the Client Device, and then<br />
click OK.<br />
3. Right-click the virtual machine, and select Convert to Template under Template.<br />
Testing the Red Hat Enterprise Linux Target Template<br />
Note: Perform the following test if you have a flat network; otherwise, perform this test<br />
after configuring the VLANs.<br />
Do the following to test the template:<br />
1. Deploy a virtual machine from the template, using the Deploy Template wizard. Enter<br />
your preferred values in each page of the wizard using values from Table 1–27, except<br />
that you must fill out the following pages as follows:<br />
• On the Guest Customization page, select Customize Using the<br />
Customization Wizard.<br />
• On the Computer Name page, select Use the Virtual Machine Name, and<br />
enter the tenant DNS domain name from Table 1–27 in the Domain Name box.<br />
• On the DNS and Domain Settings page, enter the IP address for the tenant<br />
Domain Name Server from Table 1–27 in the Primary DNS box, enter the tenant<br />
DNS domain name from Table 1–27 in the DNS Search Path box, and then click<br />
Add.<br />
• On the Ready to Complete page, disable the Power on this virtual<br />
machine after creation option.<br />
2. After the template deployment completes:<br />
a. Go to Edit Settings for the new virtual machine, and set the network adapter to<br />
the tenant VLAN network label in Table 1–26.<br />
b. Power on the new virtual machine.<br />
c. Open a VMware console to the desktop of the new virtual machine and wait until<br />
the log-on screen appears (this can take a few minutes), and then log in as root<br />
using the SysPrepVMAdminPwd value from Table 1–12.<br />
d. In the /etc/rc.d folder, open the runonce.log file and check for error messages. If<br />
the DNS registration was successful, the file should have a line that includes the<br />
following phrase:<br />
status: NOERROR<br />
3. Verify that the system was registered in the tenant-side DNS or in the uChargeback<br />
DNS if the tenant did not supply a DNS.<br />
If the tenant is using a Windows DNS, or if you are using the uChargeback DNS,<br />
then you can verify registration as follows:<br />
a. On the DNS server, run DNS from the Administrative Tools menu.<br />
b. In the left pane, expand the DNS host name node, expand the Forward<br />
Lookup Zones node, and expand the domain name node.<br />
c. In the right pane, verify that the host name for the Red Hat virtual machine<br />
appears.<br />
Note: If you were already running the DNS administrative tool, you might need<br />
to refresh the computer list by clicking the domain name in the left pane and then<br />
clicking Refresh on the Action menu.<br />
4. Power down the virtual machine, and delete the virtual machine from the disk.<br />
4.2.4. Configuring a SUSE Linux Target Template<br />
Do the following to configure a new SUSE Linux target template using the installation<br />
media:<br />
Notes:<br />
• The startup scripts for the Linux templates perform nonsecure (unauthenticated)<br />
dynamic DNS registration; a DNS zone that accepts nonsecure updates accepts record<br />
changes from any host that can reach the server. If the tenant-side DNS server requires<br />
secure DNS registration, you have to modify the startup scripts as appropriate for the<br />
tenant’s needs.<br />
• Stealth for Secure Private Cloud is not supported with SUSE Linux. If you want to<br />
create a Stealth-enabled Linux template, you must use Red Hat Enterprise Linux. See<br />
4.2.3 Configuring a Red Hat Enterprise Linux Target Template.<br />
1. Do the following to create a virtual machine as VMware target template:<br />
a. Using your vSphere Client, connect to the vCenter running on the vCenter server.<br />
b. On one of the workload servers in Table 1–11, create a virtual machine that is to<br />
become the template.<br />
c. Assign the following attributes to the new virtual machine:<br />
• A vNIC on your Public Network, which is labeled the Public Network<br />
• At least 5 GB of disk space<br />
• Guest Operating System value of Linux<br />
• Version SUSE Linux Enterprise 10 or SUSE Linux Enterprise 11, 32-bit or<br />
64-bit<br />
• Thin Provisioning enabled<br />
Do not start the virtual machine at this time.<br />
2. Select the deployed virtual machine, click Edit Settings, and do the following:<br />
a. Select the network adapter on the Hardware tab, and select the Public<br />
Network for the virtual machine in the Network Label list.<br />
b. Select the CD/DVD drive and click Client Device.<br />
c. Click the Options tab, select Boot Options, and enter 10,000 in the<br />
Power-on Boot Delay box.<br />
d. Click OK.<br />
3. Open a console to the virtual machine, and then power on the virtual machine.<br />
4. Click in the black area inside the console window, and press Esc to enter the boot<br />
menu.<br />
5. Press Ctrl+Alt to release the cursor.<br />
6. Right-click the CD icon on the console, and select either CD image or ISO image as<br />
the connection to the SUSE Linux installation media.<br />
7. Click in the black area inside the console window, select CD-ROM Drive using the<br />
down arrow, and then press Enter.<br />
The SUSE Linux installation wizard begins.<br />
8. Follow the wizard instructions to complete the installation of the operating system,<br />
noting the following key points:<br />
• On the Password for the System Administrator "root" page, set the<br />
password to the value for SysPrepVMAdminPwd in Table 1–12.<br />
• On the Hostname and Domain Name page, change the host name to a<br />
descriptive name, but leave the domain name unchanged.<br />
• On the Network Configuration page, clear the IPv6 check box.<br />
• On the Test Internet Connection page, select No, Skip This Test if the<br />
virtual machine is not currently connected to a network with Internet access.<br />
• On the User Authentication method page, select Local.<br />
• On the New Local User page, leave the boxes blank and click Next.<br />
• When the Empty User Login prompt appears, click Yes.<br />
9. Log on to the virtual machine.<br />
10. Install VMware Tools, as follows:<br />
a. In the vSphere Client, right-click the virtual machine, point to Guest and then<br />
Install/Upgrade VMware Tools, click Interactive Install, and then click<br />
OK.<br />
The VMware_Tools File Browser appears on the virtual machine desktop.<br />
b. In the VMware_Tools folder, double-click the VMwareTools-.tar.gz file.<br />
The VMwareTools-.tar.gz dialog box appears.<br />
c. Click Extract.<br />
The Extract dialog box appears.<br />
d. Select Desktop in the Extract in Folder list, and then click Extract.<br />
e. Close the VMwareTools-.tar.gz dialog box.<br />
f. Run the Terminal application and enter the following command:<br />
cd /root/Desktop/vmware-tools-distrib<br />
g. Enter the following command:<br />
./vmware-install.pl<br />
The VMware Tools installation begins.<br />
h. Accept all installation defaults until you see the prompt for the display size, and<br />
then select the desired display size for your environment.<br />
i. Delete the vmware-tools-distrib folder from the desktop.<br />
j. Restart the virtual machine.<br />
11. Configure the system to support your desired remote access technology, such as<br />
SSH or VNC.<br />
12. Reboot the virtual machine, if necessary.<br />
13. Use vCenter to mount the SLES_Config.iso file in the CD drive for the SUSE Linux<br />
system.<br />
The SLES_Config.iso file is in the Template Configuration Images folder. Refer to<br />
4.2.1 Moving Template Configuration Images Folder.<br />
14. Copy the example spc_dns file from the CD to the folder /etc/init.d.<br />
15. Run the Gnome Terminal and enter the following command:<br />
cd /etc/init.d<br />
16. Enter the following command to make the spc_dns script executable:<br />
chmod 755 spc_dns<br />
17. Enter the following command to cause the spc_dns script to run automatically after<br />
every reboot:<br />
insserv spc_dns<br />
18. If you are using SUSE Linux Enterprise 10, then perform the following workaround<br />
for the name resolution problem with “.local” domains, as follows:<br />
Note: This is a known problem with Novell SUSE Linux 10. Do not perform this<br />
workaround on SUSE Linux 11. Refer to the following link for more information:<br />
http://www.novell.com/support/dynamickc.do?cmd=show&forward=nonthreadedKC&docType=kc&externalId=3794674&sliceId=1<br />
a. Using a text editor, open the file /etc/host.conf.<br />
b. Insert a line with the following value:<br />
mdns off<br />
c. Save and close the file.<br />
VNIC Restrictions<br />
Each virtual machine template must include only one VNIC. A guest with vNICs on more<br />
than one network could bridge or route traffic between them and bypass the isolation<br />
between tenant networks, so the single-VNIC rule maintains network security in your<br />
environment by preventing bridging across multiple network connections.<br />
Preinstalling Required Applications<br />
An important goal is to shorten the amount of time that it takes to provide an operational<br />
commissioned server. Therefore, in addition to installing and configuring the operating<br />
system, you should generally preinstall and configure some set of applications on your<br />
template. For example, this could be Apache Tomcat or Web services.<br />
However, before installing any application software, you should first clone your existing<br />
template and then install and configure the application software on the new clone. This<br />
new clone becomes a new template for the specific application. The existing template is<br />
retained in its original form for use with other application clones.<br />
Deleting MAC Addresses<br />
Use the following steps to modify the network adapter configuration so that it does not<br />
specify a MAC address. Otherwise, when a virtual machine is cloned from this template,<br />
the clone receives a new MAC address that does not match the stored rule, Linux<br />
renames the network adapter, and the spc_dns script is unable to register in DNS.<br />
To delete MAC addresses<br />
1. In the folder /etc/sysconfig/network, locate a file with the name ifcfg-eth-id-<br />
(such as ifcfg-eth-id-00:50:56:8a:09:83) and change the filename to<br />
ifcfg-eth0.<br />
2. Edit the ifcfg-eth0 file. If the file includes a DEVICE assignment, change the value to<br />
'eth0'. For example, if the assignment is<br />
DEVICE='eth2'<br />
Change the assignment to<br />
DEVICE='eth0'<br />
3. Open the following file for editing, if it exists:<br />
/etc/udev/rules.d/30-net_persistent_names.rules<br />
4. Delete any rules that are present in this file (that is, any statements that are not<br />
preceded by a # comment character).<br />
5. Delete the following file, if it exists:<br />
/etc/udev/rules.d/70-persistent_net.rules<br />
6. Immediately after performing step 5, shut the system down and convert it to a<br />
template.<br />
Note: If you mistakenly reboot the system after performing step 5, then you must<br />
perform steps 3 through 5 again, because the rules in 30-net_persistent_names.rules<br />
and 70-persistent_net.rules are regenerated automatically after each reboot.<br />
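The six steps above as a script, added here as an example; it is not Unisys code and is not part of SLES_Config.iso. It takes a root prefix so it can be tried against a scratch directory, which is how the embedded run at the end exercises it; the ifcfg and udev rule contents it creates are constructed approximations of what a fresh SLES install writes, the MAC address is made up, and the function names are this example's own. Besides performing steps 1 through 5, it adds the check that the step 6 note implies: confirm that nothing still ties eth0 to the old MAC immediately before shutting down, because a reboot in between regenerates the rules.<br />

```shell
#!/bin/sh
# Added example, not part of the Unisys guide: the "Deleting MAC Addresses"
# steps for a SUSE Linux template as a script, plus a check that nothing on
# disk still binds eth0 to the template's MAC before the VM is converted.
#
# Assumptions not stated by the guide: the first argument is a root prefix
# (default /) so the script can run against a scratch directory; the function
# names are this example's own; the sample ifcfg and udev rule contents below
# are constructed approximations of what a fresh SLES install writes.

# Steps 1-2: rename ifcfg-eth-id-<MAC> to ifcfg-eth0 and pin DEVICE to eth0.
spc_unbind_ifcfg() {
    root="${1:-/}"
    netdir="$root/etc/sysconfig/network"
    for f in "$netdir"/ifcfg-eth-id-*; do
        [ -e "$f" ] || continue                  # glob matched nothing
        mv "$f" "$netdir/ifcfg-eth0"
    done
    cfg="$netdir/ifcfg-eth0"
    [ -f "$cfg" ] || return 1                    # no adapter config to fix
    # Rewrite any DEVICE= line (e.g. DEVICE='eth2'); done through a temp file
    # so the same command works with GNU and BSD sed.
    sed "s/^DEVICE=.*/DEVICE='eth0'/" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Steps 3-5: keep only comment lines in 30-net_persistent_names.rules and
# delete 70-persistent_net.rules.
spc_strip_udev_net_rules() {
    root="${1:-/}"
    rules="$root/etc/udev/rules.d/30-net_persistent_names.rules"
    if [ -f "$rules" ]; then
        grep '^#' "$rules" > "$rules.tmp" || true  # grep exits 1 if no comments
        mv "$rules.tmp" "$rules"
    fi
    rm -f "$root/etc/udev/rules.d/70-persistent_net.rules"
}

# Returns 0 only when no MAC-bound adapter configuration remains.  Run it
# immediately before shutting down for conversion: a reboot in between
# regenerates the udev rules and this check fails again (step 6 note).
spc_check_mac_agnostic() {
    root="${1:-/}"
    netdir="$root/etc/sysconfig/network"
    rulesdir="$root/etc/udev/rules.d"
    for f in "$netdir"/ifcfg-eth-id-*; do
        [ -e "$f" ] && return 1                  # MAC-named config still present
    done
    [ -f "$netdir/ifcfg-eth0" ] || return 1
    if grep -q '^DEVICE=' "$netdir/ifcfg-eth0" && \
       ! grep -q "^DEVICE='eth0'" "$netdir/ifcfg-eth0"; then
        return 1                                 # DEVICE points at another name
    fi
    [ -e "$rulesdir/70-persistent_net.rules" ] && return 1
    if [ -f "$rulesdir/30-net_persistent_names.rules" ] && \
       grep -qvE '^(#|$)' "$rulesdir/30-net_persistent_names.rules"; then
        return 1                                 # a live rename rule survived
    fi
    return 0
}

# Steps 1-5 followed by the check; step 6 (shut down and convert) stays manual.
spc_prepare_for_clone() {
    spc_unbind_ifcfg "$1" && spc_strip_udev_net_rules "$1" && spc_check_mac_agnostic "$1"
}

# ---- exercise against a constructed scratch tree ---------------------------
scratch=$(mktemp -d)
mkdir -p "$scratch/etc/sysconfig/network" "$scratch/etc/udev/rules.d"
# Constructed: adapter config named after a made-up VMware MAC, as in step 1.
cat > "$scratch/etc/sysconfig/network/ifcfg-eth-id-00:50:56:8a:09:83" <<'EOF'
BOOTPROTO='dhcp'
STARTMODE='auto'
DEVICE='eth2'
EOF
# Constructed: a generated rename rule that ties that MAC to eth0.
cat > "$scratch/etc/udev/rules.d/30-net_persistent_names.rules" <<'EOF'
# Generated at install time; every non-comment line here is a MAC binding.
SUBSYSTEM=="net", ACTION=="add", SYSFS{address}=="00:50:56:8a:09:83", IMPORT="/lib/udev/rename_netiface %k eth0"
EOF
: > "$scratch/etc/udev/rules.d/70-persistent_net.rules"

if spc_check_mac_agnostic "$scratch"; then
    echo "before: unexpectedly clean"
else
    echo "before: MAC-bound, as expected on a freshly installed template"
fi
if spc_prepare_for_clone "$scratch"; then
    echo "after: no MAC binding left; shut down and convert to a template now"
else
    echo "after: still MAC-bound, do not convert"
fi
```

On the template itself, run spc_prepare_for_clone with no argument (root prefix /) as root, then shut down and convert without rebooting; if the final check fails, a reboot has regenerated the rules and steps 3 through 5 have to be repeated, exactly as the note above says.<br />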
Converting to a Template<br />
Do the following to convert the virtual machine to a template:<br />
1. Shut down the operating system.<br />
2. Click Edit Settings, set the CD/DVD device to use the Client Device, and then<br />
click OK.<br />
3. Right-click the virtual machine, and select Convert to Template under Template.<br />
Testing a SUSE Linux Target Template<br />
Note: Perform the following test if you are not using VLANs to isolate tenant resources;<br />
otherwise, perform this test after configuring the VLANs.<br />
Do the following to test the template:<br />
1. Deploy a virtual machine from the template, using the Deploy Template wizard. Enter<br />
your preferred values in each page of the wizard using values from Table 1–27, except<br />
that you must fill out the following pages as follows:<br />
• On the Guest Customization page, select Customize Using the<br />
Customization Wizard.<br />
• On the Computer Name page, select Use the Virtual Machine Name, and<br />
enter the tenant DNS domain name from Table 1–27 in the Domain Name box.<br />
• On the DNS and Domain Settings page, enter the IP address for the tenant<br />
Domain Name Server from Table 1–27 in the Primary DNS box, enter the tenant<br />
DNS domain name from Table 1–27 in the DNS Search Path box, and then click<br />
Add.<br />
• On the Ready to Complete page, disable the Power on this virtual<br />
machine after creation option.<br />
2. After the template deployment completes:<br />
a. Go to Edit Settings for the new virtual machine, and set the network adapter to<br />
the tenant VLAN network label in Table 1–26.<br />
b. Power on the new virtual machine.<br />
c. Open a VMware console to the desktop of the new virtual machine and wait until<br />
the log-on screen appears (this can take a few minutes), and then log in as root<br />
using the SysPrepVMAdminPwd value from Table 1–12.<br />
d. In the /etc/init.d folder, open the spc_dns.log file and check for error messages. If<br />
the DNS registration was successful, the file should have a line that includes the<br />
following phrase:<br />
status: NOERROR<br />
3. Verify that the system was registered in the tenant-side DNS.<br />
If the tenant is using a Windows DNS, then you can verify registration as follows:<br />
a. On the domain controller, run DNS from the Administrative Tools menu.<br />
b. In the left pane, expand the DNS host name node, expand the Forward<br />
Lookup Zones node, and expand the domain name node.<br />
c. In the right pane, verify that the host name for the SUSE Linux virtual machine<br />
appears.<br />
Note: If you were already running the DNS administrative tool, you might need<br />
to refresh the computer list by clicking the domain name in the left pane and then<br />
clicking Refresh on the Action menu.<br />
4. Power down the virtual machine, and delete the virtual machine from the disk.<br />
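The log check in step 2d above, and the same check in step 2d of the Red Hat test earlier in this section, as an added shell example; this is not code from the Unisys guide and not part of the rc.local or spc_dns scripts it ships. It assumes, which the guide does not state, that the startup script logs the output of nsupdate run with debugging on. That output prints one header for the outgoing update and a second header for the server's reply, and only the reply status says whether the registration was accepted, so a plain grep for "status: NOERROR" reports success even on an update the server refused. The function names, the two constructed sample logs and the reading of "NOREPLY" are this example's own; the forward-lookup check with dig needs network access and only runs when SPC_DNS_SERVER and SPC_EXPECTED_IP are set.<br />

```shell
#!/bin/sh
# Added example (not part of the Unisys guide): post-deployment checks for the
# Linux template DNS registration described in the testing procedures.
#
# Assumptions (not stated by the guide):
#   - the startup script (rc.local on Red Hat, spc_dns on SUSE) appends the
#     output of "nsupdate -d" to its log, which is where the phrase
#     "status: NOERROR" comes from;
#   - the log paths /etc/rc.d/runonce.log and /etc/init.d/spc_dns.log are the
#     ones the guide names; any other path can be passed explicitly;
#   - the sample logs at the bottom are constructed, with made-up addresses.

# Print the status of the LAST "Reply from update query:" block in an
# nsupdate debug log.  The "Outgoing update query:" header always says
# NOERROR, so grepping the whole file for that phrase would report success
# even when the server answered REFUSED; only the reply counts.  A log with
# no reply at all (server unreachable, timeout) yields NOREPLY.
spc_dns_reply_status() {
    awk '
        /^Reply from update query:/ { inreply = 1; next }
        inreply && /->>HEADER<<-/ {
            st = $0
            sub(/.*status: /, "", st)
            sub(/,.*/, "", st)
            inreply = 0
        }
        END { print (st == "" ? "NOREPLY" : st) }
    ' "$1"
}

# Return 0 only if the registration reply was NOERROR.
spc_dns_registration_ok() {
    [ "$(spc_dns_reply_status "$1")" = "NOERROR" ]
}

# Pick the log for the distribution this guest is running on.
spc_dns_default_log() {
    if [ -f /etc/rc.d/runonce.log ]; then
        echo /etc/rc.d/runonce.log          # Red Hat template
    else
        echo /etc/init.d/spc_dns.log        # SUSE template
    fi
}

# Forward-lookup check against the tenant DNS server: the name must resolve
# to exactly the address the guest registered, which catches a stale record
# left by an earlier test deployment with the same name.  Needs network
# access and dig, so it is only run when the two variables below are set.
spc_dns_forward_ok() {
    # usage: spc_dns_forward_ok <fqdn> <expected ip> <dns server>
    answer=$(dig +short +time=3 +tries=1 "@$3" "$1" A | tr -d '\r')
    [ "$answer" = "$2" ]
}

# ---- self-check on constructed sample logs -------------------------------
tmp=$(mktemp -d)

# Constructed: a registration the server accepted.
cat > "$tmp/accepted.log" <<'EOF'
Sending update to 10.10.1.5#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  41287
;; UPDATE SECTION:
rh53x64-tmp.tenant.example.    300    IN    A    10.10.1.40

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  41287
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
EOF

# Constructed: the same update refused by a zone that only accepts secure
# (authenticated) dynamic updates.  "status: NOERROR" still appears in the
# outgoing header, so a plain grep would wrongly call this a success.
cat > "$tmp/refused.log" <<'EOF'
Sending update to 10.10.1.5#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  41288
;; UPDATE SECTION:
rh53x64-tmp.tenant.example.    300    IN    A    10.10.1.40

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  41288
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
EOF

for f in accepted refused; do
    if spc_dns_registration_ok "$tmp/$f.log"; then
        echo "$f: registration OK"
    else
        echo "$f: registration FAILED (reply status $(spc_dns_reply_status "$tmp/$f.log"))"
    fi
done

# On a deployed test machine, the real checks are:
#   spc_dns_registration_ok "$(spc_dns_default_log)"
#   SPC_DNS_SERVER=<tenant dns> SPC_EXPECTED_IP=<vm ip> ... spc_dns_forward_ok
if [ -n "$SPC_DNS_SERVER" ] && [ -n "$SPC_EXPECTED_IP" ]; then
    if spc_dns_forward_ok "$(hostname -f)" "$SPC_EXPECTED_IP" "$SPC_DNS_SERVER"; then
        echo "forward lookup matches $SPC_EXPECTED_IP"
    else
        echo "forward lookup MISMATCH"
    fi
fi
```

A REFUSED reply is what a zone that requires secure dynamic updates returns to these scripts; that is the case the notes at the start of 4.2.3 and 4.2.4 warn about, and it is the reason the reply status, not just the presence of the phrase, is what to read in runonce.log or spc_dns.log.<br />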
4.3. Preparing an Existing Virtual Machine or<br />
Template for a Stealth-Enabled VLAN<br />
Perform the following procedures to prepare an existing Windows or Red Hat Enterprise<br />
Linux virtual machine or virtual machine template to run on a Stealth-enabled VLAN.<br />
Note: Perform this procedure if you have an existing template in your environment that<br />
meets the requirements of Secure Private Cloud but that has not yet been Stealth-enabled.<br />
(If you are using a Unisys provided template, do not perform this procedure;<br />
instead, use the Unisys provided Stealth-enabled template. If you already performed the<br />
procedure in Making a Windows Template Stealth Ready or Making a Red Hat Enterprise<br />
Linux Template Stealth Ready, do not perform this procedure, since your template is<br />
already Stealth ready.)<br />
4.3.1. VNIC Restrictions<br />
Each virtual machine template must include only one VNIC. A guest with vNICs on more<br />
than one network could bridge or route traffic between them and bypass the isolation<br />
between tenant networks, so the single-VNIC rule maintains network security in your<br />
environment by preventing bridging across multiple network connections.<br />
4.3.2. Preparing a Windows Virtual Machine or Template for a<br />
Stealth-Enabled VLAN<br />
You can prepare an existing Windows virtual machine or virtual machine template to run on<br />
a Stealth-enabled VLAN (that is, make the template Stealth ready). Before starting the<br />
following procedure, you can make a clone of the virtual machine or template if you want<br />
to preserve it in its original form.<br />
Notes:<br />
• Making a virtual machine or template Stealth ready does not install Stealth for Secure<br />
Private Cloud software. Instead, the procedure copies the files necessary for Stealth<br />
for Secure Private Cloud software to be installed and configured.<br />
• For Windows Server 2003 operating systems, ensure that the password for the local<br />
administrator account on the virtual machine template is blank. Treat this as a<br />
temporary state: a template whose local administrator password is blank must not be<br />
exposed on a tenant network until a password has been set.<br />
1. Open a vSphere Client, and log on to vCenter.<br />
2. In the vSphere Client, select the Windows virtual machine or template that you want<br />
to prepare for Stealth for Secure Private Cloud, and do the following:<br />
a. Click Convert to a virtual machine in the Basic Tasks list.<br />
The Convert Template to Virtual Machine dialog box opens.<br />
b. Expand Host/Cluster, select the specific host, select the IP address, and click<br />
Next.<br />
The Resource Pool page appears.<br />
c. Verify that a “validation succeeded” message appears in the Compatibility box,<br />
and then click Next.<br />
The Ready to Complete page appears.<br />
d. Click Finish.<br />
3. In the vSphere Client, select the Windows virtual machine, and click Power On the<br />
virtual machine in the Basic Tasks list.<br />
The virtual machine is powered on and the task changes to Power Off the virtual<br />
machine.<br />
4. Right-click the Windows virtual machine in the left pane, and do the following:<br />
a. Click Open Console.<br />
The Windows Template window opens <strong>and</strong> shows the virtual machine starting.<br />
A progress bar appears <strong>and</strong> shows the startup steps.<br />
When the startup process finishes, a login prompt appears, followed by the login<br />
dialog box.<br />
b. Enter the appropriate user name to sign into the virtual machine.<br />
The Windows Activation dialog box appears.<br />
c. Click Cancel.<br />
Note: Do not enter a product key.<br />
A restart message box appears.<br />
d. Click Restart Later.<br />
5. Set up directories and copy files for making the virtual machine or template Stealth<br />
ready, as follows:<br />
a. Point to the CD/DVD icon on the tool bar, point to CD/DVD Drive 1, and click<br />
Connect to ISO image on a datastore.<br />
The Browse Datastores dialog box appears.<br />
b. Browse to the Stealth for SPC Configuration Images folder on the desired<br />
datastore, and click the desired template ISO file.<br />
c. If the Autoplay dialog box appears, click Run_SetUpTenantVM.bat.<br />
Note: On some versions of Windows, this .bat file runs automatically.<br />
The setup file runs, restarts the template, and the login dialog box appears.<br />
d. Enter the appropriate user name and password to sign into the virtual machine.<br />
e. If the Windows Activation dialog box appears, click Cancel.<br />
Note: Do not enter a product key.<br />
The virtual machine desktop appears.<br />
f. CHECKPOINT:<br />
Open Windows Explorer, browse to the C: drive, <strong>and</strong> then open the Result.txt<br />
file using Notepad.<br />
Verify that the last line of the file displays the following message:<br />
Tenant VM setup complete.<br />
Close the Result.txt file.<br />
g. Click the Drive icon on the toolbar, point to CD/DVD drive and click<br />
Disconnect from datastore image.<br />
The Disconnect Device dialog box opens.<br />
h. Click Yes.<br />
i. Click the Start menu, point to Log off, and click Shut down.<br />
6. Configure the virtual machine, as follows:<br />
a. Click Edit Settings on the VM menu.<br />
The Virtual Machine Properties dialog box opens.<br />
b. Click CD/DVD Drive 1 in the Hardware list in the left pane, and then click<br />
Client Device in the right pane.<br />
CD/DVD Drive 1 appears as edited in the left pane, with Client Device in<br />
the Summary list.<br />
c. Click Floppy drive 1 in the Hardware list in the left pane, and then click<br />
Client Device in the right pane.<br />
Floppy drive 1 appears as edited in the left pane, with Client Device in the<br />
Summary list.<br />
d. Click OK.<br />
7. Close the console to the Windows virtual machine.<br />
8. Right-click the Windows virtual machine in the left pane, point to Template, and<br />
then click Convert to Template.<br />
The Windows template is ready to be run or used for provisioning virtual machines running<br />
the Windows operating system on a Stealth-enabled VLAN.<br />
4.3.3. Preparing a Red Hat Enterprise Linux Virtual Machine or Template for a Stealth-Enabled VLAN
You can prepare an existing Red Hat Enterprise Linux virtual machine or virtual machine template to run on a Stealth-enabled VLAN (that is, make the template Stealth ready). Before starting the following procedure, you can make a clone of the virtual machine or template if you want to preserve it in its original form.
Note: Making a virtual machine or template Stealth ready does not install Stealth for Secure Private Cloud software. Instead, the procedure copies the files necessary for Stealth for Secure Private Cloud software to be installed and configured.
1. Open a vSphere Client, and log on to vCenter.
2. In the vSphere Client, select the Red Hat Enterprise Linux virtual machine or template that you want to prepare for Stealth for Secure Private Cloud, and do the following:
a. Click Convert to a virtual machine in the Basic Tasks list.
The Convert Template to Virtual Machine dialog box opens.
b. Expand Host/Cluster, select the specific host, select the IP address, and click Next.
The Resource Pool page appears.
c. Verify that a “validation succeeded” message appears in the Compatibility box, and then click Next.
The Ready to Complete page appears.
d. Click Finish.
3. In the vSphere Client, select the Red Hat Enterprise Linux virtual machine, and click Power On the virtual machine in the Basic Tasks list.
The virtual machine is powered on and the task changes to Power Off the virtual machine.
4. Right-click the Red Hat Enterprise Linux virtual machine in the left pane, and do the following:
a. Click Open Console.
The Red Hat Template window opens and shows the virtual machine starting. A progress bar appears and shows the startup steps.
Creating VMware Template Gold Images<br />
When the startup process finishes, a login prompt appears, followed by the login window.
b. Enter the appropriate user name, followed by the appropriate password, to sign into the virtual machine.
5. Set up directories and copy files for making the virtual machine or template Stealth ready, as follows:
a. Click Applications on the task bar, point to Accessories, and click Terminal.
The username@host window opens.
b. Click the Drive icon on the toolbar (the rightmost icon), point to CD/DVD drive, and click Connect to ISO image on a datastore.
The Browse Datastores dialog box opens.
c. Browse to the “Stealth for SPC Configuration Images” folder on the datastore referenced in the Connection Information for Workload vCenter section of Table 1–9.
d. Select the Stealth-Tenant-Server-RedHat-template-.iso file, and then click OK.
The CD/DVD drive icon appears on the desktop.
e. Double-click the CD/DVD drive icon.
A dialog box for the .iso file opens, showing the contents of the file.
f. Enter the following command:
mount /dev/cdrom /mnt/cdrom
A message appears that the CD-ROM is write-protected and mounted as read-only.
Note: If this fails, create the mount directory using the following command, and then enter the mount command again:
mkdir /mnt/cdrom
g. Enter the following command:
python /mnt/cdrom/SetUpTenantVM.py
The script runs and displays messages. Wait for the setup process to complete.
h. Enter the following command to dismount the CD-ROM:
umount /mnt/cdrom
i. Click the Drive icon on the toolbar, point to CD/DVD drive, and then click Disconnect from datastore image.
6. Configure the virtual machine, as follows:
a. Click Edit Settings on the VM menu.
The Virtual Machine Properties dialog box opens.
b. Click CD/DVD Drive 1 in the Hardware list in the left pane, and then click Client Device in the right pane.
CD/DVD Drive 1 appears as edited in the left pane, with Client Device in the Summary list.
c. Click Floppy drive 1 in the Hardware list in the left pane, and then click Client Device in the right pane.
Floppy drive 1 appears as edited in the left pane, with Client Device in the Summary list.
d. Click OK.
7. Close the Red Hat Template window.
The Virtual Machine Question dialog box appears.
8. Click Yes to disconnect, and then click OK.
9. In the vSphere Client, select the Red Hat Enterprise Linux virtual machine in the left pane, click Shut Down Guest in the Basic Tasks list, and then click Yes to confirm.
The virtual machine is powered off.
10. Select the Red Hat Enterprise Linux template in the left pane, and click Convert to a template in the Basic Tasks list.
The Red Hat Enterprise Linux virtual machine or template is ready to be run or used for provisioning virtual machines running the Linux operating system on a Stealth-enabled VLAN.
4.4. Importing Tenant VLAN Network Appliance and Load Balancer Templates
Specialized virtual machine templates are provided with the Secure Private Cloud environment to isolate tenant traffic using VLANs and to enable load balancing. You can import these templates, depending on your cloud environment.
Do the following to import these templates:
1. Locate the following templates in the “Recovery Images\Tenant VLAN Appliances” folder on the management server datastore or the SAN:
• A tenant VLAN network appliance template, which enables you to isolate tenant network traffic using VLANs (Tenant-VLAN-NetAppliance.ova)
• A template for load balancing Web applications (Tenant-Load-Balancer.ova)
2. Download the .ova file or files to the configuration workstation.
3. Using vSphere, connect to the vCenter server that is managing the workload servers.
4. To deploy the tenant VLAN network appliance template, do the following:
a. On the vSphere File menu, point to Deploy OVF Template.
b. Browse to the Tenant-VLAN-NetAppliance.ova file that you downloaded to the configuration workstation.
c. Complete each page of the wizard, supplying appropriate values when prompted.
• At the prompt for a datastore, select the datastore to which you want to deploy the appliance.
The best practice is to deploy to a SAN storage datastore. Select a datastore that can be accessed from all the workload servers.
Note: If there is only one datastore, you are not prompted to select a datastore.
• At the prompt for a disk format, select Thin Provisioned Format.
• On the Network Mapping dialog box, accept all the default values.
These settings are modified when you deploy a tenant VLAN network appliance later in the configuration process.
d. Click Next several times, and then click Finish.
The import process begins.
5. To deploy the template for load balancing Web applications, do the following:
a. On the vSphere File menu, point to Deploy OVF Template.
b. Browse to the Tenant-Load-Balancer.ova file that you downloaded to the configuration workstation.
c. Answer any prompts as appropriate for your environment.
6. For each network adapter, use the Edit Settings option to ensure that the network adapters do not have the “Connect at power on” option enabled.
7. If you are deploying the tenant VLAN network appliance (Tenant-VLAN-NetAppliance.ova), and if your workload servers are running VMware ESXi 5.x, then you must install the VMware Tools 5.0 in this template. Perform the procedure in 4.5 Installing VMware Tools 5.0 in the Tenant VLAN Network Appliance, and then return to this procedure.
Note: If you are only deploying the Tenant-Load-Balancer.ova, you do not need to install the VMware Tools 5.0. If your workload servers are running VMware ESX or ESXi 4.x or earlier, you do not need to install the VMware Tools 5.0. Simply proceed to the next step.
8. Use vSphere to convert the virtual machines into templates.
You use these templates to deploy a new tenant VLAN network appliance (as described in Section 5, Implementing a New Tenant VLAN), or to deploy a tenant load balancer (as described in 8.3 Configuring an HAProxy Load Balancer for Web Applications).
4.5. Installing VMware Tools 5.0 in the Tenant VLAN Network Appliance
Note: Perform this procedure if the workload servers are running VMware ESXi 5.x.
Do the following to install the VMware Tools 5.0 in the tenant VLAN network appliance:
1. Open a vSphere Client, and log on to vCenter.
2. Open a console to the tenant VLAN network appliance (Tenant-VLAN-NetAppliance), power it on, and log in using the credentials from Table 2–1.
3. Enter the following command to uninstall the existing version of the VMware Tools:
sudo /home/vyatta/vmware-tools-distrib/bin/vmware-uninstall-tools.pl
4. Accept the default values for any prompts you receive.
5. Enter the following command to completely delete the existing version of the VMware Tools installation software:
sudo rm -rf VMwareTools-8.6.5-621624.tar.gz vmware-tools-distrib
6. Enter the following command to reboot the tenant VLAN network appliance:
sudo reboot
7. After the tenant VLAN network appliance reboots, on the VM menu, point to Guest, and then click Install/Upgrade VMware Tools.
8. If the Install/Upgrade Tools dialog box appears, select Interactive Tools Upgrade, and then click OK.
9. Return to the console for the tenant VLAN network appliance, and log in again using the credentials from Table 2–1.
10. Enter the following command to create a mount point for the ISO image that VMware has connected to the virtual CD-ROM drive:
sudo mkdir /mnt/tools
11. Enter the following command to mount the CD-ROM ISO image:
sudo mount /dev/cdrom /mnt/tools
12. Enter the following command to change the working directory to the Vyatta home directory:
cd /home/vyatta
13. Enter the following command to extract the VMware Tools 5.0 installation directory from the tar.gz file on the CD-ROM ISO image:
tar -xvf /mnt/tools/VMwareTools-*.tar.gz
Note: Entering the wildcard character (*) in the command simplifies the installation, because you do not have to enter the exact version of VMware ESXi running on the workload server.
14. Enter the following command to change to the VMware Tools installation directory:
cd /home/vyatta/vmware-tools-distrib
15. Enter the following command to run the VMware Tools installer program:
sudo ./vmware-install.pl
16. Accept the default values for any prompts you receive.
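As an added example (not part of the Unisys guide), the following POSIX shell script wraps steps 10 through 15 and resolves the VMwareTools-*.tar.gz wildcard from step 13 safely: the guide's tar command assumes the glob matches exactly one archive, and the helper refuses to continue when it matches none or several. The mount point /mnt/tools and the Vyatta home directory come from the guide; the function names and the --install flag are assumptions.

```shell
#!/bin/sh
# Added example, not from the Unisys guide: a safe wrapper for steps 10-15.
# find_tools_tarball prints the single VMwareTools-*.tar.gz in a directory.
# A bare "tar -xvf /mnt/tools/VMwareTools-*.tar.gz" misbehaves when the glob
# matches nothing (tar receives the literal pattern) or several archives
# (tar treats the extra names as members to extract), so refuse both cases.
# Exit status: 0 = exactly one match, 1 = no match, 2 = more than one match.
find_tools_tarball() {
    dir=$1
    count=0
    match=""
    for f in "$dir"/VMwareTools-*.tar.gz; do
        [ -e "$f" ] || continue      # an unmatched glob stays literal; skip it
        count=$((count + 1))
        match=$f
    done
    case $count in
        0) echo "no VMwareTools tarball found in $dir" >&2; return 1 ;;
        1) printf '%s\n' "$match"; return 0 ;;
        *) echo "$count VMwareTools tarballs in $dir; refusing to guess" >&2; return 2 ;;
    esac
}

# Steps 10-15 in the guide's order: create the mount point, mount the ISO,
# extract exactly one archive into /home/vyatta, and run the installer.
# Runs only when this file is invoked with --install (assumed flag), so
# sourcing the file to reuse find_tools_tarball has no side effects.
install_vmware_tools() {
    mnt=/mnt/tools
    sudo mkdir -p "$mnt" || return 1                    # step 10
    sudo mount /dev/cdrom "$mnt" || return 1            # step 11
    tarball=$(find_tools_tarball "$mnt") || { sudo umount "$mnt"; return 1; }
    cd /home/vyatta || return 1                         # step 12
    tar -xvf "$tarball" || return 1                     # step 13
    cd /home/vyatta/vmware-tools-distrib || return 1    # step 14
    sudo ./vmware-install.pl                            # step 15
}

if [ "${1:-}" = "--install" ]; then
    install_vmware_tools
fi
```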
17. Using the vi text editor with sudo, edit the /etc/pam.d/vmtoolsd file, and replace the entire contents of that file with the following three lines:
#%PAM-1.0
auth required /lib/security/pam_unix.so shadow nullok
account required /lib/security/pam_unix.so
18. CHECKPOINT: Do the following:
a. Return to the vSphere Client.
b. Click Tenant-VLAN-NetAppliance in the left pane, and then select the Summary tab in the right pane.
The value for VMware Tools under General should now be Running (Current).
19. Return to the VMware console for the tenant VLAN network appliance, and enter the following command to copy the saved config.boot file into the Vyatta configuration folder:
cp /etc/Unisys/config.boot.orig /opt/vyatta/etc/config/config.boot
20. Enter the following command to shut down and power off the tenant VLAN network appliance:
sudo shutdown -hP now
21. Edit the virtual machine settings and set the CD/DVD device to Client Device.
22. Use vSphere to convert the virtual machine into a template.
4.6. Preparing the vCenter Server to Sysprep the Target Template (Windows Server 2003 and Windows XP Only)
Note: Sysprep tools are included with Windows Server 2008, Windows Vista, and Windows 7 operating systems, so you can skip this procedure if you are configuring these types of virtual machines.
If you are using an existing vCenter server that you provided, you must perform this procedure from that vCenter server’s desktop. If you are using a Unisys-supplied vCenter with a vSphere Client connected to the management server, open a console to the vCenter server management VM. Do the following:
1. Access the VMware knowledge base article "Sysprep file locations and versions" at the following URL: http://kb.vmware.com/kb/1005593.
2. Follow the directions in that article to install the Sysprep files for the versions of Windows Server 2003 or Windows XP that you plan to use on your virtual machines.
Notes:
• For Windows XP x64 operating systems, you must use the Windows Server 2003 x64 Sysprep files.
• For Windows Server 2003 operating systems, ensure that the password for the local administrator account on the virtual machine template is set to blank ("").
Section 5
Implementing a New Tenant VLAN
This topic describes the procedures required to implement a new tenant VLAN, including the manual configuration that must be performed on the Management Network Appliance (the network appliance for the management server) and on the tenant VLAN network appliance.
Each tenant can have one or more tenant VLAN network appliances; tenants cannot share appliances. (All VLANs on a single appliance must belong to the same tenant.) Each tenant VLAN network appliance can support up to seven different VLANs. Traffic on each VLAN is isolated from all the other VLANs, even those connected to the same appliance.
When you add a new VLAN for an existing tenant, you have the option of adding a new tenant VLAN network appliance or adding the new VLAN to one of the tenant’s existing appliances.
Perform the procedures in this section to create VLANs for new tenants or to create new VLANs for existing tenants.
Figure 5–1 shows logical VLAN connections and IP addresses. Use this example when configuring a new VLAN.
Figure 5–1. Logical VLAN Connections
5.1. Configuring a DNS or Alternative for the Tenant
A tenant might or might not have a DNS. A DNS in the cloud environment must support nonsecure dynamic DNS updates. Refer to Table 1–27 to determine whether a particular tenant has its own DNS, and then perform one of the following procedures:
• 5.1.1 Configuring the Tenant DNS
If the tenant has a DNS, refer to this procedure for an example of how to complete this configuration.
• 5.1.2 Configuring the uChargeback Management VM if Tenants Do Not Have a DNS
If a tenant does not have a DNS, or if the tenant DNS cannot support nonsecure dynamic DNS updates, perform this procedure to configure the uChargeback management VM to act as the DNS for the tenant VLAN.
Note: If you previously configured the uChargeback management VM to act as the DNS for another tenant and you want to use the same zone for the new tenant, you might not have to perform this procedure.
5.1.1. Configuring the Tenant DNS
To enable the target virtual machines to register with the tenant’s internal DNS, the tenant’s internal DNS must provide a forward lookup zone for the tenant and must support nonsecure dynamic DNS updates.
For example, if the tenant’s internal DNS is a Windows Server 2008 system, then you can configure it as described in the following procedure. Adapt this procedure for the tenant’s specific type of DNS.
Do the following:
1. Launch DNS Manager by clicking Start, pointing to Administrative Tools, and then clicking DNS.
2. In the left pane, expand the DNS node, expand the node, and expand the Forward Lookup Zones node.
3. Under ForwardLookupZones, check to see if the tenant DNS domain name from Table 1–27 is already listed.
4. If the domain name is not listed, do the following:
a. Right-click ForwardLookupZones and add the new zone.
b. In the New Zone Wizard, on the Dynamic Update page, select Allow both nonsecure and secure dynamic updates.
c. Complete the New Zone Wizard.
If the domain name is already listed, then do the following:
a. Right-click the node, and click Properties.
b. Click the General tab.
c. Select Nonsecure and Secure in the Dynamic Updates list.
d. Click OK.
5.1.2. Configuring the uChargeback Management VM if Tenants Do Not Have a DNS
If the tenant you are configuring does not supply a DNS that can support secure and nonsecure dynamic updates, you must configure a tenant-side DNS zone in the uChargeback management VM to provide this functionality for the tenant commissioned virtual machines to use. Perform the following procedure for each tenant, or once for all tenants that do not provide a DNS.
Note: The best practice is to configure one DNS zone per tenant. (This enables easier debugging and tenant offboarding, if necessary.) This zone is not accessible from the tenant’s home network.
Caution
The tenant-side DNS zone is required. The tenant virtual machines might not use the DNS zone directly, and the management VMs do not use the DNS zone directly, but it is required for the management-side DNS zone (which enables communication between management VMs and commissioned machines) to be updated properly.
If any tenants do not have a DNS, or if any tenant DNS cannot support nonsecure dynamic DNS updates, do the following.
Note: To determine if the tenant has a DNS, see Table 1–27.
1. On the uChargeback management VM, open the DNS manager.
2. Add a new zone to DNS on the uChargeback management VM using values from Table 1–27, as follows:
a. Right-click Forward Lookup Zones in the left pane, and click New Zone. Do the following:
• Enter a Primary zone, using the tenant DNS domain name.
For example, the primary zone name might be NoDNS.TenantName.Local.
Note: The zone name
- Must match the Tenant DNS Domain name in Table 1–27
- Must contain at least one period character
- Must not be a zone that could be resolved externally
• Select the Allow both nonsecure and secure dynamic updates option.
Wait for the zone to be created and appear in the left pane.
b. Select the new zone in the left pane, right-click the zone, and click New Host in the Options list.
The New Host dialog box opens. Do the following:
• Enter the host name of the uChargeback management VM.
• Enter the IP address of the uChargeback management VM on the Intercom Network, using the value in Table 1–27.
• Do not create an associated PTR record.
c. Click Add Host to create the host record.
d. Click Done to exit the New Host dialog box.
3. Set the properties of the new zone, as follows:
a. Right-click the new zone in the left pane, and click Properties.
The Properties dialog box opens.
b. Click the Start of Authority (SOA) tab, click the Primary server box, and enter the host name of the uChargeback management VM with the DNS suffix of the new zone.
For example, enter my-uChrg.NoDNS.TenantName.Local.
c. Click the Name Servers tab, click the name that is displayed, and then click Edit.
d. Click the Server Fully Qualified Domain Name (FQDN) box, and enter the same name as you entered on the Start of Authority (SOA) tab.
e. Click the IP Address box, enter the Intercom IP address of the uChargeback management VM from Table 1–27, and then press Enter.
Note: Enter the same IP address as when you added the uChargeback management VM to this DNS zone previously.
The address should appear under your entry with a green check mark.
f. Click OK to exit the Properties dialog box.
4. Exit the DNS manager.
The new zone name is
• Added to the tenant properties in RBADB when you perform the procedure in 6.1 Updating Cloud Provider or Adding Tenant Information in the Secure Private Cloud Environment
• Set as the DNS suffix in the virtual machines that are commissioned for this tenant
5.2. Configuring Workload Servers for VLAN Networking
You must configure each workload server on which the new tenant virtual machines will run to connect to the new tenant VLAN and to the Tenant Interconnect port group. (The Tenant Interconnect port carries traffic to and from each tenant’s own internal network.) You might do this for all workload servers in the environment or only those servers in a particular cluster.
Note: If the tenant has multiple VLANs, they all share the same Tenant Interconnect. If you previously created a Tenant Interconnect for this tenant, you do not have to create another Tenant Interconnect.
5.2.1. Understanding Workload Server Networking Connection Options
There are several ways that you can configure workload servers to access these networks, as follows:
• By dedicating a physical NIC (or team of NICs) per workload server to a network
• By defining VLANs and sharing use of a physical NIC (or team of NICs)
When VLANs are defined, there are two main ways the VLANs can be configured using VMware:
- Distributed virtual network switch (formerly known as vNetwork Distributed Switch)
This is the preferred method, because it enables you to configure the port groups across multiple workload servers at one time. However, you can perform this procedure only on workload servers with vSphere 4.0 or higher that have the license feature “Distributed Virtual Switch.” (This feature requires the vSphere Enterprise Plus license.)
Note: You can create distributed virtual network switches only for workload servers with free physical network adapters; that is, network adapters that are not already used by virtual switches. If the workload server has a hardware limitation on the number of physical adapters, and the same physical adapter is used to connect to the Management Access Network, the Public Network, tenant VLANs, and the Tenant Interconnect, then you can use the same distributed virtual network switch to create port groups to access all these networks.
- vSwitch virtual machine port groups
This is an alternate method, in which you create vSwitch virtual machine port groups on each workload server. It is not the preferred method, because it requires you to perform the same procedure on each workload server, which can be time-consuming and error-prone.
5.2.2. Configuring Access to Tenant VLAN Networks and Tenant Interconnect
Perform one of the following procedures for each tenant VLAN network and for the Tenant Interconnect.
Notes:
• If the tenant has multiple VLANs, they all share the same Tenant Interconnect. If you previously created a Tenant Interconnect for this tenant, you do not have to create another Tenant Interconnect.
• If you are using Stealth for Secure Private Cloud in your environment, then for each tenant VLAN that is Stealth-enabled, you must create an associated clear text VLAN using the Stealth clear text VLAN ID and Stealth encrypted network label values from Table 1–26. You are directed to do this in the following procedures.
• For a physical NIC: Option 1: Using a Dedicated Physical NIC to Access a Tenant VLAN Network or Tenant Interconnect
• For a VLAN using a distributed virtual network switch (formerly known as vNetwork Distributed Switch): Option 2: Using a Distributed Switch to Access a Tenant VLAN Network or Tenant Interconnect
• For a VLAN using workload server-specific vSwitch virtual machine port groups: Option 3: Creating vSwitch Virtual Machine Port Groups to Access a Tenant VLAN Network or Tenant Interconnect
You can use different methods when configuring each network. For example, you can configure one network with a physical NIC and then configure a Distributed Virtual Network Switch for another network.
Option 1: Using a Dedicated Physical NIC to Access a Tenant VLAN Network or Tenant Interconnect
If you want to use a dedicated physical NIC to configure access to a tenant VLAN network or the Tenant Interconnect, do the following on each workload server listed in Table 1–26, for each network on which you want to use a physical NIC.
Note: If you want to use a Distributed Virtual Network Switch or workload server-specific vSwitch virtual machine port groups instead, you can skip this procedure.
1. Using vSphere, connect to the vCenter server.
2. Select the workload server in the left pane, and select the Configuration tab in the right pane.
3. Select Networking.
4. Locate the switch that connects to the physical NIC you want to use.
5. Select Properties.
6. Select VM Network and click Edit.
7. For a tenant VLAN network, change the Network Label to the tenant VLAN network label from Table 1–26. For the Tenant Interconnect, change the Network Label to Interconnect.
8. Click OK and then Close.
9. For each Stealth-enabled tenant VLAN, repeat this procedure for the clear text VLAN associated with this tenant VLAN, which is specified in Table 1–26.
10. Repeat this procedure for the other workload servers that have access to this network.
Option 2: Using a Distributed Switch to Access a Tenant VLAN Network or Tenant Interconnect
If you want to use a distributed virtual network switch to configure access to a tenant VLAN network or the Tenant Interconnect, do the following for each network on which you want to use a distributed switch. You can create a new distributed switch or add additional port groups to an existing distributed switch.
Notes:
• If you already performed the previous procedure to use a physical NIC, or if you want to use workload server-specific vSwitch virtual machine port groups instead, you can skip this procedure.
• The distributed virtual network switch was formerly known as vNetwork Distributed Switch in VMware. In this procedure, it is simply referred to as a distributed switch.
1. Using vSphere, connect to the vCenter Server that is managing the workload servers for which you want to create a distributed switch or add additional port groups to an existing switch.
2. If you want to add additional port groups to an existing distributed switch, skip to the next step.
If you want to create a new distributed switch, do the following:
a. Point to Inventory on the View menu, and click Networking.
The Networking Inventory page appears.
b. In the left pane, select the datacenter where the workload servers are located.
c. Point to Datacenter on the Inventory menu, and click New vSphere Distributed Switch.
The Create vSphere Distributed Switch wizard appears.
d. If you are prompted for the distributed switch version, select 4.0, 4.1.0, or 5.0.0.
All these levels are supported.
e. In the Name box, enter the name for the new distributed switch from Table 1–22.
f. In the Number of dvUplink Ports box, select the number of ports from Table 1–22, and then click Next.
Each dvUplink port represents one physical network adapter. Set the value to represent the number of physical network adapters for all workload servers that you want to include in the distributed switch.
g. Select Add now, and select the check boxes for each workload server and physical adapter that you want to add to the distributed switch.
Note: You can add only free physical adapters (that is, network adapters that are not already used by virtual switches) to a distributed switch.
h. Click Next.
i. Clear the Automatically create a default port group check box.
j. Click Finish.<br />
3. From the vSphere Client connected to the vCenter Server, in the Networking View,<br />
right-click the distributed switch node in the left pane <strong>and</strong> click New Port Group.<br />
The Create Distributed Virtual Port Group dialog box appears.<br />
4. Enter a name for the port group in the Name box, as follows:<br />
• If you are configuring the tenant VLAN, use the Tenant VLAN network label<br />
value in Table 1–26.<br />
Note: It is recommended that you include the VLAN ID as part of the name, so<br />
that you can easily identify the port group with which it is associated.<br />
• If you are configuring the Tenant Interconnect, type <br />
Interconnect.<br />
5. Adjust the value in the Number of ports box to indicate the number of virtual<br />
machines that can connect to this VLAN, according to the tenant’s requirement.<br />
The number of ports is listed in Table 1–26.<br />
For the Tenant Interconnect, set this number to a value at least as large as the number<br />
of tenant VLANs that will be associated with the network appliance multiplied by 7,<br />
plus 2. (For example, for three network appliances, set this number to 23 or higher.)<br />
Note: Each vCenter has a limitation of 30,000 distributed virtual network switch<br />
ports.<br />
6. Select VLAN in the VLAN type list.<br />
7. Enter the VLAN ID. If you are configuring the tenant VLAN, use the Tenant VLAN<br />
ID value in Table 1–26. If you are configuring the Tenant Interconnect, use the Tenant<br />
interconnect VLAN ID value in Table 1–27.<br />
8. Click Next and then Finish.<br />
Implementing a New Tenant VLAN<br />
9. For each Stealth-enabled tenant VLAN, repeat Steps 3 through 8 for the clear text<br />
VLAN associated with this tenant VLAN, which is specified in Table 1–26.<br />
Note: The Create Distributed Virtual Port Group dialog box allows you to specify<br />
only limited configuration. You can modify additional configuration after the dvPort group is<br />
created by right-clicking the port group in the left pane and editing its settings.<br />
Option 3: Creating vSwitch Virtual Machine Port Groups to Access a<br />
Tenant VLAN Network or Tenant Interconnect<br />
If you want to use a vSwitch virtual machine port group to configure access to a tenant<br />
VLAN or the Tenant Interconnect network, do the following for each such network on each<br />
workload server listed in Table 1–11.<br />
Note: If you already performed the previous procedures to use a physical NIC or<br />
distributed virtual network switch, you can skip this procedure.<br />
1. Do the following to open the Networking configuration view for the workload server:<br />
a. In the vSphere Client, connect to the vCenter server.<br />
b. From the View menu, click Inventory, then click Hosts and Clusters.<br />
c. In the left pane, select a workload server.<br />
d. In the right pane, click the Configuration tab.<br />
e. In the Hardware group, click Networking.<br />
2. If the vSwitch you want to use does not exist, do the following to create a new switch<br />
and configure it.<br />
Note: If the vSwitch already exists, do not perform this step. Perform the following<br />
step instead.<br />
a. Click Add Networking, which is located near the top right of the right pane.<br />
The Add Network Wizard opens.<br />
b. On the Connection Type page, choose Virtual Machine.<br />
c. On the Virtual Machines – Network Access page, choose Create a<br />
virtual switch, and select the check box next to an available virtual machine NIC<br />
(vmnic).<br />
d. On the Virtual Machines – Connection Settings page, enter a name for the<br />
VLAN in the Network Label box, as follows:<br />
• If you are configuring the tenant VLAN, use the Tenant VLAN network<br />
label value in Table 1–26.<br />
Note: It is recommended that you include the VLAN ID as part of the name,<br />
so that you can easily identify the port group with which it is associated.<br />
• If you are configuring the Tenant Interconnect, type the Tenant Name value from<br />
Table 1–24 followed by a space and the word Interconnect.<br />
e. Enter the VLAN ID. If you are configuring the tenant VLAN, use the Tenant<br />
VLAN ID value in Table 1–26. If you are configuring the Tenant Interconnect, use<br />
the Tenant interconnect VLAN ID value in Table 1–27.<br />
f. On the Ready to Complete page, click Finish.<br />
3. If the vSwitch you want to use already exists, on the Networking Configuration tab, do<br />
the following.<br />
Note: If the vSwitch you want to use does not already exist, perform the preceding<br />
step instead to create and configure a new switch.<br />
a. Click Properties for the vSwitch.<br />
The vSwitch Properties dialog box appears.<br />
b. Click Add.<br />
The Add Networking Wizard appears.<br />
c. On the Connection Type page, choose Virtual Machine.<br />
d. On the Virtual Machines – Connection Settings page, enter a name for the<br />
VLAN in the Network Label box, as follows:<br />
• If you are configuring the tenant VLAN, use the Tenant VLAN network<br />
label value in Table 1–26.<br />
Note: It is recommended that you include the VLAN ID as part of the name,<br />
so that you can easily identify the port group with which it is associated.<br />
• If you are configuring the Tenant Interconnect, type the Tenant Name value from<br />
Table 1–24 followed by a space and the word Interconnect.<br />
e. Enter the VLAN ID. If you are configuring the tenant VLAN, use the Tenant<br />
VLAN ID value in Table 1–26. If you are configuring the Tenant Interconnect, use<br />
the Tenant interconnect VLAN ID value in Table 1–27.<br />
f. On the Ready to Complete page, click Finish.<br />
g. Click Close to close the vSwitch Properties dialog box.<br />
h. For each Stealth-enabled tenant VLAN network, repeat this procedure for the clear<br />
text VLAN associated with this tenant VLAN, which is specified in Table 1–26.<br />
4. Repeat this procedure for the other workload servers that have access to this<br />
network.<br />
Note: You must configure the physical switches that connect the workload servers and<br />
the physical switch that protects the tenant’s private access point to allow this new VLAN.<br />
5.3. Deploying a New Tenant VLAN Using a New or<br />
Existing Tenant VLAN Network Appliance<br />
To deploy a new tenant VLAN, you use a Unisys-supplied tenant VLAN network appliance.<br />
The following procedures describe how to configure a new tenant VLAN using a new or<br />
existing tenant VLAN network appliance, as follows:<br />
• If you are adding a new tenant (and a new VLAN), then you must deploy a new tenant<br />
VLAN network appliance for that tenant. Perform the steps in 5.3.1 Deploying a New<br />
Tenant VLAN Network Appliance and VLAN.<br />
• If you are adding a new VLAN for an existing tenant, you have the option to configure<br />
the new VLAN on one of the tenant’s existing tenant VLAN network appliances, as<br />
described in 5.3.2 Adding a New VLAN to an Existing Tenant VLAN Network<br />
Appliance. Each tenant VLAN network appliance can support up to seven VLANs.<br />
5.3.1. Deploying a New Tenant VLAN Network Appliance and<br />
VLAN<br />
Note: Before beginning this procedure, ensure that the cloud provider and tenant XML<br />
files on the jump box management VM are up-to-date.<br />
Perform the following procedure to deploy a new tenant VLAN network appliance and<br />
VLAN:<br />
1. Run the vSphere Client and connect to the vCenter server.<br />
2. If you are performing this procedure as directed in 5.3.2 Adding a New VLAN to an<br />
Existing Tenant VLAN Network Appliance or when the tenant VLAN network appliance<br />
virtual machine already exists, skip to the following step.<br />
Otherwise, do the following to deploy a new tenant VLAN network appliance:<br />
a. From the VMs and Templates view, select the Tenant VLAN<br />
NetAppliance template that you imported in 4.4 Importing Tenant VLAN<br />
Network Appliance and Load Balancer Templates, right-click, and then click<br />
Deploy Virtual Machine from this Template to deploy a new virtual<br />
machine to act as the tenant VLAN network appliance in Table 1–26.<br />
b. Name the virtual machine using the host name value from Table 1–25.<br />
This name is case-sensitive.<br />
Caution<br />
You must name this tenant VLAN network appliance using the host name<br />
value, spelling and capitalizing the name exactly as it appears in Table 1–25.<br />
c. Select the following options during deployment:<br />
• Ignore any warnings you receive that state that a virtual Ethernet card network<br />
adapter is not supported. You might receive multiple warnings.<br />
• Do not use the same resource pools as the ones that will be used for the end<br />
user virtual machines; these resource pools are specified in Table 1–13. (You<br />
can create a separate resource pool for each tenant’s infrastructure VMs.)<br />
• Select Thin provisioned format for the Disk Format option.<br />
• Select Do not customize for the Guest Customization option.<br />
• Make sure the Power on this virtual machine after creation option is<br />
cleared.<br />
3. Perform this step to configure the virtual machine Network Adapter settings only if all<br />
of the following conditions apply:<br />
• Your vCenter Server is running vCenter Server 5.x.<br />
Note: The Unisys supplied vCenter Server management VM is running vCenter<br />
Server 5.0.<br />
• The workload server—on which the tenant VLAN network appliance is running—is<br />
running VMware ESX or ESXi version 4.1.<br />
• One or more of the port groups—which you want to be assigned as the networks<br />
for the network adapters on the tenant VLAN network appliance—belongs to a<br />
distributed virtual network switch (as opposed to a standard switch).<br />
If all of these conditions do not apply, proceed to the next step (power on the virtual<br />
machine).<br />
If all of these conditions do apply, do the following:<br />
a. When the new virtual machine is created, right-click the virtual machine, and then<br />
click Edit Settings.<br />
b. Configure the virtual machine Network Adapter settings as follows.<br />
Notes:<br />
• The network connection labels must already exist on the workload server.<br />
• The Ethernet Interface entry is for reference only; it indicates the Ethernet<br />
interface that is used by the network appliance software.<br />
Network Adapter 1<br />
Connected at Power On: Enable if any of the following properties in Table 1–25 are<br />
set to Yes: Internet Access – Outgoing; Internet Access – Incoming; Able to respond<br />
to a ping command?<br />
Network Connection Label: Public Network<br />
Ethernet Interface: eth0<br />
Network Adapter 2<br />
Connected at Power On: Enable<br />
Network Connection Label: If the VLAN is not Stealth-enabled, the tenant VLAN<br />
network label for VLAN[1] in Table 1–26. If the VLAN is Stealth-enabled, the Stealth<br />
clear text network label for VLAN[1] in Table 1–26.<br />
Ethernet Interface: eth1<br />
Network Adapter 3<br />
Connected at Power On: Enable<br />
Network Connection Label: Management Access Network<br />
Ethernet Interface: eth2<br />
Network Adapter 4<br />
Connected at Power On: Enable<br />
Network Connection Label: the Tenant Interconnect (&lt;Tenant Name&gt; Interconnect)<br />
Ethernet Interface: eth3<br />
Network Adapters 5–10<br />
Connected at Power On: If additional tenant VLANs are being supported with this<br />
appliance, Enable. Otherwise, Disable.<br />
Network Connection Label: For network adapters that are in use by additional tenant<br />
VLANs, choose one of the following, based on whether the VLAN is Stealth-enabled:<br />
• If the VLAN is not Stealth-enabled, the tenant VLAN network label for VLANs[2] to<br />
[n-3] in Table 1–26.<br />
• If the VLAN is Stealth-enabled, the Stealth clear text network label for VLANs[2] to<br />
[n-3] in Table 1–26.<br />
For network adapters that are not in use by additional tenant VLANs, enter<br />
&lt;Tenant Name&gt; Interconnect.<br />
For example, if you have one additional tenant VLAN, configure Network Adapter 5<br />
for that VLAN. Then, configure Network Adapters 6–10 as &lt;Tenant Name&gt; Interconnect.<br />
Ethernet Interface: eth4 to eth(n-1), where n is the network adapter number<br />
Note: The range of available network adapters for extra VLANs begins at<br />
Network Adapter 5. For example, if this Tenant VLAN Network Appliance supports<br />
three tenant VLANs, you must enable two extra network adapters: numbers 5 and<br />
6.<br />
c. Click OK to save the Network Adapter settings.<br />
4. Power on the virtual machine.<br />
5. Open a console to the tenant VLAN network appliance, and wait until the log-on<br />
prompt appears.<br />
6. After the log-on prompt appears, close the console to the tenant VLAN network<br />
appliance.<br />
7. Open a console to the jump box management VM.<br />
8. Enter one of the following commands in the Windows PowerShell (x86) command<br />
window:<br />
• If you are adding a new tenant VLAN network appliance and a new VLAN, enter<br />
the following command:<br />
.\Config-TVNA.ps1 -tenant &lt;tenant name&gt; -new<br />
Where &lt;tenant name&gt; is the tenant name listed in Table 1–24. If the tenant<br />
name contains spaces, enclose the name in quotation marks in the command.<br />
If the workload server is running VMware ESX or ESXi 4.x or earlier, and the<br />
vCenter Server that is managing the workload servers is running vCenter Server<br />
5.x, you must add the following parameters to this command.<br />
Note: The Unisys supplied vCenter Server management VM is running vCenter<br />
Server 5.0.<br />
-vCenter &lt;vCenter Server&gt; -vCenterUser &lt;user name&gt; -vCenteruserPw &lt;password&gt;<br />
Use the information in Table 1–11 for the workload server that hosts the tenant<br />
VLAN network appliance you are configuring.<br />
If you added these three vCenter parameters to the command, and if you<br />
already configured the virtual machine Network Adapter settings (by performing<br />
the step earlier in this topic), then add the following argument to the command.<br />
(You were instructed to configure the Network Adapter settings if your vCenter<br />
Server is running vCenter Server 5.x, if the tenant VLAN network appliance is<br />
running on a VMware ESX or ESXi 4.1 workload server, and if one or more of the<br />
port groups is using a distributed virtual network switch.) Add the following to<br />
the command:<br />
-skipNICs<br />
• If you are running this command to add a new VLAN to an existing tenant VLAN<br />
network appliance, enter the following command:<br />
.\Config-TVNA.ps1 -tenant &lt;tenant name&gt;<br />
Where &lt;tenant name&gt; is the tenant name listed in Table 1–24. If the tenant<br />
name contains spaces, enclose the name in quotation marks in the command.<br />
If the workload server is running VMware ESX or ESXi 4.x or earlier, and the<br />
vCenter Server that is managing the workload servers is running vCenter Server<br />
5.x, you must add the following parameters to this command.<br />
Note: The Unisys supplied vCenter Server management VM is running vCenter<br />
Server 5.0.<br />
-vCenter &lt;vCenter Server&gt; -vCenterUser &lt;user name&gt; -vCenteruserPw &lt;password&gt;<br />
Use the information in Table 1–11 for the workload server that hosts the tenant<br />
VLAN network appliance you are configuring.<br />
If you added these three vCenter parameters to the command, and if you<br />
already configured the virtual machine Network Adapter settings (by performing<br />
the step earlier in this topic), then add the following argument to the command.<br />
(You were instructed to configure the Network Adapter settings if your vCenter<br />
Server is running vCenter Server 5.x, if the tenant VLAN network appliance is<br />
running on a VMware ESX or ESXi 4.1 workload server, and if one or more of the<br />
port groups is using a distributed virtual network switch.) Add the following to<br />
the command:<br />
-skipNICs<br />
Notes:<br />
• In 5.2.2 Configuring Access to Tenant VLAN Networks and Tenant Interconnect,<br />
you were instructed to create a Tenant Interconnect named &lt;Tenant Name&gt;<br />
Interconnect. This command searches for the strings &lt;Tenant Name&gt;<br />
Interconnect and &lt;TenantName&gt;Interconnect (no space). If the command<br />
cannot identify the Tenant Interconnect using these strings, a dialog box<br />
appears; enter the Tenant Interconnect name to proceed.<br />
• If a warning is displayed for the server certificate, ignore it.<br />
The script performs the following actions:<br />
• Sets a new password for the vyatta account.<br />
Note: The next time you log onto the tenant VLAN network appliance, you must<br />
use the new password for user vyatta from Table 1–25.<br />
• Sets the host name.<br />
• Configures the first four network adapter interfaces.<br />
• Configures the MAC address information for the remaining six network adapter<br />
interfaces to ensure that the assigned MAC addresses are correct.<br />
• Assigns the uChargeback management VM as the netflow collector, using the<br />
uChargeback IP address on the Intercom Network.<br />
• Configures the DNS server addresses to which all DNS requests will be<br />
forwarded.<br />
• If the Intercom address range is nonstandard, updates that range in the<br />
MGMT_VMS firewall group and the static route.<br />
• If the tenant does not have a DNS of their own, then enables access to the DNS<br />
server on the uChargeback management VM.<br />
To enable this access, the script adds the addresses of the uChargeback<br />
management VM on the Cloud Management Network and the uAdapt Server<br />
Control Network to the MGMT_VMS firewall group, and also creates static routes<br />
to ensure that traffic to those addresses is forwarded through the Management<br />
Network Appliance.<br />
• If pings from the Internet are not allowed, then modifies the<br />
ALLOW_ESTABLISHED firewall to prevent such pings.<br />
• If either outgoing or incoming Internet access is allowed, then configures a<br />
system gateway address.<br />
• For each tenant VLAN supported by this Tenant VLAN Network Appliance,<br />
- Configures an IP address on the network adapter interface for that tenant<br />
VLAN.<br />
- Configures DHCP settings for the tenant VLAN, including the start and stop<br />
addresses, the address of the default router, the address of the DNS server,<br />
and the DNS domain name.<br />
- Adds the tenant VLAN address range to the TENANT_VLAN_NETWORKS<br />
firewall group.<br />
- If outgoing Internet access is allowed, configures a masquerade NAT rule on<br />
eth0 for traffic originating from this tenant VLAN.<br />
- Configures an SNAT rule for traffic from the tenant VLAN to the management<br />
VMs.<br />
This rule translates the source address of any packets from the tenant-side<br />
address to the management-side address.<br />
- Configures a DNAT rule for traffic from the management VMs to the tenant<br />
VLAN.<br />
This rule translates the destination address of any packets from the<br />
management-side address to the tenant-side address.<br />
- Configures a static route for traffic from the tenant VLAN to the Tenant<br />
Internal Network, ensuring that such traffic passes through the Tenant Internal<br />
Router on the Tenant Interconnect.<br />
- If you are using the Active Directory management VMs provided with the<br />
Secure Private Cloud, configures the NTP service to synchronize with the time<br />
servers on the Active Directory management VMs.<br />
- Reboots the tenant VLAN network appliance.<br />
- Assigns the network adapters to the correct external networks. If this is the<br />
initial configuration of the tenant VLAN network appliance, then all ten<br />
network adapters are assigned to the correct networks. If this is a later<br />
configuration (you are adding one or more VLANs to an existing tenant VLAN<br />
network appliance), then only the corresponding network adapters are<br />
reassigned.<br />
9. Wait until the Config-TVNA script stops displaying messages.<br />
10. Verify that the script completed successfully.<br />
If the command was successful, the script does the following:<br />
• Displays the message ″Completed normally,″ along with information about the log<br />
location<br />
• Displays a message indicating that the password for the vyatta user is being<br />
modified.<br />
• Displays one or more messages indicating that network adapters have been<br />
assigned to VMware networks.<br />
• Reboots the tenant VLAN network appliance.<br />
If unsuccessful, the script displays an error message. Typically the message indicates<br />
an error in the data in one of the XML files. For example, the message might indicate<br />
that an invalid subnet mask was specified for a certain address. To correct such a<br />
problem, do the following:<br />
a. Make corrections to the configuration worksheet and export the XML files to the<br />
jump box management VM again.<br />
b. Rerun the command in the PowerShell (x86) command window.<br />
To correct any other problems, refer to the troubleshooting document for Secure<br />
Private Cloud on the Unisys Support Web site (www.support.unisys.com).<br />
CHECKPOINT:<br />
1. After the tenant VLAN network appliance has rebooted, open a console to the tenant<br />
VLAN network appliance virtual machine that you just deployed, and log in using the<br />
user name vyatta and the New password for user vyatta in Table 1–25 of the<br />
tenant’s workbook.<br />
Note: If there is no new password specified, use the Default password for user<br />
vyatta in Table 1–25 instead.<br />
2. Ping the IP address of the Management Network Appliance on the Management<br />
Access Network, as specified in Table 1–5.<br />
3. Verify that the ping is successful.<br />
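The Network Adapter settings in step 3 of this procedure, the limit of seven VLANs per appliance, and the Tenant Interconnect port count from 5.2.2 (7 per appliance, plus 2) can be derived mechanically from a tenant's VLAN list; the following Python planning helper is an added example and is not part of the guide or of the Unisys scripts. The tenant name, VLAN labels and port counts in it are constructed samples, and the adapter-to-interface mapping (adapter n to eth(n-1)) is taken from the table above.

```python
"""Added planning helper (not part of the Unisys guide or its scripts): derives the
Network Adapter rows of the table in step 3 from a tenant's VLAN list and applies
the limits the guide states. Tenant name and VLAN labels are constructed samples."""
from dataclasses import dataclass
from typing import List

MAX_VLANS_PER_APPLIANCE = 7      # each tenant VLAN network appliance supports up to seven VLANs
VCENTER_DVPORT_LIMIT = 30000     # per-vCenter limit on distributed virtual switch ports
# Adapter 2 carries VLAN[1]; adapters 5 to 10 carry VLAN[2] to VLAN[7] (adapter n -> VLAN[n-3]).
VLAN_ADAPTERS = [2, 5, 6, 7, 8, 9, 10]


@dataclass(frozen=True)
class TenantVlan:
    label: str                  # tenant VLAN network label (Table 1-26)
    stealth: bool = False
    clear_text_label: str = ""  # Stealth clear text network label, used when stealth is True


@dataclass(frozen=True)
class Adapter:
    number: int
    connected_at_power_on: bool
    network_label: str
    interface: str              # ethN as seen by the appliance software (adapter n -> eth(n-1))


def port_group_label(v: TenantVlan) -> str:
    """A Stealth-enabled VLAN attaches the appliance to its clear text network, not to the VLAN itself."""
    if v.stealth:
        if not v.clear_text_label:
            raise ValueError(f"{v.label}: Stealth-enabled VLAN needs a clear text network label")
        return v.clear_text_label
    return v.label


def plan_adapters(tenant_name: str, vlans: List[TenantVlan], internet_or_ping: bool) -> List[Adapter]:
    """Return the ten adapter rows for one appliance.

    internet_or_ping is True when any of Internet Access - Outgoing, Internet Access - Incoming
    or "Able to respond to a ping command?" in Table 1-25 is Yes; it decides adapter 1 only.
    """
    if not 1 <= len(vlans) <= MAX_VLANS_PER_APPLIANCE:
        raise ValueError(f"one appliance supports 1 to {MAX_VLANS_PER_APPLIANCE} VLANs, got {len(vlans)}")
    interconnect = f"{tenant_name} Interconnect"          # the Tenant Interconnect port group name
    labels = {n: port_group_label(v) for n, v in zip(VLAN_ADAPTERS, vlans)}
    rows = [
        Adapter(1, internet_or_ping, "Public Network", "eth0"),
        Adapter(2, True, labels[2], "eth1"),
        Adapter(3, True, "Management Access Network", "eth2"),
        Adapter(4, True, interconnect, "eth3"),
    ]
    for n in range(5, 11):
        # Adapters not needed for extra VLANs are parked on the Tenant Interconnect and left disconnected.
        rows.append(Adapter(n, n in labels, labels.get(n, interconnect), f"eth{n - 1}"))
    return rows


def appliances_needed(vlan_count: int) -> int:
    """Number of tenant VLAN network appliances required for this many VLANs."""
    return -(-vlan_count // MAX_VLANS_PER_APPLIANCE)


def interconnect_ports(appliances: int) -> int:
    """Minimum Number of ports for the Tenant Interconnect port group: 7 per appliance, plus 2."""
    return appliances * 7 + 2


def dvports_ok(ports_in_use: int, new_ports: int) -> bool:
    """True if adding new_ports keeps the vCenter within its distributed switch port limit."""
    return ports_in_use + new_ports <= VCENTER_DVPORT_LIMIT


if __name__ == "__main__":
    # Constructed sample: tenant "Acme" with three VLANs, the second one Stealth-enabled.
    sample = [
        TenantVlan("Acme VLAN 402"),
        TenantVlan("Acme VLAN 403", stealth=True, clear_text_label="Acme VLAN 403 clear text"),
        TenantVlan("Acme VLAN 404"),
    ]
    for row in plan_adapters("Acme", sample, internet_or_ping=False):
        print(row.number, "Enable" if row.connected_at_power_on else "Disable", row.network_label, row.interface)
    print("Tenant Interconnect ports for 3 appliances:", interconnect_ports(3))
```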
5.3.2. Adding a New VLAN to an Existing Tenant VLAN Network<br />
Appliance<br />
If you have previously deployed a tenant VLAN network appliance for a certain tenant, you<br />
can configure additional VLAN connections on the same appliance. Each tenant VLAN<br />
network appliance can support seven VLANs.<br />
Perform the following procedure to add a new VLAN to an existing tenant VLAN network<br />
appliance.<br />
Note: Use this procedure only if you are adding a new (and previously unplanned) tenant<br />
VLAN to a tenant VLAN network appliance that you already configured.<br />
However, if you had previously planned to have multiple tenant VLANs, then you do not<br />
need to perform this procedure. (The procedure in 5.3.1 Deploying a New Tenant VLAN<br />
Network Appliance and VLAN configured multiple tenant VLANs on the tenant VLAN<br />
network appliance.)<br />
1. Revise the worksheet for this tenant by filling out an additional VLAN column in<br />
Table 1–26.<br />
2. Export the worksheet for this tenant to an XML file, as described in 1.1.6 Exporting the<br />
Data.<br />
3. Perform the previous procedure, 5.3.1 Deploying a New Tenant VLAN Network<br />
Appliance and VLAN, except that you must skip step 2 (deploying the tenant VLAN<br />
network appliance from a template) because the virtual machine already exists.<br />
To configure more than seven VLANs for the same tenant, you must configure an<br />
additional tenant VLAN network appliance. See 5.3.1 Deploying a New Tenant VLAN<br />
Network Appliance <strong>and</strong> VLAN.<br />
5.4. Configuring the Management Network<br />
Appliance for a New Tenant VLAN<br />
When you deploy a new tenant VLAN, you must configure the Management Network<br />
Appliance. Use one of the following procedures, depending on whether you are using a<br />
virtual Management Network Appliance or a physical router. If you are using a virtual<br />
Management Network Appliance, refer to the Network Appliance management VM<br />
information in Table 1–5.<br />
5.4.1. Configuring the Virtual Management Network Appliance<br />
for a New VLAN<br />
1. Open a console to the jump box management VM.<br />
2. Ensure that the cloud provider XML file on the jump box management VM is up-to-date.<br />
3. Ensure that a PowerShell (x86) window is open on the jump box management VM.<br />
If it is not already open, from the Start menu, point to All Programs, Accessories,<br />
and then Windows PowerShell, and click Windows PowerShell (x86).<br />
4. Enter the following comm<strong>and</strong> from the PowerShell (x86) window on the jump box<br />
management VM:<br />
.\Config-TenantOnMNA.ps1<br />
If necessary, include the following parameters in the command:<br />
• If high availability (HA) is enabled, include the following:<br />
- If the name of the vCenter server administrator user has been updated,<br />
include<br />
-hostUser &lt;user name&gt;<br />
- If the password for the vCenter server administrator user has been updated,<br />
include<br />
-hostUserPw &lt;password&gt;<br />
Note: These additional parameters are required regardless of whether the<br />
vCenter Server is provided by Unisys or the cloud provider.<br />
• If HA is not enabled, and the root user on the management server is using an<br />
updated password, include<br />
-hostUserPw &lt;password&gt;<br />
• If the vyatta user on the Management Network Appliance is using an updated<br />
password, include<br />
-vmUserPw &lt;password&gt;<br />
You are prompted to browse to the location of the XML file. Be sure to browse<br />
to the appropriate tenant XML file and not to the cloud provider XML file.<br />
For example, enter the following comm<strong>and</strong> for a tenant with updated credentials for<br />
the vyatta user on the Management Network Appliance:<br />
.\Config-TenantOnMNA.ps1 -vmUserPw myNewPw<br />
The script performs the following actions:<br />
• Adds static routes to the management-side tenant VLAN ranges by way of the<br />
tenant VLAN network appliance address on the Management Access Network.<br />
• Adds the management-side tenant VLAN ranges to the TARGET_VM firewall<br />
network group.<br />
• If the tenant is not supplying their own DNS, adds NAT rules to enable traffic to<br />
reach the DNS server on the uChargeback management VM.<br />
Wait until the script stops displaying messages.<br />
Note: If you receive a warning message that there are limitations in your VMware<br />
ESX license, this means that the script cannot be completed because the required<br />
VMware license is not installed on the management server. If you receive this<br />
warning, you can either install the required VMware license or perform the steps in<br />
12.6.1 Configuring the Virtual Management Network Appliance for a New VLAN (with<br />
a VMware License Restriction).<br />
CHECKPOINT:<br />
Verify that the script completed successfully.<br />
If successful, the script displays the message ″Completed normally,″ along with some<br />
information about the log location. In this case, open a command prompt on the Cloud<br />
Orchestrator management VM, enter the following command, and verify that the<br />
tenant VLAN network appliance responds:<br />
ping &lt;tenant VLAN network appliance address&gt;<br />
If unsuccessful, the script displays an error message. Typically, the message<br />
indicates an error in the data in one of the XML files. For example, the message<br />
might indicate that an invalid subnet mask was specified for a certain address. To<br />
correct such a problem,<br />
a. Make corrections to the configuration worksheet.<br />
b. Export the Cloud Provider XML file to the jump box management VM.<br />
c. Repeat this procedure from the beginning.<br />
To correct any other problems, refer to the troubleshooting document for Secure<br />
Private Cloud on the Unisys support Web site at http://www.support.unisys.com.<br />
5. Close the PowerShell (x86) window.<br />
5.4.2. Configuring a Physical Management Network Appliance<br />
for a New VLAN<br />
Notes:<br />
• The following procedure uses commands appropriate for Cisco switches. If you have<br />
another brand of switch, you must adapt these commands for that switch.<br />
• The following examples assume that the VLAN ID is 402, that it has an IP range<br />
192.168.102.0/24, <strong>and</strong> that the Management Access Network IP address range is<br />
172.31.2.0/24.<br />
1. Log in to the switch in privileged mode by typing enable, <strong>and</strong> then responding to the<br />
password prompt.<br />
The prompt changes to end with #. (For example, it changes from MySwitch> to<br />
MySwitch#.)<br />
2. Type the following command to enter configuration mode:<br />
configure terminal<br />
The prompt changes to end with (config)#. (For example, it changes from MySwitch#<br />
to MySwitch(config)#.)<br />
3. Declare the VLANs by entering the following commands.<br />
Note: If you want to use extended VLAN IDs (numbers higher than 1005), you must<br />
set vtp mode to transparent.<br />
vlan &lt;VLAN ID list&gt;<br />
exit<br />
Where &lt;VLAN ID list&gt; is the list of VLAN IDs that you want to be accessible to the<br />
workload server. (If the workload server is in a cluster, the list should be identical for<br />
every workload server in the cluster.) The VLAN IDs are listed in Table 1–20.<br />
For example, enter<br />
vlan 402<br />
exit<br />
4. Enter the following commands to create an access list that enables the virtual<br />
machines running on the tenant VLAN to access the management VMs running on<br />
the Management Access Network:<br />
access-list &lt;ACL number&gt; permit ip &lt;tenant VLAN network&gt; &lt;wildcard mask&gt;<br />
&lt;Management Access Network&gt; &lt;wildcard mask&gt;<br />
For example, enter<br />
access-list 402 permit ip 192.168.102.0 0.0.0.255<br />
172.31.1.0 0.0.0.255<br />
5. Enter the following commands to create an access list to enable the management<br />
VMs to access the tenant virtual machines using the Management Access<br />
Network VLAN:<br />
access-list &lt;ACL number&gt; permit ip any<br />
&lt;Management Access Network&gt; &lt;wildcard mask&gt;<br />
For example, enter<br />
access-list 402 permit ip any 172.31.2.0 0.0.0.255<br />
6. Enter the following commands to enable the management VMs to access the<br />
tenant VLAN:<br />
access-list &lt;ACL number&gt; permit ip &lt;Management Access Network&gt; &lt;wildcard mask&gt;<br />
&lt;tenant VLAN network&gt; &lt;wildcard mask&gt;<br />
For example, enter<br />
access-list 402 permit ip 172.31.1.0 0.0.0.255<br />
192.168.102.0 0.0.0.255<br />
7. Enter the following commands to prevent a tenant VLAN from sending any<br />
traffic to ports 61132 and 61133, which are used by the Cloud Orchestrator<br />
management VM:<br />
access-list &lt;ACL number&gt; deny udp<br />
&lt;tenant VLAN network&gt; &lt;wildcard mask&gt;<br />
host &lt;Cloud Orchestrator management VM address&gt; eq &lt;port&gt;<br />
For example, enter<br />
access-list 402 deny udp 192.168.102.0 0.0.0.255 host<br />
172.31.1.6 eq 61132<br />
access-list 402 deny udp 192.168.102.0 0.0.0.255 host<br />
172.31.1.6 eq 61133<br />
8. Enter the following commands to create an access group to apply the<br />
access lists to the tenant VLAN:<br />
interface &lt;VLAN interface&gt;<br />
ip access-group &lt;ACL number&gt; in<br />
ip access-group &lt;ACL number&gt; out<br />
For example, enter<br />
interface vlan 400<br />
ip access-group 402 in<br />
ip access-group 402 out<br />
9. Enter the following comm<strong>and</strong>s to add a static route to the new tenant VLAN<br />
network appliance:<br />
ip route <br />
<br />
<br />
For example, enter<br />
ip route 192.168.102.0 255.255.255.0 172.31.2.102<br />
10. If the tenant does NOT have a DNS server, NAT rules must be created to<br />
ensure that the tenant VLAN can communicate with the DNS on the<br />
uChargeback management VM. Use ip nat comm<strong>and</strong>s to configure the<br />
following.<br />
Note: A physical switch must support NAT to perform these comm<strong>and</strong>s.<br />
Refer to the documentation for your switch for more information on NAT <strong>and</strong><br />
the specific comm<strong>and</strong>s that apply.<br />
5–22 3850 6804–007
a. Configure the management access network VLAN interface as the<br />
network subject to inside NAT translation.<br />
b. Configure NAT rules to translate the <strong>and</strong> destination<br />
addresses to the address.<br />
11. Enter the following comm<strong>and</strong> to verify the configuration:<br />
show running-config<br />
12. Save the configuration by entering the following comm<strong>and</strong>:<br />
copy running-config startup-config<br />
You see the following: Destination Filename [startup-config]?<br />
13. Press Enter.<br />
CHECKPOINT:<br />
You see the response [OK].<br />
Enter the following comm<strong>and</strong> <strong>and</strong> verify that the tenant VLAN network appliance<br />
responds:<br />
ping <br />
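Added example, not part of the guide: a first-match evaluator for the IOS-style numbered access-list entries entered in steps 4 through 8 above, using the page's own example addresses. On switches that evaluate a numbered list top-down with first match and an implicit deny at the end, the position of the step 7 deny entries relative to the step 4 permit decides which entry a UDP packet to 172.31.1.6:61132 hits, so the evaluator runs the entries in both orders as a check to make against the show running-config output before the checkpoint. The switch semantics (first match, implicit deny, inverted wildcard masks) and the tenant source address 192.168.102.5 are assumptions.

```python
"""First-match evaluator for IOS-style numbered ACL entries (added example).

Entry grammar handled (the subset used on this page):
    access-list <n> permit|deny <ip|udp|tcp> <src> <dst> [eq <port>]
where <src>/<dst> is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
The wildcard mask is inverted relative to a netmask: set bits mean
'don't care', so 0.0.0.255 covers a /24.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Entry:
    number: str
    action: str            # 'permit' or 'deny'
    proto: str             # 'ip' matches any protocol
    src: Tuple[int, int]   # (network as int, wildcard as int)
    dst: Tuple[int, int]
    dst_port: Optional[int]
    text: str              # the original line, for reporting


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume one address spec starting at tokens[i]; return ((net, wild), next_index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def parse_entry(line: str) -> Entry:
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    number, action, proto = t[1], t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Entry(number, action, proto, src, dst, port, line)


def _addr_match(spec: Tuple[int, int], ip: int) -> bool:
    net, wild = spec
    # Bits set in the wildcard are ignored; the rest must equal the network.
    return ((ip ^ net) & ~wild & 0xFFFFFFFF) == 0


def evaluate(entries: List[Entry], proto: str, src_ip: str, dst_ip: str,
             dst_port: Optional[int] = None) -> Tuple[str, str]:
    """Return (action, matched entry text). Unmatched traffic hits the implicit deny."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not _addr_match(e.src, s) or not _addr_match(e.dst, d):
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action, e.text
    return "deny", "implicit deny"


# Entries in the order the procedure above gives them (steps 4 through 7),
# with the page's example addresses.
PAGE_ORDER = [parse_entry(l) for l in [
    "access-list 402 permit ip 192.168.102.0 0.0.0.255 172.31.1.0 0.0.0.255",
    "access-list 402 permit ip any 172.31.2.0 0.0.0.255",
    "access-list 402 permit ip 172.31.1.0 0.0.0.255 192.168.102.0 0.0.0.255",
    "access-list 402 deny udp 192.168.102.0 0.0.0.255 host 172.31.1.6 eq 61132",
    "access-list 402 deny udp 192.168.102.0 0.0.0.255 host 172.31.1.6 eq 61133",
]]

# The same entries with the port-specific denies placed before the broad permit.
DENY_FIRST = [PAGE_ORDER[3], PAGE_ORDER[4], PAGE_ORDER[0], PAGE_ORDER[1], PAGE_ORDER[2]]


def orchestrator_port_blocked(entries: List[Entry], port: int) -> bool:
    """True if UDP from a tenant VM (192.168.102.5, constructed) to 172.31.1.6:<port> is denied."""
    action, _ = evaluate(entries, "udp", "192.168.102.5", "172.31.1.6", port)
    return action == "deny"


if __name__ == "__main__":
    for name, acl in (("page order", PAGE_ORDER), ("deny first", DENY_FIRST)):
        action, rule = evaluate(acl, "udp", "192.168.102.5", "172.31.1.6", 61132)
        print(f"{name}: UDP to 172.31.1.6:61132 -> {action} by: {rule}")
```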
5.5. Configuring the Cloud Orchestrator and uChargeback Management VMs to Communicate with Tenant VLAN
Perform the following procedure to enable communication between a tenant VLAN and the Management Access Network and Intercom Network.
Note: Ensure that the XML files on the jump box management VM are up to date.
1. Open a console to the jump box management VM.
2. Enter the following command from the PowerShell command window:
.\Configure-Routes.ps1 -tenantName ""
3. Enter the credentials if prompted.
The script uses information in the cloud provider XML file and a tenant XML file (which were exported from the configuration workbook in 2.7 Completing and Exporting Tenant Worksheets) to configure static routes that allow communication to the new VLAN from the following:
• Cloud Orchestrator management VM
• uChargeback management VM
• Jump box management VM
• Stealth Licensing management VM (if Stealth for Secure Private Cloud is enabled)
5.6. Configuring the Tenant VLAN Network Appliance to be Monitored by the Nagios Collector
Note: Perform this procedure on each tenant VLAN network appliance for VLANs with tenant servers that will be monitored by the Nagios Collector software, if it is included in your environment.
1. Using a vSphere Client that is connected to the vCenter server, open the console to the tenant VLAN network appliance.
2. Log in using the vyatta user credentials, and enter the following command:
configure
3. Enter the following command to create a static DNS entry in the appliance, using values provided by your Unisys service consultant:
set system static-host-mapping host-name inet
This static DNS entry enables the Nagios agent to communicate with the Nagios Collector over the Intercom Network.
4. Enter the following commands:
commit
save
exit
5.7. Additional Nagios Collector Configuration Information
Consider the following additional configuration information for the Nagios Collector software as you add new components to your environment and perform ongoing operations:
• Configure the firewall on Windows virtual machines to enable monitoring for all profiles.
• It is recommended to use the value specified in to reference the collector when configuring the agent on the workload servers. This name was configured by your Unisys service consultant during the initial implementation.
• Nagios profiles are defined in the Nagios Collector, which is not part of the Secure Private Cloud product and must be implemented separately. Nagios profiles are created when the Nagios Collector is implemented.
When commissioning a resource, enter the name of an applicable Nagios profile as the Nagios Profile parameter of the blueprint used to commission the resource.
5.8. Configuring External Servers to Communicate with Tenant VLANs
Use the procedure in this section if the Secure Private Cloud environment is configured to use VLANs for tenant isolation and the external server requires communication with commissioned tenant resources on the tenant VLANs. You must add static route statements on the external server to properly route traffic to the tenant VLANs using the Management Network Appliance as the gateway.
Skip this section if the external server does not require communication with tenant resources.
Procedure for Windows External Servers
1. Start the Windows Command Prompt using the Run as administrator option.
2. Enter the following command to add static routes:
route -p add mask
where
is the management-side tenant VLAN subnet from Table 1–25.
is the VLAN netmask from Table 1–25.
is the Management Network Appliance IP address on the Intercom Network from Table 1–5.
3. Repeat this command for each tenant VLAN as required.
Example
route -p add 10.3.1.0 mask 255.255.255.0 172.31.1.200
CHECKPOINT:
Verify that the external server is able to communicate with a tenant resource on the tenant's VLAN, using the FQDN of the tenant resource. If the tenant VLAN is configured, use the management-side FQN of the tenant resource. For example,
ping tenant-0003.managed.spc.local
Section 6
Creating and Managing Tenant Configurations
This section describes how to create and manage tenant configurations using the Excel workbook, the Populator service, and the Secure Private Cloud portal. When you export data from the Excel workbook and run the appropriate Populator effector, the tenant, projects, and unrefined blueprints are created in the Secure Private Cloud portal and in RBADB, and departments for the tenant and projects are created in uChargeback. Perform the procedures in this section to add these components and refine blueprints so that they can be used by tenants.
When you onboard a new tenant, add new projects for an existing tenant, or create a new blueprint, you must perform the appropriate procedures as described in this section. If you are adding multiple tenants, repeat the procedures for the next tenant, using the XML data file for that tenant.
6.1. Updating Cloud Provider or Adding Tenant Information in the Secure Private Cloud Environment
Perform the following procedure to do the following in the Secure Private Cloud environment:
• Update cloud provider information
• Add new tenants
• Update existing tenants
When you perform this procedure for a tenant, you also automatically add or update all tenant projects and create new blueprints that can be refined.
Use the appropriate XML data file for the cloud provider or for the tenant you are adding or updating.
1. If you have not already done so, export the updated cloud provider or tenant data configuration XML file and save it to the jump box management VM.
Note: See 1.1 Completing Worksheets for Installation and Configuration for more information on exporting this file.
2. Open a console to the jump box management VM.
3. Enter the following command from the PowerShell command window:
.\Copy-Directory.ps1 -vmlist uco
This script copies the XML files from the jump box management VM to the Cloud Orchestrator management VM.
4. Open a console to the Cloud Orchestrator management VM.
5. Launch a Web browser, and access the uOrchestrate Operations Console using the URL in Table 2–2.
6. Log in to the Operations Console using the credentials in Table 2–1.
7. If you receive a message that the Operations Console has stopped polling, click OK.
8. In the Service Organization pane on the left, click the Populator service (refer to Figure 6–1).
Note: The position of the Populator service in the list can vary.
Figure 6–1. Operations Console Populator
9. Expand Effectors in the right pane to view the effectors.
10. Under All Effectors, click one of the following effectors:
• If you are adding a new tenant, click addTenant.
This effector adds one tenant, including projects and unrefined blueprints for that tenant. It requires an XMLFileName parameter to identify the XML data file for the tenant. Use the filename from step 1, including the extension.
If you are adding more than one tenant, you must complete this procedure for each tenant individually.
• If you are making modifications to an existing tenant, click updateTenant.
This effector updates one tenant, including projects and unrefined blueprints for that tenant. It requires an XMLFileName parameter to identify the XML data file for the tenant. Use the filename from step 1, including the extension.
• If you are updating the cloud properties, click updateCloudProperties.
This effector updates the cloud properties in RBADB.
Note: You do not need to enter a value for the XMLFileName parameter. The default value CloudProvider.xml is used.
11. Click Execute.
12. Check the result in the Result pane.
You should see the message "Completed" when the process is complete.
13. Expand Logs in the right pane to view the log messages.
Status and error messages from the Populator service are recorded both under Logs and in the following file:
\Unisys\SPC-Automation\logs\Configuration.log
Notes:
• In the Operations Console, you can either filter the messages by level or check the level of each message to determine if any errors are being reported.
• If you see an error that states the Cloud folder does not exist, then you logged into the Operations Console using the wrong credentials. You must use the credentials for the uOrchestrate Operations Console in Table 2–1.
14. If errors are reported, do the following:
a. Make the appropriate corrections in the cloud provider or tenant data worksheet and export the file.
b. Repeat this procedure.
Note: If you are updating a tenant, run the updateTenant effector (rather than the addTenant effector).
6.2. Configuring Stealth-Enabled VLANs
Perform the following procedure one time for each Stealth-enabled VLAN:
1. For the Stealth-enabled VLAN that you are configuring, verify that the information specified in Table 1–31 matches the vCenter configuration, as follows:
• Folder name – Verify that the folder name specified in Table 1–31 exists in vCenter (when viewed using the VMs and Templates view in the vSphere Client). If a folder with this name does not exist in vCenter, access the VMs and Templates view in the vSphere Client, and create the folder under the Datacenter specified in Table 1–11.
Note: The name of this folder must be unique within vCenter. The same folder can be shared by different tenants or by different Stealth-enabled VLANs, but the folder must have a unique name.
• Resource pool – Verify that the resource pool specified in Table 1–31 exists in vCenter in the appropriate workload server or cluster (the server or cluster where the infrastructure VMs should be created). If the resource pool does not exist, create it in the appropriate workload server or cluster.
• Datastore name – Verify that the datastore name value matches one of the storage names that is accessible by the workload servers or the cluster. If the datastore name is incorrect, make the appropriate correction.
Notes:
- If the value in the workbook is updated, re-export the tenant worksheet and copy it to the jump box management VM. See 1.1.6 Exporting the Data for more information.
- If the same storage is being used for commissioned virtual machines, the name of the storage should be compatible with the value defined in Table 1–13.
• Folder within the datastore – Verify that the folder name in the "Connection information for Workload vCenter" section of Table 1–9 exists in the datastore specified in the previous bullet. If this folder does not exist in that datastore, create the folder and upload the master.flp file to it.
2. Open a console to the jump box management VM.
3. Enter the following command from the PowerShell command window:
.\Generate-OnBoardingXML.ps1 -tenantName ""
Note: Quotation marks are required around the tenant name if the tenant name contains spaces.
This script produces one XML file for each Stealth-enabled VLAN for the specified tenant. The XML files are located in C:\ProgramData\Unisys\SPC-Automation\XML, and the file names have the following format: OnBoarding_.xml.
The command also generates a Job Groups XML file named "StealthOnBoardingJobs-restartable.xml" and several other supporting XML files. These files are located in the C:\Unisys\Stealth\_ folder, where is the name of the tenant being onboarded from Table 1–24 and the is the identifier for the Stealth-enabled tenant VLAN specified in Table 1–26.
4. Open a command prompt window, and type the following command:
cd C:\Unisys\Stealth
5. In the command prompt window, type the following command:
java -jar AutomationClient.jar C:\Unisys\Stealth\_\StealthOnBoardingJobs-restartable.xml
where the and are the folder names generated earlier in this procedure as a result of running the Generate-OnBoardingXML command.
The java -jar command starts the onboarding process for the specified Stealth-enabled VLAN. This process takes about one and a half hours to complete.
6. Verify that the following registry entries exist on the Stealth Proxy Server and Stealth Relay Server infrastructure VMs, as follows:
a. Open a console to the Stealth Proxy Server infrastructure VM.
The Stealth Proxy Server VM name, user name, and password are listed in Table 1–31.
b. On the Start menu, click Run, enter regedit in the Open box, and then click OK.
c. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\Software\SaberNet.
d. Verify that a REG_SZ registry entry named Syslog exists and contains the IP address of the Stealth Relay Server.
If this registry entry does not exist, do the following:
• Right-click SaberNet, point to New, and then click String Value.
• Name the value Syslog.
• Right-click Syslog, and click Modify.
• In the Edit String dialog box, in the Value Data box, enter the IP address of the Stealth Relay Server from Table 1–31.
• Click OK to close the Edit String dialog box.
e. Close the Registry Editor.
f. Close the console to the Stealth Proxy Server infrastructure VM.
g. Restart the Stealth Proxy Server infrastructure VM.
h. Open a console to the Stealth Relay Server infrastructure VM.
The Stealth Relay Server VM name, user name, and password are listed in Table 1–31.
i. On the Start menu, click Run, enter regedit in the Open box, and then click OK.
j. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\Software\SaberNet.
k. Verify that a REG_SZ registry entry named Syslog exists and contains the value of the Stealth Licensing management VM FQN from Table 1–32.
If this registry entry does not exist, do the following:
• Right-click SaberNet, point to New, and then click String Value.
• Name the value Syslog.
• Right-click Syslog, and click Modify.
• In the Edit String dialog box, in the Value Data box, enter the value of the Stealth Licensing management VM FQN from Table 1–32.
• Click OK to close the Edit String dialog box.
l. Close the Registry Editor.
m. Close the console to the Stealth Relay Server infrastructure VM.
n. Restart the Stealth Relay Server infrastructure VM.
7. Repeat the previous two steps for each Stealth-enabled VLAN XML for the tenant.
Note: If you experience any problems, see 12.14 Troubleshooting Configuring Stealth-Enabled VLANs.
CHECKPOINT:
1. Open a console to the Stealth Licensing management VM.
2. Verify the log information in Syslog.
6.3. Understanding Blueprints and General Blueprint Guidelines
A blueprint defines the resources that users can commission using the Secure Private Cloud portal. When users commission resources, they provide values for a set of parameters, based on constraints that the administrator or operator configures. Each blueprint is specific to a type of resource (virtual machine, physical server, or virtual desktop) and its associated attributes.
The types of resources that can be created and managed by users are determined by the blueprints that you create.
Understanding Base Blueprints, Unrefined Blueprints, and Refined Blueprints
Blueprints can be categorized as base blueprints, unrefined blueprints, and refined blueprints, as follows:
• Base blueprints are default blueprints that cannot be changed and cannot be used to commission resources. There is one base blueprint for each type of resource: virtual machine, physical server, and virtual desktop.
When you update the tenant worksheet with information about the blueprints that you want to create and then run the Populator addTenant or updateTenant effector, the base blueprints are automatically copied and saved with the name of your new blueprint. These copies are then edited to create more specific instances of a type of resource: this process is called blueprint refinement.
• Unrefined blueprints
When the Populator addTenant or updateTenant effector is run, unrefined blueprints are created using the blueprint name and description specified in the tenant worksheet. Unrefined blueprints must be refined before they can be used to successfully commission resources.
Note: When you run the updateTenant effector, any blueprints you already created and refined remain unchanged, and any new blueprints you added to the workbook are created in the Secure Private Cloud portal and in RBADB.
• Refined blueprints
Refined blueprints are blueprints that administrators or operators have refined. Users can use these blueprints to successfully commission resources.
When a user commissions a resource from a blueprint, the values saved in the refined blueprint and the values entered by the user are copied to the resource. A resource is always associated with the blueprint that was used to commission it, but if you later modify the blueprint values, those changed values are not copied to the resource.
You can refine all attributes associated with a blueprint, except the blueprint resource type (virtual machine, physical server, or virtual desktop).
The following guidelines apply to refining blueprints.
Blueprint Name
Blueprints should have unique and meaningful names to enable end users to easily recognize the type of platform they are creating when they select a blueprint. The recommended blueprint naming convention is to indicate certain key attributes about the environment, such as
• The operating system type and version
• The functionality of the resource (such as a Web server, database server, and so forth) or application stack included with the resource
• Whether the blueprint is for a virtual machine, physical server, or virtual desktop
For example, W2K3x64Exchange–VM indicates a Windows Server 2003 virtual machine that is used as an Exchange server. W2K3x86SQL2005–P indicates a Windows Server 2003 physical machine that is used as an SQL server. VOaaSGoldImageA-1024 indicates a virtual desktop using the gold image file named goldimageA.VHD with 1024 MB of memory.
Setting Constraints
As you configure blueprints, you can set constraints for each attribute. As the administrator, you configure how each attribute is displayed to the user, as follows:
• Configure user access and visibility to the attribute using one of the following values:
- Read-write – The user commissioning a resource can see the attribute and can select from a list of values or type a value.
- Read-only – The user commissioning a resource can see the attribute and the selected value, but cannot change the value. If you set an attribute to read-only, and if a value is required for the resource to be successfully commissioned, you must specify a default value.
For example, an OS Type is required for each resource, and so if you set the OS Type to read-only, you must specify an OS Type. In contrast, a Resource Pool Override attribute is not required, and so you can set this value to read-only and leave it blank. As you create blueprints, you are given specific guidelines as to which blueprint attributes are required and which attributes should be set to read-only.
- Hidden – The user cannot see (or change) the attribute or the value you selected. If you set an attribute to hidden, and if a value is required for the resource to be successfully commissioned, you must specify a default value.
For example, an OS Type is required for each resource, and so if you set the OS Type to hidden, you must specify an OS Type. In contrast, a Resource Pool Override attribute is not required, and so you can set this value to hidden and leave it blank. As you create blueprints, you are given specific guidelines as to which blueprint attributes are required and which attributes should be set to hidden.
For some attributes, you can select the access type you want to use, but for some other attributes, you are directed to set the access to read-only or hidden.
• Fix the value of an attribute.
To fix the value of an attribute, set the default value that you want to use, and then set the access to read-only or hidden so that the user cannot change it.
• Provide a default value.
If the attribute access is set to read-write, the default value for a blueprint property is the value that is suggested to the commissioning user. However, the user can change the value. (If the attribute access is set to read-only or hidden, the default value is the value used for the commissioned resource and the user cannot change it.)
If you do not want to suggest a default value (if the user must pick a value based on a specific situation), you do not have to specify a default unless you are specifically instructed to do so. However, if the value is required, the user must specify a value in order to successfully commission a resource.
Example
For example, an OS Type for each resource is required, and so if you set that value to read-write and do not provide a default, the user must specify an OS Type. In contrast, Operator Action Instructions (additional actions that users request for their resources) is not required, and so you can set this value to read-write and not specify a default, and the user can leave it blank. As users commission blueprints, they are given directions on which values are required.
• Provide a list of values (known as a "One Of" list) from which the user can select a value for an attribute.
When you provide a One Of list, you set the access to read-write so that the user can select from the list of values. You can also set a default value to be initially suggested. You select the Refined check box to create a list.
• Specify further constraints that limit a user's data entry.
If you want the user to enter values that meet certain criteria, you can select One Of or Regular Expression under Further Constraints. For example, if the name the user enters for a virtual machine must begin with "VM", you can select the Regular Expression option and then enter "VM.*" in the Regular Expression box.
Note: If you are setting access to an attribute as read-only or hidden, do not configure any Further Constraints. The user cannot enter any values for the attribute, and the Further Constraints are therefore meaningless.
For example, if the resource type is a virtual machine and you want users to be able to commission a Windows Server 2008 with a fixed number of CPUs and a variable amount of memory, you could refine the blueprint parameters as follows:
• CPU: In the Default list, select 1. Set the Access to read-only.
The user sees the value CPU: 1 but cannot change it.
• Memory: From the One Of list, select only the 2048 and 4096 check boxes (because Windows Server 2008 requires at least 2 GB of memory). Set the Default to 2048 to suggest that the user use less memory. Set the Access to read-write.
The user sees a list with the choices 2048 and 4096. The value 2048 is selected, but the user can change the value to 4096.
• Template: In the Default list, select the template for Windows Server 2008. Set the Access to hidden.
The user does not see the template.
• OS Type: In the Default list, select Windows Server 2008. Set the Access to read-only.
The user sees the OS Type: Windows Server 2008 but cannot change it.
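The refinement rules above (access modes, required values and defaults, One Of lists, Regular Expression constraints) as an added, executable model; this is example code written for this page, not part of the Secure Private Cloud portal. The Windows Server 2008 refinement is encoded exactly as worked through above; the Name attribute carrying the page's "VM.*" pattern, the template name, and matching the pattern against the whole value are assumptions.

```python
"""Model of the blueprint refinement rules described above (added example).

Each attribute carries an access mode (read-write, read-only, hidden), an
optional default, an optional One Of list and an optional Regular Expression
constraint. validate_blueprint() checks the refinement itself; commission()
merges the refined defaults with the values a user enters and enforces the
rules the text states.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Attribute:
    name: str
    access: str                      # 'read-write' | 'read-only' | 'hidden'
    required: bool = False
    default: Optional[str] = None
    one_of: List[str] = field(default_factory=list)
    regex: Optional[str] = None      # Further Constraints: Regular Expression


def validate_blueprint(attrs: List[Attribute]) -> List[str]:
    """Refinement problems: a required read-only/hidden attribute needs a default,
    Further Constraints are meaningless on non-editable attributes, and a default
    must belong to its own One Of list."""
    problems = []
    for a in attrs:
        if a.access != "read-write":
            if a.required and a.default is None:
                problems.append(f"{a.name}: required but {a.access} with no default")
            if a.one_of or a.regex:
                problems.append(f"{a.name}: Further Constraints set on {a.access} attribute")
        if a.one_of and a.default is not None and a.default not in a.one_of:
            problems.append(f"{a.name}: default {a.default!r} is not in its One Of list")
    return problems


def user_view(attrs: List[Attribute]) -> Dict[str, Tuple[Optional[str], bool]]:
    """What the commissioning user sees: hidden attributes are absent; each visible
    attribute maps to (shown value, editable?)."""
    return {a.name: (a.default, a.access == "read-write")
            for a in attrs if a.access != "hidden"}


def commission(attrs: List[Attribute], user_values: Dict[str, str]) -> Dict[str, str]:
    """Merge refined defaults with user entries and return the resource values,
    or raise ValueError naming the first violated constraint."""
    resource = {}
    for a in attrs:
        if a.access == "read-write":
            value = user_values.get(a.name, a.default)
            if value is None:
                if a.required:
                    raise ValueError(f"{a.name} is required; no default was suggested")
                continue
            if a.one_of and value not in a.one_of:
                raise ValueError(f"{a.name}={value!r} is not one of {a.one_of}")
            if a.regex and re.fullmatch(a.regex, value) is None:
                raise ValueError(f"{a.name}={value!r} does not match {a.regex!r}")
        else:
            # Read-only and hidden values come from the blueprint only; an attempt
            # to change them is rejected rather than silently ignored.
            if a.name in user_values and user_values[a.name] != a.default:
                raise ValueError(f"{a.name} is {a.access}; cannot be changed by the user")
            value = a.default
            if value is None:
                continue
        resource[a.name] = value
    return resource


def rejects(attrs: List[Attribute], user_values: Dict[str, str]) -> Optional[str]:
    """Return the constraint message commission() raises, or None if accepted."""
    try:
        commission(attrs, user_values)
    except ValueError as exc:
        return str(exc)
    return None


# The Windows Server 2008 refinement worked through above; the Name attribute
# and the template name are constructed for this example.
WIN2008_VM = [
    Attribute("CPU", "read-only", required=True, default="1"),
    Attribute("Memory", "read-write", required=True, default="2048", one_of=["2048", "4096"]),
    Attribute("Template", "hidden", required=True, default="W2K8-Template"),
    Attribute("OS Type", "read-only", required=True, default="Windows Server 2008"),
    Attribute("Name", "read-write", required=True, regex="VM.*"),
]

if __name__ == "__main__":
    print(validate_blueprint(WIN2008_VM))
    print(commission(WIN2008_VM, {"Name": "VM-web01", "Memory": "4096"}))
```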
6.4. Creating Blueprints<br />
Creating <strong>and</strong> Managing Tenant Configurations<br />
Do the following to create a new virtual machine or virtual desktop blueprint.<br />
Note: Only Unisys service consultants can refine new physical server blueprints using<br />
3850 6804–007 6–9
Creating <strong>and</strong> Managing Tenant Configurations<br />
the procedures in the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> Implementation <strong>Guide</strong> (3850 6846).<br />
1. Meet the prerequisites for the type of the blueprint you are creating, as follows:<br />
• For new virtual machines blueprints, you must have created VMware vCenter<br />
Server templates for virtual machine commissioning, as described in<br />
Section 4, Creating VMware Template Gold Images).<br />
• For virtual desktops, configure the Virtual Office as a Service solution, as<br />
described in the <strong>Secure</strong> Virtual Office as a Service Implementation <strong>and</strong> Best<br />
Practices <strong>Guide</strong>.<br />
2. Create unrefined blueprints and add them to the Secure Private Cloud portal as follows:<br />
Note: If you are onboarding a new tenant, you should have already entered the blueprint names in the worksheet, exported the worksheet, and run the Populator addTenant effector as part of the onboarding process. If you did so, you have already created unrefined blueprints, and you can skip to the next step.<br />
a. Access the tenant worksheet and enter information for blueprints. The worksheet for each tenant includes data in Table 1–24 through Table 1–42. When the procedures in this section refer to any of these tables, be sure to use the data from the correct worksheet for the tenant.<br />
b. Export the worksheet as described in 1.1.6 Exporting the Data.<br />
c. Run the appropriate Populator effector as described in 6.1 Updating Cloud Provider or Adding Tenant Information in the Secure Private Cloud Environment. The Populator effectors create the unrefined blueprints in the Secure Private Cloud portal and in RBADB.<br />
3. From a workstation on the Public Network, sign in to the Secure Private Cloud portal using the URL in Table 2–2 and your cloud administrator credentials.<br />
4. Click Administration, and then click Manage Blueprints.<br />
5. Under Manage Blueprints, select the project associated with the blueprint you want to refine.<br />
The Blueprint pane is updated to list all blueprints associated with the project.<br />
6. Under Blueprints, select the blueprint you want to refine, and then click Edit Blueprint.<br />
The blueprint name and description appear in the blueprint by default, based on the values you entered in the tenant worksheet. You must refine all other values to match the values you entered in the tenant worksheet.<br />
7. Enter the values for each blueprint attribute based on the resource type and using the values in the tenant worksheets, as follows:<br />
• For virtual machines, the tenant worksheet is Table 1–35. See 6.5 Virtual Machine Attributes and Values for detailed information on each attribute and value.<br />
• For virtual desktops, the tenant worksheet is Table 1–39. See 6.6 Virtual Desktop Attributes and Values for detailed information on each attribute and value.<br />
Note: If you are creating a virtual machine blueprint, you see the Performance Monitoring category with the Nagios Profile and Migrate VM attributes. These attributes are intended for Unisys service consultants who are configuring custom Nagios monitoring or migrating virtual machines from earlier versions of the Secure Private Cloud, respectively. Customer administrators and operators should set the access for these attributes to Hidden and make no other changes to the values.<br />
8. Enter values for each group of attributes, and then click Next.<br />
9. After you enter values for all attributes, click Apply.<br />
6.5. Virtual Machine Attributes and Values<br />
This topic describes the details of all available virtual machine attributes and values.<br />
6.5.1. Virtual Machine General Configuration<br />
Table 6–1. Virtual Machine Basic Attributes and Values<br />
Blueprint Name<br />
The name of the blueprint, which is displayed to administrators, operators, and users. You enter this value in the tenant worksheet, and when you run the Populator addTenant or updateTenant effector, this name is used in the Secure Private Cloud portal.<br />
Notes:<br />
• If you update this value in the Secure Private Cloud portal, you must also update it in the tenant worksheet.<br />
• Blueprint names must follow the guidelines in 2.8.4 Naming Guidelines for Components in the Cloud Environment.<br />
Blueprint Description<br />
A description of the blueprint, which is displayed only to administrators and operators.<br />
Table 6–2. Virtual Machine General Configuration Attributes and Values<br />
Name<br />
Descriptive name for the resource being commissioned (not the blueprint name).<br />
• Default: Leave this box blank so that the user can enter a name for the commissioned resource.<br />
• Access: Select Read-Write.<br />
Note: This user-configured value is used only for display and tracking purposes. It is not related to the virtual machine host name.<br />
Table 6–2. Virtual Machine General Configuration Attributes and Values (cont.)<br />
CPUs<br />
Number of CPUs.<br />
• One Of: Select the CPU values that you want the user to be able to select from. You can select one or more values.<br />
• Default: If you want the user to select from a list of CPU counts, you can set a default or select none. If you want to force the user to use a specific number of CPUs, select that value in the Default list.<br />
Note: The Default value must be one of the values selected in the One Of box.<br />
• Access: If you want the user to select the number of CPUs, select Read-Write. If you want to force the user to use a specific number of CPUs, select Read-Only or Hidden.<br />
Memory<br />
Memory size in megabytes (MB).<br />
Note: All memory must be entered in multiples of 512 MB.<br />
• Default: If you want to force the user to use a specific amount of memory, enter it in this box. Or, if you want the user to select from a range or list of memory sizes, you can set a default value in this box. If you do not want to set a specific amount of memory or a default amount of memory, leave this box blank.<br />
• Further Constraints:<br />
- None: If you want to force the user to use a specific amount of memory, enter that amount in the Default box, and then set the Further Constraints to None.<br />
- One Of: If you want the user to select from a list of specific values, set the Further Constraints to One Of, and then enter the values in the One Of box. Separate the values you enter with commas. If you enter a value in the Default box, you must also enter that same value in the One Of box.<br />
- Range: If you want the user to select from a range of values (using a slider bar), set the Further Constraints to Range, and then enter the minimum and maximum values and the increment for the slider bar. The Minimum and Maximum values must be multiples of 512 MB. The Increment value must equal 512 MB.<br />
• Access: If you want the user to select the amount of memory, select Read-Write. If you want to force the user to use a specific amount of memory, select Read-Only or Hidden.<br />
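The CPUs and Memory rules above are easy to get wrong when a blueprint is refined by hand (a Default that is not in the One Of list, a memory value that is not a multiple of 512 MB, a Range with the wrong Increment). The following Python checker is an added example, not code from the Secure Private Cloud product or this guide; it encodes those rules over a simple dictionary representation of the attributes (keys such as one_of, default, further_constraints, minimum, maximum, increment and access are an assumed representation of the portal fields, not the product's data model).<br />

```python
"""Consistency checks for the CPUs and Memory attributes of a virtual machine
blueprint, following the constraints stated in Table 6-2.

Added example, not code from the Secure Private Cloud product or this guide.
The dictionary keys (one_of, default, further_constraints, minimum, maximum,
increment, access) are an assumed representation of the portal fields.
"""

MEMORY_STEP_MB = 512  # every memory value must be a multiple of 512 MB
ACCESS_LEVELS = ("Read-Write", "Read-Only", "Hidden")


def _is_memory_step(value):
    """True when value is a positive whole multiple of 512 MB."""
    return isinstance(value, int) and value > 0 and value % MEMORY_STEP_MB == 0


def check_cpu_attribute(attr):
    """Return a list of problems for a CPUs attribute; an empty list means OK."""
    problems = []
    one_of = attr.get("one_of", [])
    default = attr.get("default")
    access = attr.get("access")
    if not one_of:
        problems.append("CPUs: One Of must contain at least one value")
    # The Default must be one of the values selected in the One Of box.
    if default is not None and default not in one_of:
        problems.append(f"CPUs: Default {default} is not in One Of {one_of}")
    if access not in ACCESS_LEVELS:
        problems.append(f"CPUs: unknown Access {access!r}")
    # Read-Only or Hidden fixes the value for the user, so a Default is then required.
    if access in ("Read-Only", "Hidden") and default is None:
        problems.append("CPUs: Read-Only or Hidden access requires a Default value")
    return problems


def check_memory_attribute(attr):
    """Return a list of problems for a Memory attribute; an empty list means OK."""
    problems = []
    default = attr.get("default")
    constraint = attr.get("further_constraints", "None")
    access = attr.get("access")

    if default is not None and not _is_memory_step(default):
        problems.append(f"Memory: Default {default} MB is not a multiple of {MEMORY_STEP_MB} MB")
    if access not in ACCESS_LEVELS:
        problems.append(f"Memory: unknown Access {access!r}")

    if constraint == "None":
        # None means "force one specific amount": needs a Default and a non-editable field.
        if default is None:
            problems.append("Memory: Further Constraints None requires a Default value")
        if access == "Read-Write":
            problems.append("Memory: Read-Write with no constraint lets the user enter any value")
    elif constraint == "One Of":
        one_of = attr.get("one_of", [])
        bad = [v for v in one_of if not _is_memory_step(v)]
        if bad:
            problems.append(f"Memory: One Of values {bad} are not multiples of {MEMORY_STEP_MB} MB")
        # A Default must also be listed in the One Of box.
        if default is not None and default not in one_of:
            problems.append(f"Memory: Default {default} MB must also appear in One Of")
    elif constraint == "Range":
        lo, hi, step = attr.get("minimum"), attr.get("maximum"), attr.get("increment")
        bounds_ok = _is_memory_step(lo) and _is_memory_step(hi) and lo < hi
        if not bounds_ok:
            problems.append("Memory: Minimum and Maximum must be multiples of 512 MB with Minimum < Maximum")
        if step != MEMORY_STEP_MB:
            problems.append(f"Memory: Increment must equal {MEMORY_STEP_MB} MB")
        if default is not None and bounds_ok and not (lo <= default <= hi):
            problems.append(f"Memory: Default {default} MB lies outside the Range")
    else:
        problems.append(f"Memory: unknown Further Constraints {constraint!r}")
    return problems


def check_vm_sizing(blueprint):
    """Run both checks over a blueprint dict with 'cpus' and 'memory' entries."""
    return check_cpu_attribute(blueprint["cpus"]) + check_memory_attribute(blueprint["memory"])


if __name__ == "__main__":
    # Constructed sample blueprint: a Default that is not in One Of, an odd memory
    # size, and a slider with the wrong Increment.
    sample = {
        "cpus": {"one_of": [1, 2, 4], "default": 8, "access": "Hidden"},
        "memory": {"default": 1000, "further_constraints": "Range",
                   "minimum": 1024, "maximum": 4096, "increment": 1024,
                   "access": "Read-Write"},
    }
    for problem in check_vm_sizing(sample):
        print(problem)
```

Run it before clicking Apply on a refined blueprint; an empty result means the sizing attributes are consistent with the rules in this table.<br />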
Table 6–2. Virtual Machine General Configuration Attributes and Values (cont.)<br />
Template<br />
Template to be used by the VMware clone and customization process.<br />
Note: The Template value must match the OS Type value. Therefore, if you want to provide a list of templates for the user to choose from, it is highly recommended that they all have the same operating system.<br />
• Refined: If you select this check box, the One Of list appears, and you can create a list of templates from which the end user can select.<br />
• Default: If you want the user to select from a list of templates, you can set a default or select none. If you want to force the user to use a specific template, select it in the Default list.<br />
• Access: If you want the user to select from a list of templates, select Read-Write. If you want to force the user to use a specific template, select Read-Only or Hidden.<br />
OS Type<br />
Operating system installed in the target template.<br />
Notes:<br />
• The OS Type must match the operating system installed in the template. Therefore, you should only configure a list of operating systems if you provide a list of templates. It is highly recommended that you select one operating system and set the value to Read-Only or Hidden.<br />
• If you are a Unisys service consultant migrating a blueprint from a previous version of the Secure Private Cloud, select the operating system type that is closest to the one previously used for the blueprint. (Do not use Other for a Windows Server 2008 blueprint type, as you did in previous releases.)<br />
• Refined: If you select this check box, the One Of list appears, and you can create a list of operating systems from which the end user can select.<br />
• Default: If you want the user to select from a list of operating systems, you can set a default or select none. If you want to force the user to use a specific operating system, select it in the Default list.<br />
• Access: If you want the user to select from a list of operating systems, select Read-Write. If you want to force the user to use a specific operating system, select Read-Only or Hidden.<br />
6.5.2. Virtual Machine Resource Balancer<br />
Table 6–3. Virtual Machine Resource Balancer Attributes and Values<br />
Resource Pool Override<br />
A regular expression that limits the resource pools that are considered to host the commissioned virtual machine. This value overrides the standard system-wide resource pool filter.<br />
If you want to override the standard system-wide resource pool filter and manually limit the resource pools that are used to host commissioned virtual machines, enter the following values. Otherwise, skip this attribute.<br />
• Default: Enter an expression that you want to use to limit the resource pools used for the commissioned virtual machines and that matches resource pools in your environment. For example, if you want to limit the resource pools to pools that begin with the word “Windows,” enter “Windows.*” in this box.<br />
• Access: Set this value to Read-Only or Hidden.<br />
Note: Do not set any Further Constraints. This value should be read-only or hidden from the user, and so further constraints are meaningless.<br />
Datastore Override<br />
A regular expression that limits the datastores that are considered to host the commissioned virtual machine. This value overrides the standard system-wide datastore filter.<br />
If you want to override the standard system-wide datastore filter and manually limit the datastores that are used to host commissioned virtual machines, enter the following values. Otherwise, skip this attribute.<br />
• Default: Enter an expression that you want to use to limit the datastores used for the commissioned virtual machines and that matches the datastores in your environment. For example, if you want to limit the datastores to datastores that begin with the word “Windows,” enter “Windows.*” in this box.<br />
• Access: Set this value to Read-Only or Hidden.<br />
Note: Do not set any Further Constraints. This value should be read-only or hidden from the user, and so further constraints are meaningless.<br />
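An override expression that is too narrow leaves the tenant's commissions with no candidate pool or datastore, and one that is too broad (for example, a leading ".*") can select pools that belong to other tenants. The following Python preview is an added example, not code from the Secure Private Cloud product; it runs a candidate expression against a constructed inventory of pool names and reports the operational mistakes that matter. It assumes the product evaluates the override as a regular expression anchored at the start of the name, which is consistent with the “Windows.*” example above; confirm the exact matching semantics in your environment before relying on the preview.<br />

```python
"""Preview what a Resource Pool Override or Datastore Override expression
would select before it is written into a blueprint (Table 6-3).

Added example, not code from the Secure Private Cloud product. It assumes the
override is evaluated as a regular expression anchored at the start of the
name; confirm the real matching semantics in your environment.
"""
import re

# Constructed sample inventory of resource pool names; not from a real environment.
SAMPLE_RESOURCE_POOLS = [
    "Windows-Prod",
    "Windows-Dev",
    "Linux-Prod",
    "TenantB-Windows",
    "windows-legacy",
]


def apply_override(pattern, names):
    """Return the names the override pattern selects (regex anchored at the start)."""
    rx = re.compile(pattern)
    return [name for name in names if rx.match(name)]


def review_override(pattern, names):
    """Return (selected, warnings) so an administrator can sanity-check a pattern.

    Warnings cover the mistakes that matter operationally: a pattern that does
    not compile, one that selects nothing (no candidate hosts for the tenant's
    virtual machines), one that selects everything (the override limits nothing),
    and a leading '.*' that defeats the start anchor.
    """
    try:
        selected = apply_override(pattern, names)
    except re.error as exc:
        return [], [f"pattern {pattern!r} is not a valid regular expression: {exc}"]

    warnings = []
    if not selected:
        warnings.append(f"pattern {pattern!r} matches none of {len(names)} names")
    elif len(selected) == len(names):
        warnings.append(f"pattern {pattern!r} matches every name; it does not limit anything")
    if pattern.startswith(".*"):
        warnings.append("leading '.*' matches any name that merely contains the rest of the pattern")
    return selected, warnings


if __name__ == "__main__":
    for candidate in ("Windows.*", ".*Windows.*", "Solaris.*", "Windows["):
        selected, warnings = review_override(candidate, SAMPLE_RESOURCE_POOLS)
        print(candidate, "->", selected, warnings)
```

Note that the match is case-sensitive: "Windows.*" does not select "windows-legacy" in the sample inventory, which is the behaviour you want when pool names are used to separate tenants.<br />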
6.5.3. Virtual Machine Operating System Customization<br />
Table 6–4. Virtual Machine Operating System Customization Attribute and Values<br />
Customize OS<br />
Enables customization of the virtual machine operating system.<br />
• Default: Select True.<br />
• Access: Select Hidden.<br />
Note: You must select these values. If you change the Default value to None or False, or if you allow the user to change it, none of the custom values you enter are configured in the virtual machine operating system.<br />
Table 6–5. Virtual Machine Operating System Attributes and Values<br />
Machine Name Source<br />
Algorithm used to assign a name to a commissioned resource.<br />
• Refined: Do not select this check box.<br />
• Default: Select one of the following machine name sources:<br />
- Generated: The system assigns a name based on the HostNamePrefix property set during initial implementation in the VMware Sysprep Configuration.<br />
- UserAssigned: The user assigns the host name. The host name must be between one and 15 characters; must include only letters, numbers, and hyphens; must begin and end with a letter or number; and must not consist entirely of numbers.<br />
- UseDefault: The system assigns a value for Machine Name Source based on the UserProvidedMachineName property set during initial implementation in the VMware Sysprep Configuration. If the UserProvidedMachineName property is True, then the UserAssigned Machine Name Source is used. If the UserProvidedMachineName property is False, then the Generated Machine Name Source is used.<br />
- MCP: If you are configuring a blueprint for an MCP server, select this value.<br />
• Access: Set this value to Read-Only or Hidden.<br />
Table 6–5. Virtual Machine Operating System Attributes and Values (cont.)<br />
Host Name<br />
Input into the generation of the virtual machine operating system host name.<br />
This value enables the user to enter a unique host name, if either of the following is configured:<br />
• The Machine Name Source value is UserAssigned.<br />
• The Machine Name Source value is UseDefault, and UserProvidedMachineName is set to True during initial implementation in the VMware Sysprep Configuration.<br />
If the Machine Name Source value is Generated or MCP, this value is ignored.<br />
• Default: Leave this box blank.<br />
• Access: If the user should enter a host name, set this value to Read-Write. If the user does not enter a host name, set this value to Hidden.<br />
Windows License Key<br />
The license key for a Windows operating system.<br />
• Default:<br />
- For non-Windows operating systems, leave this box blank.<br />
- For Windows operating systems, type the Windows operating system product key.<br />
• Access: Set the value to Hidden.<br />
Random Password<br />
Determines if a random administrative password is assigned for additional security.<br />
• One Of: Select one or more of the following values:<br />
- Yes: A randomly generated Administrator (for Windows) or root (for Linux) password will be assigned to the newly commissioned virtual machine.<br />
- No: A predefined password is assigned, based on the SysPrepVMAdminPwd property set during initial implementation in the VMware Sysprep Configuration table.<br />
- UseDefault: The system assigns a value for Random Password based on the SysPrepRandomAdminPwd property set during the initial implementation in the VMware Sysprep Configuration table. If the SysPrepRandomAdminPwd property is True, then a random password is assigned (same as value Yes). If the SysPrepRandomAdminPwd property is False, then a predefined password is assigned, based on the SysPrepVMAdminPwd property set during initial implementation in the VMware Sysprep Configuration table (same as value No).<br />
• Default: If you want the user to choose whether to implement a random administrator password, you can set a default or select none. If you want to force the user to use a particular option, select it in the Default list.<br />
• Access: If you want the user to be able to configure this attribute, set this value to Read-Write. If not, set this value to Read-Only or Hidden.<br />
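The Host Name attribute is only meaningful when the effective Machine Name Source is UserAssigned, and UseDefault resolves through a Sysprep property that is not visible in the blueprint itself. The following Python helpers are an added example, not code from the Secure Private Cloud product; they resolve the effective source, check that the Host Name Access matches it, and validate a user-entered host name against the UserAssigned rules listed under Machine Name Source. The UserProvidedMachineName property is passed in as a plain boolean; reading it from the VMware Sysprep Configuration is outside the example.<br />

```python
"""Host name rules for the UserAssigned Machine Name Source (Table 6-5) and
resolution of UseDefault through the UserProvidedMachineName Sysprep property.

Added example, not code from the Secure Private Cloud product. The Sysprep
property is supplied as a boolean argument (an assumption of this example).
"""
import re

# 1 to 15 characters, letters, digits and hyphens only, starting and ending
# with a letter or digit. The "not entirely numeric" rule is checked separately.
_HOSTNAME_SHAPE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,13}[A-Za-z0-9])?$")


def is_valid_user_hostname(name):
    """Apply the UserAssigned host name rules from the Machine Name Source attribute."""
    if not isinstance(name, str) or not _HOSTNAME_SHAPE.match(name):
        return False
    return not name.isdigit()  # must not consist entirely of numbers


def effective_machine_name_source(blueprint_value, user_provided_machine_name):
    """Resolve UseDefault to UserAssigned or Generated via the Sysprep property."""
    if blueprint_value == "UseDefault":
        return "UserAssigned" if user_provided_machine_name else "Generated"
    if blueprint_value in ("Generated", "UserAssigned", "MCP"):
        return blueprint_value
    raise ValueError(f"unknown Machine Name Source {blueprint_value!r}")


def check_host_name_attribute(machine_name_source, user_provided_machine_name,
                              host_name_access, host_name_value=None):
    """Return (effective_source, problems) for the Host Name attribute.

    Access must be Read-Write when the user supplies the name and Hidden when
    the value is ignored (Generated or MCP), as the table above specifies.
    """
    source = effective_machine_name_source(machine_name_source, user_provided_machine_name)
    problems = []
    if source == "UserAssigned":
        if host_name_access != "Read-Write":
            problems.append("Host Name: the user enters the host name, so Access must be Read-Write")
        if host_name_value is not None and not is_valid_user_hostname(host_name_value):
            problems.append(f"Host Name: {host_name_value!r} violates the UserAssigned naming rules")
    else:
        # Generated and MCP ignore the Host Name value, so it should not be shown.
        if host_name_access != "Hidden":
            problems.append(f"Host Name: ignored for {source}, so Access should be Hidden")
    return source, problems


if __name__ == "__main__":
    # Constructed sample: UseDefault with UserProvidedMachineName=True, and a
    # user-supplied name that is all digits.
    print(check_host_name_attribute("UseDefault", True, "Read-Write", "12345"))
```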
Table 6–5. Virtual Machine Operating System Attributes and Values (cont.)<br />
Auto Logon Count<br />
For Windows operating systems, defines how many times the operating system performs an automatic log on during or after Sysprep.<br />
Note: For non-Windows operating systems, skip this attribute.<br />
• Default: Enter 1.<br />
• Access: Set this value to Read-Only or Hidden.<br />
Run Once Command<br />
Defines a “run once command” for Windows virtual machine operating systems; this command is executed during Sysprep processing.<br />
Note: For non-Windows operating systems, skip this attribute.<br />
• Default: Depending on the Windows operating system, enter one of the following values:<br />
- For Windows Server 2003 or Windows XP, enter<br />
C:\dns-setup.vbs<br />
- For Windows Vista and Windows 7 operating systems, enter<br />
shutdown /r /f /t 0<br />
The shutdown command causes the virtual machine operating system to be restarted, so it is logged out after Sysprep is complete.<br />
- For Windows Server 2008 environments with the optional Key Management Service (KMS) server, enter<br />
C:\activate.vbs<br />
The script specifies the name of the KMS host to contact and activates Windows.<br />
• Access: Set this value to Read-Only or Hidden.<br />
Table 6–6. Virtual Machine Network Configuration Attributes and Values<br />
DHCP<br />
If this setting is true, the virtual machine is configured to use DHCP for all network adapters. If this setting is false, the first network adapter is configured with the fixed address information specified in the commission request and any other network adapters are configured for DHCP.<br />
• Default:<br />
- Select None if you do not want to set a default.<br />
- Select True if you want the virtual machine to use DHCP by default.<br />
- Select False if you want the virtual machine to set a static IP address by default.<br />
• Access: Set this value to Read-Write if you want to allow the user to select the address type, or set this value to Read-Only or Hidden if you want the virtual machine to use a specific address type.<br />
Note: If you set the Default to None, you must set the Access to Read-Write.<br />
IPv4 Address<br />
If DHCP is False, this is the fixed IP address to use for the first network adapter in the virtual machine. This setting should be left blank if using DHCP.<br />
• Default: Leave this box blank.<br />
• Access:<br />
- Set this value to Read-Write if DHCP is False or if you allowed the user to specify the DHCP setting.<br />
- Set this value to Read-Only or Hidden if DHCP is True.<br />
Subnet Mask<br />
If DHCP is False, this is the subnet mask to use for the fixed IP address.<br />
• Default: Leave this box blank.<br />
• Access:<br />
- Set this value to Read-Write if DHCP is False or if you allowed the user to specify the DHCP setting.<br />
- Set this value to Read-Only or Hidden if DHCP is True.<br />
Gateway<br />
If DHCP is False, this is the default gateway to use for the fixed IP address.<br />
• Default: Leave this box blank.<br />
• Access:<br />
- Set this value to Read-Write if DHCP is False or if you allowed the user to specify the DHCP setting.<br />
- Set this value to Read-Only or Hidden if DHCP is True.<br />
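The four network attributes above form one dependent group: the Access of IPv4 Address, Subnet Mask and Gateway must follow the DHCP Default and Access, and a DHCP Default of None forces Read-Write. The following Python checks are an added example, not code from the Secure Private Cloud product; they encode that dependency and, separately, validate a static address triple the way a commission request would need it checked (mask is a real netmask, gateway lies in the subnet, the address is not the network or broadcast address). Attribute values are passed as plain Python values, which is an assumed representation; the field names follow the table.<br />

```python
"""Consistency checks for the DHCP, IPv4 Address, Subnet Mask and Gateway
attributes of Table 6-6, plus validation of a static address triple.

Added example, not code from the Secure Private Cloud product. The DHCP
Default is represented as True, False or None and Access as a string; this
data shape is an assumption of the example.
"""
import ipaddress

ADDRESS_FIELDS = ("IPv4 Address", "Subnet Mask", "Gateway")
ACCESS_LEVELS = ("Read-Write", "Read-Only", "Hidden")


def check_dhcp_attribute(dhcp_default, dhcp_access):
    """Rules for the DHCP attribute itself."""
    problems = []
    if dhcp_default not in (None, True, False):
        problems.append(f"DHCP: Default must be None, True or False, not {dhcp_default!r}")
    if dhcp_access not in ACCESS_LEVELS:
        problems.append(f"DHCP: unknown Access {dhcp_access!r}")
    # With no Default the user has to choose, so Access must be Read-Write.
    if dhcp_default is None and dhcp_access != "Read-Write":
        problems.append("DHCP: Default None requires Access Read-Write")
    return problems


def allowed_address_field_access(dhcp_default, dhcp_access):
    """Access values the address fields may carry for a given DHCP setting."""
    if dhcp_default is False or dhcp_access == "Read-Write":
        return {"Read-Write"}          # static by default, or the user may choose static
    return {"Read-Only", "Hidden"}     # DHCP is fixed to True, so the fields are unused


def check_address_fields(dhcp_default, dhcp_access, field_access):
    """Check each address field's Access against the DHCP setting.

    field_access maps each name in ADDRESS_FIELDS to its Access value.
    """
    allowed = allowed_address_field_access(dhcp_default, dhcp_access)
    problems = []
    for field in ADDRESS_FIELDS:
        access = field_access.get(field)
        if access not in allowed:
            problems.append(f"{field}: Access {access!r} should be one of {sorted(allowed)}")
    return problems


def check_static_address(ip, mask, gateway):
    """Validate a static IPv4 address, mask and gateway as entered in a commission request."""
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    except ValueError as exc:
        return [f"invalid address or subnet mask: {exc}"]
    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        return [f"invalid gateway: {exc}"]
    network = iface.network
    problems = []
    if iface.ip in (network.network_address, network.broadcast_address):
        problems.append("IP address is the network or broadcast address")
    if gw not in network:
        problems.append("gateway is outside the subnet")
    elif gw == iface.ip:
        problems.append("gateway equals the host address")
    return problems


if __name__ == "__main__":
    # Constructed sample: DHCP fixed to True but the IPv4 Address field left editable,
    # and a static request whose gateway is in a different subnet.
    print(check_dhcp_attribute(True, "Hidden"))
    print(check_address_fields(True, "Hidden", {"IPv4 Address": "Read-Write",
                                                "Subnet Mask": "Hidden",
                                                "Gateway": "Hidden"}))
    print(check_static_address("10.20.30.40", "255.255.255.0", "10.20.31.1"))
```

The sample addresses are constructed for the example; substitute the tenant's own values from the worksheet when checking a real blueprint.<br />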
Table 6–6. Virtual Machine Network Configuration Attributes and Values (cont.)<br />
Port Group Network Name<br />
This setting is used for VLANs. The Port Group Network Name is also known as the Tenant VLAN Network Label; it identifies the tenant’s VLAN on the workload server. The first virtual machine network adapter is assigned to the value specified in the blueprint.<br />
• Refined: Ensure this check box is not selected.<br />
• Default:<br />
- If you are not using VLANs, select Unchanged.<br />
- If you are using VLANs, select the VLAN that matches the Tenant VLAN network label in Table 1–26.<br />
• Access: Set this value to Read-Only or Hidden.<br />
Note: These settings are recommended for a normal configuration. However, if your tenant has multiple VLANs and has end users who are knowledgeable about networking (for example, if you are configuring a test environment for a group of software developers), you can allow these users to choose their own VLAN by selecting the Refined check box, selecting multiple VLANs in the Default list, and setting the Access to Read-Write.<br />
COI Set<br />
This setting is used if your environment includes Stealth for Secure Private Cloud. The COI Set determines which other components this virtual machine can communicate with.<br />
Virtual machines commissioned from this template will include this Stealth for Secure Private Cloud COI Set.<br />
• Default:<br />
- Enter one COI Set Name from Table 1–33 in the tenant worksheet.<br />
- If Stealth for Secure Private Cloud is not included in your environment, leave this box blank.<br />
• Access: For security, set this value to Hidden.<br />
Note: Do not set any Further Constraints. This value should be read-only or hidden from the user, and so further constraints are meaningless.<br />
6.5.4. Virtual Machine Additional Instructions<br />
Table 6–7. Virtual Machine Additional Instruction Attributes and Values<br />
Operator Action Required<br />
Determines whether additional operator actions can be requested.<br />
• Default:<br />
- Select None if you do not want to set a default.<br />
- Select True if you want to specify that additional operator actions can be requested by default.<br />
- Select False if you want to specify that additional operator actions cannot be requested by default.<br />
• Access: Set this value to Read-Write if you want to allow the user to select whether additional operator actions can be requested, or set this value to Hidden if you want to specify whether additional operator actions can be requested.<br />
Note: If you set the Default to None, you must set the Access to Read-Write.<br />
Operator Action Instructions<br />
Lists all required operator actions.<br />
If Operator Action Required is True, this text box provides a place for the user to enter required actions.<br />
• Default: Leave this box blank, or enter parameters that help the user to enter meaningful operator actions. For example, enter:<br />
Additional required disk size (in GB):<br />
Additional software:<br />
Additional memory (in GB):<br />
Note: The user can overwrite any text you enter.<br />
• Access:<br />
- Set this value to Read-Write if Operator Action Required is True or if you allowed the user to specify this setting.<br />
- Set this value to Hidden if Operator Action Required is False.<br />
VM Migration<br />
Specifies whether a virtual machine should be migrated from an earlier version of the Secure Private Cloud.<br />
Unisys service consultants use this attribute to migrate virtual machines from earlier versions of the Secure Private Cloud environment.<br />
Note: Unless you are a Unisys service consultant migrating virtual machines from an earlier version of the Secure Private Cloud, you must not change these values.<br />
• Default: Enter True if you are migrating a virtual machine.<br />
• Access: Select Hidden.<br />
Table 6–7. Virtual Machine Additional Instruction Attributes and Values (cont.)<br />
Migration VM Name<br />
Specifies the name of the virtual machine to be migrated.<br />
Unisys service consultants use this attribute to list the name of the virtual machine being migrated from an earlier version of the Secure Private Cloud environment.<br />
Note: Unless you are a Unisys service consultant migrating virtual machines from an earlier version of the Secure Private Cloud, you must not change these values.<br />
• Default: If VM Migration is True, enter the name of the VMware virtual machine that you want to migrate. Otherwise, leave this box blank.<br />
• Access: Select Hidden.<br />
Table 6–8. Resource Pre-Expiration Notification<br />
Provide Lease Details<br />
Specifies whether the user should be notified in advance when the resource lease will expire.<br />
• Lease pre-expiration notification: Select one of the following values:<br />
- Do not send pre-expiration notifications: The user does not receive notice before the resource expires.<br />
- 1 Day: The user receives notice one day before the resource expires.<br />
- 1 Week: The user receives notice one week before the resource expires.<br />
- Custom: Type a Date Value and select a Date Option to determine when the user should receive notice that the resource will expire. Enter the Date Value as a whole number, and then select the Date Option as either Day, Week, Month, or Hour. For example, enter 12 as the Date Value and select Hour as the Date Option to notify the user 12 hours before the resource expires.<br />
6.6. Virtual Desktop Attributes and Values<br />
This topic describes the details of all available virtual desktop attributes and values.<br />
6.6.1. Virtual Desktop General Configuration<br />
Table 6–9. Virtual Desktop Basic Attributes and Values<br />
Blueprint Name<br />
The name of the blueprint, which is displayed to administrators, operators, and users. You enter this value in the tenant worksheet, and when you run the Populator addTenant or updateTenant effector, this name is used in the Secure Private Cloud portal.<br />
Notes:<br />
• If you update this value in the Secure Private Cloud portal, you must also update it in the tenant worksheet.<br />
• Blueprint names must follow the guidelines in 2.8.4 Naming Guidelines for Components in the Cloud Environment.<br />
Blueprint Description<br />
A description of the blueprint, which is displayed only to administrators and operators.<br />
Table 6–10. Virtual Desktop General Configuration Attributes and Values<br />
Name<br />
Descriptive name for the resource being commissioned (not the blueprint name).<br />
• Default: Leave this box blank so that the user can enter a name for the commissioned resource.<br />
• Access: Select Read-Write.<br />
Note: This user-configured value is used only for display and tracking purposes. It is not related to the virtual desktop host name.<br />
Assign to User<br />
The name of the user who will use the virtual desktop.<br />
• Default: Leave this box blank so that the person commissioning the virtual desktop can enter the user name.<br />
Notes:<br />
- An operator might commission multiple virtual desktops on behalf of a group of users.<br />
- This value must match the user name as it is configured in Session Manager during the Virtual Office as a Service deployment.<br />
• Access: Select Read-Write.<br />
6.6.2. Virtual Desktop Additional Instructions<br />
Table 6–11. Virtual Desktop Additional Instruction Attributes and Values<br />
Operator Action Required<br />
Determines whether additional operator actions can be requested.<br />
• Default:<br />
- Select None if you do not want to set a default.<br />
- Select True if you want to specify that additional operator actions can be requested.<br />
- Select False if you want to specify that additional operator actions cannot be requested.<br />
• Access: Set this value to Read-Write if you want to allow the user to select whether additional operator actions can be requested, or set this value to Hidden if you want to specify whether additional operator actions can be requested.<br />
Note: If you set the Default to None, you must set the Access to Read-Write.<br />
Operator Action Instructions<br />
Lists all required operator actions.<br />
If Operator Action Required is True, this text box provides a place for the user to enter required actions.<br />
• Default: Leave this box blank, or enter parameters that help the user to enter meaningful operator actions. For example, enter:<br />
Additional software:<br />
Note: The user can overwrite any text you enter.<br />
• Access:<br />
- Set this value to Read-Write if Operator Action Required is True or if you allowed the user to specify this setting.<br />
- Set this value to Hidden if Operator Action Required is False.<br />
3850 6804–007 6–23
Table 6–12. Resource Pre-Expiration Notification<br />
Provide Lease Details<br />
Description: Specifies whether the user should be notified in advance when the resource lease will expire.<br />
Values:<br />
• Lease pre-expiration notification: Select one of the following values:<br />
- Do not send pre-expiration notifications: The user does not receive notice before the resource expires.<br />
- 1 Day: The user receives notice one day before the resource expires.<br />
- 1 Week: The user receives notice one week before the resource expires.<br />
- Custom: Type a Date Value and select a Date Option to determine when the user should receive notice that the resource will expire.<br />
Enter the Date Value as a whole number, and then select the Date Option as either Day, Week, Month, or Hour.<br />
For example, enter 12 as the Date Value and select Hour as the Date Option to notify the user 12 hours before the resource expires.<br />
Section 7<br />
Onboarding Tenants, Creating Users, and Assigning Roles<br />
Perform the procedures in this section to onboard new tenants, create users in Active Directory, and assign users to roles.<br />
Note: If you experience problems with any of the procedures in this section, see 12.7 Troubleshooting Onboarding Tenants and Users.<br />
7.1. Understanding User Roles<br />
A user role is associated with a set of privileges. When a cloud administrator assigns a user to a role, the user receives the privileges corresponding to that role. A user can be assigned to multiple roles.<br />
The user roles are predefined in the Secure Private Cloud portal, but cloud administrators are responsible for assigning users to roles.<br />
The following are the predefined Secure Private Cloud user roles.<br />
Liferay Administrator<br />
A user in this role has administrative privileges for Liferay, which is the software foundation of the Secure Private Cloud portal. The Liferay administrator can access the Liferay menu bar and perform advanced operations.<br />
You should sign on as the Liferay Administrator only when directed, and when you are done performing the specific operation, you should immediately sign out and sign back in using your regular administrator credentials.<br />
Cloud Administrator<br />
A user in this role has administrative privileges within the cloud environment to monitor and manage the cloud on behalf of the cloud provider. For example, cloud administrators create tenants, monitor tenant usage, and configure tenant and project information in the Secure Private Cloud portal and other cloud interfaces (for example, the Secure Private Cloud workbook and RBADB).<br />
Cloud administrators can also define roles and projects for tenant users.<br />
Cloud administrators receive notifications (by e-mail, by Remedy ticket, or by both) when any action occurs in the Secure Private Cloud portal. This includes when resources are commissioned, when operational changes take place, and if any errors occur during the commissioning process.<br />
Cloud Operator<br />
A user in this role performs any required manual operations for resources being commissioned and then uses the Secure Private Cloud portal to authorize commissioning requests. Cloud operators receive notifications (by e-mail, by Remedy ticket, or by both) when any action occurs in the Secure Private Cloud portal. This includes when resources are commissioned, when operational changes take place, and if any errors occur during the commissioning process.<br />
Cloud User<br />
A user in this role does not have privileges to perform actions in the Secure Private Cloud portal and can only view the resources on the portal. This is the default role for users in the cloud provider organization who sign in to the portal for the first time. Existing cloud administrators can assign users in this role to become new cloud administrators or cloud operators, as appropriate.<br />
Tenant Administrator and Tenant Operator<br />
Users in either of these roles have administrator privileges that are restricted to resources belonging to the tenant. Tenant administrators and tenant operators can use the Secure Private Cloud portal to create commissioning requests for the tenant.<br />
Tenant administrators can also define roles and projects for tenant users.<br />
Tenant User<br />
A user in this role can see the tenant data and commission resources using the Secure Private Cloud portal. As part of the commissioning process, the user making the commissioning request also receives notifications about the request status.<br />
Machine Owner<br />
A user cannot be assigned to this role, because this role is dedicated to users that either initially created a resource or had the ownership of a resource transferred to them.<br />
A machine owner commissions a resource and is responsible for deciding when any associated actions should be performed, including starting, stopping, taking snapshots, and so on. The machine owner is also responsible for the maintenance of the applications that run on the machine. The machine owner remains in this role as long as the commissioned resource exists and ownership is not transferred to another user.<br />
7.2. Adding Tenants, Projects, and User Roles to the Secure Private Cloud Portal<br />
Perform the procedures in this topic to onboard new tenant organizations in the Secure Private Cloud portal.<br />
7.2.1. Tenant Onboarding Overview<br />
Use the Onboard New Tenant function, which is available from the Secure Private Cloud Administration tab, to onboard new tenants and configure the following:<br />
• Tenant organization name and organization alias<br />
• Default user role<br />
• User roles and permissions<br />
• Tenant projects<br />
7.2.2. Onboarding a New Tenant<br />
To onboard a new tenant, do the following:<br />
1. Sign in to the Secure Private Cloud portal using your cloud administrator credentials.<br />
2. Ensure that the tenant workbook file (Tenant-.xml) is accessible from the system that you are using to access the Secure Private Cloud portal.<br />
3. Select the Administration tab, click Onboard Tenants, and then click Browse.<br />
The Choose File to Upload dialog box appears.<br />
4. Navigate to the XML file of the new tenant that you want to onboard and click Open.<br />
5. Click Onboard New Tenant.<br />
A confirmation message appears.<br />
6. Click OK to confirm.<br />
When you upload the Tenant-.xml file, it is validated. An error message appears if a tenant with the same name already exists.<br />
CHECKPOINT:<br />
• Do the following to verify that the tenant organization appears correctly in the Secure Private Cloud portal:<br />
1. Sign in to the Secure Cloud Portal using the URL from Table 2–2 and the Liferay administrator credentials from Table 2–1.<br />
2. Click OK when you receive one or more errors that there has been an error processing your request or that you do not have permission to view requests.<br />
3. At the top of the window, directly below the browser address bar, select Manage, and then click Control Panel.<br />
4. In the left pane, under Portal, click Organizations.<br />
The Organization names for each tenant are displayed.<br />
5. Ensure that Regular Organization is displayed in the Type column for each organization.<br />
6. Click the tenant name for the tenant you onboarded. The detail page appears.<br />
7. Click Custom Fields in the right pane.<br />
8. Verify that the fields are populated with the values from Table 1–24. This includes the Default Role Name (in the worksheet, Tenant initial logon role), Organization Alias (Tenant email suffix), and Default Project (Tenant initial logon project).<br />
• Do the following to verify that the roles have been created for the new tenant and that the permissions have been set appropriately in the Secure Private Cloud portal:<br />
1. In the left pane of the Control Panel, under Portal, click Roles.<br />
2. Verify that the following roles exist for each tenant:<br />
- _Administrators<br />
- _Operators<br />
- _Users<br />
- _MachineOwner<br />
7.3. Creating Secure Private Cloud Users in Active Directory<br />
Perform the following procedure to create Secure Private Cloud users in Active Directory. This includes cloud provider users (who you want to administer and operate the cloud environment), as well as tenant administrators, operators, and users.<br />
Do the following:<br />
1. Access Active Directory Users and Computers.<br />
2. To create one or more users, do the following:<br />
a. Right-click Users, point to New, and then click User.<br />
The New Object – User page appears.<br />
b. In the First name box, enter the first name of the user.<br />
c. In the Last name box, enter the last name of the user.<br />
d. In the User Logon name box, enter a name that will be used to identify this user in Active Directory.<br />
Note: The User Logon name cannot contain any spaces or special characters, or the user will not be able to sign in to the Secure Private Cloud portal.<br />
e. Click Next.<br />
f. In the Password box, enter a password that will be used to sign in to the Secure Private Cloud portal.<br />
g. In the Confirm password box, re-enter the password.<br />
Note: Ensure that the User must change password at next logon check box is not selected. If the check box is selected, the user will not be able to sign in to the Secure Private Cloud portal.<br />
h. Click Next.<br />
i. Click Finish.<br />
j. Right-click the user that you just created, and select Properties.<br />
k. Enter the e-mail address in the Email box.<br />
Notes:<br />
• The e-mail address you enter will be used to sign in to the Secure Private Cloud portal.<br />
• The e-mail address can contain special characters (such as a hyphen); however, an alphanumeric character must appear both before and after each special character.<br />
• If you are entering a cloud provider user, the e-mail address suffix that you enter must match the cloud provider “E-mail suffix” in Table 1–8. If you are entering a tenant user, the e-mail address suffix that you enter must match the “Tenant E-mail Suffix” in Table 1–24.<br />
l. Click Apply, and then click OK.<br />
3. Repeat the previous steps to create additional users.<br />
4. Only if you are adding a cloud administrator or operator, or a tenant administrator or operator, sign in to the Secure Private Cloud portal using the URL from Table 2–2 and the e-mail address and password you configured in Active Directory.<br />
After signing in successfully, you can immediately sign out and then sign in as the next administrator or operator.<br />
Note: Do not perform this step for tenant users.<br />
7.4. Assigning Cloud Provider and Tenant Users to Roles, and Assigning Tenant Users to Projects<br />
When a new user signs in to the Secure Private Cloud portal for the first time, the credentials are validated using Active Directory, and then the user is assigned to the default user role for the organization (based on the e-mail address suffix used to sign in).<br />
For example, if the e-mail suffix for the cloud provider is cloudprovider.com as configured in Table 1–8, a new user who signs in as john.doe@cloudprovider.com is automatically assigned to the default cloud provider user role.<br />
New tenant users who sign in to the portal for the first time are assigned to the default role and default project for their tenant organization in the same way, based on the tenant e-mail suffix in Table 1–24.<br />
Assigning Users to Roles<br />
Do the following to assign the cloud administrators and operators, as well as tenant administrators and operators, to their appropriate role:<br />
1. Sign in to the Secure Private Cloud portal using the URL in Table 2–2 and your cloud administrator credentials.<br />
Note: During the initial implementation, your Unisys service consultant configured one cloud administrator, based on the Cloud Administrator user information for the initial cloud administrator user in Table 1–8. This initial cloud administrator can assign other cloud users to the cloud administrator role.<br />
2. Select the Administration tab, and then select Role and Project Membership in the left pane.<br />
The Role Membership Tenant, Folders & Projects portlet appears.<br />
3. To assign a cloud provider user to a cloud administrator or operator role, click Cloud under Tenant, Folders & Projects.<br />
To assign a tenant user to a tenant administrator, operator, or user role, click the tenant name under Tenant, Folders & Projects.<br />
The list of users associated with the cloud provider or tenant organization appears under Users.<br />
4. Click Assign to Role.<br />
The Assign Role dialog box appears.<br />
5. Assign the users to the appropriate role by selecting the appropriate check box next to the user name.<br />
Note: If appropriate, you can assign multiple roles to a user.<br />
6. Click Save.<br />
If necessary, use this procedure to update a user’s assigned role.<br />
Assigning Tenant Users to Projects<br />
Do the following to assign tenant users to projects.<br />
Note: Cloud administrators and cloud operators are not assigned to projects, because they are able to administer all tenants and projects.<br />
1. On the Role Membership Tenant, Folders & Projects portlet, select a tenant project.<br />
Under Users, you see a list of all users currently assigned to the project.<br />
2. Click Assign to Project.<br />
The Assign Projects dialog box appears. It includes all tenant users, whether or not they are assigned to the particular project.<br />
3. Select the check box next to the user name to assign a user to that project, or clear the check box next to the user name to remove a tenant user from the project.<br />
Note: If you want to assign all of the tenant users to a project, select the check box in the heading (next to the Last Name label).<br />
4. Click Save.<br />
If necessary, use this procedure to update a user’s assigned project.<br />
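The account rules from 7.3 (a User Logon name without spaces or special characters, an e-mail address whose special characters are surrounded by alphanumerics, a cleared "User must change password at next logon" setting, and an e-mail suffix that matches the organization) together with the first-sign-in behaviour from 7.4 (default role and project chosen by e-mail suffix), as an added Python example that is not from this guide and not Unisys code. The organization table with its suffixes, role names and project names is constructed sample data; reading "special characters" in the logon name rule as anything other than ASCII letters and digits is an assumption.<br />

```python
from __future__ import annotations
import re

# Constructed sample organization table (not the guide's values): the cloud
# provider's e-mail suffix (Table 1-8) and one tenant's suffix (Table 1-24),
# each with the default role (and, for tenants, the default project) that a
# first-time sign-in receives.
ORGANIZATIONS = {
    "cloudprovider.com": {"organization": "Cloud", "default_role": "Cloud User",
                          "default_project": None},
    "tenant-a.example": {"organization": "TenantA", "default_role": "TenantA Users",
                         "default_project": "TenantA Default"},
}

# Assumption: "no spaces or special characters" means ASCII letters and digits only.
LOGON_NAME_RE = re.compile(r"[A-Za-z0-9]+")
# Local part of the e-mail address: alphanumeric runs, with every special
# character having an alphanumeric character immediately before and after it.
LOCAL_PART_RE = re.compile(r"[A-Za-z0-9]+(?:[^A-Za-z0-9@\s][A-Za-z0-9]+)*")


def check_logon_name(name: str) -> list[str]:
    """Problems with an AD User Logon name that would block portal sign-in."""
    if LOGON_NAME_RE.fullmatch(name):
        return []
    return ["User Logon name must contain only letters and digits (no spaces or special characters)"]


def check_email(address: str, organization_suffix: str) -> list[str]:
    """Problems with the portal sign-in e-mail address for the given organization."""
    local, at, suffix = address.partition("@")
    if not at:
        return ["e-mail address must contain @"]
    problems = []
    if not LOCAL_PART_RE.fullmatch(local):
        problems.append("each special character must have an alphanumeric character before and after it")
    if suffix.lower() != organization_suffix.lower():
        problems.append(f"suffix {suffix!r} does not match the organization's e-mail suffix {organization_suffix!r}")
    return problems


def validate_new_user(logon_name: str, email: str, change_password_at_next_logon: bool,
                      organization_suffix: str) -> list[str]:
    """All reasons the new AD account could not sign in to the portal; empty means OK."""
    problems = check_logon_name(logon_name) + check_email(email, organization_suffix)
    if change_password_at_next_logon:
        problems.append("clear 'User must change password at next logon', or the portal sign-in fails")
    return problems


def initial_membership(email: str) -> dict | None:
    """Role and project a first-time sign-in receives, chosen by e-mail suffix (7.4).

    Returns None when no organization owns the suffix; the credentials
    themselves are validated by Active Directory before this step.
    """
    suffix = email.rpartition("@")[2].lower()
    org = ORGANIZATIONS.get(suffix)
    if org is None:
        return None
    return {"organization": org["organization"], "role": org["default_role"],
            "project": org["default_project"]}


if __name__ == "__main__":
    # Constructed sample user, matching the guide's john.doe@cloudprovider.com example.
    print(validate_new_user("jdoe", "john.doe@cloudprovider.com", False, "cloudprovider.com"))
    print(initial_membership("john.doe@cloudprovider.com"))
```

Running the checks before the account is created in Active Directory Users and Computers avoids the most common reason a new user cannot sign in (a logon name or e-mail address that the portal rejects), and initial_membership shows why a wrong suffix silently lands a user in the wrong organization's default role or in no organization at all.<br />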
7.5. Checkpoint: Commissioning a Resource<br />
Do the following to verify that you can commission a resource:<br />
1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal using the URL in Table 2–2, as a user who has permission to commission a resource.<br />
Note: It is recommended that you log in as a user, not as an administrator or operator.<br />
2. Click Commission and Manage, and then click Commission Resources in the left pane.<br />
3. Under Projects, select the project associated with the blueprint you want to commission.<br />
The Blueprint pane is updated to list all blueprints associated with the project.<br />
4. Under Blueprints, select the blueprint you want to commission, and then click Commission.<br />
5. Enter values for the blueprint attributes that were marked as Read-Write during the blueprint creation, and click Next to advance to the next set of blueprint attributes.<br />
At minimum, you must enter a Name for the virtual machine on the General Configuration page. (This is a name that you designate and use for your own reference; it is not the virtual machine host name.)<br />
See the Secure Private Cloud Interface Help (8207 3115) for more information about the values that users should enter when commissioning a blueprint.<br />
6. Click Finish to begin the process of commissioning the virtual machine.<br />
7. To monitor the progress of the virtual machine commissioning, do the following:<br />
a. Select Manage Requests in the left pane.<br />
b. Select the request in the Request Overview pane, and view details and status in the Request Details and Request Status tables.<br />
8. When you receive notification that the new resource is available, connect to the virtual machine using the remote access method specified in the template (for example, using Remote Desktop, VNC, or SSH).<br />
If you are using tenant VLANs to isolate tenant resources, and if you have not configured Public Network access for this resource, you must connect from the tenant’s home site or from the console of another virtual machine associated with the same tenant.<br />
Verify that you can log on using the credentials specified in the e-mail message or ticket.<br />
Note: If you access the virtual machine before the commissioning is finalized, you might see the Sysprep process in action. Do not respond to these dialog boxes, because they are handled automatically during the Sysprep process.<br />
When complete, decommission the virtual machine using the Secure Private Cloud portal, to ensure that you do not use an operating system license.<br />
Note: The Secure Private Cloud portal is the only interface you should use to decommission (delete) virtual machines.<br />
Section 8<br />
Additional Networking Configuration<br />
This section includes additional networking configuration, including directions on Stealth-enabling existing tenant VLANs, enabling inbound connections from the Internet for tenant VLANs, configuring the load balancer included with the Secure Private Cloud, and setting tenant VLAN firewall exceptions for VLANs belonging to the same tenant. These procedures are optional. Perform them as appropriate for your network environment.<br />
8.1. Enabling Stealth for an Existing Tenant VLAN<br />
You can enable Stealth on an existing tenant VLAN if there are no resources running on the VLAN.<br />
If there are resources running on the VLAN that you do not need to keep, use the Secure Private Cloud portal to decommission these resources before continuing with this topic. See 11.1 Stopping and Decommissioning Virtual Machines or 11.2 Stopping and Decommissioning Physical Machines for more information. If there are resources running on the VLAN that cannot be decommissioned, contact your Unisys service consultant.<br />
Note: You do not need to perform this procedure if you are configuring a new tenant VLAN that you have already identified as Stealth-enabled in the tenant workbook when you perform the procedures in Section 5, Implementing a New Tenant VLAN. Only perform this procedure if you want to Stealth-enable a VLAN that you have already configured as non-Stealth-enabled.<br />
Do the following to modify a configured tenant VLAN to be Stealth-enabled:<br />
1. Modify the tenant worksheet to enable Stealth for the VLAN by entering the appropriate information in the following tables:<br />
a. Table 1–26<br />
b. Table 1–31<br />
c. Table 1–32<br />
d. Table 1–34 and Table 1–35<br />
2. Validate and export the tenant worksheet. See 1.1.5 Validating the Workbook and 1.1.6 Exporting the Data for more information.<br />
As instructed in 1.1.6 Exporting the Data, copy the Tenant-.xml file to the jump box management VM in the C:\ProgramData\Unisys\SPC-Automation\xml directory.<br />
3. Use a vSphere Client to connect to the vCenter server that is managing the workload servers.<br />
4. Create the clear text VLAN associated with this tenant VLAN using one of the options in 5.2.2 Configuring Access to Tenant VLAN Networks and Tenant Interconnect. Use the information in Table 1–26 to create the clear text VLAN.<br />
5. Locate the tenant VLAN network appliance that is connected to the existing tenant VLAN. The name of the tenant VLAN network appliance is the Host name value in Table 1–25.<br />
6. Select the tenant VLAN network appliance in the left pane, and then click Edit Settings under Commands.<br />
The Properties dialog box appears.<br />
7. Select the Network adapter that is connected to this tenant VLAN in the left pane.<br />
8. In the right pane, under Network Connection, change the Network label from the existing tenant VLAN to the clear text VLAN associated with this tenant VLAN.<br />
9. Click OK to close the Virtual Machine Properties dialog box.<br />
10. Prepare Stealth-enabled versions of any templates that you want to use on the Stealth-enabled VLAN, as described in 4.3 Preparing an Existing Virtual Machine or Template for a Stealth-Enabled VLAN.<br />
11. Perform the following procedures in Section 6, Creating and Managing Tenant Configurations:<br />
a. Update the tenant information, as described in 6.1 Updating Cloud Provider or Adding Tenant Information in the Secure Private Cloud Environment.<br />
b. Configure the Stealth-enabled VLAN, as described in 6.2 Configuring Stealth-Enabled VLANs.<br />
c. Refine blueprints for the Stealth-enabled VLAN, as described in 6.4 Creating Blueprints and 6.5 Virtual Machine Attributes and Values.<br />
8.2. Configuring Network Appliances for Inbound Internet Connections<br />
Note: Perform this procedure if Table 1–25 indicates that Internet Access – Incoming is Yes for this tenant.<br />
Tenant VLANs commonly use IP address ranges to which messages from the Internet cannot be routed. These include<br />
• Addresses that are defined as non-routable (any addresses in the ranges 192.168.0.0/16, 10.0.0.0/8, or 172.16.0.0 through 172.31.255.255)<br />
• Addresses that are outside of those ranges but are effectively non-routable if they are misplaced relative to their expected location in the Internet network topology<br />
Users on the Internet cannot initiate an inbound connection to any Secure Private Cloud virtual machines that have a non-routable address on the tenant VLAN.<br />
However, if the tenant requires inbound Internet connections (for example, if the tenant is running a Web application on the VLAN), then the tenant’s Internet users must be able to initiate connections to the appropriate Web sites. To enable these types of connections, you must configure the tenant VLAN network appliance to enable selected inbound connections to reach that application. This configuration involves Network Address Translation (NAT) forwarding rules and firewall rules.<br />
For the NAT forwarding rules to work properly, any tenant virtual machines that are running Web servers must have a static IP address on the tenant VLAN. This is necessary because the NAT rules are based on IP addresses rather than on host names.<br />
To plan the static IP addresses for your Web servers, refer to Table 1–26. Select static IP addresses in the tenant VLAN subnet range for the tenant VLAN, making sure to avoid addresses in the DHCP range. Record the static IP addresses that you assign so that you do not reuse them for any other virtual machines.<br />
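The planning rule in the previous paragraph applied in code, as an added Python example that is not from this guide and not Unisys code: it classifies an address against the non-routable ranges listed above (so you can tell whether a NAT rule is needed at all) and picks static addresses for Web servers from the tenant VLAN subnet, skipping the DHCP range, the network appliance's own address and every address already recorded for another virtual machine. The subnet, DHCP range and appliance address are constructed sample values standing in for a Table 1–26 entry.<br />

```python
import ipaddress

# The non-routable ranges exactly as the guide lists them; the
# 172.16.0.0 through 172.31.255.255 range is summarized from its end points
# rather than assumed to be a particular prefix length.
NON_ROUTABLE = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]
NON_ROUTABLE += list(ipaddress.summarize_address_range(
    ipaddress.ip_address("172.16.0.0"), ipaddress.ip_address("172.31.255.255")))


def is_non_routable(address: str) -> bool:
    """True if Internet hosts cannot reach this address directly, so NAT is needed."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in NON_ROUTABLE)


def plan_static_addresses(subnet: str, dhcp_first: str, dhcp_last: str,
                          appliance_address: str, already_assigned, count: int) -> list:
    """Pick `count` static addresses for Web servers on the tenant VLAN.

    Candidates come from the VLAN subnet; the DHCP range, the network
    appliance's own address and every address already recorded are skipped.
    Raises ValueError when the subnet has too few free addresses.
    """
    net = ipaddress.ip_network(subnet)
    low, high = ipaddress.ip_address(dhcp_first), ipaddress.ip_address(dhcp_last)
    taken = {ipaddress.ip_address(a) for a in already_assigned}
    taken.add(ipaddress.ip_address(appliance_address))
    chosen = []
    for host in net.hosts():          # hosts() excludes the network and broadcast addresses
        if low <= host <= high or host in taken:
            continue
        chosen.append(str(host))
        if len(chosen) == count:
            return chosen
    raise ValueError(f"only {len(chosen)} free static addresses in {subnet} outside the DHCP range")


if __name__ == "__main__":
    # Constructed sample values (hypothetical Table 1-26 entry): /24 tenant VLAN,
    # DHCP range .100-.200, appliance at .1, one static address already recorded.
    record = ["192.168.103.2"]
    new = plan_static_addresses("192.168.103.0/24", "192.168.103.100", "192.168.103.200",
                                "192.168.103.1", record, 2)
    record.extend(new)                # keep the record so the addresses are never reused
    print(new, all(is_non_routable(a) for a in new))
```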
8.2.1. Disabling Internet Access for Tenant Virtual Machines<br />
If the tenant does not have any requirement for inbound Internet connections, you can disable the eth0 adapter to prevent all Internet connections. Do the following:<br />
1. Run the vSphere Client and connect to the vCenter server that is managing the workload servers.<br />
2. From the View menu, point to Inventory, and then click VMs and Templates.<br />
3. In the left pane, right-click the tenant VLAN network appliance, and click Edit Settings.<br />
4. On the Virtual Machine Properties dialog box, click the Hardware tab, and then click the network adapter used to enable Internet access.<br />
By default, this is Network Adapter 1. In Linux operating systems, this adapter is referred to as eth0.<br />
5. In the right pane, clear the Connected check box, and clear the Connect at Power On check box.<br />
6. Click OK.<br />
8.2.2. Understanding Inbound Connection Limitations<br />
The pre-supplied tenant VLAN network appliance template has firewall settings configured to disallow new inbound connections. The CUST_PUBLIC_IN firewall rule set includes the clause default-action drop, which means that all traffic is blocked unless otherwise specified. The CUST_PUBLIC_IN rule set is assigned as an in-filter of the Internet adapter (eth0). An in-filter affects all traffic that enters through the Internet adapter and traverses the network appliance to another destination.<br />
In the tenant VLAN network appliance template, CUST_PUBLIC_IN also includes an exception to allow inbound traffic for sessions that were originally initiated by the tenant virtual machines. This exception is implemented in rule 100, as follows:<br />
name CUST_PUBLIC_IN {<br />
    default-action drop<br />
    rule 100 {<br />
        action accept<br />
        state {<br />
            established enable<br />
        }<br />
    }<br />
}<br />
8.2.3. Providing a Public Source IP Address in Outbound Packets<br />
By default, network packets include the IP address of the source that created the packet. This means that outbound packets include the IP address of the tenant virtual machines. Since this IP address is usually non-routable, it would be impossible for any response to find its way back to the virtual machine.<br />
To enable two-way traffic, the source IP address of any outbound packets must be translated into a public IP address of the network appliance. The tenant VLAN network appliance might have already been configured with this NAT masquerade rule when it was deployed.<br />
CHECKPOINT:<br />
To verify this rule, or to configure the rule if needed, do the following:<br />
1. Using vSphere, connect to the vCenter server, and launch a console to the tenant VLAN network appliance.<br />
2. Log on using the credentials for the tenant VLAN network appliance.<br />
3. Enter the following command:<br />
configure<br />
4. Enter the following command:<br />
show service nat<br />
5. Review the output to determine if there is a rule with its type set to masquerade and a source IP address range for the tenant VLAN.<br />
If the rule is present, it looks like the following:<br />
Rule 90 {<br />
    outbound-interface eth0<br />
    source {<br />
        address 192.168.103.0/23<br />
    }<br />
    type masquerade<br />
}<br />
If the rule is defined, no further action is required.<br />
If you need to configure the rule, do the following:<br />
a. Assuming that the tenant VLAN addresses are in the range 192.168.103.0, enter the following commands:<br />
set service nat rule outbound-interface eth0<br />
set service nat rule source address 192.168.103.0/24<br />
set service nat rule type masquerade<br />
Note: The rule number must meet the following requirements:<br />
• It must be the same in all three commands.<br />
• It must be a rule number that is not currently in use.<br />
• It should be separated from other rule values by at least 10.<br />
b. Enter the following command:<br />
commit<br />
save<br />
6. Enter the following command to exit configuration mode:<br />
exit<br />
8.2.4. Enabling Inbound Internet Connections
Some of your tenants might require inbound Internet connections, for example for a Web
application such as an E-store. These types of Web applications must allow inbound
connections to be initiated by Internet end users. To configure access to these types of
Web applications, you must do the following:
1. Optionally, configure an additional IP address on the public NIC of the tenant VLAN
network appliance.
2. Configure a NAT rule to forward traffic from the network appliance to the virtual
machine hosting the Web application.
3. Configure a firewall rule to allow traffic to reach the virtual machine hosting the Web
application.
NAT rules and firewall rules can optionally be configured to specify port numbers in
addition to IP addresses. The use of port numbers enables more precise control over how
the target virtual machine can be accessed. Every forwarded port is an exposure of that
virtual machine to the Internet, so forward only the ports the application actually serves.
If the tenant is running multiple Web applications on the same VLAN, these applications
can be accessed through a shared IP address with distinct port numbers, or through
distinct public IP addresses on the network appliance.
The following examples describe configurations that use shared and unique public IP
addresses. Use this information to help configure Web application routing, as appropriate
for your Secure Private Cloud environment.
Shared Public IP Address Example
In this example, a tenant is running a Web application on a virtual machine. This application
is named PetStore.
If you want end users to access the PetStore Web site URL using the public IP address of
the tenant VLAN network appliance with a port number as part of the Web address, you
can use this type of configuration. Typically, you should choose a port number in the range
49152–65535, which is the range defined by the Internet Assigned Numbers Authority
(IANA) for dynamic or private ports.
For the PetStore example, end users enter http://192.59.196.38:49152, assuming that
192.59.196.38 is the public IP address of the tenant VLAN network appliance and 49152 is
the port number that identifies the PetStore Web application. The PetStore Web server is
a target virtual machine with the address 192.168.100.101, and the PetStore Web
application uses the default port for HTTP traffic (port 80) and the default port for HTTPS
traffic (port 443).
To enable access to the PetStore Web site using the shared public IP address and port
number, do the following:
1. Access the virtual machine that is hosting the PetStore Web application, and log on to
Windows.
2. Use the standard Windows method to configure a fixed IP address on the tenant
VLAN (private IP address). For example, set the IP address to 192.168.100.101. The
forwarding rule points at this one address, so the Web server must not obtain its address
from DHCP.
3. Using vSphere, connect to the vCenter server, and launch a console to the tenant
VLAN network appliance.
4. Log on using the credentials for the tenant VLAN network appliance.
5. Enter the following command:
configure
6. Enter the following command to list the existing NAT rules:
show service nat
Make a note of the highest rule number that is currently in use. Add at least 10 to
this number to determine the rule number that you create in the next step.
7. To configure a forwarding rule for inbound traffic (in this example, rule 100) from the
public IP address and port (in this example, 192.59.196.38:49152) to the private IP
address and port (in this example, 192.168.100.101:80), enter the following commands:
set service nat rule 100 type destination
set service nat rule 100 protocol tcp_udp
set service nat rule 100 inbound-interface eth0
set service nat rule 100 destination address 192.59.196.38
set service nat rule 100 destination port 49152
set service nat rule 100 inside-address address 192.168.100.101
set service nat rule 100 inside-address port <port>
Use a rule number that is not currently in use, and use IP addresses appropriate for
your environment. For <port>, use 80 if the Web application uses HTTP or 443 if it uses
HTTPS. If the application accepts both HTTP and HTTPS, perform this step twice: a
single public address and port can be forwarded to only one inside port, so the second
rule needs a different rule number, a different public destination port (for example,
49153) and inside-address port 443. Note that protocol tcp_udp also forwards UDP to
the Web server; for HTTP and HTTPS, protocol tcp is sufficient and exposes nothing the
application does not need.
8. Enter the following command to display the current set of rules for the
CUST_PUBLIC_IN firewall group:
show firewall name CUST_PUBLIC_IN
Make a note of the highest rule number in use by this firewall group.
9. If your Web application uses HTTP traffic, enter commands in the following format to
set a firewall exception:
set firewall name CUST_PUBLIC_IN rule <rule-number> protocol tcp_udp
set firewall name CUST_PUBLIC_IN rule <rule-number> action accept
set firewall name CUST_PUBLIC_IN rule <rule-number> destination address <destination-address>
set firewall name CUST_PUBLIC_IN rule <rule-number> destination port <port>
For <rule-number>, use a number at least 10 higher than the highest rule number that is
currently in use. For <destination-address>, use the IP address of the Web server
(192.168.100.101 in the PetStore example), not the public address: the destination NAT
rule has already rewritten the destination by the time the packet reaches the firewall. For
<port>, use the port number that the Web server expects for HTTP traffic (port 80 in the
PetStore example).
10. If your Web application uses HTTPS traffic, enter commands in the following format
to set a firewall exception:
set firewall name CUST_PUBLIC_IN rule <rule-number> protocol tcp_udp
set firewall name CUST_PUBLIC_IN rule <rule-number> action accept
set firewall name CUST_PUBLIC_IN rule <rule-number> destination address <destination-address>
set firewall name CUST_PUBLIC_IN rule <rule-number> destination port <port>
For <rule-number>, use a number at least 10 higher than the highest rule number that is
currently in use (and different from the one used in step 9). For <destination-address>,
use the IP address of the Web server (192.168.100.101 in the PetStore example). For
<port>, use the port number that the Web server expects for HTTPS traffic (port 443 in
the PetStore example).
11. Enter the following command:
commit
12. Enter the following command:
save
If you need to map additional Web applications to use the public IP addresses on the
tenant VLAN network appliance, repeat the previous procedure with a different port
number for the public IP address (49152 in the previous example) and a different private IP
address (192.168.100.101 in the previous example).
Unique Public IP Address Example
In this example, a tenant is running a Web application on a virtual machine. This application
is named AutoParts.
If you want to simplify the AutoParts Web site URL and prevent end users from having to
enter a port number as part of the Web address, you can assign an additional public IP
address to the public (eth0) NIC on the network appliance. Then, you can configure
forwarding from this IP address to the virtual machine that is hosting the AutoParts Web
application, as follows:
1. Access the virtual machine that is hosting the AutoParts Web application, and log on
to Windows.
2. Use the standard Windows method to configure a fixed IP address on the tenant
VLAN (private IP address). For example, set the IP address to 192.168.100.102.
3. Using vSphere, connect to the vCenter server, and launch a console to the tenant
VLAN network appliance.
4. Log on using the credentials for the tenant VLAN network appliance.
5. Enter the following command:
configure
6. Add a public IP address for the virtual machine that is hosting the AutoParts Web
application by entering the following command:
set interfaces ethernet eth0 address 192.59.196.39/24
In this example, the IP address is 192.59.196.39/24. Use an IP address that is assigned
to you and lies in the same public subnet as the existing eth0 address.
7. Enter the following command to list the existing NAT rules:
show service nat
Make a note of rule numbers that are not in use.
8. To configure a forwarding rule for inbound traffic (in this example, rule 110) from the
public IP address (in this example, 192.59.196.39) to the private IP address (in this
example, 192.168.100.102), enter the following commands:
set service nat rule 110 type destination
set service nat rule 110 protocol tcp_udp
set service nat rule 110 inbound-interface eth0
set service nat rule 110 destination address 192.59.196.39
set service nat rule 110 inside-address address 192.168.100.102
Use a rule number that is not currently in use, and use IP addresses appropriate for
your environment. Because this rule specifies no destination port, every TCP and UDP
port that arrives at 192.59.196.39 is forwarded to the Web server; the firewall rule in the
next step is what limits the exposure to the Web ports, so do not skip it.
9. Depending on whether your Web application uses HTTP or HTTPS traffic, enter the
following commands to set a firewall exception. If you want to use HTTP, enter 80
for <port> in the following commands, and if you want to use HTTPS, enter 443
for <port>.
If your Web application accepts both HTTP and HTTPS, enter the following
commands twice. The first time you enter these commands, use rule 300 and port
80. The second time you enter these commands, use a different rule number and
port 443.
Enter the following commands:
set firewall name CUST_PUBLIC_IN rule 300 protocol tcp_udp
set firewall name CUST_PUBLIC_IN rule 300 action accept
set firewall name CUST_PUBLIC_IN rule 300 destination address 192.168.100.102
set firewall name CUST_PUBLIC_IN rule 300 destination port <port>
set interfaces ethernet eth0 firewall in name CUST_PUBLIC_IN
Note: Regardless of whether you enter these commands once or twice, use a rule
number that is not currently in use, and use the appropriate IP addresses for your
environment.
Use the appropriate destination IP address for your environment, which is the static IP
address of the Web application on the tenant VLAN network. Do not use the public IP
address, because the destination NAT rule translates the destination IP address before
the packet reaches the firewall.
The last command re-asserts that CUST_PUBLIC_IN is the in-filter of eth0. It is harmless
if the assignment already exists, and without it the new rules have no effect.
10. To change the source address of outbound traffic from the AutoParts Web server so
that the source appears to be the public address (in this example, 192.59.196.39), enter
the following commands:
set service nat rule 5 type source
set service nat rule 5 outbound-interface eth0
set service nat rule 5 source address 192.168.100.102
set service nat rule 5 outside-address address 192.59.196.39
Use appropriate IP addresses for your environment.
Note: The rule number for this rule must be lower than the number of the
masquerade rule that you established previously, as discussed in 8.2.3 Providing a
Public Source IP Address in Outbound Packets. NAT rules are evaluated in numerical order
and the first match wins, so otherwise the masquerade rule would take precedence and
the server's traffic would leave with the shared address.
11. Enter the following command:
commit
12. Enter the following command:
save
If you need to map additional Web applications to other public IP addresses on the tenant
VLAN network appliance, repeat the previous procedure with a different public IP address
(192.59.196.39 in the previous example) and a different private IP address
(192.168.100.102 in the previous example).
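The procedures in 8.2.3 and 8.2.4 are typed by hand, and the two mistakes that are easiest to make are silent: a firewall exception written against the public address never matches (DNAT has already rewritten the destination), and a per-host source NAT rule numbered above the masquerade rule is never reached. The following Python script is an added example, not code from the Unisys guide or from Vyatta. It parses the brace-style output of `show service nat` and `show firewall name`, allocates the next rule number with the guide's "at least 10 apart" spacing, emits the `set` commands for a port-forward and its firewall exception, and flags both traps. The NAT_OUTPUT and FW_OUTPUT texts are constructed samples modelled on the PetStore example; the function names are this example's own.

```python
"""Added example (not from the Unisys guide): a planner for the Vyatta NAT and
CUST_PUBLIC_IN rules of 8.2.3 and 8.2.4. Parses `show service nat` / `show
firewall name` output, allocates rule numbers with the guide's spacing, emits
the `set` commands for a port-forward, and checks the two ordering traps the
guide warns about. NAT_OUTPUT and FW_OUTPUT are constructed samples."""
import re

# Constructed: `show service nat` after 8.2.3 (masquerade rule 90) plus one
# PetStore-style port-forward (rule 100).
NAT_OUTPUT = """\
rule 90 {
    outbound-interface eth0
    source {
        address 192.168.103.0/24
    }
    type masquerade
}
rule 100 {
    destination {
        address 192.59.196.38
        port 49152
    }
    inbound-interface eth0
    inside-address {
        address 192.168.100.101
        port 80
    }
    protocol tcp
    type destination
}
"""
# Constructed: CUST_PUBLIC_IN where rule 200 was written against the public
# address, so it can never match a packet that DNAT has already rewritten.
FW_OUTPUT = """\
default-action drop
rule 100 {
    action accept
    state {
        established enable
    }
}
rule 200 {
    action accept
    destination {
        address 192.59.196.38
    }
    protocol tcp
}
"""


def parse_rules(text):
    """Parse Vyatta brace syntax into {rule_number: {"path/to/key": value}}."""
    rules, path, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            if path:
                path.pop()        # close a nested block
            else:
                current = None    # close the rule
        elif line.endswith("{"):
            head = line[:-1].strip()
            m = re.fullmatch(r"rule (\d+)", head)
            if m and current is None:
                current = int(m.group(1))
                rules[current] = {}
            else:
                path.append(head)
        elif current is not None:  # top-level lines such as default-action are skipped
            key, _, value = line.partition(" ")
            rules[current]["/".join(path + [key])] = value
    return rules


def next_rule_number(rules, spacing=10):
    """Guide's convention: an unused number at least `spacing` above the highest in use."""
    return (max(rules) if rules else 0) + spacing


def dnat_commands(rule, public_ip, public_port, inside_ip, inside_port, proto="tcp"):
    """One inbound port-forward. The guide uses tcp_udp; tcp is enough for HTTP/HTTPS."""
    p = f"set service nat rule {rule} "
    return [p + "type destination", p + f"protocol {proto}", p + "inbound-interface eth0",
            p + f"destination address {public_ip}", p + f"destination port {public_port}",
            p + f"inside-address address {inside_ip}", p + f"inside-address port {inside_port}"]


def firewall_commands(rule, inside_ip, inside_port, proto="tcp"):
    """Matching CUST_PUBLIC_IN exception; the destination is the private address."""
    p = f"set firewall name CUST_PUBLIC_IN rule {rule} "
    return [p + f"protocol {proto}", p + "action accept",
            p + f"destination address {inside_ip}", p + f"destination port {inside_port}"]


def misdirected_firewall_rules(fw_rules, public_ips):
    """Accept rules aimed at a public appliance address: they never match after DNAT."""
    return [n for n, r in sorted(fw_rules.items())
            if r.get("action") == "accept" and r.get("destination/address") in public_ips]


def misordered_source_nat(nat_rules):
    """Per-host source NAT numbered above the masquerade rule loses to it (8.2.4 note)."""
    masq = [n for n, r in nat_rules.items() if r.get("type") == "masquerade"]
    return [n for n, r in sorted(nat_rules.items())
            if r.get("type") == "source" and masq and n > min(masq)]


if __name__ == "__main__":
    nat, fw = parse_rules(NAT_OUTPUT), parse_rules(FW_OUTPUT)
    print("\n".join(dnat_commands(next_rule_number(nat), "192.59.196.38", 49153, "192.168.100.101", 443)))
    print("\n".join(firewall_commands(next_rule_number(fw), "192.168.100.101", 443)))
    print("firewall rules that never match:", misdirected_firewall_rules(fw, {"192.59.196.38"}))
    print("source NAT shadowed by masquerade:", misordered_source_nat(nat))
```

Run it on the appliance's real `show` output pasted into the two strings; the generated commands are pasted back into configure mode, followed by commit and save as in the procedures above.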
8.3. Configuring an HAProxy Load Balancer for Web Applications
The following topics describe how to configure a new HAProxy load balancer for Web
applications. These instructions are for the open source HAProxy load balancer
(http://haproxy.1wt.eu/).
The load balancer virtual machine and all Web servers that use the load balancer must be
configured with static IP addresses. To plan the static IP addresses, refer to Table 1–26.
Select static IP addresses in the tenant VLAN subnet range for the tenant VLAN, making
sure to avoid addresses in the DHCP range. Record the static IP addresses that you assign
so that you do not reuse them for any other virtual machines.
8.3.1. Deploying a New HAProxy Virtual Machine
To deploy a new HAProxy virtual machine, do the following:
1. Deploy a new virtual machine from the HAProxy Load Balancer template.
(4.4 Importing Tenant VLAN Network Appliance and Load Balancer Templates
describes how to import this template.)
a. Using vSphere, connect to the vCenter server that is managing the workload
servers.
b. Deploy a virtual machine using the HAProxy Load Balancer template. Select the
following options when deploying the virtual machine:
• For Disk Format, select Same format as source.
• For Guest Customization, select Do not customize.
• Do not enable the option Power on the virtual machine after creation.
c. After the new VM is created, select the Edit Settings option and configure the
Network Adapter setting to the appropriate tenant VLAN. Make sure to select the
Connect at power on option for the Network Adapter.
d. Click OK to save the settings.
e. Power on the virtual machine.
2. Open a console to the new virtual machine and log in, using the user id spcadmin and
password U*spc2341.
These are the template's default credentials and they are published in this guide. Change
the spcadmin password (and the root password used in 8.3.2) as soon as the virtual
machine is connected to the tenant VLAN.
3. To assign the static IP address to the load balancer virtual machine and change the
host name, first enter the appropriate IP addresses and host name in the following
table:
Property                                                      Value
IP address                                                    ________________
Subnet mask                                                   ________________
Gateway address (the tenant VLAN network appliance IP         ________________
address on the tenant VLAN)
Host name                                                     ________________
Configure the IP addresses and change the host name, as follows:
a. Select System, point to Administration, and then click Network.
Note: If you are prompted to enter a password, enter U*spc2341 (or the password you
set in step 2).
The Network Settings dialog box appears.
b. Select the appropriate Ethernet connection and click Properties.
The Properties dialog box opens for the connection.
c. Select Static IP address in the Configuration list.
d. Enter the IP address, subnet mask, and gateway address from the preceding table
in the appropriate boxes.
e. Click OK to save the changes and close the dialog box.
f. In the Network Settings dialog box, select the General tab, enter the new
host name in the Host name box, and click Close to save all changes.
A message box appears stating that the host name is changed.
g. Click Change Host name on the message box.
h. Click Close to close the Network Settings dialog box.
4. Reboot the HAProxy virtual machine.
5. Configure inbound port forwarding on the tenant VLAN network appliance to forward
inbound traffic from the Internet to the load balancer. Refer to 8.2 Configuring
Network Appliances for Inbound Internet Connections for instructions on configuring
inbound port forwarding.
Note: When configuring the firewall rule for inbound port forwarding, use as the
destination address and destination port the Inside IP address and Inside IP address
port from the following table (not the public address, which the NAT rule has already
rewritten by the time the firewall sees the packet).
Address Type                  Comment                                                   Value
Destination IP address:       The IP address of the tenant VLAN network appliance       ________________
                              connected to your Public Network, which is labeled the
                              Public Network.
Destination IP address port:  The port number that end users must append to the         ________________
                              destination IP address in order to access your Web
                              application.
Inside IP address:            The IP address of this load balancer on the tenant VLAN.  ________________
Inside IP address port:       The port number set for the load balancer in the          ________________
                              haproxy.cfg file. By default, the port number in the
                              file is set to 80.
8.3.2. Configuring the HAProxy Configuration File
Next, perform the following procedure to configure an HAProxy configuration file. A
sample configuration file named haproxy.cfg is stored at /etc/Unisys/Loadbalancer/. You
can modify this file or start a new configuration file and save it with a .cfg extension.
The following instructions use the sample HAProxy configuration file to explain which
fields need to be modified and the purpose of the fields. In order to modify the files, you
must be logged in as root.
Perform the following procedure to log in as root and configure the file:
1. Open a Terminal window on the LoadBalancer appliance console.
2. Enter the following command to log in as root:
su
3. When you are prompted for a password, enter
U*spc2341
(or the root password you set when you changed the template's default credentials).
4. Enter the following command to open the HAProxy configuration file so that you can
edit it:
vi /etc/Unisys/Loadbalancer/haproxy.cfg
This file defines a group ("listen" block) called LOAD_BALANCER that contains two
servers: WEB_SERVER_1 and WEB_SERVER_2. The sample configuration file is as
follows:
global
    # Sets the maximum per-process number of concurrent connections.
    # Proxies stop accepting connections when this limit is reached.
    maxconn 4096
    # Writes pids of all daemons into file.
    # The file must be accessible to the user starting the process.
    pidfile /var/run/haproxy.pid
    # Makes the process fork into background. This is the recommended
    # mode of operation.
    daemon

defaults
    mode http
    retries 3
    option redispatch
    maxconn 2000
    contimeout 5000
    clitimeout 50000
    srvtimeout 50000

listen LOAD_BALANCER aaa.bbb.ccc.ddd:80
    mode http
    cookie LOAD_BALANCER insert
    balance roundrobin
    #balance leastconn
    option httpclose
    option forwardfor
    stats enable
    stats auth myuser:mypass
    server WEB_SERVER_1 ###.###.###.###:8080 #cookie LOAD_BALANCER_01 check
    server WEB_SERVER_2 ###.###.###.###:8080 #cookie LOAD_BALANCER_02 check
Note that HAProxy treats everything to the right of a # as a comment. On the two server
lines the # that disables the cookie option therefore also disables the trailing check
keyword, so in the sample file the servers are not health-checked. If you want health
checks without the cookie feature, move check in front of the #, for example:
    server WEB_SERVER_1 ###.###.###.###:8080 check #cookie LOAD_BALANCER_01
5. This configuration file uses the roundrobin balance option; to use the leastconn
balance option instead, insert a # sign in front of the "balance roundrobin" line and
remove the # sign from the "balance leastconn" line.
6. Add valid IP addresses and port numbers to the configuration file as follows:
• On the "listen LOAD_BALANCER aaa.bbb.ccc.ddd:80" line, do the following:
- Change aaa.bbb.ccc.ddd to the IP address of the load balancer.
- Update the port number (80) if it is different from the one already in the
configuration file.
• On the "server WEB_SERVER_1 ###.###.###.###:8080" and "server
WEB_SERVER_2 ###.###.###.###:8080" lines, change ###.###.###.### to the IP
address of each server. Also change the port number if it is different from the one
already in the configuration file. The ### placeholders must be replaced: HAProxy
would otherwise read the first # as the start of a comment and fail to parse the line.
7. If needed, customize any field in the configuration file that is shown in uppercase:
• LOAD_BALANCER
• WEB_SERVER_1
• WEB_SERVER_2
• LOAD_BALANCER_01
• LOAD_BALANCER_02
8. Specify whether you want to use the cookie load balancer feature. This feature works as
follows:
• When a user reaches the LOAD_BALANCER group (using http://aaa.bbb.ccc.ddd),
the cookie LOAD_BALANCER is created and the server ID specified for "cookie"
in the server definitions is stored in it (that is, LOAD_BALANCER_01 or
LOAD_BALANCER_02).
• With this cookie, HAProxy forces the use of the server stored within the cookie for
the entire session.
The "cookie LOAD_BALANCER insert" line and the "cookie LOAD_BALANCER_XX"
parts in the LOAD_BALANCER group block control this feature. In the sample file, this
feature is disabled. To enable this feature, remove the # that precedes the "cookie
LOAD_BALANCER_XX" parts in the LOAD_BALANCER group block.
9. Determine whether you want to enable or disable the statistics page. The HAProxy load
balancer has a built-in statistics page that can be reached from
http://aaa.bbb.ccc.ddd/haproxy?stats.
To enable the statistics page, change the user and password on the "stats auth
myuser:mypass" line. The page is served on the same listener as the Web application
and is protected only by HTTP basic authentication over plain HTTP, so if you forward
that port from the Internet the page is reachable from the Internet as well; never leave
the sample credentials in place, and disable the page if you do not need it.
To disable the statistics page, remove the following lines from the configuration file (or
insert a # before these lines):
• stats enable
• stats auth myuser:mypass
10. Save the configuration file.
11. Verify that the HAProxy service shell script references the appropriate configuration
file. Do the following:
a. Enter the following command to open the haproxy service shell script so that you
can edit it:
vi /etc/init.d/haproxy
b. Locate the line that references the location of the haproxy.cfg file. The line looks
like the following:
CONFIG=/etc/Unisys/Loadbalancer/haproxy.cfg
c. Verify that the line correctly references the path and file, or update it so that it
references the appropriate file.
12. To enable the HAProxy load balancer to start from the service script at boot, do the
following:
a. Enter the following command to open the haproxy defaults file:
sudo vi /etc/default/haproxy
Note: This is not the same file that you opened in the previous step. Be sure to
open /etc/default/haproxy.
b. Change the ENABLED=0 setting to ENABLED=1.
13. Reboot the LoadBalancer appliance.
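Two things in the sample haproxy.cfg above are easy to leave in place by accident: the ###.###.###.### and aaa.bbb.ccc.ddd placeholders, and the # that comments out both the cookie option and the health check on each server line, together with the sample statistics credentials. The following Python linter is an added example, not code from the Unisys guide or from the HAProxy project. It reports those conditions and can rewrite a server line so that check is active while the cookie stays disabled. SAMPLE_CFG is a constructed excerpt of the listen block (with one server already filled in) and the function names are this example's own.

```python
"""Added example (not from the Unisys guide or HAProxy): lint the sample
haproxy.cfg of 8.3.2 for unfilled placeholders, the sample stats credentials,
and server lines whose `check` was commented out together with the cookie
option. SAMPLE_CFG is a constructed excerpt of the listen block."""
import re

SAMPLE_CFG = """\
listen LOAD_BALANCER aaa.bbb.ccc.ddd:80
    mode http
    cookie LOAD_BALANCER insert
    balance roundrobin
    #balance leastconn
    option httpclose
    option forwardfor
    stats enable
    stats auth myuser:mypass
    server WEB_SERVER_1 ###.###.###.###:8080 #cookie LOAD_BALANCER_01 check
    server WEB_SERVER_2 192.168.100.12:8080 cookie LOAD_BALANCER_02 check
"""

ADDR_MARKER = re.compile(r"#{3}(?:\.#{3}){3}")          # ###.###.###.### in the sample
PLACEHOLDER = re.compile(r"#{3}(?:\.#{3}){3}|aaa\.bbb\.ccc\.ddd")
SAMPLE_STATS_AUTH = "myuser:mypass"


def split_comment(line):
    """Split at the first '#' that starts a comment. The sample's ###.###.###.###
    markers are masked first so they are reported rather than swallowed (HAProxy
    itself would treat them as a comment, which is why they must be replaced)."""
    masked = ADDR_MARKER.sub(lambda m: "@" * len(m.group(0)), line)
    idx = masked.find("#")
    return (line, None) if idx < 0 else (line[:idx], line[idx + 1:])


def lint_haproxy(text):
    """Return (line number, message) findings for the configuration text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        live, _ = split_comment(raw.strip())
        words = live.split()
        if not words:
            continue                      # blank or fully commented line
        if words[0] == "listen" and PLACEHOLDER.search(live):
            findings.append((lineno, "listen address still a placeholder"))
        elif words[0] == "server" and len(words) >= 3:
            name, addr, opts = words[1], words[2], words[3:]
            if PLACEHOLDER.search(addr):
                findings.append((lineno, f"{name}: address still a placeholder"))
            if "check" not in opts:
                why = " (commented out by the cookie '#')" if "check" in raw else ""
                findings.append((lineno, f"{name}: health check disabled" + why))
        elif words[:2] == ["stats", "auth"] and len(words) > 2 and words[2] == SAMPLE_STATS_AUTH:
            findings.append((lineno, "stats page uses the sample credentials"))
    return findings


def enable_check(line):
    """Move a commented-out 'check' back in front of the '#', leaving the cookie
    option disabled, so the server is health-checked."""
    live, comment = split_comment(line)
    if comment is None or "check" in live.split():
        return line
    words = comment.split()
    if "check" not in words:
        return line
    words.remove("check")
    tail = " #" + " ".join(words) if words else ""
    return live.rstrip() + " check" + tail


if __name__ == "__main__":
    for lineno, msg in lint_haproxy(SAMPLE_CFG):
        print(f"line {lineno}: {msg}")
    fixed = "\n".join(enable_check(l) for l in SAMPLE_CFG.splitlines())
    print("health-check findings after enable_check:",
          [m for _, m in lint_haproxy(fixed) if "health check" in m])
```

Pipe the real /etc/Unisys/Loadbalancer/haproxy.cfg through lint_haproxy before the reboot in step 13; a clean run means the placeholders are gone, the statistics page no longer accepts myuser:mypass, and every server line is actually being health-checked.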
8.4. Configuring Tenant VLAN Firewall Exceptions
By default, the Secure Private Cloud network configuration does not permit
communication between virtual machines that reside on different tenant VLANs, even if
those VLANs belong to the same tenant.
If your tenants have a specific need to enable communication across VLANs, perform one
of the following procedures:
• 8.4.1 Enabling Selected Tenant VLANs to Communicate
• 8.4.2 Enabling All Tenant VLANs to Communicate
Note: These procedures apply only to tenant VLANs that belong to the same tenant.
Secure Private Cloud does not support communication between tenant VLANs that
belong to different tenants.
8.4.1. Enabling Selected Tenant VLANs to Communicate
To enable selected tenant VLANs for a given tenant to communicate with each other, do
the following:
1. Using a vSphere Client that is connected to the vCenter server, open the console to
the tenant VLAN network appliance.
2. Log in, using the vyatta user credentials, and enter the following command:
configure
3. Enter the following command to display the TENANT_VLANS_OUT firewall rule set:
show firewall name TENANT_VLANS_OUT
4. Verify that the output appears as follows:
default-action accept
rule 100 {
    action drop
    source {
        group {
            network-group TENANT_VLAN_NETWORKS
        }
    }
}
Note: If the TENANT_VLANS_OUT rule set is different from the output shown
previously, then the rule set has previously been customized for your environment.
Refer to the firewall documentation at http://www.vyatta.org/documentation for
assistance in understanding your existing rules. Then, adapt the remaining step in this
procedure as needed for your environment.
5. Add new rules to the TENANT_VLANS_OUT rule set to allow communication between
selected tenant VLANs.
The existing rule 100 has the effect of blocking all traffic between different tenant
VLANs. Because rules are evaluated in numerical order and the first match wins, any
exceptions that you create must have rule numbers less than 100; an accept rule numbered
above 100 is never reached.
For example, if you want to enable communication between two VLANs whose
address ranges are 192.168.116.0/24 and 192.168.120.0/24, you could use the following
commands to create rules 10 and 20:
set firewall name TENANT_VLANS_OUT rule 10 action accept
set firewall name TENANT_VLANS_OUT rule 10 source address 192.168.116.0/24
set firewall name TENANT_VLANS_OUT rule 10 destination address 192.168.120.0/24
set firewall name TENANT_VLANS_OUT rule 20 action accept
set firewall name TENANT_VLANS_OUT rule 20 source address 192.168.120.0/24
set firewall name TENANT_VLANS_OUT rule 20 destination address 192.168.116.0/24
commit
save
The resulting rule set appears as follows:
default-action accept
rule 10 {
    action accept
    destination {
        address 192.168.120.0/24
    }
    source {
        address 192.168.116.0/24
    }
}
rule 20 {
    action accept
    destination {
        address 192.168.116.0/24
    }
    source {
        address 192.168.120.0/24
    }
}
rule 100 {
    action drop
    source {
        group {
            network-group TENANT_VLAN_NETWORKS
        }
    }
}
Rule 10 allows traffic from 192.168.116.0/24 to reach 192.168.120.0/24, and rule 20 allows
traffic from 192.168.120.0/24 to reach 192.168.116.0/24. Both directions are needed because
the exceptions are plain address matches, not stateful. The existing rule 100 still prevents
either of these tenant VLANs from communicating with any other tenant VLAN.
Restoring Blocked VLAN Traffic
If you want to undo this change and restore the blocking of traffic between selected
tenant VLANs, delete the rules you created. For example, enter the following:
delete firewall name TENANT_VLANS_OUT rule 10
delete firewall name TENANT_VLANS_OUT rule 20
commit
save
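The two-VLAN example above needs two rules; with n VLANs that may talk to each other it needs n(n-1) rules, all numbered below the drop rule 100, which at the guide's spacing of 10 stops fitting at four VLANs. The following Python script is an added example, not code from the Unisys guide or from Vyatta. It generates the TENANT_VLANS_OUT exception commands of 8.4.1 for any list of a tenant's VLANs and the matching rollback commands, refuses to number a rule at or above the drop rule, and parses each network strictly so that a mis-aligned prefix (such as 192.168.103.0/23) is rejected instead of silently matching a wider range. The function names are this example's own.

```python
"""Added example (not from the Unisys guide): generate the TENANT_VLANS_OUT
exception rules of 8.4.1 for any number of a tenant's VLANs, plus the matching
rollback, enforcing that every exception is numbered below the drop rule."""
import ipaddress
import itertools

RULE_SET = "TENANT_VLANS_OUT"
DROP_RULE = 100          # the template's "drop everything between tenant VLANs" rule


def exception_rule_numbers(vlan_count, start=10, step=10, drop_rule=DROP_RULE):
    """Rule numbers for all ordered VLAN pairs, or ValueError if they would reach the drop rule."""
    pairs = vlan_count * (vlan_count - 1)
    numbers = [start + step * i for i in range(pairs)]
    if numbers and numbers[-1] >= drop_rule:
        raise ValueError(
            f"{pairs} exceptions at step {step} reach rule {numbers[-1]}, "
            f"but all must be below rule {drop_rule}; use a smaller step")
    return numbers


def vlan_exception_commands(vlans, start=10, step=10, drop_rule=DROP_RULE):
    """`set` commands (plus commit/save) allowing traffic between every pair of VLANs.
    Both directions get their own rule because the matches are not stateful."""
    nets = [ipaddress.ip_network(v, strict=True) for v in vlans]   # rejects 192.168.103.0/23
    pairs = list(itertools.permutations(nets, 2))
    numbers = exception_rule_numbers(len(nets), start, step, drop_rule)
    cmds = []
    for num, (src, dst) in zip(numbers, pairs):
        p = f"set firewall name {RULE_SET} rule {num} "
        cmds += [p + "action accept",
                 p + f"source address {src}",
                 p + f"destination address {dst}"]
    return cmds + ["commit", "save"]


def rollback_commands(vlans, start=10, step=10, drop_rule=DROP_RULE):
    """Delete exactly the rules vlan_exception_commands created (Restoring Blocked VLAN Traffic)."""
    numbers = exception_rule_numbers(len(vlans), start, step, drop_rule)
    return [f"delete firewall name {RULE_SET} rule {n}" for n in numbers] + ["commit", "save"]


if __name__ == "__main__":
    two = ["192.168.116.0/24", "192.168.120.0/24"]          # the guide's own example
    print("\n".join(vlan_exception_commands(two)))
    four = ["192.168.116.0/24", "192.168.120.0/24", "192.168.124.0/24", "192.168.128.0/24"]
    try:
        vlan_exception_commands(four)
    except ValueError as err:
        print("step 10 does not fit:", err)
    print(len(vlan_exception_commands(four, step=5)) - 2, "set commands at step 5")
```

For two VLANs the output is exactly the rule 10 and rule 20 commands shown in the procedure; for four VLANs the script reports that step 10 would place rule 120 above the drop rule and a step of 5 is needed.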
8.4.2. Enabling All Tenant VLANs to Communicate
To enable all tenant VLANs for a given tenant to communicate with one another, do the
following:
1. Using a vSphere Client that is connected to the vCenter server, open the console to
the tenant VLAN network appliance.
2. Log in, using the vyatta user credentials, and enter the following command:
configure
3. Enter the following command to display the TENANT_VLANS_OUT firewall rule set:
show firewall name TENANT_VLANS_OUT
4. Verify that the output appears as follows:
default-action accept
rule 100 {
    action drop
    source {
        group {
            network-group TENANT_VLAN_NETWORKS
        }
    }
}
5. Do one of the following, based on the output result:
• If the TENANT_VLANS_OUT rule set appears as shown previously, then disable
rule 100 by entering the following commands:
set firewall name TENANT_VLANS_OUT rule 100 disable
commit
save
Disabling the rule rather than deleting it keeps its definition in place, so the block can be
restored with a single delete of the disable flag.
• If the TENANT_VLANS_OUT rule set is different from the output shown
previously, then the rule set has previously been customized for your
environment. Enter commands to disable or delete all rules in this rule set that
have an action value other than accept. For assistance, refer to the firewall
documentation at http://www.vyatta.org/documentation.
Restoring Blocked VLAN Traffic
If you want to undo this change and restore the blocking of traffic between all tenant
VLANs, enter the following commands:
delete firewall name TENANT_VLANS_OUT rule 100 disable
commit
save
8.5. Changing the Predefined IP Address on the<br />
Intercom Network<br />
The <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> is preconfigured to use the 172.31.1.0/24 IP address for all<br />
interfaces that connect to the Intercom Network. If you need to change this IP address<br />
<strong>and</strong> mask, you can do so by performing the following procedures.<br />
Before you begin this procedure, you should update the cloud provider <strong>and</strong> tenant<br />
worksheets to reflect the new values you want to use.<br />
8.5.1. Configuring the Jump Box, SQL Server, Portal, WSUS,<br />
Active Directory, and vCenter Server Management VMs<br />
to Use a New Intercom Network IP Address<br />
If you want to use a new Intercom Network IP address, do the following to configure the<br />
SQL Server, Secure Private Cloud portal, WSUS, Unisys-supplied Active Directory, and<br />
vCenter Server management VMs.<br />
Note: You might not be using all of these management VMs.<br />
1. Open a console to the SQL Server management VM.<br />
2. Access Network Connections, and then access the Intercom Network Properties<br />
dialog box for TCP/IPv4.<br />
3. Update the properties to reflect the new Intercom Network IP address values in<br />
Table 1–5.<br />
4. Using Notepad, open the file C:\Windows\System32\drivers\etc\hosts.<br />
5. Update each management VM entry in the hosts file, using the new Intercom<br />
Network IP address values in Table 1–5.<br />
6. Save and close the hosts file.<br />
7. If your environment includes VLANs and you are updating the Unisys-supplied Active<br />
Directory management VMs, do the following:<br />
Note: Skip this step if you are updating any other management VMs.<br />
a. Open a command prompt using the Run As Administrator option.<br />
b. Type the following command:<br />
route print<br />
c. Note all of the entries listed in the Persistent Routes section.<br />
d. For each Persistent Routes entry that uses the Management Network Appliance<br />
IP address on the Intercom Network as the “Gateway Address,” type the<br />
following command:<br />
route -p change <br />
<br />
For example, if the route print command shows the following persistent route:<br />
10.1.1.0 255.255.255.0 172.31.1.200<br />
Change the route to use the new Intercom Network IP of the management<br />
network appliance, as follows:<br />
route -p change 10.1.1.0/24 172.31.2.200<br />
Note: The CIDR notation for each tenant’s VLAN information is in Table 1–26.<br />
Repeat the previous steps to configure the Secure Private Cloud portal management VM.<br />
If you are using the WSUS and VMware Update Manager management VM, repeat the<br />
previous steps on that VM.<br />
If you are using the Unisys-supplied Active Directory management VMs, repeat the<br />
previous steps on those VMs.<br />
If you are using the Unisys-supplied vCenter Server management VM, repeat the previous<br />
steps on that VM.<br />
8.5.2. Configuring the uAdapt Controller Management VM to<br />
Use a New Intercom Network IP Address<br />
If you want to use a new Intercom Network IP address, do the following to configure the<br />
uAdapt Controller Management VM:<br />
1. Open a console to the uAdapt Controller Management VM.<br />
2. Open the file /etc/hosts.<br />
3. Update each management VM entry in the hosts file, using the new Intercom<br />
Network IP address values in Table 1–5.<br />
4. Save and close the file.<br />
5. Open the file /etc/sysconfig/network-scripts/ifcfg-eth0.<br />
6. Update the IPADDR= line with the new Intercom Network IP address.<br />
8.5.3. Configuring the uChargeback Management VM to Use a<br />
New Intercom Network IP Address<br />
If you want to use a new Intercom Network IP address, do the following to configure the<br />
uChargeback management VM:<br />
1. Open a console to the uChargeback management VM.<br />
2. Access Network Connections, and then access the Intercom Network Properties<br />
dialog box for TCP/IPv4.<br />
3. Update the properties to reflect the new Intercom Network IP address values in<br />
Table 1–5.<br />
4. Set the Preferred DNS Server to the new uChargeback Management VM IP<br />
address on the Intercom Network. Click OK until you exit the Properties dialog box.<br />
5. Using Notepad, open the file C:\Windows\System32\drivers\etc\hosts.<br />
6. Update each management VM entry in the hosts file, using the new Intercom<br />
Network IP address values in Table 1–5.<br />
7. Save and close the hosts file.<br />
8. Access DNS Manager.<br />
9. In the left pane, expand Forward Lookup Zones.<br />
10. For each zone in the left pane, update the IP addresses of all uChargeback<br />
management VM entries that contain the preconfigured IP address on the Intercom<br />
Network, 172.31.1.3, to use the new IP address.<br />
11. Access the uChargeback Administrator.<br />
In approximately one minute, a warning dialog box appears stating that you are unable to<br />
connect to the database server. (You receive this warning because you changed the IP<br />
address of the SQL Server management VM.)<br />
12. Click OK.<br />
13. Wait several minutes until the uChargeback Administrator Database Configuration<br />
Wizard appears.<br />
14. In the Database Configuration Wizard, enter the following values:<br />
• Server Name: <br />
• Instance Name: <br />
• Database Name: uChgData<br />
15. Click Finish.<br />
16. When the uChargeback Administrator appears, close it.<br />
17. If your environment includes VLANs, do the following:<br />
a. Open a command prompt using the Run As Administrator option.<br />
b. Type the following command:<br />
route print<br />
c. Note all of the entries listed in the Persistent Routes section.<br />
d. For each Persistent Routes entry that uses the Management Network Appliance<br />
IP address on the Intercom Network as the “Gateway Address,” type the<br />
following command:<br />
route -p change <br />
<br />
For example, if the route print command shows the following persistent route:<br />
10.1.1.0 255.255.255.0 172.31.1.200<br />
Change the route to use the new Intercom Network IP of the management<br />
network appliance, as follows:<br />
route -p change 10.1.1.0/24 172.31.2.200<br />
Note: The CIDR notation for each tenant’s VLAN information is in Table 1–26.<br />
8.5.4. Configuring the Cloud Orchestrator Management VM to<br />
Use a New Intercom Network IP Address<br />
If you want to use a new Intercom Network IP address, do the following to configure the<br />
Cloud Orchestrator management VM:<br />
1. Open a console to the Cloud Orchestrator management VM.<br />
2. Access Network Connections, and then access the Intercom Network Properties<br />
dialog box for TCP/IPv4.<br />
3. Update the properties to reflect the new Intercom Network IP address values in<br />
Table 1–5.<br />
4. Set the Preferred DNS Server to the new uChargeback Management VM IP<br />
address on the Intercom Network. Click OK until you exit the Properties dialog box.<br />
5. Using Notepad, open the file C:\Windows\System32\drivers\etc\hosts.<br />
6. Update each management VM entry in the hosts file, using the new Intercom<br />
Network IP address values in Table 1–5.<br />
7. Save and close the hosts file.<br />
8. Using Notepad, open the file C:\Unisys\uspc\conf\uspcnetwork.config.xml.<br />
9. Using the values from Table 1–5, update the following nodes in the uspcnetwork.config.xml file:<br />
• udpAddr<br />
• tcpAddr<br />
10. Restart the following services.<br />
Caution<br />
Before restarting these services, ensure that no commissioning requests are in<br />
progress by responding to all outstanding approval requests and waiting for all<br />
in-progress commissioning requests to be completed.<br />
• Unisys SPC Network Service<br />
• Secure Private Cloud UCO Service<br />
11. If your environment includes VLANs, do the following:<br />
a. Open a command prompt using the Run As Administrator option.<br />
b. Type the following command:<br />
route print<br />
c. Note all of the entries listed in the Persistent Routes section.<br />
d. For each Persistent Routes entry that uses the Management Network Appliance<br />
IP address on the Intercom Network as the “Gateway Address,” type the<br />
following command:<br />
route -p change <br />
<br />
For example, if the route print command shows the following persistent route:<br />
10.1.1.0 255.255.255.0 172.31.1.200<br />
Change the route to use the new Intercom Network IP of the management<br />
network appliance, as follows:<br />
route -p change 10.1.1.0/24 172.31.2.200<br />
Note: The CIDR notation for each tenant’s VLAN information is in Table 1–26.<br />
After you change the Intercom Network IP address for the Cloud Orchestrator<br />
management VM, you must do the following to change the configuration for the Secure<br />
Private Cloud portal management VM:<br />
1. Open a console to the Secure Private Cloud portal management VM.<br />
2. Using Notepad, open the portal-ext.properties file, which is located in the<br />
following directory: C:\Unisys\liferay-portal-6.0.6\tomcat-6.0.29\webapps\ROOT\WEB_INF\classes<br />
3. Locate the axis.servlet.hosts.allowed property in the portal-ext.properties file.<br />
4. Enter the new Intercom Network IP address for the Cloud Orchestrator management<br />
VM in the axis.servlet.hosts.allowed property. (Use commas to separate multiple IP<br />
addresses.)<br />
5. Save and close the properties file.<br />
8.5.5. Configuring the Management Network Appliance to Use<br />
a New Intercom Network IP Address<br />
If you are using VLANs in your environment and you want to use a new Intercom Network<br />
IP address, perform one of the following procedures to configure the Management<br />
Network Appliance, depending on whether the network appliance is virtual or physical.<br />
If you are not using VLANs, or if you want to use the default Intercom Network IP address,<br />
you can skip this topic.<br />
Configuring a Virtual Management Network Appliance to Use a New<br />
Intercom Network IP Address<br />
If you have a virtual Management Network Appliance, do the following to configure it to<br />
use a new Intercom Network IP address:<br />
1. Return to the console for the jump box management VM.<br />
2. Ensure that the cloud provider XML file on the jump box management VM is up-to-date.<br />
3. From the Start menu, point to All Programs, Accessories, and then Windows<br />
PowerShell, and then click Windows PowerShell (x86).<br />
4. Enter the following command from the PowerShell (x86) window on the jump box<br />
management VM:<br />
.\Config-MNAicom.ps1<br />
The script configures the Intercom Network on the appliance using the information<br />
from the Cloud Provider XML file.<br />
Note: If you receive a warning message that there are limitations in your VMware ESX<br />
license, this means that the script cannot be completed because the required VMware<br />
license is not installed on the management server. If you receive this warning, you can<br />
either install the required VMware license or perform the steps in 12.6.2 Configuring the<br />
Virtual Management Network Appliance to Use a New Intercom Network IP Address (with<br />
a VMware License Restriction).<br />
Configuring a Physical Management Network Appliance to Use a<br />
New Intercom Network IP Address<br />
If you have a physical Management Network Appliance, do the following to configure it to<br />
use a new Intercom Network IP address.<br />
Note: The following procedure uses commands appropriate for Cisco switches. If you<br />
have another brand of switch, you must adapt these commands for that switch.<br />
1. Connect the console cable to the switch and connect to it using HyperTerminal, or<br />
connect to the switch using Telnet.<br />
2. Log in to the switch in privileged mode by typing enable, and then responding to the<br />
password prompt.<br />
The prompt changes to end with #. (For example, it changes from MySwitch> to<br />
MySwitch#.)<br />
3. Type the following command to enter configuration mode:<br />
configure terminal<br />
4. Enter the following commands to configure a new gateway IP address for the<br />
Intercom Network VLAN:<br />
interface vlan <br />
ip address <br />
5. Create new access lists with updated Intercom Network IP addressing information<br />
from Table 1–5 and Table 1–20, as follows:<br />
a. Note the current access lists that are using the Intercom Network by entering<br />
the following command:<br />
show access-lists<br />
b. Delete the current access lists that are using the Intercom Network by entering<br />
the following command:<br />
no access-list <br />
c. Create new access lists using the updated Intercom Network information by<br />
entering commands like the following:<br />
access-list permit any<br />
<br />
Note: If an access list number is changed from its previous value, ensure the<br />
appropriate access group is updated to use the new number.<br />
6. If NAT rules exist to enable the tenant VLAN to communicate with the DNS on the<br />
uChargeback management VM, use ip nat commands to update the rules to use the<br />
new uChargeback management VM Intercom Network IP address from Table 1–5.<br />
7. Enter the following command to verify the configuration:<br />
show running-config<br />
8. Save the configuration by entering the following command:<br />
copy running-config startup-config<br />
You see the following: Destination Filename [startup-config]?<br />
9. Press Enter.<br />
You see the response [OK].<br />
8.5.6. Configuring a Tenant VLAN Network Appliance to Use a<br />
New Intercom Network IP Address<br />
Perform the following procedure to configure a tenant VLAN network appliance to use a<br />
new Intercom Network IP address range:<br />
1. Revise the worksheet for this tenant by filling out an additional VLAN column in<br />
Table 1–26.<br />
2. Export the worksheet for this tenant to an XML file, as described in 1.1.6 Exporting the<br />
Data.<br />
3. Perform the procedure in 5.3.1 Deploying a New Tenant VLAN Network Appliance and<br />
VLAN, skipping step 2 (deploying the tenant VLAN network appliance from a template)<br />
because the virtual machine already exists.<br />
If you need to configure more than seven VLANs for the same tenant, you must configure<br />
an additional tenant VLAN network appliance. See 5.3.1 Deploying a New Tenant VLAN<br />
Network Appliance and VLAN.<br />
8.5.7. Configuring the Stealth Components to Use a New<br />
Intercom Network IP Address<br />
Note: If your environment does not include Stealth for Secure Private Cloud, skip this<br />
topic.<br />
Configuring the Stealth Licensing Server to Use a New Intercom<br />
Network IP Address<br />
If you want to use a new Intercom Network IP address, do the following to configure the<br />
Stealth Licensing management VM:<br />
1. Open a console to the Stealth Licensing management VM.<br />
2. Access Network Connections, and then access the Intercom Network Properties<br />
dialog box for TCP/IPv4.<br />
3. Update the properties to reflect the new Intercom Network IP address values in<br />
Table 1–5.<br />
4. Using Notepad, open the file C:\Windows\System32\drivers\etc\hosts.<br />
5. Update each management VM entry in the hosts file, using the new Intercom<br />
Network IP address values in Table 1–5.<br />
6. Save and close the hosts file.<br />
7. Do the following to reconfigure the SSL certificate on the Stealth Licensing<br />
management VM to use the new Intercom Network IP address:<br />
a. Enter the following command from a command prompt:<br />
netsh http show sslcert<br />
This command produces output similar to the following example:<br />
SSL Certificate bindings:<br />
-------------------------<br />
IP:port : 172.31.1.14:443<br />
Certificate Hash : 387d7c267b6601571a13124151e0c1020044fe99<br />
Application ID : {1ad74a6e-2af9-4c14-8277-c4a1fa7e2134}<br />
Certificate Store Name : MY<br />
Verify Client Certificate Revocation : Enabled<br />
Verify Revocation Using Cached Client Certificate Only : Disabled<br />
Usage Check : Enabled<br />
Revocation Freshness Time : 0<br />
URL Retrieval Timeout : 0<br />
Ctl Identifier : (null)<br />
Ctl Store Name : (null)<br />
DS Mapper Usage : Disabled<br />
Negotiate Client Certificate : Disabled<br />
The first output line (IP:port) shows the current IP address with which the<br />
certificate is associated.<br />
b. Stop the dynamic licensing service, as follows:<br />
net stop USSL_DynamicLicensing<br />
c. Delete the current association by specifying the IP address (IP:port) in the<br />
following comm<strong>and</strong>:<br />
netsh http delete sslcert ipport=<br />
Note: In this example, the IP:port value is 172.31.1.14:443.<br />
d. To associate the certificate with the correct address, enter the following<br />
command:<br />
netsh http add sslcert ipport=<br />
certhash=<br />
appid={1ad74a6e-2af9-4c14-8277-c4a1fa7e2134}<br />
where:<br />
is the new Intercom Network IP address of the<br />
Stealth Licensing management VM.<br />
is the IP address with which the certificate is associated.<br />
Note: The application ID must appear exactly as shown in the example.<br />
e. Start the dynamic licensing service, as follows:<br />
net start USSL_DynamicLicensing<br />
8. If your environment includes VLANs, do the following:<br />
a. Open a command prompt using the Run As Administrator option.<br />
b. Type the following command:<br />
route print<br />
c. Note all of the entries listed in the Persistent Routes section.<br />
d. For each Persistent Routes entry that uses the Management Network Appliance<br />
IP address on the Intercom Network as the “Gateway Address,” type the<br />
following command:<br />
route -p change <br />
<br />
For example, if the route print command shows the following persistent route:<br />
10.1.1.0 255.255.255.0 172.31.1.200<br />
Change the route to use the new Intercom Network IP of the management<br />
network appliance, as follows:<br />
route -p change 10.1.1.0/24 172.31.2.200<br />
Note: The CIDR notation for each tenant’s VLAN information is in Table 1–26.<br />
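Step d of the route-update procedure recurs in 8.5.1, 8.5.3, 8.5.4 and in step 8 above. The following PowerShell script is an added example and is not part of the Unisys guide or its scripts: it parses the Persistent Routes block of route print output, converts each netmask to the prefix length that route -p change expects, and produces one change command per route whose gateway is the old Management Network Appliance address, leaving routes through other gateways untouched. The function names are my own; the 10.1.1.0 route, the old gateway 172.31.1.200 and the new gateway 172.31.2.200 follow the page's example, and the other two sample routes are constructed.<br />

```powershell
# Added example, not part of the Unisys guide. Assumptions: elevated PowerShell
# on the management VM being updated; $OldGateway and $NewGateway are the old and
# new Intercom Network addresses of the Management Network Appliance (Table 1-5).

function ConvertTo-PrefixLength {
    # 255.255.255.0 -> 24. Rejects non-contiguous masks such as 255.0.255.0.
    param([Parameter(Mandatory=$true)][string]$Netmask)
    $bits = ($Netmask.Split('.') | ForEach-Object {
        [Convert]::ToString([int]$_, 2).PadLeft(8, '0') }) -join ''
    if ($bits.Length -ne 32 -or $bits -notmatch '^1*0*$') {
        throw "Invalid or non-contiguous netmask: $Netmask"
    }
    ($bits -replace '0', '').Length
}

function Get-PersistentRoutes {
    # Parse only the "Persistent Routes:" block of `route print -4` output.
    param([Parameter(Mandatory=$true)][string[]]$RoutePrintOutput)
    $ip = '(\d{1,3}(?:\.\d{1,3}){3})'
    $inBlock = $false
    foreach ($line in $RoutePrintOutput) {
        if ($line -match '^\s*Persistent Routes:') { $inBlock = $true; continue }
        if (-not $inBlock) { continue }
        if ($line -match '^=+\s*$') { break }   # separator line closes the block
        if ($line -match "^\s*$ip\s+$ip\s+$ip\s+(\S+)") {
            New-Object PSObject -Property @{
                Network = $matches[1]; Netmask = $matches[2]
                Gateway = $matches[3]; Metric  = $matches[4]
            }
        }
    }
}

function Get-RouteChangeCommands {
    # One `route -p change` per persistent route whose gateway is $OldGateway.
    # Routes through any other gateway are deliberately left alone, and nothing
    # is executed here: the caller reviews the list before applying it.
    param(
        [Parameter(Mandatory=$true)][string[]]$RoutePrintOutput,
        [Parameter(Mandatory=$true)][string]$OldGateway,
        [Parameter(Mandatory=$true)][string]$NewGateway
    )
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($NewGateway, [ref]$parsed)) {
        throw "New gateway is not a valid IP address: $NewGateway"
    }
    if ($OldGateway -eq $NewGateway) { throw 'Old and new gateway are identical' }
    foreach ($r in Get-PersistentRoutes -RoutePrintOutput $RoutePrintOutput) {
        if ($r.Gateway -ne $OldGateway) { continue }
        $prefix = ConvertTo-PrefixLength -Netmask $r.Netmask
        "route -p change $($r.Network)/$prefix $NewGateway"
    }
}

# Constructed sample of `route print -4` output for an offline dry run. The
# 10.1.1.0 route is the guide's example; the other two routes are made up.
$sampleRoutePrint = @'
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
         10.1.1.0    255.255.255.0     172.31.1.200       1
         10.1.2.0    255.255.255.0     172.31.1.200       1
      192.168.5.0  255.255.255.128         10.0.0.1       1
===========================================================================
'@ -split "`r?`n"

# Prints one change command per route that used the old gateway; the
# 192.168.5.0 route via 10.0.0.1 is skipped.
$commands = Get-RouteChangeCommands -RoutePrintOutput $sampleRoutePrint `
    -OldGateway '172.31.1.200' -NewGateway '172.31.2.200'
$commands

# Live use, from an elevated prompt: review the list, then apply it.
# $commands = Get-RouteChangeCommands -RoutePrintOutput (route print -4) `
#     -OldGateway '172.31.1.200' -NewGateway '172.31.2.200'
# $commands | ForEach-Object { & cmd.exe /c $_ }
```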
Configuring the Virtual Stealth Gateway to Use a New Intercom<br />
Network IP Address<br />
To configure the Virtual Stealth Gateway to use a new Intercom Network IP address, see<br />
10.18.1 Adding COI Sets and Modifying COI Set Members. You must change all filters that<br />
refer to the previous Intercom Network subnet address to refer to the new subnet value.<br />
You must perform this procedure for each Stealth-enabled tenant VLAN.<br />
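Step 7 of the Stealth Licensing procedure in this topic retypes the certificate hash and application ID by hand. The following PowerShell script is an added example and is not part of the Unisys guide or its scripts: it parses the output of netsh http show sslcert (the guide's own example output is embedded as sample input), locates the binding on the old IP:port and generates the stop, delete, add and start commands with the hash and appid copied from the existing binding. The function names are my own, the service name USSL_DynamicLicensing and the appid come from the page, and 172.31.2.14 is an assumed new address.<br />

```powershell
# Added example, not part of the Unisys guide. Assumptions: elevated PowerShell on
# the Stealth Licensing management VM; the service name USSL_DynamicLicensing and
# the appid are as documented in step 7; 172.31.2.14 is a made-up new address.

function Get-SslCertBindings {
    # Parse `netsh http show sslcert` output into one object per IP:port binding.
    param([Parameter(Mandatory=$true)][string[]]$NetshOutput)
    $current = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            if ($current) { New-Object PSObject -Property $current }
            $current = @{ IpPort = $matches[1]; CertHash = $null; AppId = $null; StoreName = $null }
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]{40})') {
            $current.CertHash = $matches[1]
        } elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\{[0-9a-fA-F-]{36}\})') {
            $current.AppId = $matches[1]
        } elseif ($current -and $line -match '^\s*Certificate Store Name\s*:\s*(\S+)') {
            $current.StoreName = $matches[1]
        }
    }
    if ($current) { New-Object PSObject -Property $current }
}

function Get-SslCertRebindCommands {
    # Build the stop/delete/add/start sequence that moves the binding on $OldIpPort
    # to $NewIp on the same port, reusing the existing hash and appid. Nothing is
    # executed; review the returned commands and run them in order.
    param(
        [Parameter(Mandatory=$true)][string[]]$NetshOutput,
        [Parameter(Mandatory=$true)][string]$OldIpPort,
        [Parameter(Mandatory=$true)][string]$NewIp
    )
    $binding = @(Get-SslCertBindings -NetshOutput $NetshOutput |
        Where-Object { $_.IpPort -eq $OldIpPort })
    if ($binding.Count -ne 1) {
        throw "Expected exactly one SSL binding on $OldIpPort, found $($binding.Count)"
    }
    $binding = $binding[0]
    if (-not $binding.CertHash -or -not $binding.AppId) {
        throw "Binding on $OldIpPort is missing its certificate hash or application ID"
    }
    $port = $OldIpPort.Split(':')[-1]
    @(
        'net stop USSL_DynamicLicensing',
        "netsh http delete sslcert ipport=$OldIpPort",
        "netsh http add sslcert ipport=${NewIp}:$port certhash=$($binding.CertHash) appid=$($binding.AppId)",
        'net start USSL_DynamicLicensing'
    )
}

# Sample input: the guide's own example output of `netsh http show sslcert`.
$sampleNetsh = @'
SSL Certificate bindings:
-------------------------

    IP:port                 : 172.31.1.14:443
    Certificate Hash        : 387d7c267b6601571a13124151e0c1020044fe99
    Application ID          : {1ad74a6e-2af9-4c14-8277-c4a1fa7e2134}
    Certificate Store Name  : MY
    Verify Client Certificate Revocation    : Enabled
'@ -split "`r?`n"

Get-SslCertRebindCommands -NetshOutput $sampleNetsh -OldIpPort '172.31.1.14:443' -NewIp '172.31.2.14'

# Live use: feed the real output, and confirm the certificate is still present in
# the MY store before running the generated commands.
# $cmds = Get-SslCertRebindCommands -NetshOutput (netsh http show sslcert) `
#     -OldIpPort '172.31.1.14:443' -NewIp '<new Intercom Network IP>'
# Get-ChildItem Cert:\LocalMachine\My |
#     Where-Object { $_.Thumbprint -eq '387d7c267b6601571a13124151e0c1020044fe99' }
```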
8.5.8. Updating RBADB to Use the New Intercom Network IP<br />
Address<br />
To update RBADB to use the new Intercom Network IP address, do the following:<br />
1. Perform the procedure in 6.1 Updating Cloud Provider or Adding Tenant Information in<br />
the Secure Private Cloud Environment, running the updateCloudProperties<br />
effector.<br />
After you complete that procedure, return to this topic.<br />
2. If you have any tenants in your environment, and if any of those tenants are using the<br />
uChargeback management VM to act as their DNS server, you must update the<br />
uChargeback management VM IP address on the Intercom Network for each tenant.<br />
To do so:<br />
a. Make the appropriate corrections in the tenant data worksheet.<br />
b. Export the worksheet to an XML file, using the procedure in 1.1.6 Exporting the<br />
Data, and copy it to the following directory on the jump box management VM:<br />
\Unisys\SPC-Automation\XML<br />
c. Perform the procedure in 6.1 Updating Cloud Provider or Adding Tenant<br />
Information in the Secure Private Cloud Environment, running the Populator<br />
updateTenant effector.<br />
3. Click Log Off, and then close the browser window.<br />
8.5.9. Checkpoint<br />
To verify that the new IP address for the Intercom Network is working properly,<br />
commission a virtual machine using the Secure Private Cloud portal.<br />
Section 9<br />
Changing Credentials and Performing<br />
Final Installation Tasks<br />
Credentials include the user name and password that enable you to log on to the product<br />
user interfaces. Initially, each product uses default credentials. The procedures in this<br />
section instruct you to change the credentials appropriately. The final checkpoint verifies<br />
that you can commission resources using the updated credentials. If the Virtual Office as a<br />
Service solution is included in your environment, you are also directed to install and<br />
configure it at the end of this section.<br />
9.1. Recording Updated Credentials<br />
Credentials are the user name and password that enable you to log on to a product. For<br />
some products, you can change both the user name and password, but for other<br />
products, you can change only the password.<br />
It is strongly recommended that you change all credentials from the default values, using<br />
the procedures in this topic. Record the changed values in Table 2–1 and in the Excel<br />
workbook.<br />
9.2. Prerequisites to Changing Credentials<br />
Before you begin to change credentials, do the following:<br />
1. Verify that no commissioning requests are in progress by responding to all outstanding<br />
approval requests and waiting for all in-progress commissioning requests to be<br />
completed. See 10.6 Responding to Requests Using the Operator Prompts Page for<br />
more information.<br />
2. Take a snapshot of each management VM. (You can delete these snapshots after you<br />
confirm the final checkpoint in this section.) Do the following:<br />
a. Open a console to the jump box management VM.<br />
b. Open a PowerShell command window from the jump box management VM, and<br />
enter the following command to automatically take a snapshot of all management<br />
VMs (except the jump box management VM):<br />
.\Checkpoint-Snapshots.ps1<br />
–Name “”<br />
–Description “”<br />
Notes:<br />
• Quotation marks are required around and .<br />
• The is optional.<br />
If the script encounters a duplicate snapshot name for a management VM, it<br />
prompts you to do one of the following:<br />
• Enter a new value for , where the quotation marks are<br />
not required.<br />
• Enter C to continue, using the same name for the new snapshot.<br />
• Enter Q to quit taking snapshots and exit the script.<br />
• Press the Enter key to skip taking a snapshot for the VM.<br />
If the script displays the error message “a general system error occurred” or<br />
“VMware Tools is not running,” ensure that VMware Tools or the services for<br />
VMware Tools is running on each management VM (which can take a few minutes<br />
after a management VM is powered on), and then execute the script again.<br />
c. After the script completes, shut down the jump box management VM, manually<br />
take a snapshot, <strong>and</strong> then power it back on.<br />
3. Update the Secure Private Cloud portal settings and prevent users from signing into<br />
the portal as follows:<br />
a. From a workstation on the Public Network, sign in to the Secure Private Cloud<br />
portal using the URL in Table 2–2 and the Liferay administrator credentials in<br />
Table 2–1.<br />
b. From the Manage list (at the left of the top pane), click Control Panel.<br />
c. Click Portal Settings under Portal in the left pane, and then click<br />
Authentication in the right pane.<br />
d. Click LDAP, and then click the Edit icon next to the LDAP server.<br />
e. Change the value in the Principal box to an invalid name, and then click Save.<br />
This disconnects the Secure Private Cloud portal communication with the Active<br />
Directory server.<br />
f. From the Secure Private Cloud portal management VM, access Services, and then<br />
restart the Unisys Secure Private Cloud Portal service.<br />
Any users currently signed in to the Secure Private Cloud portal are disconnected.<br />
9.3. Procedures for Changing Credentials<br />
The following topics describe the procedures to change the credentials in Table 2–1.<br />
Before changing any credentials, be sure to complete the prerequisites described in<br />
9.2 Prerequisites to Changing Credentials.<br />
Note: During the implementation of the Secure Private Cloud environment, you are<br />
required to create new domain accounts (for example, for the uChargeback administrator)<br />
or use existing domain accounts (for example, for the Active Directory management VM).<br />
These credentials are not listed in Table 2–1, because there are no default values, but they<br />
are listed in the cloud provider workbook tables. Unless specifically stated in this topic, you<br />
can update these values using the standard domain credential management process for<br />
your environment.<br />
9.3.1. VMware ESXi Management Interface<br />
To change credentials for the root user, do the following:<br />
1. Open a vSphere Client to the management server.<br />
2. Select the management server node in the left pane and select the Local Users and<br />
Groups tab.<br />
3. Right-click the root user <strong>and</strong> click Edit to edit the user properties.<br />
4. Update the password.<br />
5. Close the vSphere Client.<br />
CHECKPOINT:<br />
Open a new vSphere Client connection and verify that you can connect to the<br />
management server using the updated credentials.<br />
9.3.2. uAdapt Controller Management VM<br />
To change credentials for the root user, do the following:<br />
1. Open a console to the uAdapt Controller management VM, and log on using the<br />
current root credentials.<br />
2. Change the root password using the passwd command.<br />
3. Log off.<br />
4. Log on using the updated credentials.<br />
9.3.3. Windows Management VMs Administrator Accounts<br />
Note: Depending on your environment, not all of the following management VMs might<br />
be in use.<br />
It is recommended that all the Windows-based management VMs have the same<br />
Windows administrator credentials. Change them in the following order, using the<br />
procedures that follow:<br />
1. Secure Private Cloud portal management VM<br />
2. Cloud Orchestrator management VM<br />
3. uChargeback management VM<br />
4. SQL Server management VM<br />
5. vCenter server management VM<br />
6. WSUS management VM<br />
7. Jump box management VM<br />
8. Stealth Licensing management VM<br />
To change credentials for the local administrator user, do the following:<br />
1. Open a console to the next management VM in the previous list, log on using local<br />
administrator credentials, and complete the rest of this procedure before opening<br />
another console.<br />
2. To rename the local administrator, do the following:<br />
a. Open Server Manager, expand Configuration, expand Local Users and<br />
Groups, and then click Users.<br />
b. Locate the default administrator user and rename it.<br />
Caution<br />
Do not use the Server Manager interface to change the password, because an<br />
irreversible loss of information can occur.<br />
c. Log off.<br />
d. Log on using the new local administrator name.<br />
3. To change the Windows administrator password, do the following:<br />
a. Send a Ctrl+Alt+Del to the management VM console, and then click Change a<br />
Password.<br />
b. Ensure that the username box contains the local administrator user name.<br />
c. Enter the old and new passwords in the boxes, and then press Enter.<br />
d. Log off.<br />
e. Log on using the updated administrator credentials.<br />
4. Repeat this procedure for each management VM that you are modifying. Refer to the<br />
previous list for the recommended order.<br />
9.3.4. uAdapt Console<br />
To change credentials for the uAdapt Console admin user, do the following:<br />
1. Connect to the uAdapt Console using the URL in Table 2–2 and log on.<br />
2. Select Accounts on the View menu.<br />
3. Select Admin in the Assigned Users list.<br />
4. Change the password in the right pane, and click the floppy disk icon to save the new<br />
password.<br />
5. Log out.<br />
CHECKPOINT:<br />
Log on to the uAdapt Console using the updated credentials.<br />
6. Open a console to the uChargeback management VM, and log on using domain<br />
credentials with administrator privileges, as shown in Table 1–10.<br />
a. Launch the uChargeback Administrator.<br />
b. On the Tools menu, point to Options, click Security, and then click Next to go<br />
to the second page.<br />
The Security Configuration Options dialog box appears.<br />
7. If you changed the uAdapt Console Admin credentials, do the following:<br />
a. For the uAdapt Controller, update the values in the URL, Account, and two<br />
Password boxes.<br />
b. Click Finish.<br />
CHECKPOINT:<br />
On the uChargeback management VM console, do the following:<br />
1. Launch the uChargeback Administrator.<br />
2. On the Tools menu, point to Monitor, <strong>and</strong> click Restart Monitor.<br />
3. On the Tools menu, point to Monitor, <strong>and</strong> click View Monitor Log.<br />
9–6 3850 6804–007
4. A success message is logged for uAdapt, which is similar to the following example:<br />
Discovering uAdapt inventory at http://xxx.xxx.xxx.xxx.<br />
Controller version=3.2.x.xxxxx<br />
Note: An error message might be logged during the time when the credentials are<br />
changed on the uChargeback management VM, <strong>and</strong> the uChargeback <strong>Administration</strong><br />
Service Account credentials are not yet updated to match. Refer to<br />
9.3.13 uChargeback Services Domain Account for information on changing the<br />
uChargeback <strong>Administration</strong> Service Account credentials.<br />
9.3.5. SQL Server Database Administrator<br />
To change credentials for the SQL Server database administrator sa user, do the following:<br />
1. Open a console to the SQL Server management VM, and log on as the local administrator user.<br />
2. Start SQL Server Management Studio and connect using Windows Authentication.<br />
3. Expand the Security folder and then the Logins folder in the Object Explorer pane, right-click sa, and click Properties.<br />
4. Update the values in the Password and Confirm password boxes, and click OK.<br />
5. Reboot the server to break any existing connections to the databases.<br />
CHECKPOINT:<br />
From the SQL Server management VM console, do the following:<br />
1. Start SQL Server Management Studio.<br />
2. Select the SQL Server Authentication option.<br />
3. Log on using the updated credentials.<br />
9.3.6. RBADB Database Passwords<br />
You can change the RBADB database passwords for the following accounts:<br />
• ODSUI, which is the account that enables the RBADB Administrative interface to access the RBADB database<br />
• ODSRun, which is the account that enables the Cloud Orchestrator management VM to access the RBADB database<br />
Perform the following procedures to change the passwords for these accounts.<br />
ODSUI RBADB Database Account<br />
To change credentials for the RBADB database ODSUI account, do the following:<br />
1. Perform the procedure in 9.3.5 SQL Server Database Administrator for the ODSUI account (rather than for the sa account).<br />
2. Open a console to the uChargeback management VM, and log on as the local administrator user.<br />
3. Using a text editor, such as Notepad, open the following file:<br />
C:\Program Files (x86)\Apache Software Foundation\Tomcat 6.0\conf\Catalina\localhost\RBADB.xml<br />
4. Update the password in the RBADB.xml file to match the password that you set on the SQL Server management VM for the ODSUI account.<br />
5. Save and close the file.<br />
6. Restart the Apache Tomcat 6 service.<br />
ODSRun RBADB Database Account<br />
To change credentials for the RBADB database ODSRun account, do the following:<br />
1. Perform the procedure in 9.3.5 SQL Server Database Administrator for the ODSRun account (rather than for the sa account).<br />
2. Open a console to the Cloud Orchestrator management VM, and log on as the local administrator user.<br />
3. Using a text editor, such as Notepad, open the following file:<br />
C:\Unisys\UCO\conf\ODSAdapter.properties<br />
4. Update the password in the ODSAdapter.properties file to match the password that you set on the SQL Server management VM for the ODSRun account.<br />
5. Save and close the file.<br />
6. Restart the Unisys Secure Private Cloud UCO service.<br />
Caution<br />
Before restarting this service, ensure that no commissioning requests are in progress: respond to all outstanding approval requests and wait for all in-progress commissioning requests to complete.<br />
9.3.7. vCenter Database Administrator<br />
Note: Only perform this procedure if you are using the vCenter Server supplied by Unisys.<br />
To change credentials for the vCenter database administrator vpxuser, do the following:<br />
1. From a configuration workstation, do the following:<br />
a. Launch vSphere Client and connect to the vCenter server.<br />
b. Click vCenter Server Settings on the Administration menu.<br />
c. Select Advanced Settings in the left pane.<br />
d. Update the value in the VirtualCenter.DBPassword box, and click OK.<br />
e. Exit the vSphere Client.<br />
2. Log on to the SQL Server management VM console as the local administrator user.<br />
3. Start SQL Server Management Studio and connect using Windows Authentication.<br />
4. Expand the Security folder and then the Logins folder in the Object Explorer pane, right-click vpxuser, and click Properties.<br />
5. Update the values in the Password and Confirm password boxes to match the value you entered for VirtualCenter.DBPassword, and click OK.<br />
6. Open the vCenter server VM console, and restart the VMware VirtualCenter Server service.<br />
CHECKPOINT:<br />
From a configuration workstation, do the following:<br />
1. Launch vSphere Client and verify that you can connect to the vCenter server.<br />
2. Using the Inventory view, make sure that the expected inventory of workload servers and virtual machines is displayed.<br />
9.3.8. Cloud Orchestrator Database Administrator<br />
To change credentials for the Cloud Orchestrator database administrator, lifecycle-dbadmin, do the following.<br />
Note: Do not change the lifecycle-dbadmin user name.<br />
1. Open a console to the Cloud Orchestrator management VM, and log on as the local administrator user.<br />
2. Stop the Unisys Secure Private Cloud UCO (Unisys Cloud Orchestrator) service.<br />
3. Open a console to the SQL Server management VM, and log on as the local administrator user.<br />
4. Start SQL Server Management Studio, and connect using Windows authentication.<br />
5. Expand the Security folder and then expand the Logins folder in the Object Explorer pane.<br />
6. Right-click lifecycle-dbadmin, and click Properties.<br />
7. Update the values in the Password and Confirm password boxes, and then click OK.<br />
8. In Windows Explorer, navigate to the C:\ProgramData\Unisys\ConfigSQL folder and locate the LifecycleDbChangePw.bat file.<br />
9. Edit the LifecycleDbChangePw.bat file to replace the current password with the new password.<br />
10. Run the LifecycleDbChangePw.bat file.<br />
11. Enter Y when you receive a warning about replacing the existing task.<br />
The script adds a task that uses the new database password, replacing the existing task that used the old password.<br />
12. Log on to the Cloud Orchestrator management VM console as the local administrator user.<br />
13. Navigate to the C:\Unisys\UCO\conf folder, and edit the hibernate-mssql.cfg.xml file.<br />
14. Edit the line that holds the password to replace the existing password with the new password.<br />
15. Save and close the file.<br />
16. Start the Unisys Secure Private Cloud UCO (Unisys Cloud Orchestrator) service, and then verify that the service starts and remains running.<br />
9.3.9. Secure Private Cloud Portal Database Administrator<br />
To change credentials for the Secure Private Cloud portal database administrator, Portal-dbadmin, do the following.<br />
Note: Do not change the Portal-dbadmin user name.<br />
1. Open a console to the Secure Private Cloud portal management VM, and log on as the local administrator user.<br />
2. Stop the Unisys Secure Private Cloud portal service.<br />
3. Open a console to the SQL Server management VM, and log on as the local administrator user.<br />
4. Start SQL Server Management Studio, and connect using Windows authentication.<br />
5. Expand the Security folder and then expand the Logins folder in the Object Explorer pane.<br />
6. Right-click Portal-dbadmin, and click Properties.<br />
7. Update the values in the Password and Confirm password boxes, and then click OK.<br />
8. Return to the console for the Secure Private Cloud portal management VM.<br />
9. Navigate to the C:\Unisys\liferay-portal-6.0.6\tomcat-6.0.29\webapps\ROOT\WEB-INF\classes folder and edit the portal-ext.properties file.<br />
10. Edit the line "jdbc.default.password=" to replace the existing password with the new password.<br />
11. Save and close the file.<br />
12. Start the Unisys Secure Private Cloud portal service.<br />
9.3.10. Tomcat Manager<br />
To change credentials for the Tomcat manager admin user, do the following:<br />
1. Open a console to the uChargeback management VM, and log on as a local administrator.<br />
2. Using a text editor, such as WordPad, open the following file.<br />
Note: The WordPad text editor maintains the formatting in the file, which makes the file easier to update.<br />
C:\Program Files (x86)\Apache Software Foundation\Tomcat 6.0\conf\tomcat-users.xml<br />
3. Update the user name and password.<br />
4. Save and close the file.<br />
5. Restart the Apache Tomcat 6 service.<br />
CHECKPOINT:<br />
From the uChargeback management VM console, do the following:<br />
1. Access https://localhost:8443 using a Web browser, and click Continue.<br />
Note: If you get a certificate warning, dismiss it; it is not a problem.<br />
2. Verify that you can access the Tomcat Manager using the updated credentials.<br />
9.3.11. RBADB Administrator Interface<br />
Note: To change credentials for the RBADB database, see 9.3.6 RBADB Database Passwords.<br />
To change credentials for the RBADB admin user on the RBADB administrator interface, do the following:<br />
1. From the jump box management VM, access RBADB using a browser and the URL in Table 2–2, and log on as the admin user.<br />
2. Select Site Users in the left pane, and click the Admin Admin user.<br />
3. Click Reset Password in the upper right corner.<br />
4. Enter the new password in both boxes (to enter and confirm the new password), and then click Submit.<br />
5. Close the browser session to RBADB.<br />
CHECKPOINT:<br />
Open a browser to RBADB and log on using the updated credentials.<br />
9.3.12. Unisys-Supplied Domain Controllers<br />
If you configured the optional, Unisys-supplied Domain Controllers, change the Windows administrator credentials.<br />
Note: It is recommended that all Windows-based management VMs have the same Windows administrator credentials. Therefore, you should change the administrator credentials to match those you configured in 9.3.3 Windows Management VMs Administrator Accounts.<br />
You can also add other administrator and non-administrator users to the domain, but it is not necessary.<br />
When you perform this procedure on one Domain Controller, the change is automatically made to the other Domain Controller.<br />
To change the credentials of the Unisys-supplied management-side Domain Controllers, do the following:<br />
1. Open a console to the primary Domain Controller (SPC-AD1) and log on using the Windows credentials in Table 2–1.<br />
2. To rename the administrator, do the following:<br />
a. Access Active Directory Users and Computers, and select Users in the left pane.<br />
b. Right-click the default administrator user, and then click Rename.<br />
c. Type the new administrator name, and then press Enter.<br />
d. Click Yes when you receive a warning that you should log out and log in using the new user name.<br />
e. In the Rename User dialog box, in the User logon name box, enter the new name for the user. This should be the same name that you specified when you renamed the user.<br />
f. Select the appropriate domain in the Domain list.<br />
g. Click OK.<br />
h. Log off.<br />
i. Log on using the new administrator name.<br />
3. To change the Windows administrator password, do the following:<br />
a. Send a Ctrl-Alt-Del to the Domain Controller console, and then click Change a Password.<br />
b. Ensure that the username box contains the updated administrator user name.<br />
c. Enter the old and new passwords in the boxes, and then press Enter.<br />
CHECKPOINT:<br />
Log off the Domain Controller and log back in as the domain administrator user using the new credentials.<br />
When you have verified the new credentials, close the console to the Domain Controller management VM.<br />
9.3.13. uChargeback Services Domain Account<br />
Caution<br />
Do not perform this procedure if you will be commissioning physical servers. If you will be commissioning physical servers, leave the Services Domain Account as it was configured previously.<br />
To change credentials for the uChargeback Services domain account, do the following:<br />
1. Open a console to the uChargeback management VM, and log on using the uChargeback administrator credentials in Table 1–10.<br />
2. Run the uChargeback Administrator.<br />
3. On the Tools menu, point to Options, and click Security.<br />
4. Make a note of the Account in the Service Account section; leave the dialog box open.<br />
5. Send a Ctrl-Alt-Del to the virtual machine console, and click Change a Password (for the server).<br />
The Change Password dialog box opens.<br />
6. Change the user name to the account from the Service Account section that you noted previously. Refer to the values in Table 1–10.<br />
7. Enter the old and new passwords in the boxes, and press Enter.<br />
The Change Password dialog box closes.<br />
8. In the Service Account section, update the two password values to match the new password for the Service account.<br />
9. Click Finish.<br />
The Unisys DWP Monitor Service and Unisys DWP Sdk Host services are restarted.<br />
10. Open a console to the Cloud Orchestrator management VM, and log on using administrator credentials.<br />
11. Edit the following file:<br />
C:\Program Files (x86)\Apache Software Foundation\Tomcat 6.0\webapps\platform\WEB-INF\classes\platformapi-config.properties<br />
12. Update the value for provider.metric.pass to match the password value for the uChargeback service in Table 1–10.<br />
13. Restart the Apache Tomcat 6 service.<br />
CHECKPOINT:<br />
Check that the following services are started on the uChargeback management VM:<br />
• Unisys DWP Monitor Service<br />
• Unisys DWP Sdk Host<br />
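Sections 9.3.6, 9.3.8, 9.3.9, 9.3.10 and 9.3.13 all end the same way: the password just set on SQL Server or for the service account is typed by hand into a .properties or XML file, and the checkpoint then confirms the two copies agree. The Python helper below is an added example, not part of the Unisys guide, that makes those edits and the matching comparison while refusing to write when the expected key or user is missing or ambiguous; it uses the key names jdbc.default.password and provider.metric.pass from the guide, and the file contents in it are constructed samples in the layout of the files the guide names.

```python
"""Rotate the secrets that the guide has you type into Java .properties files
(jdbc.default.password, provider.metric.pass, ODSAdapter.properties) and into
Tomcat's tomcat-users.xml. Each edit fails closed when the expected entry is
missing or ambiguous, so a typo in a key or user name cannot silently leave the
old secret in place. Added example, not Unisys code; samples are constructed."""
import hmac
import html
import re


def _property_pattern(key: str):
    # Matches an uncommented `key=value` or `key: value` line. `#` and `!`
    # comment lines never match because the key must start the line.
    return re.compile(
        r"^[ \t]*" + re.escape(key) + r"[ \t]*[=:][ \t]*(?P<value>.*)$",
        re.MULTILINE,
    )


def get_property(text: str, key: str) -> str:
    """Return the value of `key`; ValueError unless it occurs exactly once."""
    matches = list(_property_pattern(key).finditer(text))
    if len(matches) != 1:
        raise ValueError(f"expected exactly one '{key}' entry, found {len(matches)}")
    return matches[0].group("value")


def set_property(text: str, key: str, new_value: str) -> str:
    """Return the .properties text with only the value of `key` replaced.

    Comments, ordering and every other key are preserved verbatim. Backslash
    line continuations are not handled; the guide's keys are single-line.
    """
    matches = list(_property_pattern(key).finditer(text))
    if len(matches) != 1:
        raise ValueError(f"expected exactly one '{key}' entry, found {len(matches)}")
    m = matches[0]
    return text[: m.start("value")] + new_value + text[m.end("value"):]


_USER_TAG = re.compile(r"<user\b[^>]*>")  # one <user .../> start tag
_ATTR = re.compile(r'([A-Za-z_:][\w:.-]*)\s*=\s*"([^"]*)"')


def set_tomcat_user_password(xml_text: str, username: str, new_password: str) -> str:
    """Return tomcat-users.xml with the password attribute of `username` replaced.

    Attributes are matched per <user> element, so "admin" never matches "admin2"
    and an attribute value that happens to equal the user name is never touched.
    ValueError unless exactly one <user> with that name exists.
    """
    hits = []
    for tag in _USER_TAG.finditer(xml_text):
        attrs = dict(_ATTR.findall(tag.group(0)))
        # Tomcat accepts either the `username` or the older `name` attribute.
        if attrs.get("username", attrs.get("name")) == username:
            hits.append(tag)
    if len(hits) != 1:
        raise ValueError(f"expected exactly one user '{username}', found {len(hits)}")
    element = hits[0].group(0)
    pw = re.search(r'\bpassword\s*=\s*"[^"]*"', element)
    if pw is None:
        raise ValueError(f"user '{username}' has no password attribute")
    # Escape &, <, >, " so the new value cannot break out of the attribute.
    new_element = (element[: pw.start()]
                   + 'password="' + html.escape(new_password, quote=True) + '"'
                   + element[pw.end():])
    return xml_text[: hits[0].start()] + new_element + xml_text[hits[0].end():]


def matches_expected(text: str, key: str, expected: str) -> bool:
    """Checkpoint helper: does the stored value equal the password set on SQL
    Server? Returns only a bool, so the secret is never printed or logged."""
    try:
        stored = get_property(text, key)
    except ValueError:
        return False
    return hmac.compare_digest(stored.encode(), expected.encode())


# Constructed samples in the layout of the files the guide names; not real data.
PORTAL_EXT = (
    "# jdbc settings (constructed sample)\n"
    "jdbc.default.username=Portal-dbadmin\n"
    "jdbc.default.password=OldP@ss\n"
)
TOMCAT_USERS = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    "<tomcat-users>\n"
    '  <role rolename="manager"/>\n'
    '  <user username="admin" password="OldP@ss" roles="manager"/>\n'
    '  <user username="admin2" password="admin" roles="manager"/>\n'
    "</tomcat-users>\n"
)

if __name__ == "__main__":
    new_pw = "N3w-Secret!"  # placeholder; in practice the value set on SQL Server
    portal = set_property(PORTAL_EXT, "jdbc.default.password", new_pw)
    users = set_tomcat_user_password(TOMCAT_USERS, "admin", new_pw)
    print("portal-ext in sync:", matches_expected(portal, "jdbc.default.password", new_pw))
    print("admin2 untouched:", 'password="admin"' in users)
```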
9.3.14. Secure Private Cloud Liferay Administrator<br />
To change the password for a Secure Private Cloud Liferay administrator, do the following.<br />
Note: All cloud and tenant user credentials should be configured using Active Directory. Use the standard Active Directory method to change those credentials as needed.<br />
1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal using the URL in Table 2–2 and the Liferay administrator credentials in Table 2–1.<br />
2. Click the Welcome tab, and then click the name of the Liferay administrator.<br />
Note: If you are prompted to do so, reenter your credentials.<br />
The My Account page appears.<br />
3. On the Details page, update the Email Address and any other Name properties, if required, and then click Save.<br />
4. Click Password under User Information in the right pane.<br />
5. On the Password page, type the current password, type the new password, and then enter the new password again.<br />
6. Click Save.<br />
7. Sign out, and close the browser window.<br />
CHECKPOINT:<br />
On the Secure Private Cloud portal, do the following:<br />
1. Sign in using the updated credentials.<br />
2. Verify that you can access the Control Panel from the Manage list at the left of the top pane.<br />
9.3.15. Virtual Management Network Appliance Administrator<br />
If you are using VLANs to isolate tenant networks, and if you are using a virtual Management Network Appliance to connect the management server or servers to the Management Access Network, do the following to change the credentials for the administrator account that can configure the virtual Management Network Appliance:<br />
1. Open a console to the Management Network Appliance management VM, and log on using the default administrator credentials.<br />
2. Enter the following commands:<br />
configure<br />
set system login user vyatta authentication plaintext-password <br />
commit<br />
save<br />
3. Log off using the logout command.<br />
CHECKPOINT:<br />
Log on using the updated credentials.<br />
9.3.16. Tenant VLAN Network Appliance Administrator<br />
If you are using VLANs to isolate tenant networks, the administrator password was updated automatically when you ran the Config-TenantApp.sh script, as described in 5.3.1 Deploying a New Tenant VLAN Network Appliance and VLAN. The script updated the password to the value in Table 1–25.<br />
If you want to change the password again, do the following:<br />
1. Open a console to the tenant VLAN network appliance, and log on using the current administrator credentials.<br />
2. Enter the following commands:<br />
configure<br />
set system login user vyatta authentication plaintext-password <br />
commit<br />
save<br />
3. Log off using the logout command.<br />
CHECKPOINT:<br />
Log on using the updated credentials.<br />
9.3.17. uChargeback vCenter User<br />
To configure the uChargeback vCenter User, do the following:<br />
1. If you are using the vCenter Server supplied by Unisys, change the credentials for the uChargeback vCenter User, as follows.<br />
Note: If you are using an existing vCenter Server in your environment, use your own procedures for changing the credentials.<br />
a. Open a console to the vCenter Server management VM, and log on using the local Windows administrator user credentials.<br />
b. Open Server Manager, expand Configuration, expand Local Users and Groups, and then click Users.<br />
c. Locate the uChargeback vCenter User and rename it.<br />
d. Send a Ctrl-Alt-Del command to the console.<br />
e. Click Change a password.<br />
f. Set the user to be the uChargeback vCenter User.<br />
g. Enter the previous password and the new password in the boxes, and then press Enter.<br />
h. Close any vSphere Client sessions connected to vCenter Server, and then restart the VMware VirtualCenter Server service.<br />
2. If you renamed the uChargeback vCenter User, assign the new user name to the Read-Only role in vCenter Server, as follows:<br />
a. Using vSphere Client, connect to vCenter Server using the vCenter administrator user credentials.<br />
b. Select the Hosts &amp; Clusters inventory view.<br />
c. Right-click the workload datacenter in the left pane and click Add Permission.<br />
The Assign Permissions dialog box appears.<br />
d. Click Add under Users and Groups.<br />
The Select Users and Groups dialog box appears.<br />
e. Leave the default value, (server), in the Domain box.<br />
f. Enter the new uChargeback vCenter User in the Users box.<br />
g. Click Check Names to verify that the user name is correct.<br />
If the user is not correct, an Incorrect username error message is displayed.<br />
h. Click OK.<br />
The Select Users and Groups dialog box closes.<br />
i. Select Read-only from the Assigned Role list.<br />
j. Click OK.<br />
The Assign Permissions dialog box closes.<br />
3. Open a console to the uChargeback management VM, and log on using a uChargeback administrator account from Table 1–10.<br />
4. Run the uChargeback Administrator.<br />
5. Point to Options on the Tools menu, click Security, and then click Next to go to the second page.<br />
The Security Configuration Options dialog box appears.<br />
6. In the Virtual Center section, update the values in the Account and two Password boxes.<br />
7. Click Finish.<br />
CHECKPOINT:<br />
In the uChargeback Administrator, do the following:<br />
1. Point to Monitor on the Tools menu, and click Restart Monitor.<br />
2. Point to Monitor on the Tools menu, and click View Monitor Log.<br />
Verify that the vCenter inventory was successfully discovered.<br />
9.3.18. Cloud Orchestrator vCenter User<br />
To configure the Cloud Orchestrator vCenter User, do the following:<br />
1. If you are using the vCenter Server supplied by Unisys, change the credentials for the Cloud Orchestrator vCenter User, as follows.<br />
Note: If you are using an existing vCenter Server in your environment, use your own procedures for changing the credentials.<br />
a. Open a console to the vCenter Server management VM, and log on using the local Windows administrator user credentials.<br />
b. Open Server Manager, expand Configuration, expand Local Users and Groups, and then click Users.<br />
c. Locate the Cloud Orchestrator vCenter User and rename it.<br />
d. Send a Ctrl-Alt-Del command to the console.<br />
e. Click Change a password.<br />
f. Set the user to be the Cloud Orchestrator vCenter User.<br />
g. Enter the previous password and the new password in the boxes, and then press Enter.<br />
h. Close any vSphere Client sessions connected to vCenter Server, and then restart the VMware VirtualCenter Server service.<br />
2. If you renamed the Cloud Orchestrator vCenter user, assign the user to the vCenter Cloud Orchestrator role, as follows:<br />
a. Launch the vSphere Client and connect to the vCenter server using administrator credentials.<br />
b. Select the Hosts &amp; Clusters inventory view.<br />
c. Right-click the workload datacenter and click Add Permission.<br />
The Assign Permissions dialog box appears.<br />
d. Click Add under Users and Groups to add the Cloud Orchestrator user for this role.<br />
The Select Users and Groups dialog box is displayed.<br />
e. Leave the default value, (server), in the Domain box.<br />
f. Select the vCenter Cloud Orchestrator user, click Add, and then click OK.<br />
g. Select the Cloud Orchestrator user role in the Assigned Role list.<br />
h. Click OK to close the dialog box.<br />
3. Log on to the Cloud Orchestrator management VM console using administrator credentials, and do the following:<br />
a. Stop the Unisys Secure Private Cloud UCO (Unisys Cloud Orchestrator) service.<br />
b. In WordPad, open the following file:<br />
C:\Unisys\UCO\mlets\serviceInstance.mlet<br />
Note: The WordPad editor maintains formatting in the file, which makes it easier to update.<br />
c. Update the user and password parameter values with the new Cloud Orchestrator vCenter user credential values. These values appear in the following lines in this file:<br />
4. Update the values in the Password and Confirm password boxes, and then click OK.<br />
5. Log on to the WSUS management VM console as the local administrator user.<br />
Note: The following steps use the VMware Update Manager Utility to change the vumuser credentials that the VMware Update Manager uses. For additional documentation on the Update Manager Utility, refer to the VMware Web site and perform a documentation search on "Update Manager Utility."<br />
6. Navigate to the Update Manager installation directory:<br />
C:\Program Files (x86)\VMware\Infrastructure\Update Manager<br />
7. Double-click VMwareUpdateManagerUtility.exe.<br />
8. Enter the vCenter Administrator credentials in the User Name and Password boxes.<br />
9. Click Login.<br />
10. Click Database Settings in the Options pane of the Update Manager Utility.<br />
11. In the Configurations pane, enter vumuser in the User Name box, if it is not already there.<br />
12. In the Password and Confirm Password boxes, enter the same vumuser password that you entered in step 4.<br />
13. Click Apply.<br />
14. Restart the VMware vCenter Update Manager Service.<br />
CHECKPOINT:<br />
From a configuration workstation, do the following:<br />
1. Launch vSphere Client, and open the vCenter management VM console using administrator credentials.<br />
2. Run the VMware vSphere Client.<br />
3. Select Manage Plug-ins from the Plug-ins menu, right-click VMware vCenter Update Manager Extension, and then click Enable.<br />
4. Verify that the plug-in is successfully enabled.<br />
5. Close the dialog box and exit vSphere Client.<br />
9.3.20. HAProxy Load Balancer for Web Applications<br />
If you are using the HAProxy load balancer for Web applications, which is an optional component included with the Secure Private Cloud, do the following to change the password for the spcadmin and root users:<br />
1. Select System, point to Administration, and then click Users and Groups.<br />
2. In the Users Settings dialog box, select the appropriate user and click the Properties button.<br />
3. Select Set password by hand, and enter the new password for the user in the User password and Confirmation boxes.<br />
4. Click OK.<br />
9.3.21. Stealth Infrastructure VMs, <strong>Administration</strong> Application,<br />
<strong>and</strong> Dynamic Licensing Web Interface<br />
Note: If Stealth for <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> is not included in your environment, skip the<br />
following procedures.<br />
Perform the procedures in this topic to change the credentials for the tenant Stealth<br />
Infrastructure VMs, for the <strong>Administration</strong> Application (which runs on the Stealth<br />
Configuration Machine infrastructure VM for each tenant), or to change the credentials for<br />
the Dynamic Licensing Web Interface (which runs on the Stealth Licensing management<br />
VM for the cloud environment as a whole).<br />
If you want to change the credentials for the Stealth Licensing management VM, perform<br />
the procedure in 9.3.3 Windows Management VMs Administrator Accounts.<br />
Stealth Configuration Machine, Stealth Transfer Machine, Stealth Proxy Server, and Stealth Relay Server Infrastructure VMs
If Stealth for Secure Private Cloud is included in your environment, five Stealth infrastructure VMs are created for each Stealth-enabled VLAN.
To change the credentials for the Stealth Configuration Machine, Stealth Transfer Machine, Stealth Proxy Server, and Stealth Relay Server infrastructure VMs, do the following. (You can change the password for one or all of the infrastructure VMs.)
Note: To change the password for the Virtual Stealth Gateway infrastructure VM, perform the procedure in Virtual Stealth Gateway Infrastructure VM.
1. Open a console to the first infrastructure VM whose credentials you want to change, and log on as the local administrator user specified in Table 1–31.
2. To rename the local administrator user, do the following:
a. Open Server Manager, expand Configuration, expand Local Users and Groups, and then click Users.
b. Locate the local administrator user, right-click the user, and then select Rename.
Note: When you perform this procedure on the Stealth Configuration Machine infrastructure VM, you see an Administrator user named FDAdmin. Do not change the user name for the FDAdmin user.
c. Rename the local administrator user.
d. Close Server Manager.
Note: Do not use Server Manager to change the local administrator password, because an irreversible loss of information can occur. Setting a password from Local Users and Groups is an administrative reset: unlike the Ctrl-Alt-Del change in step 3, it does not supply the old password, so Windows cannot re-protect the account's DPAPI master keys, and EFS files, stored credentials, and certificate private keys protected under the old password become unrecoverable.
3850 6804–007 9–21
e. Log off.
3. To change the local administrator password, do the following:
a. Log on using the local administrator user name.
b. Send a Ctrl-Alt-Del command to the infrastructure VM console, and then click Change a Password.
c. Ensure that the username box contains the local administrator user name.
d. Enter the old and new passwords in the boxes, and then press Enter.
e. Log off.
f. Log on using the updated administrator credentials.
Note: When you perform this procedure on the Stealth Configuration Machine infrastructure VM, you can perform this step twice: once for the local administrator user whose user name you changed and once for the FDAdmin user. The local administrator user and the FDAdmin user share the same initial password that you entered in Table 1–31. (The new passwords you assign for the local administrator user and for the FDAdmin user can be different values. If you change only the local administrator user password, be sure to make a note of the original password so that you can later log in as the FDAdmin user, if required.)
4. Repeat this procedure for each Stealth infrastructure VM that you are modifying.
5. Update Table 1–31 in the tenant worksheet to include the new credentials you entered for each infrastructure VM.
6. If you changed the user name or password for the Stealth Transfer Machine infrastructure VM, you must also run the updateTenant effector. Perform the procedure in 6.1 Updating Cloud Provider or Adding Tenant Information in the Secure Private Cloud Environment, and run the updateTenant effector for the tenant whose Stealth infrastructure VMs were updated.
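Steps 2 and 3 can also be performed from an elevated PowerShell prompt on the infrastructure VM. The script below is an added example and is not part of the Unisys guide. It assumes PowerShell 2.0 on Windows Server 2008 (so it uses the ADSI WinNT provider rather than the later Rename-LocalUser cmdlet) and that the operator supplies the current user name from Table 1–31 and the new name; passwords are prompted for so they stay out of the command line and history. The point to notice is the call used: ChangePassword supplies the old password, as the Ctrl-Alt-Del path does, while SetPassword is the administrative reset the Server Manager warning is about.

```powershell
# Added example, not from the Unisys guide. Renames the local administrator and
# changes its password on one Stealth infrastructure VM (steps 2 and 3 above).
# Assumptions: PowerShell 2.0 on Windows Server 2008, run elevated on the VM itself.
param(
    [Parameter(Mandatory=$true)][string]$CurrentAdminName,  # user name from Table 1-31
    [Parameter(Mandatory=$true)][string]$NewAdminName       # pass the same name to change only the password
)

function ConvertFrom-SecureToPlain([System.Security.SecureString]$Secure) {
    # ADSI ChangePassword needs plain strings; prompting keeps them out of the command line.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try { [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Rename-LocalAccount([string]$OldName, [string]$NewName) {
    # The guide's rule: FDAdmin on the Stealth Configuration Machine keeps its name.
    if ($OldName -eq 'FDAdmin') { throw 'FDAdmin must not be renamed.' }
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    $user     = [ADSI]"WinNT://$env:COMPUTERNAME/$OldName,user"
    # IADsContainer.MoveHere with a new leaf name renames the account in place.
    [void]$computer.MoveHere($user.Path, $NewName)
}

function Change-LocalPassword([string]$Name, [string]$OldPassword, [string]$NewPassword) {
    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$Name,user"
    # ChangePassword is the user-initiated path (old password supplied), so the
    # account's DPAPI master keys are re-protected. SetPassword is the administrative
    # reset and is the scripted equivalent of the Server Manager path the guide forbids.
    $user.ChangePassword($OldPassword, $NewPassword)
}

function Test-LocalCredential([string]$Name, [string]$Password) {
    # Step 3f in script form: prove the new credentials work before updating Table 1-31.
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Machine', $env:COMPUTERNAME)
    try { return $ctx.ValidateCredentials($Name, $Password) } finally { $ctx.Dispose() }
}

$old = ConvertFrom-SecureToPlain (Read-Host 'Current password' -AsSecureString)
$new = ConvertFrom-SecureToPlain (Read-Host 'New password' -AsSecureString)
if ($new -eq $old) { throw 'New password must differ from the current one.' }

if ($CurrentAdminName -ne $NewAdminName) { Rename-LocalAccount $CurrentAdminName $NewAdminName }
Change-LocalPassword $NewAdminName $old $new
if (-not (Test-LocalCredential $NewAdminName $new)) { throw 'Logon check failed; do not update Table 1-31 yet.' }
"Account $NewAdminName updated; record the new user name and password in Table 1-31."
```

Run it once for the local administrator you are renaming. On the Stealth Configuration Machine, run it a second time with `-CurrentAdminName FDAdmin -NewAdminName FDAdmin` to change only the FDAdmin password; the rename guard makes the script refuse any attempt to rename that account.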
Virtual Stealth Gateway Infrastructure VM
To change the password for the Virtual Stealth Gateway infrastructure VM, do the following.
Note: You cannot change the user name for the Virtual Stealth Gateway infrastructure VM.
1. Open a console to the Stealth Configuration Machine infrastructure VM (which is associated with the Virtual Stealth Gateway infrastructure VM whose password you want to change).
Log in using the FDAdmin user name and password. (The local administrator user and the FDAdmin user share the same initial password that you entered in Table 1–31.)
2. Open a command prompt.
3. Change the directory to C:\Stealth Files\Software.
4. Enter the following command:
changeVSGpassword.bat
You see a dialog box that prompts you to enter and confirm the new password.
5. Enter and confirm the new password for the Virtual Stealth Gateway infrastructure VM.
You see a message that states that the password was changed.
6. Close the command prompt.
Dynamic Licensing Web Interface
Note: For more information on accessing the Dynamic Licensing Web Interface and the Stealth licensing settings you can view and change, see 10.18.4 Viewing and Configuring Stealth Licensing Options.
To change the password for the Stealth Dynamic Licensing Web Interface, you must update the password on both the Cloud Orchestrator management VM and the Stealth Licensing management VM; the two values must match. Do the following:
1. Open a console to the Cloud Orchestrator management VM, and log on using the current administrator credentials.
2. Edit the following file in Notepad:
C:\Program Files (x86)\Apache Software Foundation\Tomcat 6.0\webapps\platform\WEB-INF\classes\platformapi-config.properties
3. Locate the line that reads:
Cloud.PlatformAPI.provider.license.password=
The default password is U*spc2341. Because this default is printed in this guide, change it before the environment goes into service.
4. Update the password to a new value.
5. Save and close the platformapi-config.properties file. The password is stored in clear text in this file, so restrict read access to the accounts that administer Tomcat.
6. Access Services, and restart the Apache Tomcat 6.0 service.
7. Close the console to the Cloud Orchestrator management VM.
8. Open a console to the Stealth Licensing management VM, and log on using the current administrator credentials.
9. Open a command prompt using the Run as administrator option.
10. Change the directory to C:\Program Files\Unisys\Stealth Solution for LAN.
11. Enter the following command to change the password to match the value you entered on the Cloud Orchestrator management VM:
dynamiclicensing.exe /set WebPassword
Note: If the password contains spaces, enclose it in quotation marks.
12. Close the command prompt.
13. Close the console to the Stealth Licensing management VM.
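Steps 2 through 6 on the Cloud Orchestrator management VM are a single-line edit of a properties file followed by a service restart, which is easy to get subtly wrong (a second copy of the key, a backslash in the password, the default left in place). The script below is an added example, not part of the Unisys guide or the product. It assumes the properties path given above and locates the Tomcat service by its "Apache Tomcat 6.0" display name, because the guide does not give the service name; the 12-character minimum is this example's own policy, not the product's.

```powershell
# Added example, not from the Unisys guide. Scripts steps 2 through 6 on the
# Cloud Orchestrator management VM and verifies that the shipped default is gone.
# Assumptions: the properties path is the one the guide gives; the Tomcat service
# is found by its "Apache Tomcat 6.0" display name (its service name is not given).
$PropertiesPath = 'C:\Program Files (x86)\Apache Software Foundation\Tomcat 6.0\webapps\platform\WEB-INF\classes\platformapi-config.properties'
$Key            = 'Cloud.PlatformAPI.provider.license.password'
$ShippedDefault = 'U*spc2341'   # printed in the guide, so it must never remain in use

function Set-LicensePasswordProperty([string]$Path, [string]$NewPassword) {
    if ($NewPassword -eq $ShippedDefault -or $NewPassword.Length -lt 12) {
        throw 'Refusing the shipped default or a password shorter than 12 characters.'
    }
    $pattern = '^' + [regex]::Escape($Key) + '='
    $lines   = Get-Content -Path $Path
    if (@($lines | Where-Object { $_ -match $pattern }).Count -ne 1) {
        throw "Expected exactly one $Key line in $Path."
    }
    Copy-Item -Path $Path -Destination ("{0}.{1}.bak" -f $Path, (Get-Date -Format 'yyyyMMddHHmmss'))
    # Backslash is the escape character in Java .properties values; everything else
    # in the value is taken literally, so only '\' needs doubling.
    $escaped = $NewPassword.Replace('\', '\\')
    $updated = $lines | ForEach-Object { if ($_ -match $pattern) { "$Key=$escaped" } else { $_ } }
    # Properties files are read as ISO-8859-1; write them back in that encoding.
    [System.IO.File]::WriteAllLines($Path, [string[]]$updated, [System.Text.Encoding]::GetEncoding(28591))
}

function Test-LicensePasswordChanged([string]$Path) {
    # Post-check for step 4: the line exists, is non-empty, and is not the default.
    $pattern = '^' + [regex]::Escape($Key) + '='
    $line = Get-Content -Path $Path | Where-Object { $_ -match $pattern } | Select-Object -First 1
    if (-not $line) { return $false }
    $value = $line.Substring($line.IndexOf('=') + 1)
    return ($value -ne '' -and $value -ne $ShippedDefault)
}

function Restart-Tomcat60 {
    # Step 6: the service has to restart for the new value to take effect.
    $svc = Get-Service | Where-Object { $_.DisplayName -like 'Apache Tomcat 6.0*' } | Select-Object -First 1
    if (-not $svc) { throw 'Apache Tomcat 6.0 service not found.' }
    Restart-Service -Name $svc.Name -ErrorAction Stop
}

$secure = Read-Host 'New Dynamic Licensing Web Interface password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

Set-LicensePasswordProperty -Path $PropertiesPath -NewPassword $plain
if (-not (Test-LicensePasswordChanged -Path $PropertiesPath)) { throw 'Property update did not take effect.' }
Restart-Tomcat60
# The file holds the password in clear text; it should be readable only by the
# accounts that administer Tomcat (inspect with: icacls "$PropertiesPath").
"Updated $Key; now run steps 8 through 11 on the Stealth Licensing management VM with the same value (quote it if it contains spaces)."
```

Steps 8 through 11 still have to be done on the Stealth Licensing management VM with the identical value; if the two sides disagree, the Cloud Orchestrator can no longer authenticate to the Dynamic Licensing Web Interface, so run Test-LicensePasswordChanged again after the second VM is done and confirm licensing options are still reachable as described in 10.18.4.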
9.4. Restoring Users’ Connection to the Portal After Credentials Have Been Changed
Before you began to change credentials, you were advised to update the Secure Private Cloud portal settings to prevent users from signing into the portal. Do the following to reverse that change and enable users to sign into the portal again:
1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal using the URL in Table 2–2 and your Liferay administrator credentials.
2. From the Manage list (at the left of the top pane), click Control Panel.
3. Click Portal Settings under Portal in the left pane, and then click Authentication in the right pane.
4. Click LDAP, and then click the Edit icon next to the LDAP server.
5. Change the value in the Principal box to the user name that the portal uses to authenticate with LDAP. This value is the same as the Principal (User) value from Table 1–6.
6. Test the connection, and then click Save.
This restores communication between the Secure Private Cloud portal and the Active Directory server.
9.5. Performing a Final Commissioning Checkpoint
As a final checkpoint when you have finished changing credentials for all management VMs, do the following:
1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal using the URL in Table 2–2 and credentials that enable you to commission virtual machines.
2. Verify that you can successfully commission a machine by repeating the procedure in 7.5 Checkpoint: Commissioning a Resource.
9.6. Installing Virtual Office as a Service
If Virtual Office as a Service (VOaaS) is included in the environment, refer to the Secure Virtual Office as a Service Implementation and Best Practices Guide (3843 4536) for information on installing the Virtual Office servers, completing networking for these servers, creating virtual desktop gold images, and configuring new tenants in the database.
Section 10
Cloud Portal Operations
This section describes the tasks performed by administrators and operators to support the cloud environment.
10.1. Understanding How Requests are Processed
During the configuration process, the Unisys service consultant sets up one or more of the following methods for user requests to be passed to administrators and operators:
• Through e-mail
• Through your Remedy ITSM ticketing system
If your environment already includes the BMC Remedy IT Service Management (ITSM) software suite version 7, the Unisys service consultant can configure tickets to be generated through the existing ticketing system.
• Through the Unisys Remedy ITSM ticketing system
If you choose, the Unisys service consultant can configure the tickets to be handled by an off-site Unisys Remedy ITSM ticketing system.
You receive notifications when action is required. If Remedy ITSM is configured in your environment, a Remedy ticket is generated to deliver this request. If Remedy ITSM is not configured, or if both Remedy ITSM and e-mail are configured, you receive an e-mail message.
Users also receive notifications based on how the environment is configured.
10.2. Responding to Virtual Machine Requests
Users request new virtual machines, request that virtual machines be started or stopped, and request that virtual machines be decommissioned (deleted) using the Secure Private Cloud portal. These tasks are performed, for the most part, automatically by the Secure Private Cloud portal, and little manual action is required by administrators or operators. You receive notifications of new requests and when new virtual machines are commissioned.
Note: Virtual machines must always be decommissioned using the Secure Private Cloud portal. Do not delete virtual machines directly from VMware vCenter.
If your version of Remedy ITSM is provided by Unisys and located at a Unisys datacenter, or if you are using e-mail to handle Secure Private Cloud requests, no action is required. Only if your environment uses a version of Remedy ITSM provided by your organization must you update the Remedy ticket status field manually as the request is processed. (The ticket status is set to “Draft” and does not change automatically.)
Your site administrator determines whether users can request additional operator actions when commissioning virtual machines. These additional actions are not part of the normal, automatic commissioning process; examples include the following:
• Adding an additional virtual hard drive of a specific size
• Adding additional memory
• Adding an additional virtual NIC
• Installing specified software
If the user requested additional actions for the virtual machine, you are notified of the actions and their requested values through your normal method of notification. You receive the user-requested additional actions and values only if the person who created the blueprint enabled users to request additional operator actions.
You must examine each request and decide whether it was filled automatically or whether you need to perform a manual action to fill the request. When you finish satisfying all additional requests for a virtual machine, do the following:
1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal using the URL in Table 2–2 and your cloud administrator credentials.
2. Click the Administration tab.
You see the Operator Prompts in the right pane.
3. Select the waiting requests for which you completed additional actions, and approve them.
4. Notify the user that the requested virtual machine is ready, using your normal procedure.
The site administrator should provide operator training for the following:
• The types of additional operator actions that users can request and valid values for each action
• The wording of administrator-defined properties that identify the additional operator actions that users can request
• The value of any filters that apply to blueprints and how they affect the possible operator actions
• How to perform the manual action for each request
10.3. Managing Expired Virtual Machines
When a virtual machine lease expires, the virtual machine is stopped, and it appears as Expired on the Resource Overview page of the Secure Private Cloud portal. To access this page, click Commission and Manage, and then click Manage Resources.
From this page, you can change the lease, detach, or decommission (delete) an expired virtual machine. To filter the list of all virtual machines and display only those that have expired, select Lease from the Filter list, select Expired from the secondary list, and then click Go.
10.4. Responding to Physical Server Requests
Users request that new physical servers be commissioned using the Secure Private Cloud portal. Users request that physical servers be started, stopped, or decommissioned (deleted) through another method; the Unisys service consultant helps determine the method used to communicate these requests to administrators and operators.
All physical server tasks require manual action by an administrator or operator. Refer to the following topics for more information on handling physical server requests.
10.4.1. Commissioning New Physical Servers
When a user requests that a new physical server be commissioned, you receive a notice asking you to start one of the uAdapt personas that was created when the account was configured.
Do the following to start the uAdapt persona:
1. Launch the uAdapt Console.
2. Access the Dashboard view from the View menu.
3. In the left list box, select Server Pools:Personas.
4. Locate the server pool that matches the user request. Typically, the pool name consists of a company name (identified in the request as the “company”) and the “blueprint” name listed in the request. Use the pool that does not end with “-active.”
5. If a persona is available in the pool, select a persona from the pool, making a note of the persona name.
If no persona is available in the pool, you must either contact your Unisys service consultant to arrange for an increase in the number of physical servers and personas available to your users, or delete an existing physical server to make those resources available to another user. See 10.4.3 Decommissioning Physical Servers (Releasing Physical Server Resources).
6. In the top-right list box, select Persona Assignment.
7. In the second (lower) list box, select the matching pool name that ends with “-active.”
For example, if the initial server pool is named Widget-W2K3x86MULT-CI-Small-0008-P, select the server pool named Widget-W2K3x86MULT-CI-Small-0008-P-active.
8. Save the uAdapt configuration.
9. Start the persona by selecting Start Persona on the right menu.
10. Save the uAdapt configuration.
11. After the persona is started, access the Catalog view, and then select Personas in the top-left list box.
12. Select the persona that was selected in Step 5.
13. Verify that Persona is selected in the top-right list box.
14. Copy the value from the Name field, and then paste it in the Description field. In the Name field, type the “physical machine name” as it is listed in the user request.
15. Save the uAdapt configuration.
16. Ensure that the persona goes into the running state in uAdapt.
17. Log on to the persona using Remote Desktop or the server console.
18. From a command prompt, enter the following command:
ipconfig /all
19. From the output of this command, examine the IP addresses listed for each connection.
Use this information to determine which connection is attached to the uAdapt Server Control Network, which connection is attached to the Cloud Management Network, and which connection (if any) is connected to the Public Network.
Make a list of which connection names (such as Local Area Connection, Local Area Connection 2, and so forth) are connected to which network.
20. Access Network Connections, as follows:
• For Windows Server 2003, click Start, point to Control Panel, and then click Network Connections.
• For Windows Server 2008, click Start, and then click Control Panel. Double-click Network and Sharing Center, and then click Manage network connections.
21. Configure the network connections so that IPv6 is disabled, and so that only one of the network connections registers itself in DNS.
If the system has a connection to the Public Network, configure that network connection to register itself in DNS. Otherwise, configure the network connection for the Cloud Management Network to register itself in DNS.
Note: Physical server commissioning cannot be finalized if the system registers with multiple DNS addresses.
To configure each connection, perform the following steps:
a. Double-click the connection in Network Connections.
b. On the Status dialog box, click Properties.
c. On the Properties dialog box, under This connection uses the following items, select one of the following, depending on your operating system:
• For Windows Server 2008, clear the Internet Protocol Version 6 (TCP/IPv6) check box, select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
• For Windows Server 2003, select Internet Protocol (TCP/IP), and then click Properties.
Note: Windows Server 2003 does not install IPv6 by default, so there is nothing to disable unless the IPv6 protocol was added to the connection.
d. On the Internet Protocol Properties dialog box, click Advanced.
e. On the Advanced TCP/IP Settings dialog box, select the DNS tab.
f. Select or clear the Register this connection’s addresses in DNS check box, so that it is selected on exactly one connection.
g. Select or clear the Use this connection’s DNS suffix in DNS registration check box.
Note: Enable registration on only one connection.
h. Click OK to close the Advanced TCP/IP Settings dialog box.
i. Click OK to close the Internet Protocol (TCP/IP) Properties dialog box.
j. Click Close to close the Properties dialog box.
22. Change the computer name to match the physical computer name; this name is the same as the changed persona name.
23. Configure the server to synchronize time with a time server that is compatible with the uChargeback management VM.
This is required in order for resource utilization metrics to display the correct data in the Secure Private Cloud portal.
24. When Windows prompts you to reboot, click No.
Note: You must use the uAdapt Console to “reboot” the Windows operating system by stopping and restarting the persona, as described in the following steps.
25. Using the uAdapt Console, stop the persona, and then start it again.
These commands enable the computer name change to take effect in Windows without causing the persona to retarget to a different server.
Do the following to stop and then start the persona:
a. Select Personas from the top-left list box.
b. Select the persona.
c. Select the Stop Persona command in the right menu.
d. Save the configuration.
The persona changes states and eventually ends in the dormant state.
e. In the top-right list box, select Persona Assignment.
f. Verify that the top list box value is Try to run on server in Pool and that the bottom list box is set to the “-active” pool associated with the request.
g. Select Start Persona on the right menu.
h. Save the configuration.
The persona changes states and eventually goes into the running state.
26. Open a console to the Cloud Orchestrator management VM.
27. Launch a Web browser, and access the uOrchestrate Operations Console using the URL in Table 2–2.
28. Log in to the Operations Console using the credentials in Table 2–1.
29. If you receive a message that the Operations Console has stopped polling, click OK.
30. When you see the question, “What is the Computer Name of the newly started persona xxx?” enter the computer name (persona name) of the commissioned physical server.
The computer name you enter must be resolvable from the Cloud Orchestrator and the uChargeback management VMs. This can be the fully qualified domain name of the server, where the domain suffix is the Domain value from Table 1–9. For example, if the host name of the server is host-1, and the Domain value in Table 1–9 is Managed.example.com, then enter host-1.Managed.example.com.
(The name that appears in this message is the “User Entered Name” listed in the user request, which is different from the physical computer name/persona name.)
31. Click Response.
After you enter the computer name, the Secure Private Cloud portal completes the physical machine request. When the request is complete, the user who requested the physical server receives a notice that the physical server has been commissioned and can be accessed using the new computer name.
32. On the persona, ensure that the Unisys DWP Meter service is started and is configured to start automatically when the operating system is started.
33. Restart the server using the following procedure, 10.4.2 Starting or Stopping Physical Servers.
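Steps 19 through 23 of the procedure above (identify which connection is on which network, let exactly one connection register in DNS, disable IPv6, rename the computer, point it at the time server) are the part most often done inconsistently by hand, and the "registers with multiple DNS addresses" failure in step 30 is the result. The script below is an added example, not part of the Unisys guide or of uAdapt. It assumes Windows Server 2008 with PowerShell 2.0 on the persona (hence WMI rather than the later NetAdapter cmdlets), and the three address prefixes, the time server name and the use of Microsoft's DisabledComponents registry switch for IPv6 are this example's assumptions, not values from the guide.

```powershell
# Added example, not from the Unisys guide. Scripts steps 19 through 23 on the
# persona itself (Windows Server 2008, PowerShell 2.0, run elevated; WMI is used
# because the NetAdapter cmdlets do not exist on that release).
# Assumptions, not taken from the guide: the three address prefixes, the time
# server name, and the registry DisabledComponents switch for IPv6.
param(
    [Parameter(Mandatory=$true)][string]$PhysicalMachineName,  # "physical machine name" from the request (step 14)
    [string]$ServerControlPrefix = '10.10.',    # ASSUMED uAdapt Server Control Network
    [string]$CloudMgmtPrefix     = '10.20.',    # ASSUMED Cloud Management Network
    [string]$PublicPrefix        = '192.0.2.',  # ASSUMED Public Network
    [string]$TimeServer          = 'time.managed.example.com'  # ASSUMED; must match the uChargeback VM's source
)

function Get-PersonaConnections {
    # Step 19: map each connection name to the network it sits on by its IPv4 address.
    foreach ($cfg in Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
        $adapter = Get-WmiObject Win32_NetworkAdapter -Filter "Index = $($cfg.Index)"
        $ipv4    = @($cfg.IPAddress | Where-Object { $_ -notmatch ':' })
        $network = 'Unknown'
        foreach ($ip in $ipv4) {
            if     ($ip.StartsWith($PublicPrefix))        { $network = 'Public' }
            elseif ($ip.StartsWith($CloudMgmtPrefix))     { $network = 'CloudManagement' }
            elseif ($ip.StartsWith($ServerControlPrefix)) { $network = 'ServerControl' }
        }
        New-Object PSObject -Property @{ Name = $adapter.NetConnectionID; IPv4 = $ipv4; Network = $network; Config = $cfg }
    }
}

function Select-DnsRegistrant($Connections) {
    # Step 21 rule: the Public connection registers if there is one, otherwise Cloud Management.
    $c = @($Connections | Where-Object { $_.Network -eq 'Public' })
    if ($c.Count -eq 0) { $c = @($Connections | Where-Object { $_.Network -eq 'CloudManagement' }) }
    if ($c.Count -eq 0) { throw 'No Public or Cloud Management connection matched; check the prefixes.' }
    return $c[0]
}

function Set-SingleDnsRegistration($Connections, $Registrant) {
    foreach ($c in $Connections) {
        $register = ($c.Config.Index -eq $Registrant.Config.Index)
        # Arguments: FullDNSRegistrationEnabled ("Register this connection's addresses"),
        # DomainDNSRegistrationEnabled ("Use this connection's DNS suffix"). 0 = ok, 1 = reboot needed.
        $rc = $c.Config.SetDynamicDNSRegistration($register, $false)
        if ($rc.ReturnValue -gt 1) { throw "DNS registration change failed on $($c.Name): $($rc.ReturnValue)" }
    }
}

function Disable-IPv6 {
    # The guide clears the TCP/IPv6 binding per connection in the GUI. The scripted
    # equivalent used here is Microsoft's DisabledComponents switch (0xFF = all
    # IPv6 components except loopback); it applies after the uAdapt stop/start in step 25.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    Set-ItemProperty -Path $key -Name DisabledComponents -Value 0xFF -Type DWord
}

function Rename-Persona([string]$Name) {
    # Step 22: the computer name must equal the persona name. Do not reboot from
    # Windows afterwards (step 24); restart the persona from uAdapt instead.
    # On a domain-joined server, pass domain credentials as the 2nd and 3rd arguments.
    $rc = (Get-WmiObject Win32_ComputerSystem).Rename($Name)
    if ($rc.ReturnValue -ne 0) { throw "Rename failed: $($rc.ReturnValue)" }
}

$connections = @(Get-PersonaConnections)
$connections | ForEach-Object { "{0,-25} {1,-16} {2}" -f $_.Name, $_.Network, ($_.IPv4 -join ',') }
$registrant  = Select-DnsRegistrant $connections
Set-SingleDnsRegistration $connections $registrant
Disable-IPv6
Rename-Persona $PhysicalMachineName
# Step 23: point the Windows Time service at the same source the uChargeback VM uses.
& w32tm /config "/manualpeerlist:$TimeServer" /syncfromflags:manual /update | Out-Null
"Configured: $($registrant.Name) registers in DNS; IPv6 disabled; computer name $PhysicalMachineName. Stop and start the persona from uAdapt now."
```

After the persona has been stopped and started from uAdapt (step 25), check the result from the Cloud Orchestrator management VM before answering the question in step 30: `nslookup host-1.Managed.example.com` (with your own names from Table 1–9) must return exactly one address. Two or more addresses means another connection is still registering and the commissioning request will not finalize.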
10.4.2. Starting or Stopping Physical Servers
When a user requests that a physical server be started or stopped, you receive a notice requesting that you complete this action.
Starting a Physical Server
Do the following to start a physical server:
1. Launch the uAdapt Console.
2. Access the Catalog view from the View menu.
3. Select Personas in the top-left list box.
4. Select the persona that matches the computer name that the user requested you start.
5. In the top-right list box, select Persona Assignment.
6. Verify that the top list box value is Try to run on server in Pool and that the bottom list box is set to the “-active” pool associated with the request.
7. Select Start Persona on the right menu.
8. Save the configuration.
The persona changes states and eventually ends in the running state.
9. Verify that the state has changed to “Running” to ensure that the persona has successfully started.
Stopping a Physical Server
Do the following to stop a physical server:
1. Launch the uAdapt Console.
2. Access the Catalog view from the View menu.
3. Select Personas from the top-left list box.
4. Select the persona that the user requested to stop.
5. Select Stop Persona on the right menu.
6. Save the configuration.
The persona changes states and eventually ends in the dormant state.
7. Verify that the state has changed to “Dormant” to ensure that the persona has successfully stopped.
Caution
Do not change the server pool for the persona to the non-active pool; the non-active pool is only for personas that are not commissioned.
10.4.3. Decommissioning Physical Servers (Releasing Physical Server Resources)
When you decommission a physical server, you release its resources back to the cloud so that they can be reassigned.
When a user requests that a physical server be decommissioned, you receive a notice requesting that you complete this action.
Decommissioning a physical server and making its resources available to other users includes the following tasks:
1. Stopping the persona in uAdapt.
2. Reinitializing the operating system image for this persona from the gold image that was configured by the Unisys service consultant. For the storage LUN for this persona, this involves doing either of the following:
• Writing over the storage LUN.
• Deleting the storage LUN and creating an identically named LUN.
3. Moving the persona from the active pool to the inactive pool.
Note: After you stop and decommission virtual machines, they are moved into the Archived Servers Department in uChargeback. This enables you to create historical reports, as needed. However, if you want to fully delete the virtual machines from uChargeback, see 11.8 Removing Tenant Resources and Departments from uChargeback.
Stopping the Persona
Stop the persona in uAdapt. See 10.4.2 Starting or Stopping Physical Servers.
Managing the Storage LUN
Reinitialize the operating system image for this persona from the gold image that was configured by the Unisys service consultant. Either option below replaces the entire contents of the LUN, so no data from the previous user of the server remains when it is reassigned. For the storage LUN for this persona, do either of the following:
• Write over the existing LUN
• Delete the existing LUN and create a new LUN with an identical name
In order for the physical server to be recommissioned using uAdapt, you must name the LUN using the exact name used previously. If you do not, the physical server becomes uncommissionable, and you must call your Unisys service consultant for assistance in creating a new persona.
Use the documentation provided by your storage system to perform one of these tasks.
Moving the Persona to the Inactive Server Pool
Do the following to move the uAdapt persona from the active to the inactive server pool:
1. Launch the uAdapt Console.
2. Access the Catalog view from the View menu.
3. Select Personas from the top-left list box.
4. Select the persona that is being deleted.
5. In the top-right list box, select Persona Assignment.
6. In the second (lower) list box, select the matching pool name that does not end with “-active.” For example, if the assigned server pool is named Widget-W2K3x86-active, select the server pool named Widget-W2K3x86.
7. Save the configuration.
8. In the top-right list box, select Persona.
9. Copy the value from the Description field, and then paste it in the Name field.
10. Save the configuration.
10.5. Responding to Virtual Desktop Requests<br />
Users request that new virtual desktops be commissioned using the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong><br />
portal. Users can also request that virtual desktops be deleted (decommissioned) using<br />
the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal. If a virtual desktop needs to be started or stopped, the<br />
administrator or operator receives a message by e-mail, by Remedy ticket, or by both,<br />
depending on the configuration.<br />
All virtual desktop tasks require manual action by an administrator or operator. Refer to the<br />
following topics for more information on h<strong>and</strong>ling requests.<br />
10.5.1. Commissioning New Virtual Desktops<br />
When a user uses the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal to request that a virtual desktop be<br />
created, a notification (e-mail, Remedy ticket, or both) is created to direct the cloud<br />
administrator or operator to manually create the required desktop.<br />
The notification includes the specific blueprint name that should be used <strong>and</strong> a link to the<br />
<strong>Secure</strong> Virtual Office as a Service Implementation <strong>and</strong> Best Practices <strong>Guide</strong> (3843 4536),<br />
which provides detailed instructions on implementing the Virtual Office as a Service<br />
solution, onboarding new tenants, <strong>and</strong> creating new virtual desktops. This document is<br />
available from the Unisys Product Support Web site (www.support.unisys.com). You can<br />
also refer to the <strong>Secure</strong> Virtual Office as a Service Session Manager Help (3826 5187),<br />
which is available directly from the Session Manager connection broker interface.<br />
After the desktop has been created <strong>and</strong> started in Session Manager, the administrator or<br />
operator must sign into the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal <strong>and</strong> approve the pending request.<br />
The administrator or operator must also manually maintain a mapping of the resource<br />
descriptive name to the desktop name created. (This is used later when deleting virtual<br />
desktops.)<br />
10.5.2. Starting, Stopping, and Deleting Virtual Desktops
Starting and Stopping Virtual Desktops
Cloud Portal Operations
In general, users do not have to request that virtual desktops be started. When a user starts the process to connect to the virtual desktop using the Thin Client software, the software automatically tries to start the virtual desktop if it is not already running. Users can also use the Thin Client software to request that a virtual desktop be restarted (that is, if the virtual desktop is running, it is stopped and then restarted). A user can make a stop request from within the virtual desktop operating system, if the operating system image was built with a capability that enables users to shut it down.
3850 6804–007 10–9
If a user needs administrator or operator assistance to start or stop a virtual desktop, the user must create a request using the method established with the Unisys service consultant.
Deleting Virtual Desktops
When a user uses the Secure Private Cloud portal to request that a virtual desktop be decommissioned (deleted), a notification (e-mail, Remedy ticket, or both) is created to direct the cloud administrator or operator to manually complete the deletion process.
The notification contains the resource descriptive name to be deleted and a link to the Secure Virtual Office as a Service Implementation and Best Practices Guide, which provides detailed instructions on deleting the Virtual Office as a Service desktop.
10.6. Responding to Requests Using the Operator Prompts Page
Operator prompts are generated by the Secure Private Cloud when the automation software encounters a condition that requires intervention by an administrator or operator. For example, an operator prompt is generated if a user requests a custom configuration for a virtual machine, or if a commissioning request has failed due to a configuration or infrastructure problem (such as insufficient space to create a new virtual machine).
In these cases, the administrator or operator responsible for handling the prompt should review the information presented and determine how to proceed. In the event of an error, if the problem can be resolved (for example, by adding storage), the administrator or operator should take whatever action is necessary to resolve the problem, and then approve the prompt. The automation software then retries the operation that failed. If the error cannot or should not be resolved (for example, due to invalid user input), the administrator or operator should reject the operator prompt. The automation software then informs the requesting user that the request has failed.
The Operator Prompts page of the Secure Private Cloud portal enables administrators and operators to approve or reject requests. Do the following to access the Operator Prompts page:
1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal using the URL in Table 2–2 and your cloud administrator or cloud operator credentials.
2. Click Administration.
In the right pane, you see the Operator Prompt Overview, Operator Prompt Details, and Operator Prompt Status tables. Each table provides a different level of detail about the operator prompts.
See the Secure Private Cloud Interface Help for more information on using this page.
10.7. Managing Tenant Users
Perform the following procedures to change a user’s e-mail address, deactivate or reactivate a user, or delete a user.
10.7.1. Updating a Tenant User’s E-mail Address
To change a tenant user’s e-mail address, do the following.
Note: If you change a user’s e-mail address in Active Directory, you must also perform the following procedure to change the e-mail address in the Secure Private Cloud portal.
1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal using the URL in Table 2–2 and your Liferay administrator credentials.
2. From the Manage list (at the left of the top pane), click Control Panel.
3. In the left pane, under Portal, click Users.
The Users page appears with a list of active users.
4. Click the user whose e-mail address you want to change.
5. Type the new e-mail address in the Email Address box.
6. Click Save.
10.7.2. Moving a User from One Tenant Organization to Another
Note: Before moving a tenant user from one organization to another, ensure that the user does not own any resources (virtual machines, physical servers, or virtual desktops). If the user owns any resources, you must either decommission those resources or change the ownership of those resources before performing this procedure. See Section 10, Cloud Portal Operations, for more information about decommissioning virtual machines, virtual desktops, or physical servers, or see the Secure Private Cloud Interface Help for information about changing ownership of a resource.
If you need to move a user from one tenant organization to another, do the following:
1. Sign in to the Secure Cloud Portal using the URL from Table 2–2 and the Liferay administrator credentials from Table 2–1.
2. Click OK when you receive one or more errors stating that there has been an error processing your request or that you do not have permission to view requests.
3. At the top of the window, directly below the browser address bar, select Manage, and then click Control Panel.
4. In the left pane, under Portal, click Users.
The Users page appears.
5. Using the First Name, Last Name, or Email Address boxes, search for the user whose organization you want to change.
Note: You might have to click Advanced to see all available search fields.
6. When you locate the user, click the user name.
The Details page appears, containing the details of the user.
7. In the right pane, click Organizations.
8. Click Select to assign the user to an organization.
The Organizations window appears.
9. Select one of the listed organizations.
Note: You can search for an organization, if required.
10. Click Remove next to the user’s former organization to remove the association with that organization.
11. Click Roles.
12. Click Remove next to the role or roles associated with the user’s former organization.
13. At the bottom of the right pane, click Save.
14. Exit Control Panel, and log out.
15. Log in using your cloud administrator credentials, and assign the user to the appropriate role and project using the Role and Project Membership page. See 7.4 Assigning Cloud Provider and Tenant Users to Roles, and Assigning Tenant Users to Projects for more information.
10.7.3. Deactivating or Reactivating Tenant Users
The following procedure describes how to deactivate tenant users and prevent them from logging in to the Secure Private Cloud portal. It also describes how to reactivate users, if needed.
Do the following to deactivate a user:
1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal using the URL in Table 2–2 and your Liferay administrator credentials.
2. From the Manage list (at the left of the top pane), click Control Panel.
3. In the left pane, under Portal, click Users.
The Users page appears with a list of active users.
4. Locate the users you want to deactivate, and select the check boxes next to the user names.
5. Click Deactivate (at the top of the list of users) to deactivate the users.
If you want to reactivate a user, do the following:
1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal using the URL in Table 2–2 and your Liferay administrator credentials.
2. From the Manage list (at the left of the top pane), click Control Panel.
3. In the left pane, under Portal, click Users.
The Users page appears with a list of active users.
4. From the Active list, select No, and then click Search.
Note: You might have to click Advanced under the Search button to view the Active list.
A list of the deactivated users appears.
5. Locate the users you want to reactivate, and select the check boxes next to the user names.
6. Click Restore (at the top of the list of users) to reactivate the users.
10.7.4. Deleting Tenant Users and User Roles
Deleting Tenant Users and User Roles from the Secure Private Cloud Portal
To delete tenant users, do the following:
1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal using the URL in Table 2–2 and your Liferay administrator credentials.
2. From the Manage list (at the left of the top pane), click Control Panel.
3. In the left pane, under Portal, click Users.
The Users page appears with a list of active users.
4. If you have not already deactivated the users you want to delete, do the following. If the users are already deactivated, skip to the next step.
a. Select the check boxes next to the users who you want to deactivate.
b. Click Deactivate (at the top of the list of users) to deactivate the users.
5. From the Active list, select No, and then click Search.
Note: You might have to click Advanced under the Search button to view the Active list.
A list of the deactivated users appears.
6. Locate the users you want to delete, and select the check boxes next to the user names.
7. Click Delete (at the top of the list of users) to delete the selected users.
To delete a tenant user role, do the following.
1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal using the URL in Table 2–2 and your Liferay administrator credentials.
2. From the Manage list (at the left of the top pane), click Control Panel.
3. In the left pane, under Portal, click Roles.
The Roles page appears with a list of roles.
4. Locate the tenant user role you want to delete, click the Actions button for that user role, and then click View Users.
5. Verify that no users are associated with the role you are deleting.
If any users are associated with the role, you should create a new role and reassign the users before continuing.
6. Locate the tenant user role you want to delete, click the Actions button for that user role, and then click Delete.
10.8. Editing Blueprints
To edit a blueprint that has already been refined, do the following.
Note: Some blueprint attributes cannot be changed, such as blueprint type.
1. Click Administration, and then click Manage Blueprints.
2. Under Manage Blueprints, select the project associated with the blueprint you want to edit.
The Blueprint pane is updated to list all blueprints associated with the project.
3. Under Blueprints, select the blueprint that you want to edit, and then click Edit Blueprint.
4. Edit the values as required.
Note: The blueprint name cannot be longer than 128 characters. Only numbers (0-9), uppercase and lowercase letters (A-Z, a-z), space, hyphen (-), underscore (_), period (.), ampersand (&), and at sign (@) characters are allowed.
See the following topics for information:
• 6.5 Virtual Machine Attributes and Values
• 6.6 Virtual Desktop Attributes and Values
5. After you finish editing the values, click Apply.
10.9. Deleting Blueprints or Projects from the Cloud Environment
Note: Renaming projects is not a supported operation. To give a project a different name, you must delete it using the procedures in this topic and then recreate it using the new name.
If you want to delete a blueprint, you must delete it from both the Secure Private Cloud portal and from RBADB. If you want to delete a project, you must delete it from both RBADB and from uOrchestrate.
Perform the procedures in this topic to delete components from the cloud environment.
10.9.1. Deleting Blueprints from the Secure Private Cloud Portal
Note: To delete a blueprint, you must first decommission the resources that have been commissioned using the blueprint. You receive the following error message when you try to delete a blueprint that has resources tied to it:
There has been a problem processing your request.
To delete a blueprint from the Secure Private Cloud portal, do the following:
1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal using the URL in Table 2–2 and your cloud administrator or cloud operator credentials.
2. Click Administration, and then click Manage Blueprints.
3. Under Manage Blueprints, select the tenant folder.
The Blueprint pane is updated to list all blueprints associated with the tenant.
4. Under Blueprints, select the blueprint that you want to delete, and then click Delete Blueprint.
A confirmation message appears.
5. Confirm that you want to delete the blueprint.
The blueprint is deleted from the tenant and from all tenant projects with which it is associated.
6. Delete the blueprint from RBADB. See Removing a Blueprint from a Contract and Deleting a Blueprint.
10.9.2. Deleting Projects or Blueprints from RBADB
If you want to delete tenant projects or blueprints from RBADB, perform the following procedures.
Note: If you delete a tenant, the projects associated with the tenant are deleted automatically. (See 11.6 Removing a Tenant Contract and Tenant from RBADB for information about deleting tenants.) However, any blueprints associated with the tenant must be deleted individually, as described later in this topic.
In addition, remove any deleted projects or blueprints from the tenant data worksheet, so that any future updates in the worksheet can be applied correctly to RBADB.
Note: It is not necessary to export the worksheet at this time.
Restrictions When Deleting Items in RBADB
• A project cannot be deleted if it is associated with any commissioned resources.
• A contract cannot be deleted if it is associated with any commissioned resources.
• A tenant cannot be deleted if it is associated with a contract.
• A blueprint cannot be deleted if it is associated with a contract.
Verifying that Commissioned Resources Are Not Associated with Tenants, Projects, or Blueprints
You cannot delete a tenant, project, or blueprint if it is associated with any commissioned resources. To verify that commissioned resources are not associated with tenants, projects, or blueprints, do the following:
1. From the jump box management VM, access RBADB using the URL in Table 2–2.
2. Log in with the RBADB Administrator credentials in Table 2–1.
3. Click Contracts in the left pane.
4. Select the contract for the tenant.
You see the Contracted Resources page, which includes a table listing associated blueprints.
5. For any Blueprint Type whose Deployed value is not 0, select View Deployed Resources from the Actions list.
You see the Deployed Resources page, which includes a table listing commissioned resources. Commissioned resources are grouped by project, and each machine is identified by the tenant fully qualified name (FQN).
For any deployed resources that are associated with tenants, projects, or blueprints that you want to decommission (delete), do the following:
a. Access the Secure Private Cloud portal, and check whether the commissioned resources have been decommissioned. If any commissioned resources have not been decommissioned from the Secure Private Cloud portal, you must ensure that they are decommissioned.
If possible, you should request that users decommission their own virtual machines. The procedure that explains how users decommission virtual machines is included in the Secure Private Cloud Interface Help. However, if users are no longer available to decommission their own virtual machines, you might have to decommission them. See 11.1 Stopping and Decommissioning Virtual Machines for more information.
The procedure that explains how administrators decommission physical servers is described in 10.4.3 Decommissioning Physical Servers (Releasing Physical Server Resources).
b. If any commissioned resources still remain in RBADB, access the Deployed Resources page, and delete those resources by clicking the recycle bin icon next to each machine.
Note: Perform this step only if you are sure that the resources do not exist in the Secure Private Cloud portal. The recycle bin icon is provided only to resolve inconsistencies where commissioned resources that no longer exist in the Secure Private Cloud portal still appear in RBADB. If you delete a resource that still exists in the Secure Private Cloud portal, serious errors can occur.
Removing a Blueprint from a Contract and Deleting a Blueprint
Note: The Import VMware Virtual Machine blueprint can be removed from the tenant’s contract; however, you should not remove this blueprint from RBADB.
A blueprint cannot be deleted if it is associated with a contract. To remove a blueprint from a contract (if the contract has not already been deleted) and delete a blueprint, do the following in RBADB:
1. From the jump box management VM, access RBADB using the URL in Table 2–2.
2. Log in with the RBADB Administrator credentials in Table 2–1.
3. If you need to remove a blueprint from a contract (if the contract has not already been deleted), do the following:
a. Click Contracts in the left pane.
b. Select the contract for the tenant.
You see the Contracted Resources page, which includes a table of associated blueprints.
c. Verify that there are no commissioned resources associated with the blueprint (that is, that the value in the Deployed column is 0). See Verifying that Commissioned Resources Are Not Associated with Tenants, Projects, or Blueprints.
d. Select Delete Resource from the Actions list.
e. Click OK to confirm that you want to remove the blueprint from the contract.
4. Click Blueprint Types in the left pane.
5. Select the blueprint you want to delete.
6. Click Delete.
7. Click OK to confirm that you want to delete the blueprint.
Deleting a Project
To delete a project, do the following.
Note: If you delete a tenant, all associated projects are automatically deleted from RBADB.
1. From the jump box management VM, access RBADB using the URL in Table 2–2.
2. Log in with the RBADB Administrator credentials in Table 2–1.
3. Click Accounts in the left pane.
4. Click SubAccounts for the tenant whose project you want to delete.
5. Select the subaccount for the project you want to delete.
6. Click Delete.
Note: If the Delete button is not active, there might be commissioned resources associated with this project. See Verifying that Commissioned Resources Are Not Associated with Tenants, Projects, or Blueprints for information on how to verify this and delete commissioned resources if required.
7. Click OK to confirm that you want to delete the project.
8. Perform the procedure in 10.9.3 Removing Projects from uOrchestrate to remove the project from uOrchestrate.
10.9.3. Removing Projects from uOrchestrate
To remove a project from uOrchestrate, do the following:
1. Open a console to the Cloud Orchestrator management VM.
2. Launch a Web browser, and access the uOrchestrate Operations Console using the URL in Table 2–2.
3. Log in to the Operations Console using the credentials in Table 2–1.
4. If you receive a message that the Operations Console has stopped polling, click OK.
5. In the Service Organization pane on the left, click the Registration service.
6. Expand Effectors in the right pane to view the effectors.
7. Under All Effectors, click removeSubAccountStructure.
This effector removes a single project from an existing tenant. Type the name of the tenant that owns the project in the tenant parameter, and then type the name of the project that you want to delete in the subAccount parameter.
8. Click Execute.
9. Check the result in the result pane.
You should see the message “Success” when the process is complete.
10. If any errors were encountered while attempting to delete the tenant or project, resolve them, and then rerun the effector.
For example, if you see an error message that states that a folder cannot be deleted because a resource is associated with it, delete the resource, and then rerun the effector.
10.9.4. Archiving Projects in uChargeback
After you delete projects from RBADB and uOrchestrate, you should archive those projects in uChargeback. Do the following:
1. From a vSphere Client, open a console to the uChargeback management VM, and log in using the domain uChargeback administrator account from Table 1–10.
2. Access the uChargeback Administrator from the Start menu by pointing to All Programs, pointing to Unisys, pointing to uChargeback, and then clicking Administrator.
3. In the Object Browser tree in the left pane, expand the Departments tree, select the project that has been deleted from RBADB and uOrchestrate, and drag that project under Archived Accounts.
If you want to fully delete a project after archiving it, see 11.8 Removing Tenant Resources and Departments from uChargeback.
10.10. Configuring Snapshot Limits and Managing Snapshots
The Secure Private Cloud environment enables you to take snapshots of your virtual machines at any time. These snapshots are known as versions on the Secure Private Cloud portal.
As an administrator, you can limit the number of snapshots that can be taken. By default, the snapshot limit is not set, meaning that one snapshot can be taken for each virtual machine. You can update this value to allow the appropriate amount of storage for your environment to be used to store snapshots.
10.10.1. Configuring Snapshot Limits
You configure snapshot limits using the Excel worksheets. You can configure limits at three levels:
• For the entire Cloud environment
• For a specific tenant folder
• For a specific project folder
If you set these three values differently, the snapshot limits at the lower levels of the hierarchy take precedence over snapshot limits at higher levels. That is, snapshot limits defined at the project level take precedence over the tenant and Cloud level limits, and snapshot limits defined at the tenant level take precedence over the Cloud level limit. The only exception is that the default value (blank) does not override snapshot limits set at higher levels of the hierarchy.
If you want to prevent users from saving snapshots, set the appropriate snapshot limit to 0; you can set this limit at the Cloud level, the tenant level, or the project level. If you set the Cloud level snapshot limit to 0 and leave the tenant and project values blank, users cannot save snapshots. However, if you set the Cloud level snapshot limit to 0 and then set a different value for a particular tenant or project, only virtual machines that belong to that tenant or project can save snapshots.
The snapshot limits you set apply to each virtual machine individually. That means that if you set the snapshot limit to 10 at the project level, and you have 10 virtual machines in that project, then you could have a total of 100 snapshots.
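The precedence rules above, resolved in code as an added example that is not part of the Unisys guide. The function names, the use of None for a blank worksheet cell, and the sample tenant and project values are assumptions made for illustration.

```python
"""Resolve the effective snapshot limit for each project under the
cloud / tenant / project hierarchy described in 10.10.1.

Constructed example: the worksheet values and function names are made up
and are not part of the Secure Private Cloud product.
"""
from typing import Dict, Optional, Tuple

# A blank worksheet cell is modelled as None. A blank at every level means
# the default described in the guide: one snapshot per virtual machine.
DEFAULT_LIMIT_WHEN_ALL_BLANK = 1


def effective_snapshot_limit(cloud: Optional[int],
                             tenant: Optional[int],
                             project: Optional[int]) -> int:
    """Return the limit that applies to one VM in the given project.

    Precedence is project > tenant > cloud, but a blank (None) level does
    not override a value set above it. A limit of 0 is a real value that
    means "no snapshots allowed", so the check must be `is None`, not
    truthiness: `project or tenant or cloud` would silently replace a
    project-level 0 with the tenant or cloud value.
    """
    for level in (project, tenant, cloud):
        if level is not None:
            if level < 0:
                raise ValueError("snapshot limit must be 0 or greater")
            return level
    return DEFAULT_LIMIT_WHEN_ALL_BLANK


def project_snapshot_capacity(limit: int, vm_count: int) -> int:
    """Limits apply per VM, so a project's worst-case total is limit * VMs."""
    return limit * vm_count


def audit_snapshot_limits(cloud_limit: Optional[int],
                          tenants: Dict) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """Report (effective per-VM limit, worst-case total) for every project.

    `tenants` maps tenant name -> {"limit": int|None,
                                   "projects": {name: {"limit": int|None, "vms": int}}}
    """
    report = {}
    for t_name, t in tenants.items():
        for p_name, p in t["projects"].items():
            eff = effective_snapshot_limit(cloud_limit, t["limit"], p["limit"])
            report[(t_name, p_name)] = (eff, project_snapshot_capacity(eff, p["vms"]))
    return report


# Constructed worksheet values (not from any real deployment).
SAMPLE_CLOUD_LIMIT = 0  # cloud level: snapshots disabled unless overridden below
SAMPLE_TENANTS = {
    "tenantA": {"limit": None,  # blank: inherits the cloud-level 0
                "projects": {"proj1": {"limit": None, "vms": 4},   # 0 per VM
                             "proj2": {"limit": 10, "vms": 10}}},  # 10 x 10 = 100
    "tenantB": {"limit": 2,     # overrides the cloud-level 0 for this tenant
                "projects": {"proj3": {"limit": None, "vms": 5},  # inherits 2
                             "proj4": {"limit": 0, "vms": 3}}},   # project-level 0 wins
}

if __name__ == "__main__":
    for (tenant, project), (eff, total) in audit_snapshot_limits(
            SAMPLE_CLOUD_LIMIT, SAMPLE_TENANTS).items():
        print(f"{tenant}/{project}: limit per VM = {eff}, worst-case snapshots = {total}")
```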
To update the snapshot limit for the cloud environment, change the Snapshot Limit in Table 1–9, export the cloud provider worksheet, and run the Populator updateCloudProperties effector, as described in 6.1 Updating Cloud Provider or Adding Tenant Information in the Secure Private Cloud Environment.
To set the snapshot limit for a tenant, change the Snapshot Limit in Table 1–29. To set the snapshot limit for a project, change the Snapshot Limit in Table 1–40. Then export the worksheet, and run the Populator updateTenant effector as described in 6.1 Updating Cloud Provider or Adding Tenant Information in the Secure Private Cloud Environment.
10.10.2. Managing Snapshots<br />
You can create, delete, or revert a snapshot of a virtual machine.<br />
Note: You cannot take snapshots of a physical server or a virtual desktop.<br />
The portal enables you to take snapshots of your virtual machines at any time. These<br />
snapshots are known as versions. A virtual machine snapshot is a representation of the<br />
state of a virtual machine <strong>and</strong> its data at a given time. Snapshots are useful for storing a<br />
virtual machine state that you might need to restore as the current processing state in the<br />
future.<br />
The portal enables you to do the following tasks:<br />
• Creating New Snapshots<br />
• Reverting to a Different Snapshot<br />
• Deleting a Snapshot<br />
Creating New Snapshots<br />
Do the following to create a new snapshot:<br />
1. Click Commission <strong>and</strong> Manage, <strong>and</strong> then click Manage Resources.<br />
2. Select the virtual machine for which you want to take a snapshot in the Resource<br />
Overview pane, <strong>and</strong> click Create Snapshot.<br />
Create Snapshot dialog box appears.<br />
Note: If the virtual machine is running, the best practice is to stop the virtual machine<br />
before taking a snapshot. This ensures that you know the state of the virtual machine<br />
before you take the snapshot, <strong>and</strong> the size of the snapshot is smaller if the snapshot is<br />
taken when the virtual machine is stopped.<br />
3. Type a name for the new snapshot, enter a description of the snapshot, <strong>and</strong> click<br />
Execute.<br />
Reverting to a Different Snapshot<br />
1. Click Commission <strong>and</strong> Manage, <strong>and</strong> then click Manage Resources.<br />
2. Select the virtual machine in the Resource Overview pane <strong>and</strong> click Revert<br />
Snapshot.<br />
Revert Snapshot dialog box appears. Revert Snapshot displays a list of all the<br />
available snapshots, with the latest snapshot selected.<br />
3. Select the snapshot that you want to revert to <strong>and</strong> click Execute.<br />
10–20 3850 6804–007
Note: When you revert to a different snapshot, the current state of the virtual machine is<br />
lost, unless you first stop the virtual machine and take a snapshot of it before reverting.<br />
Deleting a Snapshot<br />
1. Click Commission <strong>and</strong> Manage, <strong>and</strong> then click Manage Resources.<br />
2. Select the virtual machine in the Resource Overview pane <strong>and</strong> click Delete<br />
Snapshot.<br />
The Delete Snapshot dialog box appears, listing all available snapshots with the latest<br />
snapshot selected.<br />
3. Select the snapshot that you want to delete and click Execute. Confirm the selection first,<br />
because the most recent snapshot is preselected.<br />
<strong>Cloud</strong> Portal <strong>Operations</strong><br />
10.11. Using the Resource Utilization Dashboard<br />
The Resource Utilization dashboard enables the users—based on their roles <strong>and</strong><br />
privileges—to view the utilization information (CPU, Memory, Storage, <strong>and</strong> Network) of<br />
various resources allocated to the tenants <strong>and</strong> their associated projects.<br />
When you initially sign in to the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal, you see the Resource<br />
Utilization Overview dashboard on the Home page.<br />
This dashboard provides a graphical overview of CPU utilization, Memory utilization,<br />
Storage utilization, <strong>and</strong> Network utilization for virtual machines <strong>and</strong> physical servers in a<br />
single pane.<br />
This data is gathered every 15 minutes, <strong>and</strong> the time zone listed on the dashboard is that<br />
of the uChargeback management VM. uChargeback can manage data from workload<br />
servers in different time zones, but all data is stored using the uChargeback management<br />
VM time zone. It is highly recommended that you synchronize your system clocks so that<br />
data can be meaningfully compared across multiple workload servers.<br />
For CPU <strong>and</strong> Memory utilization, each resource in the cloud environment is grouped in one<br />
of four categories: low, medium, high, <strong>and</strong> critical. Each category is a range of percentages<br />
of the total available capacity. A Unisys service consultant configures these categories<br />
during initial implementation.<br />
For example, the categories can be defined as follows: Low (0-30%), Medium (31-60%),<br />
High (61-75%), <strong>and</strong> Critical (76-100%). If there are a total of 1000 resources (800 virtual<br />
machines <strong>and</strong> 200 physical servers) in the cloud environment, you can graphically view the<br />
number of resources that fall into each range for CPU utilization <strong>and</strong> Memory utilization.<br />
In contrast, for Storage and Network utilization, the values displayed are for all virtual<br />
machines and all physical servers in the cloud environment (rather than on a<br />
resource-by-resource basis).<br />
CPU Utilization: The average percentage of available CPU capacity that a resource<br />
consumes for a given 15-minute period.<br />
Note: For virtual machines, this is the view presented by the virtualization server rather<br />
than the view from the virtual machine operating system.<br />
Every 15 minutes, uChargeback requests the average utilization for each resource, <strong>and</strong><br />
then each resource is sorted into one of four ranges based on that measurement (low,<br />
medium, high, <strong>and</strong> critical).<br />
The uChargeback metric “Server CPU Percent Average” is derived as follows:<br />
• For virtual machines: VMware metric cpu.usage.average<br />
• For physical servers, one of the following, based on the operating system:<br />
- Windows: perfmon Processor object <strong>and</strong> % Processor Time counter<br />
- Linux: /proc file system /proc/stat<br />
Memory Utilization:<br />
The amount of memory that is actively used, as estimated by VMkernel based on recently<br />
accessed memory pages, which is expressed as a percentage of the allocated memory for<br />
the resource for a 15-minute period. For example, if the resource has been allocated 1024<br />
MB <strong>and</strong> is using 512 MB, then the memory utilization is 50%.<br />
Every 15 minutes, uChargeback requests the average utilization for each resource, <strong>and</strong><br />
then each resource is sorted into one of four ranges based on that measurement (low,<br />
medium, high, <strong>and</strong> critical).<br />
The uChargeback metric “Server Memory Percent Active” is computed as (VMware<br />
metric mem.active.average / VMware metric<br />
VirtualMachine.config.hardware.memoryMB) × 100.<br />
Storage Utilization: The total used <strong>and</strong> total free space (in GB) across all virtual<br />
machines <strong>and</strong> physical servers for a 15-minute period. This includes running, stopped, <strong>and</strong><br />
expired resources.<br />
Every 15 minutes, uChargeback requests the utilization for each resource, <strong>and</strong> the results<br />
from all resources are aggregated in one value for used space (GB) <strong>and</strong> one value for free<br />
space (GB).<br />
The uChargeback metrics “Server Storage Available” <strong>and</strong> “Server Storage Used” are<br />
derived as follows:<br />
• For virtual machines: VMware metrics guest.disk.freeSpace <strong>and</strong> guest.disk.capacity<br />
minus guest.disk.freeSpace<br />
• For physical servers, one of the following, based on the operating system:<br />
- Windows: Windows Management Instrumentation (WMI) Win32_LogicalDisk<br />
object <strong>and</strong> Size property<br />
- Linux: the df -h command<br />
Network Utilization: The total number of bytes transmitted <strong>and</strong> received over all NICs<br />
on all resources for a 15-minute period.<br />
Every 15 minutes, uChargeback requests the utilization for each resource, <strong>and</strong> the results<br />
from all resources are aggregated in one value for I/O transmitted <strong>and</strong> one value for I/O<br />
received.<br />
The uChargeback metrics “Server I/O Network Xmt” <strong>and</strong> “Server I/O Network Rcv” are<br />
derived as follows:<br />
• For virtual machines: VMware metrics net.transmitted.average <strong>and</strong><br />
net.received.average<br />
• For physical servers, one of the following, based on the operating system:<br />
- Windows: Windows Performance Counter – Network Interface category <strong>and</strong><br />
Bytes Received/sec counter name<br />
- Linux: /proc file system /proc/net/dev<br />
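The derivations above can be reproduced outside uChargeback. The following Python is an added example, not part of this guide or of uChargeback: it computes CPU utilization from two /proc/stat samples, the memory percentage from active and configured memory, network bytes from two /proc/net/dev samples, and sorts percentages into the example Low/Medium/High/Critical ranges quoted earlier. All counter values are constructed, the range boundaries are the example values from the text rather than the ones configured in your environment, and skipping the loopback interface is a choice made in this example.<br />

```python
# Added example, not part of the Unisys guide or of uChargeback: it derives
# the dashboard metrics from constructed input and sorts CPU and memory
# percentages into the low/medium/high/critical ranges. The /proc samples,
# counter values and range boundaries are constructed for illustration.

# Constructed /proc/stat "cpu" lines sampled 15 minutes apart. Fields after
# "cpu": user nice system idle iowait irq softirq steal guest guest_nice,
# all cumulative tick counts.
PROC_STAT_T0 = "cpu  4705 150 1120 27812 392 0 35 0 0 0"
PROC_STAT_T1 = "cpu  5905 150 1520 30112 492 0 35 0 0 0"

# Constructed /proc/net/dev samples (cumulative byte counters per NIC).
PROC_NET_DEV_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   123456     900    0    0    0     0          0         0   123456     900    0    0    0     0       0          0
  eth0: 98765432  650000    0    0    0     0          0      1200 45678901  410000    0    0    0     0       0          0
"""
PROC_NET_DEV_T1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   223456    1900    0    0    0     0          0         0   223456    1900    0    0    0     0       0          0
  eth0: 100265432 660000    0    0    0     0          0      1300 46278901  420000    0    0    0     0       0          0
"""

# Example ranges quoted in the text, as (label, inclusive upper bound in %).
RANGES = (("low", 30), ("medium", 60), ("high", 75), ("critical", 100))


def cpu_percent(stat_before, stat_after):
    """Average busy percentage between two /proc/stat samples: ticks that
    were neither idle nor iowait, as a share of all ticks in the interval."""
    a = [int(x) for x in stat_before.split()[1:]]
    b = [int(x) for x in stat_after.split()[1:]]
    total = sum(b) - sum(a)
    if total <= 0:
        raise ValueError("samples out of order or counters did not advance")
    idle = (b[3] + b[4]) - (a[3] + a[4])
    return 100.0 * (total - idle) / total


def memory_percent(active_mb, allocated_mb):
    """Server Memory Percent Active = active / configured memory x 100.
    Both values must be in MB; vSphere reports mem.active.average in KB, so
    divide that counter by 1024 before calling."""
    return 100.0 * active_mb / allocated_mb


def parse_net_dev(text):
    """Return {interface: (rx_bytes, tx_bytes)} from a /proc/net/dev dump."""
    counters = {}
    for line in text.splitlines()[2:]:      # first two lines are headers
        if ":" not in line:
            continue
        iface, _, data = line.partition(":")
        fields = data.split()
        counters[iface.strip()] = (int(fields[0]), int(fields[8]))
    return counters


def network_bytes(before, after, skip=("lo",)):
    """(bytes received, bytes transmitted) over all NICs in the interval,
    from two cumulative samples. Skipping loopback is a choice made here."""
    b0, b1 = parse_net_dev(before), parse_net_dev(after)
    rx = tx = 0
    for iface, (rx1, tx1) in b1.items():
        if iface in skip or iface not in b0:
            continue
        rx0, tx0 = b0[iface]
        rx, tx = rx + rx1 - rx0, tx + tx1 - tx0
    return rx, tx


def bucket(percent, ranges=RANGES):
    """Map a utilization percentage to its range label."""
    if not 0 <= percent <= 100:
        raise ValueError(f"percentage out of range: {percent}")
    return next(label for label, upper in ranges if percent <= upper)


def range_counts(percents, ranges=RANGES):
    """Number of resources in each range, as the dashboard graphs it."""
    counts = {label: 0 for label, _ in ranges}
    for p in percents:
        counts[bucket(p, ranges)] += 1
    return counts


if __name__ == "__main__":
    print("cpu %:", cpu_percent(PROC_STAT_T0, PROC_STAT_T1))
    print("memory %:", memory_percent(512, 1024))
    print("net rx/tx bytes:", network_bytes(PROC_NET_DEV_T0, PROC_NET_DEV_T1))
    print("ranges:", range_counts([12.0, 40.0, 70.0, 90.0, 31.0]))
```

Run the file directly to print each metric. Note that /proc/stat and /proc/net/dev expose cumulative counters, so a 15-minute utilization figure always needs the difference between two readings; a single reading gives a total since boot, not a rate.<br />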
To view additional details at the cloud, tenant, or project level <strong>and</strong> to sort by resource type,<br />
click Tenant/Project Utilization.<br />
For more information, see the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> Interface Help.<br />
10.12. Configuring Resource Utilization Ranges<br />
When a user initially signs in to the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal, he or she sees the<br />
Resource Utilization Overview dashboard. This dashboard provides a graphical overview of<br />
CPU utilization, Memory utilization, Storage utilization, <strong>and</strong> Network utilization for virtual<br />
machines, physical servers, <strong>and</strong> virtual desktops in a single pane.<br />
For CPU <strong>and</strong> Memory utilization, each resource in the cloud environment is grouped in one<br />
of four categories: low, medium, high, <strong>and</strong> critical. Each category is a range of percentages<br />
of the total available capacity. For Storage <strong>and</strong> Network utilization, the values displayed are<br />
for all virtual machines <strong>and</strong> all physical servers in the cloud environment (rather than on a<br />
resource-by-resource basis).<br />
CPU <strong>and</strong> memory ranges are common to all tenants in the cloud. Values for the CPU <strong>and</strong><br />
memory ranges are set by default. If required, you can modify these values by changing<br />
the following parameters in the configuration file, ECMConfig.properties, <strong>and</strong> then<br />
restarting the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal.<br />
Valid ranges for CPU <strong>and</strong> Memory Thresholds are between 0 <strong>and</strong> 100 in the following<br />
format:<br />
-<br />
Do the following to view <strong>and</strong> change these ranges:<br />
1. Navigate to the following directory on the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal management<br />
VM:<br />
\\webapps\unisys-ecm-portlet\WEB-INF\config<br />
For example, navigate to C:\Unisys\liferay-portal-6.06\tomcat-6.0.29\webapps\unisys-ecm-portlet\WEB-INF\config<br />
2. Open the following file using a text editor, such as Notepad:<br />
ECMConfig.properties<br />
3. For each of the following ranges, modify the specified parameters as desired:<br />
• CPU Threshold (cpuThreshold) - low, medium, high, <strong>and</strong> critical ranges<br />
• Memory Threshold (memoryThreshold) - low, medium, high, <strong>and</strong> critical ranges<br />
4. Restart the Unisys <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal service.<br />
10.13. Managing the Lifecycle Database<br />
The <strong>Cloud</strong> Orchestrator Lifecycle database uses table structures to store the following<br />
entities:<br />
• Requests<br />
• Approval requests<br />
• Various log entries<br />
If the number of entries in these tables is high, the database becomes large <strong>and</strong><br />
performance can be affected. On the other h<strong>and</strong>, removing too many entries from the<br />
database can hinder debugging <strong>and</strong> tracing efforts.<br />
The Lifecycle database contains stored procedures for removing the older unneeded<br />
database table entries to manage the size of the database <strong>and</strong>, thereby, improve<br />
performance. The stored procedures use parameters that specify how old table entries<br />
need to be before they are deleted. The default settings are as follows:<br />
• Requests are deleted when they are older than one day.<br />
• Log entries are deleted when they are older than one week.<br />
A Windows scheduled task calls the stored procedures once an hour. To determine which<br />
procedures to call, the task reads a data file at the following location on the database<br />
server in the Cloud Management Environment:<br />
c:\ProgramData\Unisys\ConfigSQL\LifecycleCleanup.sql<br />
Because the task executes the contents of this file against the database, restrict write<br />
access to the file to the administrators who maintain it.<br />
Initially, the data file contains the following lines:<br />
exec uorch_lifecycle.dbo.Request_Delete<br />
exec uorch_lifecycle.dbo.ActionLog_Delete<br />
You can append the following parameters, separated by a comma and a space, to<br />
determine which entries to delete:<br />
• Number of units (integer)<br />
• Unit type (one of 'minutes', 'hours', 'days', 'weeks', or 'months', including the straight<br />
ASCII single quotation marks)<br />
For example, to delete requests that are older than two weeks instead of the default one<br />
day, change the first line in the LifecycleCleanup.sql file to<br />
exec uorch_lifecycle.dbo.Request_Delete 2, 'weeks'<br />
The stored procedures calculate the age of any single entry based on the newest entry in<br />
the table. Therefore, if the newest entry in the requests table is 10:00 AM on June 16,<br />
then the preceding example causes the stored procedures to delete all requests that<br />
completed before 10:00 AM on June 2 the next time the Windows scheduled task runs.<br />
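The retention rule is easy to misread, because age is measured from the newest row rather than from the clock. The following Python is an added example, not Unisys code: it parses LifecycleCleanup.sql lines, applies the defaults quoted above when a line carries no parameters, and selects the rows that would be deleted. The procedure names and default retention values are those in the text; the request rows are constructed to match the June example, and the calendar-month arithmetic is an assumption about how the stored procedures treat 'months', which the text does not define.<br />

```python
# Added example, not Unisys code: a parser for the exec lines in
# LifecycleCleanup.sql and a model of the retention rule described in the
# guide, where an entry's age is measured from the newest entry in its table.
import calendar
import re
from datetime import datetime, timedelta

UNITS = ("minutes", "hours", "days", "weeks", "months")
# Default retention when a line carries no parameters, per the text.
DEFAULTS = {"Request_Delete": (1, "days"), "ActionLog_Delete": (1, "weeks")}

# Matches: exec uorch_lifecycle.dbo.<Procedure> [<n>, '<unit>']
# Only straight ASCII quotes are accepted, as T-SQL requires; typographic
# quotes pasted from a word processor do not match and are rejected.
LINE_RE = re.compile(
    r"^\s*exec\s+uorch_lifecycle\.dbo\.(\w+)"
    r"(?:\s+(\d+)\s*,\s*'([a-z]+)')?\s*$",
    re.IGNORECASE,
)


def parse_cleanup_line(line):
    """Return (procedure, (count, unit)) for one line of LifecycleCleanup.sql."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised cleanup line: {line!r}")
    proc, count, unit = m.groups()
    if count is None:
        if proc not in DEFAULTS:
            raise ValueError(f"no default retention known for {proc}")
        return proc, DEFAULTS[proc]
    unit = unit.lower()
    if unit not in UNITS:
        raise ValueError(f"unit must be one of {UNITS}, got {unit!r}")
    return proc, (int(count), unit)


def is_valid_cleanup_line(line):
    """True if the line parses; used to lint the file before the task runs."""
    try:
        parse_cleanup_line(line)
        return True
    except ValueError:
        return False


def _subtract_months(when, months):
    """Calendar-month subtraction with the day clamped to the target month
    (an assumption about the stored procedures' behaviour for 'months')."""
    index = when.year * 12 + (when.month - 1) - months
    year, month = divmod(index, 12)
    month += 1
    day = min(when.day, calendar.monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)


def cutoff(newest, count, unit):
    """Point in time before which entries are deleted, measured from newest."""
    if unit == "months":
        return _subtract_months(newest, count)
    return newest - timedelta(**{unit: count})


def select_for_deletion(rows, count, unit):
    """rows: iterable of (request_id, completed_at). Returns the ids that
    completed before the cutoff derived from the newest row."""
    rows = list(rows)
    if not rows:
        return []
    newest = max(completed for _, completed in rows)
    limit = cutoff(newest, count, unit)
    return [rid for rid, completed in rows if completed < limit]


# Constructed request rows. The newest completed at 10:00 on June 16, so with
# "2, 'weeks'" everything that completed before 10:00 on June 2 is removed.
REQUESTS = [
    (101, datetime(2012, 6, 1, 9, 0)),
    (102, datetime(2012, 6, 2, 9, 59)),
    (103, datetime(2012, 6, 2, 10, 0)),
    (104, datetime(2012, 6, 16, 10, 0)),
]

if __name__ == "__main__":
    proc, (n, unit) = parse_cleanup_line(
        "exec uorch_lifecycle.dbo.Request_Delete 2, 'weeks'")
    print(proc, n, unit, "->", select_for_deletion(REQUESTS, n, unit))
```

Because the age is relative to the newest row, a table that stops receiving entries is never trimmed further, and a single late entry moves the cutoff for everything else. Running is_valid_cleanup_line over each line of the file before the scheduled task picks it up catches the typographic-quote mistake that the retyped example above is prone to.<br />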
10.14. Creating uChargeback Criteria<br />
Specifications<br />
uChargeback enables you to analyze usage data for the virtual machines in the <strong>Cloud</strong><br />
environment <strong>and</strong> export that usage data for billing, if required. The first step is to create a<br />
criteria specification to identify the resource usage data that uChargeback generates. A<br />
criteria specification is a set of parameters that uChargeback Exporter <strong>and</strong> Calculator use<br />
to extract usage data from the uChargeback database.<br />
Caution<br />
Criteria specifications are based upon the usage data that is collected.<br />
Therefore, do not create a criteria specification until usage data has been<br />
collected by the uChargeback management server from a managed server.<br />
1. To add a criteria specification, in the uChargeback Administrator, right-click the Criteria<br />
Specification node in the Object Browser and select Add New Criteria.<br />
The following is an example Criteria Specification named Billing. Create a criteria<br />
specification that is appropriate for the environment.<br />
Table 10–1. Example Criteria Specification, Page 1 Data (Option Name: Option Value)<br />
• Name: Billing<br />
• Summary Level: Sum by Server<br />
• Department Level: Grandchild Departments<br />
• Date Range: Last Month. If this option is grayed out, do not proceed; usage data must<br />
have been collected from a managed server before a Date Range can be specified.<br />
• Interval: 1 Month<br />
• Resources Tree: Server Count Active, Server CPU Time, Server Memory Allocated<br />
• Servers Tree: By department is checked and Secure Cloud is checked<br />
• Sources Tree: To exclude Processor Idle and System Idle, the System Idle Process and<br />
Processor Idle boxes are cleared<br />
2. Click Next.<br />
Table 10–2. Example Criteria Specification, Page 2 Data (Option Name: Option Value)<br />
• Selected Tab: Usage Data<br />
• Load Data immediately: True (box is checked)<br />
For more information, see the “Add or Edit Criteria Specification” topic in the uChargeback<br />
Installation, Configuration, <strong>and</strong> <strong>Operations</strong> <strong>Guide</strong>. This document is available from the<br />
uChargeback Administrator.<br />
10.15. Importing Existing Virtual Machines<br />
If your environment or your tenants’ environments include existing virtual machines, you<br />
can import them to the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> so that they can be managed using the<br />
<strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal. The Unisys <strong>Cloud</strong> Import Utility imports virtual machines into<br />
the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> environment, as described in this subsection.<br />
10.15.1. Prerequisites for Importing Virtual Machines<br />
Before you run the Import Utility, verify the following:<br />
• The <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal has tenants, projects, blueprints, <strong>and</strong> users<br />
configured.<br />
• The <strong>Cloud</strong> Orchestrator management VM <strong>and</strong> <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> management VM<br />
are in a running state.<br />
• The virtual machines to be imported exist in vCenter.<br />
• The virtual machines to be imported use a valid DNS zone, as defined by the provider<br />
or tenant account against which they will be imported.<br />
• A valid DNS entry, containing the management-side DNS address, exists for the virtual<br />
machines to be imported in the DNS zone for commissioned virtual machines or any<br />
other zone reachable using the DNS servers in Table 1–3.<br />
• A valid DNS entry exists for the machines to be imported in the tenant DNS server.<br />
• The virtual machines to be imported are running and respond to ping requests using<br />
the virtual machine's fully qualified name as defined in the cloud provider DNS server.<br />
• The virtual machines to be imported do not contain snapshots that include the percent<br />
sign (%) in the snapshot name.<br />
• If any agents are required by software running in the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong><br />
environment, the virtual machines to be imported contain those required agents. For<br />
example, if Nagios is included in your environment, install the required Nagios agents<br />
before importing the virtual machines.<br />
10.15.2. Utility Components <strong>and</strong> Layout<br />
The Import Utility has the following components, as shown in Figure 10–1:<br />
• Virtual Machines list<br />
The left pane contains the Virtual Machines list, which displays the c<strong>and</strong>idate virtual<br />
machines that can be imported. C<strong>and</strong>idate virtual machines are virtual machines that<br />
exist in the vCenter inventory but are not managed by the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong>.<br />
• Import table<br />
The upper-right pane contains the Import table. The Import table defines the required<br />
<strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> information for each virtual machine, including the virtual<br />
machine name, hostname, Nagios profile (if applicable for your environment), tenant,<br />
project, associated user, <strong>and</strong> the lease period.<br />
• Request table<br />
The middle-right pane contains the Request table, which displays information about<br />
recent import requests, including the following:<br />
- Request ID<br />
A unique identifier representing an individual import request.<br />
- VM Name<br />
The virtual machine name associated with an individual import request.<br />
- Status<br />
The status of an individual import request. This field displays summary information<br />
about the success or failure of a given request.<br />
- Time Started<br />
The start time of a given import request.<br />
- Time Completed<br />
The completion time of a given import request.<br />
• Request details<br />
The lower-right pane displays detailed information about the individual import request<br />
for the virtual machine that is currently selected in the Request table.<br />
Figure 10–1. Unisys <strong>Cloud</strong> Import Utility<br />
10.15.3. Using the Import Utility<br />
Launching the Import Utility<br />
To launch the Import Utility, do the following:<br />
1. Open a console to the <strong>Cloud</strong> Orchestrator management VM.<br />
2. Open a comm<strong>and</strong> prompt, <strong>and</strong> navigate to C:\Unisys\UCO\vmimport.<br />
3. Run com.unisys.cloud.vmimport.jar.<br />
The Unisys <strong>Cloud</strong> Import Utility opens.<br />
Selecting Virtual Machines to Import<br />
To select virtual machines to import, do the following:<br />
1. In the left pane of the Import Utility, select one or more virtual machines that you want<br />
to import. (The left pane of the import utility displays all c<strong>and</strong>idate virtual machines<br />
available for import.)<br />
2. Do either of the following to move the selected virtual machines to the Import table:<br />
• Click <strong>and</strong> drag the selected virtual machines from the Virtual Machines list to the<br />
Import table.<br />
• Right-click one of the selected virtual machines in the Virtual Machines list, <strong>and</strong><br />
then click Select for Import.<br />
The selected virtual machines are removed from the Virtual Machine list <strong>and</strong> added to<br />
the Import table.<br />
If you need to remove a virtual machine from the Import table <strong>and</strong> return it to the<br />
Virtual Machines list, you can select <strong>and</strong> drag the virtual machine back to the Virtual<br />
Machines list, or you can right-click a virtual machine <strong>and</strong> then click Delete.<br />
Entering Data in the Import Table<br />
After one or more virtual machines have been added to the Import table, you must provide<br />
a value for each cell in the table in order to successfully import the virtual machines.<br />
Perform one of the following procedures to enter values in the Import table:<br />
• To enter a value in any one cell, click that cell <strong>and</strong> type the required information.<br />
• To enter all required values for a single virtual machine, do the following:<br />
1. Right-click a virtual machine, <strong>and</strong> then click Edit.<br />
2. Enter the values in the Edit Single Import dialog box.<br />
3. Click OK to save your changes.<br />
• To enter shared values for a group of virtual machines, do the following:<br />
1. Select the virtual machines that share some of the same values.<br />
2. Right-click, <strong>and</strong> then click Edit.<br />
3. Enter the values in the Edit Multiple Import dialog box.<br />
Note: You cannot enter values for the Name or Hostname in the Edit Multiple<br />
Import dialog box, because those are unique entries for each virtual machine.<br />
4. Click OK to save your changes.<br />
5. Enter values in each Name <strong>and</strong> Hostname cell individually for each virtual<br />
machine, <strong>and</strong> update any other values as required.<br />
Enter the following values for each virtual machine:<br />
• Name<br />
A descriptive name for the virtual machine to be imported (for example, “webserver”<br />
or “testVM”). This value is required; if you do not provide a value, the Import Utility will<br />
not attempt to import the virtual machine.<br />
• Host Name<br />
The host name used by the virtual machine operating system. This value must exactly<br />
match the host name of the operating system, or the import operation will fail. This<br />
value is required; if you do not provide a value, the Import Utility will not attempt to<br />
import the virtual machine.<br />
• Nagios Profile<br />
This optional field is intended for use only if your environment includes Nagios <strong>and</strong> if<br />
the imported virtual machine will be monitored by Nagios. This value should contain a<br />
valid host profile.<br />
• VM Name<br />
The virtual machine name as it appears in vCenter. Do not change this value.<br />
• Tenant<br />
The Secure Private Cloud tenant with which the imported virtual machine should be<br />
associated. This value is required; if you do not provide a value, the Import Utility will<br />
not attempt to import the virtual machine.<br />
• Project<br />
The Secure Private Cloud tenant project with which the imported virtual machine<br />
should be associated. This value is required; if you do not provide a value, the Import<br />
Utility will not attempt to import the virtual machine.<br />
• User<br />
The specific user with which the imported virtual machine should be associated. This<br />
value is required; if you do not provide a value, the Import Utility will not attempt to<br />
import the virtual machine.<br />
• Lease Duration (Days)<br />
The lease period (in days) of the virtual machine to be imported. Enter the number of<br />
days until the virtual machine lease expires, or enter Permanent to indicate that a<br />
virtual machine lease should never expire. This value is required; if you do not provide<br />
a value, the Import Utility will not attempt to import the virtual machine.<br />
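A row that fails any of the rules above is silently skipped by the import, so it pays to check the Import table before starting. The following Python is an added example, not part of the Unisys Cloud Import Utility: it applies the required-column, lease, and host name rules from this subsection, the snapshot-name rule from 10.15.1, and the unique-name rule from 10.15.4 to constructed rows. The sample rows, managed names, snapshot lists and guest host names are stand-ins for what you would gather from the portal, vCenter and the guest operating systems.<br />

```python
# Added example, not part of the Unisys Cloud Import Utility: a preflight
# check over Import table rows using the rules stated in the guide. All
# sample data below is constructed.
from collections import Counter

REQUIRED = ("Name", "Host Name", "Tenant", "Project", "User",
            "Lease Duration (Days)")


def lease_is_valid(value):
    """Lease must be a positive whole number of days or the word Permanent."""
    value = value.strip()
    return value == "Permanent" or (value.isdigit() and int(value) > 0)


def preflight(rows, managed_vm_names, snapshots, guest_hostnames):
    """Return {vm_name: [problem, ...]} for rows that would fail to import.

    rows:             Import table rows as dicts keyed by column name.
    managed_vm_names: names of VMs already managed by the portal.
    snapshots:        {vm_name: [snapshot name, ...]} from vCenter.
    guest_hostnames:  {vm_name: host name reported by the guest OS}.
    """
    duplicates = Counter(row["VM Name"] for row in rows)
    problems = {}
    for row in rows:
        vm = row["VM Name"]
        errs = []
        for column in REQUIRED:
            if not row.get(column, "").strip():
                errs.append(f"missing {column}")
        lease = row.get("Lease Duration (Days)", "")
        if lease.strip() and not lease_is_valid(lease):
            errs.append("Lease Duration (Days) must be a positive integer or Permanent")
        host = row.get("Host Name", "").strip()
        expected = guest_hostnames.get(vm)
        if host and expected is not None and host != expected:
            errs.append(f"Host Name {host!r} does not match guest host name {expected!r}")
        if vm in managed_vm_names:
            errs.append(f"VM name {vm!r} is already managed by the portal")
        if duplicates[vm] > 1:
            errs.append(f"VM name {vm!r} appears more than once in the Import table")
        for snap in snapshots.get(vm, []):
            if "%" in snap:
                errs.append(f"snapshot name contains %: {snap!r}")
        if errs:
            problems[vm] = errs
    return problems


def importable(rows, managed_vm_names, snapshots, guest_hostnames):
    """VM names that pass every check, in table order."""
    bad = preflight(rows, managed_vm_names, snapshots, guest_hostnames)
    return [row["VM Name"] for row in rows if row["VM Name"] not in bad]


# Constructed sample data standing in for the portal, vCenter and the guests.
ROWS = [
    {"VM Name": "web01", "Name": "webserver", "Host Name": "web01.acme.example",
     "Nagios Profile": "", "Tenant": "Acme", "Project": "Web", "User": "alice",
     "Lease Duration (Days)": "30"},
    {"VM Name": "db01", "Name": "database", "Host Name": "db01.acme.example",
     "Nagios Profile": "linux-db", "Tenant": "Acme", "Project": "Data",
     "User": "bob", "Lease Duration (Days)": "Permanent"},
    {"VM Name": "app01", "Name": "appserver", "Host Name": "app01",
     "Nagios Profile": "", "Tenant": "Acme", "Project": "Web", "User": "",
     "Lease Duration (Days)": "0"},
    {"VM Name": "web02", "Name": "webserver2", "Host Name": "web02.acme.example",
     "Nagios Profile": "", "Tenant": "Acme", "Project": "Web", "User": "alice",
     "Lease Duration (Days)": "90"},
]
MANAGED = {"web02", "fileserver"}
SNAPSHOTS = {"web01": ["pre-patch"], "db01": ["before 100% load test"]}
GUEST_HOSTNAMES = {"web01": "web01.acme.example", "db01": "db01.acme.example",
                   "app01": "app01.acme.example", "web02": "web02.acme.example"}

if __name__ == "__main__":
    for vm, errs in preflight(ROWS, MANAGED, SNAPSHOTS, GUEST_HOSTNAMES).items():
        print(vm, "->", "; ".join(errs))
    print("importable:", importable(ROWS, MANAGED, SNAPSHOTS, GUEST_HOSTNAMES))
```

In this constructed set only web01 passes: db01 carries a snapshot whose name contains a percent sign, app01 has an empty User, a zero lease and a short host name that does not match what the guest reports, and web02 collides with a name the portal already manages. The host name and DNS prerequisites still have to be confirmed against the live guests and DNS servers; this check only catches what is visible in the table.<br />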
Starting <strong>and</strong> Monitoring the Import Operation<br />
After you enter the required information in the Import table for one or more virtual<br />
machines, do one of the following to start the import:<br />
• Select Import from the Action menu.<br />
• Right-click the Import table, <strong>and</strong> then click Import.<br />
When the import operation starts, the Request table in the middle-right pane of the Import<br />
Utility is populated with an entry for each virtual machine being imported.<br />
The Request table entries are updated as the import operation occurs. You can select an<br />
individual entry to view more detailed information about an individual import request in the<br />
Request details pane.<br />
When a request is complete, you can remove it from the Request table by right-clicking<br />
the request, <strong>and</strong> then clicking Delete.<br />
H<strong>and</strong>ling Failed Requests<br />
If a request fails, right-click the failed request in the Request table, <strong>and</strong> click Select for<br />
Import. This returns the virtual machine to the Import table, <strong>and</strong> you can review <strong>and</strong><br />
revise your input <strong>and</strong> attempt the import operation again.<br />
10.15.4. Operational Considerations<br />
Rolling Back an Import Operation<br />
Although the Import Utility provides a mechanism for starting an import operation, it does<br />
not provide any further life-cycle management operations (for example, the Detach or<br />
Decommission operation used to remove a virtual machine from <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong><br />
management). If an imported virtual machine needs to be removed from management by<br />
the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> for any reason, remove that virtual machine using the <strong>Secure</strong><br />
<strong>Private</strong> <strong>Cloud</strong> portal.<br />
Refreshing the Display<br />
The Import Utility does not automatically refresh after it is launched. In some cases, you<br />
might need to refresh the display to discover newly created virtual machines, users, or<br />
projects. You can refresh the display by selecting Refresh from the View menu. When a<br />
refresh operation is in progress, parts of the Import Utility are temporarily disabled <strong>and</strong><br />
cannot be used until the view is completely refreshed.<br />
H<strong>and</strong>ling Duplicate Virtual Machine Names<br />
The Import Utility requires virtual machine names to be unique. If two or more virtual<br />
machines use the same name, an error is displayed, <strong>and</strong> the virtual machines are excluded<br />
from the virtual machines pane. This requirement for unique names is for all virtual<br />
machines, whether they are currently managed by the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal or<br />
whether they are outside the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> environment.<br />
If you want to import a virtual machine that shares a name with a virtual machine already<br />
managed by the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal, rename that virtual machine in vCenter, verify<br />
that the rename operation was successful, <strong>and</strong> then refresh the Import Utility. Do not<br />
rename the virtual machine in the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal.<br />
If your environment contains duplicate virtual machine names, you receive an error each<br />
time you launch the Import Utility. If you do not want to import these machines but want<br />
the Import Utility to stop displaying the error, set the following property in the<br />
C:\Unisys\UCO\vmimport\conf\ImportUtil.properties file:<br />
#===========================================================#<br />
# Indicates that the import utility should display an error<br />
# message when two or more virtual machines use the same<br />
# name. If display_duplicate_vm_error = true, the utility<br />
# will display an error for each virtual machine name that<br />
# identifies two or more virtual machines.<br />
# If display_duplicate_vm_error = false, the import utility<br />
# will not display an error when duplicate virtual machines<br />
# are encountered.<br />
#===========================================================#<br />
display_duplicate_vm_error=false<br />
Note: The change to the ImportUtil.properties file is a global change, <strong>and</strong> if you update<br />
this setting, you never again receive notice that there are duplicate virtual machine names<br />
in the environment.<br />
10.15.5. Inspecting Logs <strong>and</strong> Troubleshooting<br />
Log Files<br />
If import failures occur, the log files might provide information about the causes of the<br />
failures.<br />
• The Import Utility log file is in the following folder:<br />
C:\Unisys\UCO\vmimport\logs<br />
• The Unisys <strong>Cloud</strong> Orchestrator service log file is in the following folder:<br />
C:\Unisys\uorchestrate\platform\log<br />
Troubleshooting<br />
If you receive either of the following errors, do the following to resolve them:<br />
• Error encountered when connecting to the Virtual Center Server<br />
If the Import Utility displays a message that it is unable to locate the connection<br />
information for Virtual Center, do the following:<br />
- Verify that the C:\Unisys\UCO\conf\serviceInstance.mlet file exists <strong>and</strong> contains<br />
the required information for connecting to vCenter, including the appropriate URL,<br />
user name, <strong>and</strong> password.<br />
For example:<br />
<br />
<br />
<br />
- Verify that the C:\Unisys\UCO\vmimport\conf\ImportUtil.properties file exists <strong>and</strong><br />
references the C:\Unisys\UCO\conf\serviceInstance.mlet file.<br />
• Error encountered when connecting to the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> Platform API<br />
If the Import Utility displays a message that an error was encountered when<br />
connecting to the platform API, open the following file <strong>and</strong> verify that the values are<br />
correct:<br />
C:\Unisys\UCO\vmimport\conf\ImportUtil.properties<br />
The expected values are as follows:<br />
#===========================================================================#<br />
# The endpoint of the Unisys Secure Private Cloud Platform API<br />
#===========================================================================#<br />
platform_api_endpoint=http://localhost:8447/platform/1.0<br />
#===========================================================================#<br />
# The absolute path of the Unisys uCloudTruststore file. This file<br />
# should contain all relevant Unisys Secure Private Cloud keys.<br />
#===========================================================================#<br />
javax.net.ssl.keyStore=C:/Unisys/Secured/Certificate/uCloudTruststore.jks<br />
#===========================================================================#<br />
# The password used for the keystore referenced by the javax.net.ssl.keyStore<br />
# property.<br />
#===========================================================================#<br />
javax.net.ssl.keyStorePassword=U*spc2341<br />
#===========================================================================#<br />
# The absolute path of the Unisys uCloudTruststore file. This file<br />
# should contain all relevant Unisys Secure Private Cloud keys.<br />
#===========================================================================#<br />
javax.net.ssl.trustStore=C:/Unisys/Secured/Certificate/uCloudTruststore.jks<br />
#===========================================================================#<br />
# The password used for the keystore referenced by the javax.net.ssl.trustStore<br />
# property.<br />
#===========================================================================#<br />
javax.net.ssl.trustStorePassword=U*spc2341<br />
3850 6804–007 10–33
If any of the information in this file is inaccurate or has been customized to suit your<br />
environment, you must update the values above to reflect your custom settings.<br />
10.16. Configuring Tenant-Dedicated Workload Servers Manually<br />
The following topics describe the steps to create an initial tenant-dedicated hardware<br />
environment as part of the on-boarding process for a new cloud tenant. You can repurpose<br />
workload servers from a public cloud or multitenant private cloud infrastructure pool to<br />
serve as VMware ESX or ESXi workload servers that are dedicated to one tenant in the<br />
cloud environment. The cloud management environment is shared across all instances of<br />
the tenant-dedicated servers <strong>and</strong> the public cloud or multi-tenant private cloud in that<br />
cloud instance.<br />
Note: If you want to remove a workload server from the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> (even if<br />
you later intend to add it back into the cloud environment), you must first migrate all virtual<br />
machines <strong>and</strong> templates from that workload server to another workload server still in use.<br />
If you remove a workload server while it is still hosting virtual machines <strong>and</strong> templates <strong>and</strong><br />
then re-add it, the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> will not recognize the virtual machines <strong>and</strong><br />
templates as existing components in the environment. See the VMware documentation<br />
for more information on migrating virtual machines <strong>and</strong> templates.<br />
10.16.1. Creating Workload Server Clusters with HA <strong>and</strong> DRS<br />
Do the following to create workload server clusters with high availability (HA) <strong>and</strong> VMware<br />
Distributed Resource Scheduler (DRS):<br />
1. From a vSphere Client, connect to the vCenter management VM.<br />
2. In the Hosts <strong>and</strong> Clusters Inventory view, do one of the following:<br />
For a new cluster<br />
a. Right-click the datacenter name <strong>and</strong> click New Cluster.<br />
b. Enter a name for the cluster.<br />
For an existing cluster, right-click the cluster name <strong>and</strong> click Edit Settings.<br />
3. For Cluster Features, select VMware HA <strong>and</strong> VMware DRS to enable them.<br />
4. For a new cluster, click Next, select any desirable options, click Next several times,<br />
<strong>and</strong> then click Finish.<br />
For an existing cluster, select a feature in the left pane, select any desirable options for<br />
each feature, <strong>and</strong> then click OK.<br />
5. To add a workload server to the cluster, right-click the new cluster name <strong>and</strong> click Add<br />
Host.<br />
6. Enter the host name or IP address of the workload server <strong>and</strong> the root user name <strong>and</strong><br />
password for that server, <strong>and</strong> then click Next.<br />
If a Security Alert dialog box appears asking you to verify the authenticity of the<br />
server, click Yes.<br />
7. For licensing, assign an existing license or assign a new license, <strong>and</strong> then click Next.<br />
8. When prompted about virtual machine resources, select the option to put all of this<br />
server’s virtual machines in the cluster’s root resource pool, <strong>and</strong> then click Next.<br />
9. Click Finish.<br />
Repeat this procedure for all the workload clusters <strong>and</strong> servers.<br />
10.16.2. Completing Additional HA Tasks<br />
Refer to the vSphere Availability <strong>Guide</strong> for additional information on high availability (HA)<br />
configuration.<br />
Configure your redundant consoles to use the heartbeat network <strong>and</strong> any other HA<br />
capability that is required.<br />
10.16.3. Configuring a vMotion Interface for each Workload Server in each Cluster<br />
Configure vMotion so that virtual machines do not have to be powered off when they are<br />
migrated to another workload server. For security reasons, VMware best practices<br />
recommend that the service console <strong>and</strong> vMotion use their own networks. Do the<br />
following:<br />
1. From a vSphere Client, connect to the vCenter management VM.<br />
2. In the Hosts <strong>and</strong> Clusters Inventory view, select the workload server.<br />
3. Select the Configuration tab <strong>and</strong> click Networking.<br />
4. Click Add Networking in the upper right of the window.<br />
5. Select VMkernel, <strong>and</strong> click Next.<br />
6. Select whether to use an existing virtual switch or create a new switch, <strong>and</strong> click<br />
Next.<br />
7. Configure the port group properties, as follows, <strong>and</strong> click Next.<br />
a. Enter a network label.<br />
Use network labels to identify migration-compatible connections that are common<br />
to two or more workload servers.<br />
b. If a VLAN is being used, enter the number (between 1 <strong>and</strong> 4095) in the VLAN ID<br />
box.<br />
c. Select Use this port group for vMotion.<br />
8. Select the IP settings for the virtual switch, <strong>and</strong> click Next.<br />
9. Click Finish.<br />
10.16.4. Adding Tenants<br />
To ensure tenant isolation for dedicated workload servers, do the following:<br />
• Add tenants to the cloud environment, using the instructions in Section 6, Creating<br />
<strong>and</strong> Managing Tenant Configurations.<br />
• Set up resource pools and datastores for the cloud, using the guidelines in<br />
10.16.5 Configuring Resource Groups <strong>and</strong> Datastores <strong>and</strong> the naming conventions in<br />
10.16.6 Best Practices for Datastore <strong>and</strong> Resource Pool Naming.<br />
10.16.5. Configuring Resource Groups <strong>and</strong> Datastores<br />
For the <strong>Cloud</strong> Orchestrator load balancer to run correctly, you need to create resource<br />
pools in vCenter for the workload servers (VMware ESX or ESXi virtualization servers), as<br />
follows:<br />
1. Start a vSphere Client, <strong>and</strong> connect to the vCenter server.<br />
2. Go to the Inventory Hosts <strong>and</strong> Clusters view <strong>and</strong> add new resource pools by<br />
performing one of the following procedures:<br />
• If you are using workload server HA or DRS, right-click the workload server cluster<br />
<strong>and</strong> click New Resource Pool.<br />
• Otherwise, right-click a workload server, <strong>and</strong> click New Resource Pool.<br />
3. Enter one of the resource pool names from Table 1–13. Retain the defaults for the rest<br />
of the values, or set them to match the provider’s local policy, <strong>and</strong> click OK.<br />
Note: See 10.16.6 Best Practices for Datastore <strong>and</strong> Resource Pool Naming for more<br />
information on resource pool naming.<br />
4. Repeat steps 2 <strong>and</strong> 3 for each workload server or cluster in vCenter. There must be at<br />
least one resource pool for each workload server or cluster.<br />
5. Verify that the datastore names for the workload server conform to the naming<br />
convention in Table 1–13 by selecting the workload server in the left pane, <strong>and</strong> then<br />
selecting the Summary tab for each workload server.<br />
Note: See 10.16.6 Best Practices for Datastore <strong>and</strong> Resource Pool Naming for more<br />
information on resource pool naming.<br />
10.16.6. Best Practices for Datastore and Resource Pool Naming<br />
Public <strong>Cloud</strong><br />
Use generic datastore <strong>and</strong> resource pool names to ensure that they are isolated from a<br />
private cloud. To ensure uniqueness, a naming convention in the following form is<br />
recommended:<br />
For example, specify the following:<br />
1. Using the vSphere Client, add a resource pool for each cluster specifying a generic<br />
resource pool name, such as the following:<br />
• Public-RP-1<br />
• Public-RP-2<br />
• ...<br />
2. Using the vSphere Client, specify a generic identification for each virtual machine<br />
datastore that is used by the cluster, such as the following:<br />
• Public-DS-1<br />
• Public-DS-2<br />
• ...<br />
3. Specify the following regular expressions in the virtual machine blueprint constant<br />
values:<br />
Name: ResourcePoolFilter; Type: String; Description: Resource Pool Filter; Value: Public-RP-.*<br />
Name: DatastoreFilter; Type: String; Description: Datastore Filter; Value: Public-DS-.*<br />
Private Cloud<br />
Use tenant-unique datastore <strong>and</strong> resource pool names to ensure that tenant VMs are<br />
isolated. To ensure uniqueness, a naming convention in the following form is<br />
recommended:<br />
For example, if a tenant account is named Widget, specify the following:<br />
1. Using the vSphere Client, add a resource pool for each cluster specifying a generic<br />
resource pool name, such as the following:<br />
• WDG-RP-1 or Widget-RP-1<br />
• WDG-RP-2 or Widget-RP-2<br />
• ...<br />
2. Using the vSphere Client, specify a generic identification for each virtual machine<br />
datastore that is used by the cluster, such as the following:<br />
• WDG-DS-1 or Widget-DS-1<br />
• WDG-DS-2 or Widget-DS-2<br />
• ...<br />
3. Specify the following regular expressions in the virtual machine blueprint constant<br />
values:<br />
Name: ResourcePoolFilter; Type: String; Description: Resource Pool Filter; Value: WDG-RP-.* or Widget-RP-.*<br />
Name: DatastoreFilter; Type: String; Description: Datastore Filter; Value: WDG-DS-.* or Widget-DS-.*<br />
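The following Python script is an added example, not part of the Unisys guide or the Cloud Orchestrator code: it checks a set of blueprint ResourcePoolFilter and DatastoreFilter values against a constructed vCenter inventory and reports any filter that selects nothing or selects another tenant's resource pool or datastore. The inventory, the tenant names (Widget, Acme) and the deliberately over-broad Acme filter are constructed assumptions.<br />

```python
import re

# Constructed vCenter inventory: object name -> owning tenant ("public" is
# the shared public/multi-tenant pool). In practice these names come from
# the Hosts and Clusters view in the vSphere Client.
RESOURCE_POOLS = {
    "Public-RP-1": "public",
    "Public-RP-2": "public",
    "WDG-RP-1": "Widget",
    "WDG-RP-2": "Widget",
    "ACME-RP-1": "Acme",          # constructed second tenant
}
DATASTORES = {
    "Public-DS-1": "public",
    "WDG-DS-1": "Widget",
    "ACME-DS-1": "Acme",
}

# Blueprint constant values per tenant, i.e. the Value column of the
# ResourcePoolFilter / DatastoreFilter tables in 10.16.6.
BLUEPRINT_FILTERS = {
    "public": {"ResourcePoolFilter": r"Public-RP-.*", "DatastoreFilter": r"Public-DS-.*"},
    "Widget": {"ResourcePoolFilter": r"WDG-RP-.*", "DatastoreFilter": r"WDG-DS-.*"},
    # Constructed mistake: an over-broad filter that also selects other
    # tenants' resource pools.
    "Acme": {"ResourcePoolFilter": r".*-RP-.*", "DatastoreFilter": r"ACME-DS-.*"},
}


def matches(pattern, names):
    """Names selected by a filter. fullmatch anchors the expression so that
    WDG-RP-.* cannot match a name that merely contains 'WDG-RP-'."""
    return sorted(n for n in names if re.fullmatch(pattern, n))


def check_isolation(tenant, filters, pools, datastores):
    """Problems with one tenant's filters: a filter must select at least one
    object, and every object it selects must belong to that tenant. Anything
    else lets the load balancer place the tenant's VMs on another tenant's
    dedicated hardware."""
    problems = []
    for key, inventory in (("ResourcePoolFilter", pools), ("DatastoreFilter", datastores)):
        pattern = filters[key]
        selected = matches(pattern, inventory)
        if not selected:
            problems.append(f"{key} {pattern!r} selects nothing")
        for name in selected:
            if inventory[name] != tenant:
                problems.append(f"{key} {pattern!r} selects {name} owned by {inventory[name]}")
    return problems


def audit(blueprint_filters, pools, datastores):
    """{tenant: [problems]} for every tenant; an empty list means isolated."""
    return {t: check_isolation(t, f, pools, datastores)
            for t, f in blueprint_filters.items()}


if __name__ == "__main__":
    for tenant, problems in audit(BLUEPRINT_FILTERS, RESOURCE_POOLS, DATASTORES).items():
        print(f"{tenant}: {'OK' if not problems else '; '.join(problems)}")
```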
10.16.7. Moving Workload Servers Between Clusters<br />
To move workload servers between clusters, do the following:<br />
1. From a vSphere Client, connect to the vCenter management VM.<br />
2. Repeat the following procedure for each affected template:<br />
Caution<br />
If a template resides on a workload server that is being repurposed <strong>and</strong> you do<br />
not want to move it with the server, you need to convert it temporarily to a<br />
virtual machine so that it is migrated to another workload server in the cluster.<br />
Otherwise, the template cannot be accessed while the server is in<br />
maintenance mode.<br />
a. In the Hosts <strong>and</strong> Clusters Inventory view, select the workload server that is<br />
being repurposed, <strong>and</strong> then click the Virtual Machines tab.<br />
b. Right-click a template <strong>and</strong> click Convert to Virtual Machine.<br />
c. Select the cluster in which the template currently resides, <strong>and</strong> click Next.<br />
d. Click Next <strong>and</strong> then Finish.<br />
3. In the Hosts <strong>and</strong> Clusters Inventory view, right-click the workload server <strong>and</strong><br />
click Enter Maintenance Mode.<br />
Click Yes or OK for any warning messages.<br />
If any virtual machines are on the virtualization server, ensure the Move powered<br />
off <strong>and</strong> suspended virtual machines to other hosts in the cluster option is<br />
selected.<br />
4. When the request completes, use the drag-<strong>and</strong>-drop mouse action to move the<br />
workload server to the desired cluster.<br />
5. For any templates that you converted to a virtual machine, in the Hosts <strong>and</strong><br />
Clusters Inventory view, right-click the virtual machine, point to Template, <strong>and</strong><br />
click Convert to Template.<br />
6. Right-click the workload server <strong>and</strong> click Exit Maintenance Mode to remove the<br />
maintenance mode on the server.<br />
10.17. Updating the Cloud Name in the Secure Private Cloud Portal<br />
The following procedure is optional; perform it only if you want to change the cloud name in<br />
the Secure Private Cloud portal. Skip this procedure if you do not want to change the cloud name.<br />
To update the cloud name in the Secure Private Cloud portal, run the following script from a<br />
PowerShell session on the jump box console, depending on whether the default password<br />
is being used for the PortalDB database:<br />
• The default password is being used for the PortalDB database:<br />
.\Update-<strong>Cloud</strong>NameInPortal.ps1<br />
• The default password is not being used for the PortalDB database:<br />
.\Update-CloudNameInPortal.ps1 -updatePw $true<br />
Enter the correct password for the PortalDB database when prompted.<br />
The script performs the following actions:<br />
• Stops the Unisys <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal service on the portal management VM, if<br />
it is running<br />
• Edits all ecm_*.bat files on the SQL management VM to update them with the correct<br />
password if the default password is not being used.<br />
• Edits the following file on the SQL management VM to update the <strong>Cloud</strong> Name value<br />
from Table 1–1:<br />
C:\ProgramData\Unisys\ConfigSQL\ecm_db_update.sql<br />
• Runs the following file on the SQL management VM to update the PortalDB<br />
database:<br />
C:\ProgramData\Unisys\ConfigSQL\ecm_db_update_data.bat<br />
• Runs the following file on the SQL management VM to display the values in the<br />
SPC_PlatformInstances table:<br />
C:\ProgramData\Unisys\ConfigSQL\ecm_db_select_data.bat<br />
• Starts the Unisys <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal service on the portal management VM<br />
CHECKPOINT:<br />
Review the output from the script to verify that the cloud name is updated in the Platform<br />
Name column of the SPC_PlatformInstances table.<br />
10.18. Stealth for <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> <strong>Operations</strong><br />
If Stealth for <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> is included in the cloud environment, you can perform<br />
the following procedures as needed.<br />
10.18.1. Adding COI Sets <strong>and</strong> Modifying COI Set Members<br />
Overview<br />
If your environment includes Stealth for <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong>, you might need to modify<br />
the COI configuration for a tenant Stealth-enabled VLAN. You might need to add new COI<br />
Sets for new virtual machines that will run in the existing Stealth-enabled VLAN, change<br />
COI Set access, or correct mistakes in the initial COI configuration.<br />
By performing the procedures in this topic, you are adding COI Sets to the existing VLAN<br />
or modifying the communication between existing COI Sets. The name of the COI Set<br />
assigned to commissioned virtual machines does not change, but the way that the COI<br />
Sets communicate across the VLAN does change.<br />
For example, you might have the following existing configuration:<br />
Stealth ID | COI Set Name | COI Sets to Access | External Access | [COI Set Members]<br />
Stealth VLAN [1] | HRSet | FinanceSet, EngineeringSet | - | [HR, Finance, Engineering]<br />
Stealth VLAN [1] | FinanceSet | - | - | [Finance]<br />
Stealth VLAN [1] | EngineeringSet | - | - | [Engineering]<br />
If you add a new department called Marketing, and you want to configure your existing<br />
HR and Engineering virtual machines to communicate with the marketing department, you<br />
can update this configuration by adding a new COI Set and modifying two of your existing<br />
COI Sets:<br />
Stealth ID | COI Set Name | COI Sets to Access | External Access | [COI Set Members]<br />
Stealth VLAN [1] | HRSet | FinanceSet, EngineeringSet, MarketingSet | - | [HR, Finance, Engineering, Marketing]<br />
Stealth VLAN [1] | FinanceSet | - | - | [Finance]<br />
Stealth VLAN [1] | EngineeringSet | MarketingSet | - | [Engineering, Marketing]<br />
Stealth VLAN [1] | MarketingSet | - | - | [Marketing]<br />
All of the existing virtual machines still have the same COI Set Name, but the ability to<br />
access other virtual machines in the Stealth-enabled VLAN has changed as a result of the<br />
addition of one COI Set <strong>and</strong> the modification of two other COI Sets.<br />
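The following Python model is an added example, not part of the Unisys guide or the Stealth tooling: it derives the [COI Set Members] column from the COI Sets to Access column for the two tables above and reports which pairs of COI Sets gained or lost the ability to communicate. It assumes that a COI Set named XSet carries the COI X, that membership is one hop (as in the tables, not transitive), and that two sets can communicate only when they share a COI.<br />

```python
def own_coi(set_name):
    """HRSet -> HR: the guide names each set after the department COI it carries."""
    return set_name[:-3] if set_name.endswith("Set") else set_name


def members(access):
    """Derive {COI Set Name: [COI Set Members]} from {COI Set Name: [COI Sets to Access]}.
    The set's own COI comes first, then the COIs of the sets it accesses, in
    the order listed, exactly as the guide's tables show."""
    result = {}
    for name, accessed in access.items():
        cois = [own_coi(name)]
        for other in accessed:
            if other not in access:
                raise ValueError(f"{name} accesses unknown COI Set {other}")
            if own_coi(other) not in cois:
                cois.append(own_coi(other))
        result[name] = cois
    return result


def can_communicate(member_table, a, b):
    """Assumption: VMs in two COI Sets can talk only if the sets share a COI."""
    return bool(set(member_table[a]) & set(member_table[b]))


def reachability_diff(before, after):
    """{(a, b): (could_before, can_after)} for every pair whose status changed."""
    changes = {}
    names = sorted(set(before) | set(after))
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            old = a in before and b in before and can_communicate(before, a, b)
            new = a in after and b in after and can_communicate(after, a, b)
            if old != new:
                changes[(a, b)] = (old, new)
    return changes


# The existing and updated configurations from the guide's two tables,
# expressed as their COI Sets to Access column.
EXISTING = {"HRSet": ["FinanceSet", "EngineeringSet"], "FinanceSet": [], "EngineeringSet": []}
UPDATED = {
    "HRSet": ["FinanceSet", "EngineeringSet", "MarketingSet"],
    "FinanceSet": [],
    "EngineeringSet": ["MarketingSet"],
    "MarketingSet": [],
}

if __name__ == "__main__":
    for label, table in (("existing", EXISTING), ("updated", UPDATED)):
        print(label)
        for name, cois in members(table).items():
            print(f"  {name:15} {cois}")
    # Only the pairs involving MarketingSet change; Finance and Engineering
    # still cannot reach each other, as the tables imply.
    for (a, b), (old, new) in reachability_diff(members(EXISTING), members(UPDATED)).items():
        print(f"{a} <-> {b}: {old} -> {new}")
```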
You use the open source Dia tool to perform the procedure to add or modify COI Sets.<br />
(This tool was installed for you by your Unisys service consultant during initial<br />
implementation.)<br />
After you finish updating the COI Sets using Dia, you should also update the tenant<br />
workbook with these changes so that you have a record of the current Stealth<br />
implementation. In the tenant workbook, you should update both the COI Set list <strong>and</strong><br />
update the COI Set value for any blueprints you changed. If you delete one or more COI<br />
Sets, you should also delete the commissioned virtual machines that were created using<br />
the COI Sets that you deleted, <strong>and</strong> then commission new virtual machines using the new<br />
COI Sets.<br />
Required Files for Adding or Modifying COI Sets<br />
The following files are generated on the jump box management VM during the initial<br />
onboarding process <strong>and</strong> are needed when you add or modify COI Sets:<br />
• In the directory where the initial XML files for onboarding were generated:<br />
AddModifyCOISets.xml<br />
• In the C:\Unisys\Stealth directory:<br />
shares.txt<br />
.dia<br />
Copy these three files to the following directory on the <strong>Cloud</strong> Orchestrator management<br />
VM (where all subsequent configuration is performed):<br />
C:\Unisys\UCO\Stealth<br />
Using Dia to Add <strong>and</strong> Modify COI Sets<br />
Note: You do not use Dia to update the IP address filters for the Home Site or Internet;<br />
instead, you do so using the AddModifyCOISets.xml file.<br />
Directions to update filters are included in the procedure to finalize COI Set changes in<br />
Finalizing COI Set Changes.<br />
To add or modify the COI Sets, do the following:<br />
1. If you have not already done so, copy the three required files from the jump box<br />
management VM to the C:\Unisys\UCO\Stealth on the <strong>Cloud</strong> Orchestrator<br />
management VM.<br />
2. On the <strong>Cloud</strong> Orchestrator management VM Start menu, point to Programs, point to<br />
Dia, <strong>and</strong> then click Dia.<br />
3. Click Open on the File menu.<br />
The Open Diagram dialog box appears.<br />
4. In the Open Diagram dialog box, navigate to C:\Unisys\UCO\Stealth.<br />
5. Select .dia, <strong>and</strong> then click Open.<br />
6. On the View menu, click Best Fit.<br />
The full view of the diagram exp<strong>and</strong>s on the grid.<br />
On the left side of the grid, you see one symbol for each of the components you can<br />
use to update the COI Sets, as follows:<br />
• A cube to create new COI Sets<br />
• A dotted line and arrow to enable communication between COI Sets<br />
• A cloud shape to enable communication with the tenant Home Site<br />
• A cloud shape to enable communication with the Internet<br />
In the center of the grid, you see the current COI Sets, the dotted lines that represent<br />
their communications, <strong>and</strong> cloud shapes to indicate communications with the Home<br />
Site <strong>and</strong> Internet. COI Sets that can administer the Stealth solution (that include the<br />
Stealth Admin COI) are red.<br />
7. Make sure that all components are exposed on the grid by dragging each COI Set <strong>and</strong><br />
each line slightly to expose any underlying components.<br />
8. To add a new COI Set, do the following:<br />
a. Select the COI Set cube on the left side of the grid.<br />
b. On the Edit menu, click Duplicate. (Alternatively, press Ctrl+D. The Duplicate<br />
function is a combination of copy <strong>and</strong> paste.)<br />
A new COI Set appears, and the cursor is automatically positioned for you to<br />
name the COI Set.<br />
Notes:<br />
• If you do not see the cursor in the COI Set cube, select the COI Set, <strong>and</strong> then<br />
press F2.<br />
• Do not rename existing COI Sets.<br />
c. Delete the label “COI Set” from the COI Set you just created, <strong>and</strong> enter a new<br />
name. Use the following guidelines to name the new COI Set:<br />
• Use 12 or fewer alphanumeric characters.<br />
• Use a name that is unique in the Stealth-enabled VLAN. (You can use the<br />
same name that you used for a different VLAN or for a different tenant.)<br />
d. Drag the new COI Set to the appropriate place on the grid.<br />
9. To update the communication with a new or existing COI Set, do the following:<br />
a. Select the dotted line <strong>and</strong> arrow on the left side of the grid, <strong>and</strong> then on the Edit<br />
menu, click Duplicate.<br />
b. Drag the two ends of the line into place. Note the following:<br />
• Every dotted line must have an arrow on only one end. (It might appear that a<br />
line has an arrow on two ends, but that is simply two or more stacked lines.<br />
You can drag one line aside to view the line or lines beneath it.)<br />
• For two COIs to communicate, the arrow should point from the COI Set<br />
whose COI you want to include in the other COI Set. Using the COI Sets table<br />
in the tenant workbook, you should draw the communication path in Dia from<br />
right-to-left (from the COI Sets to Access pointing to the COI Set Name).<br />
In the example described earlier in this topic, the HRSet had the FinanceSet<br />
<strong>and</strong> EngineeringSet configured as COI Sets to Access. Therefore, the arrow<br />
points from the FinanceSet to the HRSet, <strong>and</strong> another line points from the<br />
EngineeringSet to the HRSet. In this example, the arrow on the new line<br />
should point from the MarketingSet to the HRSet. (This means that the<br />
Marketing COI is included in the HRSet.)<br />
• When a line is successfully associated with a COI Set, its end displays a red<br />
square when you select the line. (When a line is unassociated, the end of<br />
the line displays a green square.)<br />
You might have to drag one line on top of another line to successfully<br />
associate the line with a COI.<br />
• Use the orange square box in the middle of the dotted line to change the<br />
shape <strong>and</strong> direction of the line.<br />
10. To add new communication with the Home Site or Internet, do the following:<br />
a. Select the Home Site cloud or Internet cloud on the left side of the grid.<br />
b. On the Edit menu, click Duplicate. (Alternatively, press Ctrl+D. The Duplicate<br />
function is a combination of copy <strong>and</strong> paste.)<br />
A new cloud appears.<br />
Note: Do not rename the Home Site or Internet.<br />
c. Drag the new cloud to an appropriate place on the grid.<br />
d. Select the dotted line <strong>and</strong> arrow on the left side of the grid, <strong>and</strong> then on the Edit<br />
menu, click Duplicate.<br />
e. Drag the end of the new line to a COI Set, <strong>and</strong> drag the arrow into the Home Site<br />
or Internet.<br />
11. To add the Stealth Admin COI to an existing COI Set (so that the virtual machines<br />
commissioned from the blueprint that includes that COI Set can administer Stealth),<br />
do the following:<br />
a. Select the COI Set.<br />
b. Right-click the COI Set, <strong>and</strong> click Properties.<br />
c. In the Fill Color list, select the red fill color.<br />
Note: If you did not select the COI Set (if you simply right-clicked the COI Set<br />
without first selecting it), you do not see this option. Close the Properties box <strong>and</strong><br />
begin again by selecting the COI Set.<br />
d. Click Apply, <strong>and</strong> then click OK.<br />
12. To delete a COI Set, select the COI Set, <strong>and</strong> then press Delete. Delete or redirect all<br />
of the lines associated with the COI Set.<br />
Note: If you delete one or more COI Sets, you should also delete the commissioned<br />
virtual machines that were created using the COI Sets that you deleted.<br />
13. When you are finished making changes to the COI Sets, click Save as on the File<br />
menu.<br />
The Save Diagram dialog box appears.<br />
14. Name the file using a different name than the original file name.<br />
For example, name it Ver2_.dia.<br />
15. Click Save.<br />
Finalizing COI Set Changes<br />
Do the following to finalize the changes you made using Dia:<br />
1. Using Notepad, open AddModifyCOISets.xml.<br />
2. Locate , <strong>and</strong> verify the user name <strong>and</strong> the password for the<br />
workload server on which the infrastructure VMs are running. If you changed the user<br />
name or password for the workload server, update these values.<br />
3. Locate , <strong>and</strong> verify the following values:<br />
• configMachinePassword – the password for the Stealth Configuration Machine<br />
infrastructure VM<br />
• VSGAdminPassword – the password for the Virtual Stealth Gateway infrastructure<br />
VM<br />
If you changed either of these passwords, update these values.<br />
4. Under , locate , <strong>and</strong><br />
change the value to the new file name:<br />
Ver2_.dia<br />
<br />
5. To modify filters, update the following values in the tag appropriately, using<br />
Cisco Access Control List wildcard mask notation.<br />
Note: You can calculate the Cisco Access Control List wildcard mask notation from<br />
the CIDR notation by using the following formula: CIDR a.b.c.d/x = Cisco Access List<br />
a.b.c.d/*(32-x).<br />
For example, if the CIDR notation is 192.16.96.0/24, then the Cisco Access Control<br />
List wildcard mask notation is 192.16.96.0/*8.<br />
Filters specify the external IP addresses that are allowed to communicate with<br />
Stealth-enabled virtual machines. Traffic to or from an IP address not included in the<br />
filter is discarded by the Virtual Stealth Gateway. For example, if the tenant’s home<br />
site uses the IP address range 172.16.240.0 to 172.16.255.255, the Cisco Access<br />
Control List wildcard mask range in the Home filter list would be 172.16.240.0/*12<br />
(<strong>and</strong> the CIDR notation would be /20).<br />
Update the following filters, as required:<br />
• CME (<strong>Cloud</strong> Management Environment)<br />
Note: You should not change the CME filter value unless you changed the IP<br />
address values of the <strong>Cloud</strong> Management Environment on the Intercom Network.<br />
• Internet<br />
Note: You can enter 0.0.0.0/0 to enable complete access to the Internet.<br />
• Home Site<br />
6. Click Save on the File menu, <strong>and</strong> then close Notepad.<br />
7. Open a comm<strong>and</strong> prompt, <strong>and</strong> navigate to the C:\Unisys\UCO\stealth directory.<br />
8. Enter the following comm<strong>and</strong> to create the appropriate XML files:<br />
java -jar AutomationClient.jar<br />
GenerateAddMofifyCOISetsXML<br />
C:\Unisys\UCO\Stealth\<br />
AddModifyCOISets.xml><br />
When the script is finished, the following files appear in the :<br />
• AddModifyCOISets.xml<br />
• ReprovisionAffectedVMs.xml<br />
9. Enter the following comm<strong>and</strong> to modify the COI Sets on the Virtual Stealth Gateway<br />
infrastructure VM:<br />
java -jar AutomationClient.jar<br />
BatchJob<br />
\AddModifyCOISets.xml<br />
shares.txt<br />
10. Enter the following comm<strong>and</strong> to update any already commissioned virtual machines<br />
that are affected by the COI Set changes:<br />
java -jar AutomationClient.jar<br />
BatchJob<br />
\ReprovisionAffectedVMs.xml<br />
shares.txt<br />
When a virtual machine is commissioned, the COI Set that is assigned to that virtual<br />
machine is kept in a file named .ser on the <strong>Cloud</strong><br />
Orchestrator management VM. This file is accessed for current virtual machines,<br />
which have their COIs reprovisioned according to the new COI Set configuration<br />
when you run this ReprovisionAffectedVMs.xml comm<strong>and</strong>.<br />
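The following Python helper is an added example, not part of the Unisys guide: it applies the CIDR-to-wildcard formula from step 5, derives the CIDR block for an address range such as the home-site range given there, and checks whether an address falls inside a filter. The dotted wildcard mask (for example 0.0.15.255) is the standard Cisco ACL form and is an assumption about what is required when a full mask rather than the /*n shorthand is needed.<br />

```python
import ipaddress


def cidr_to_wildcard(cidr):
    """'172.16.240.0/20' -> ('172.16.240.0/*12', '172.16.240.0 0.0.15.255').
    strict=True rejects a filter with host bits set (e.g. 172.16.240.1/20),
    which would describe a different range than the operator intended."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    shorthand = f"{net.network_address}/*{32 - net.prefixlen}"   # the guide's /*(32-x) form
    dotted = f"{net.network_address} {net.hostmask}"              # standard Cisco wildcard mask
    return shorthand, dotted


def range_to_cidr(first, last):
    """The single CIDR block covering exactly first..last (for example the
    home-site range 172.16.240.0 to 172.16.255.255); raises ValueError when
    the range is not one aligned block, so it cannot be expressed as one filter."""
    blocks = list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    if len(blocks) != 1:
        raise ValueError(f"{first}-{last} needs {len(blocks)} filters: "
                         + ", ".join(str(b) for b in blocks))
    return str(blocks[0])


def filter_allows(cidr_filters, address):
    """True when the address lies inside at least one filter, i.e. the Virtual
    Stealth Gateway would pass rather than discard traffic to or from it."""
    addr = ipaddress.IPv4Address(address)
    return any(addr in ipaddress.IPv4Network(f) for f in cidr_filters)


if __name__ == "__main__":
    # The two worked values from the guide plus the "complete Internet" filter.
    for cidr in ("192.16.96.0/24", "172.16.240.0/20", "0.0.0.0/0"):
        print(cidr, "->", *cidr_to_wildcard(cidr))
    home = range_to_cidr("172.16.240.0", "172.16.255.255")
    print("home site filter:", home)
    print(filter_allows([home], "172.16.250.7"), filter_allows([home], "172.16.239.255"))
```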
Updating the Workbook <strong>and</strong> Deleting Unneeded Virtual Machines<br />
After you finish updating the COI Sets, you should also update the tenant workbook with<br />
these changes so that you have a record of the current Stealth implementation. In the<br />
tenant workbook, you should update both the COI Set list <strong>and</strong> update the COI Set value for<br />
any blueprints you changed.<br />
If you delete one or more COI Sets, you should also delete the commissioned virtual<br />
machines that were created using the COI Sets that you deleted, <strong>and</strong> then commission<br />
new virtual machines using the new COI Sets.<br />
10.18.2. Viewing Stealth Licenses in the Secure Private Cloud Portal<br />
When Stealth for <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> is included in your environment, the Stealth<br />
Licenses page displays the licenses. To access this page from the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong><br />
portal, select the <strong>Administration</strong> tab, <strong>and</strong> then click Stealth Licenses.<br />
This page displays the total number of stealth licenses included in your cloud environment,<br />
the number of licenses allocated to each tenant, <strong>and</strong> the number of licenses that are still<br />
available. The Usage Information pane displays the total licenses used by each tenant<br />
<strong>and</strong> each Stealth-enabled VLAN in the tenant.<br />
Note: Each tenant can have one or more Stealth-enabled VLANs. Stealth-enabled VLANs<br />
protect the communication between virtual machines in your cloud environment through<br />
the use of the Communities of Interest (COI). This enables multiple groups of virtual<br />
machines to share the same network without fear of another group accessing their data,<br />
which results in a more secure infrastructure.<br />
When licenses are required for a particular tenant, the requests are communicated to the<br />
Stealth Licensing management VM.<br />
For information on understanding licensing, see the Secure Private Cloud Overview and<br />
Planning Guide. For more information on this page, see the Secure Private Cloud Interface<br />
Help.<br />
10.18.3. Accessing Logs and Monitoring Tunnels Using the Administration Application<br />
The Stealth Solution <strong>Administration</strong> Application is a Web-based interface that enables you<br />
to access log and diagnostic information and to monitor Stealth tunnel usage on a Stealth-enabled<br />
VLAN basis.<br />
Do the following to access <strong>and</strong> log on to the <strong>Administration</strong> Application pages for a<br />
particular tenant Virtual Stealth Gateway:<br />
1. Log on to a virtual machine that includes the Admin COI.<br />
Note: You can open a console to the Stealth Configuration Machine, which includes<br />
the Admin COI.<br />
2. Open a browser window, <strong>and</strong> enter the following URL in the address bar:<br />
http://:8080/stealth<br />
For example, enter http://192.168.222.222:8080/stealth.<br />
3. Type the Stealth Web administrator user name <strong>and</strong> password from Table 1–31.<br />
4. Click Logon.<br />
The Appliance Status page opens.<br />
See the help available with the <strong>Administration</strong> Application for more information on viewing<br />
logs <strong>and</strong> diagnostics information, clearing log information, <strong>and</strong> monitoring tunnel usage.<br />
Notes:<br />
• If you have any problems accessing or using the <strong>Administration</strong> Application Web<br />
pages, add the Virtual Stealth Gateway IP address to the Internet Explorer trusted<br />
sites. Do the following:<br />
1. Select Internet options from the Internet Explorer Tools menu.<br />
2. Select the Security tab.<br />
3. Click Trusted sites, <strong>and</strong> then click Sites.<br />
4. Add the Virtual Stealth Gateway IP address to the Trusted sites.<br />
5. Click Close to close the Trusted sites dialog box.<br />
6. Click OK to close the Internet Options dialog box.<br />
• For security purposes, Unisys advises that you do not allow the browser to remember<br />
your log-on information, such as user name <strong>and</strong> password.<br />
• User log-on information is recorded in the Windows event log on the appliance.<br />
10.18.4. Viewing <strong>and</strong> Configuring Stealth Licensing Options<br />
You can view <strong>and</strong> configure Stealth licensing options for the components that run the<br />
Stealth license service. These include the Stealth Licensing management VM (for the<br />
cloud environment as a whole) <strong>and</strong> the Stealth Relay Server infrastructure VMs <strong>and</strong><br />
Stealth Proxy Server infrastructure VMs (for each tenant).<br />
Note: The Stealth license service also runs on the Virtual Stealth Gateway infrastructure<br />
VM, but for security reasons, you cannot open a console to that VM or change its settings.<br />
These licensing options are configured during initial implementation <strong>and</strong> tenant<br />
onboarding, <strong>and</strong> changes are usually not required. However, you can make changes if<br />
required for your environment or for a particular tenant. For example, if you need to view<br />
the number of licenses in use for a particular tenant or restrict the number of Stealth<br />
licenses that can be used, you can do so using the procedures in this topic.<br />
Viewing Stealth Licensing Options in the Dynamic Licensing Web Interface<br />
This topic describes how you can make changes to the Stealth licensing options using a<br />
command line interface. You can also view (but not change) these settings using the more<br />
user-friendly Dynamic Licensing Web interface. To view these Stealth licensing settings<br />
from the Dynamic Licensing Web interface, do the following:<br />
1. Using the vSphere Client, open a console to the Stealth Proxy Server infrastructure<br />
VM or the Stealth Configuration Machine infrastructure VM.<br />
2. In a browser, enter the following URL in the address bar to connect to the Dynamic<br />
Licensing Web interface running on the Stealth Licensing management VM, Stealth<br />
Relay Server infrastructure VM, or the Stealth Proxy Server infrastructure VM:<br />
https://:/uisdynlic/param<br />
For example, from a console on the Stealth Proxy Server infrastructure VM, enter<br />
https://172.31.1.14/uisdynlic/param (if the port value is 443) or<br />
https://172.31.1.14:444/uisdynlic/param (if you changed the port value to 444).<br />
3. When prompted, enter the Stealth for <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> Dynamic Licensing Web<br />
interface credentials from Table 2–1.<br />
Updating Stealth Licensing Options using the Command Line Interface<br />
Do the following to verify the Stealth licensing options or make changes to the<br />
configuration (using a command line interface):<br />
1. Using the vSphere Client, open a console to the Stealth Licensing management VM to<br />
view the Stealth license server settings for the cloud environment.<br />
Note: If you want to view the Stealth license server settings for a particular tenant,<br />
open a console to the Stealth Relay Server infrastructure VM or the Stealth Proxy<br />
Server infrastructure VM for that tenant.<br />
2. If you are accessing the Stealth Licensing management VM, log on using the standard<br />
Windows management VM user name and password from Table 2–1.<br />
If you are accessing the Stealth Relay Server infrastructure VM or the Stealth Proxy<br />
Server infrastructure VM, log on using the tenant-specific password.<br />
3. Open a command prompt using the Run as administrator option.<br />
4. Change the directory to C:\Program Files\Unisys\Stealth Solution for LAN.<br />
5. Enter one of the following commands to see the current status:<br />
• To see the number of available licenses for the entire cloud environment <strong>and</strong> the<br />
number of licenses allocated (labeled InUse) to all of the tenant Virtual Stealth<br />
Gateway infrastructure VMs, access the Stealth Licensing management VM <strong>and</strong><br />
enter the following command:<br />
dynamiclicensing.exe /alloc<br />
• To see the status of the licensing service, access the Stealth Relay Server<br />
infrastructure VM or the Stealth Proxy Server infrastructure VM <strong>and</strong> enter the<br />
following command:<br />
dynamiclicensing.exe /status<br />
You see the total number of allocated <strong>and</strong> available licenses, which should be<br />
equal. (For example, if a Virtual Stealth Gateway requested 10 licenses to be<br />
allocated, then that is the total available to the tenant at this time.)<br />
6. Enter the following command to see the current settings:<br />
dynamiclicensing.exe /set<br />
Note: Enter dynamiclicensing.exe /? to see a list of all values you can configure<br />
or enter dynamiclicensing.exe /set ? to see an explanation of each setting.<br />
When you enter dynamiclicensing.exe /set, you see the following:<br />
• DebugFile – The file to which the license service prints debugging information.<br />
The initial value is C:\Stealth\LicService.txt. If there are any problems in your<br />
environment, you might be asked to submit this file to the Unisys service<br />
consultant.<br />
• DebugFileSize – The maximum file size of the debugging file. If this limit is<br />
reached, then the earliest information in the file is overwritten. The default file size<br />
is 102400 KB (100 MB).<br />
• JournalFile – The file to which the license allocations <strong>and</strong> changes are recorded.<br />
The default is blank; therefore, license allocations are not recorded. You can<br />
change this if required.<br />
For example, to set the JournalFile, enter<br />
dynamiclicensing.exe /set JournalFile C:\Stealth\LicJournal.txt<br />
When you set this value, you must restart the Stealth license service.<br />
Note: If you want to use a file name that includes spaces, you must enclose the<br />
file name in quotation marks.<br />
• LicenseChunk – The additional number of licenses that are requested by default<br />
by any Virtual Stealth Gateway. Do not change the LicenseChunk value, as it has<br />
no effect on the Stealth Licensing management VM, the Stealth Proxy Server<br />
infrastructure VM, or the Stealth Relay Server infrastructure VM.<br />
By default, this value is set to 0, which means that the Virtual Stealth Gateway<br />
dynamically requests additional licenses in direct proportion to the number of<br />
licenses that are already in use for that tenant. When the first request is made<br />
from a recently created Virtual Stealth Gateway, a small number of licenses (six)<br />
are requested. As additional virtual machines are commissioned, the Virtual<br />
Stealth Gateway dynamically requests additional licenses in direct proportion to<br />
the number of licenses that are already in use for that tenant; that is, it requests<br />
approximately 20% more licenses than the number of licenses currently in use.<br />
This dynamic licensing model helps to ensure that licenses are available as new<br />
virtual machines begin running <strong>and</strong> require Stealth licenses.<br />
Note: If a Virtual Stealth Gateway requests more licenses than are available, the<br />
Stealth Licensing management VM allocates the amount that is available.<br />
• LicenseLimit – The maximum number of licenses available. If, for any reason, you<br />
want to limit the number of licenses that can be used to less than are provided<br />
through the Stealth fob, you can set this parameter to a smaller value on the<br />
Stealth Licensing management VM.<br />
For example, if you purchased 400 licenses total, <strong>and</strong> you want to limit the<br />
environment to use only 100 licenses to reduce network traffic for a short time,<br />
then you can log on to the Stealth Licensing management VM console <strong>and</strong> set the<br />
LicenseLimit to 100 by entering<br />
dynamiclicensing.exe /set LicenseLimit 100<br />
This value has no impact on the Stealth Relay Server <strong>and</strong> Stealth Proxy Server,<br />
<strong>and</strong> so you should not change it on those infrastructure VMs.<br />
• LicenseTimeout – The number of seconds that a virtual machine can run without<br />
a license until communication stops. Do not change the LicenseTimeout value,<br />
as it has no effect on the Stealth Licensing management VM, the Stealth Proxy<br />
Server infrastructure VM, or the Stealth Relay Server infrastructure VM.<br />
The default value is 1800 seconds, or 30 minutes. This value enables virtual<br />
machines to continue communicating across the Stealth VLAN, even if there is<br />
an interruption in communication with the Stealth Licensing management VM.<br />
• LogLevel – The default value is set to 7 for normal logging. Information is saved<br />
to the Windows application log (which is accessible from Server Manager for the<br />
VM). You can set this value to 127 if you want to provide both application logging<br />
<strong>and</strong> debugging-level logging information. To do so, enter<br />
dynamiclicensing.exe /set LogLevel 127<br />
• MinLicenses – The minimum number of licenses to request for a tenant VLAN.<br />
You can set this value on a Stealth Relay Server or Stealth Proxy Server<br />
infrastructure VM, <strong>and</strong> the minimum number of licenses you request will be preallocated<br />
for the tenant VLAN. This setting can be used to ensure that enough<br />
licenses are available for high-priority applications running on a particular Stealth<br />
VLAN.<br />
For example, if a tenant purchases 100 licenses and wants to be sure that those<br />
licenses are immediately allocated, you can set the MinLicenses value to 100, and<br />
100 licenses are initially allocated. When the number of licenses needed<br />
exceeds the allocated amount, additional licenses are requested according to the<br />
regular formula for dynamic licensing. (Licenses are requested in direct<br />
proportion to the number of licenses that are already in use for that tenant; that<br />
is, the amount requested is approximately 20% more licenses than the number<br />
of licenses currently in use.)<br />
The default value is 0, meaning that licenses are requested in proportion to the<br />
number of licenses already in use.<br />
To change the minimum number of licenses, enter<br />
dynamiclicensing.exe /set MinLicenses <br />
• PollInterval – This determines the frequency of license requests. All the license<br />
systems that connect to each other should use the same value, <strong>and</strong> so you<br />
should not change this value.<br />
• Port – The port that the management VM or infrastructure VM listens on for<br />
incoming requests. The default port is 31420. You can change this port if<br />
necessary by entering<br />
dynamiclicensing.exe /set Port <br />
The VMs listen for communication as follows:<br />
- The Stealth Licensing management VM listens for communication from the<br />
Stealth Relay Server infrastructure VMs.<br />
- Each Stealth Relay Server infrastructure VM listens for communication from<br />
the associated Stealth Proxy Server infrastructure VM.<br />
- Each Stealth Proxy Server infrastructure VM listens for communication from<br />
the associated Virtual Stealth Gateway infrastructure VM.<br />
Note: If you change the port value, you must also update the ServerAddresses value<br />
on any management or infrastructure VM that connects to this VM, so that the<br />
address it uses includes the new port.<br />
• ServerAddresses – The IP addresses of the server to which the VM is transmitting<br />
messages about Stealth licensing (for requesting <strong>and</strong> releasing licenses). These<br />
values are automatically configured during tenant onboarding based on the values<br />
in the tenant workbook. On the Stealth Proxy Server infrastructure VM, this is the<br />
IP address of the Stealth Relay Server. On the Stealth Relay Server, this is the IP<br />
address of the Stealth Licensing management VM. On the Stealth Licensing<br />
management VM, this value is blank, because the Stealth Licensing management<br />
VM is not transmitting messages to any other components regarding license<br />
requests.<br />
• SSP – The <strong>Secure</strong> Socket Protocol is used to encrypt <strong>and</strong> transmit the license<br />
requests between VMs. This value is 1 to indicate SSP is enabled. Do not change<br />
this value.<br />
The protocol uses a handshake when a connection between machines is<br />
established to determine the encryption keys. SSP is required when<br />
communicating with a license source or when Stealth is not available; otherwise,<br />
the VMs automatically communicate using Stealth. SSP requires that you log on to<br />
the VM; therefore, your credentials must be known to the VM.<br />
• WebCertificate – The certificate name (CN) or thumbprint used for SSL for the<br />
connection to the Dynamic Licensing Web interface (as described at the beginning<br />
of this topic). The Unisys service consultant configures this certificate during the<br />
initial implementation.<br />
To see the certificate, enter<br />
netsh http show sslcert<br />
To change the certificate on the Stealth Licensing management VM, Stealth<br />
Relay Server infrastructure VM, or Stealth Proxy Server infrastructure VM, first<br />
import the new certificate into the certificate store. Then, enter the following<br />
command:<br />
netsh http add sslcert ipport=: certhash=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx appid={1ad74a6e-2af9-4c14-8277-c4a1fa7e2134}<br />
Note: The appid must appear exactly as shown.<br />
For example, enter<br />
netsh http add sslcert ipport=192.168.233.34:443 certhash=3bc4388ee6gee90e6acbhcd9acdc175d89469443 appid={1ad74a6e-2af9-4c14-8277-c4a1fa7e2134}<br />
• WebPassword – The password that the Stealth Licensing management VM uses<br />
for the Dynamic Licensing Web interface. The default value is listed in Table 2–1.<br />
To change this value, perform the procedure in Dynamic Licensing Web<br />
Interface.<br />
• WebPort – The port that the Stealth Licensing management VM uses for the<br />
Dynamic Licensing Web interface. The default value is 443, <strong>and</strong> so you access<br />
these Web pages using the URL format https://:/uisdynlic/param. For<br />
example, from a console on the Stealth Proxy Server infrastructure VM, you<br />
would enter https://172.31.1.14/uisdynlic/param (if the port value is 443) or<br />
https://172.31.1.14:444/uisdynlic/param (if you changed the port value to 444).<br />
To change the port value, enter<br />
dynamiclicensing.exe /set WebPort <br />
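To make the dynamic licensing rules above concrete, the following is an added Python model (not code from this guide or from the Unisys product) of how a Virtual Stealth Gateway sizes its requests and how the Stealth Licensing management VM answers them: a fresh gateway asks for six licenses (or MinLicenses), later requests grow the allocation to about 20% above current use, LicenseLimit caps what is handed out, and a request larger than what is available gets only what is available. Rounding the 20% growth up, and treating LicenseLimit as a cap applied against the fob count, are assumptions; the tenant names and counts are constructed.

```python
"""Model of the Stealth dynamic licensing rules described in this topic.

Added illustration, not code from the guide or from the product. Assumptions:
the 20% growth is rounded up, and LicenseLimit caps the fob count directly.
"""
from dataclasses import dataclass, field

FIRST_REQUEST = 6     # page: a new Virtual Stealth Gateway first asks for six
GROWTH_PERCENT = 20   # page: requests ~20% more than the licenses in use


@dataclass
class Tenant:
    """Licensing state for one tenant's Virtual Stealth Gateway."""
    name: str
    min_licenses: int = 0   # MinLicenses on the tenant's Relay/Proxy VM
    allocated: int = 0      # granted so far by the Licensing management VM
    in_use: int = 0         # Stealth-enabled VMs currently running


@dataclass
class LicensingVM:
    """The Stealth Licensing management VM: fob count, LicenseLimit, journal."""
    fob_licenses: int
    license_limit: int      # LicenseLimit; set below the fob count to cap use
    allocated: int = 0
    # (tenant, requested, granted) tuples, the kind of record JournalFile keeps
    journal: list = field(default_factory=list)

    @property
    def available(self) -> int:
        cap = min(self.fob_licenses, self.license_limit)
        return max(cap - self.allocated, 0)

    def allocate(self, tenant: Tenant, requested: int) -> int:
        """Grant a request; if it exceeds what is available, grant what is."""
        granted = min(requested, self.available)
        self.allocated += granted
        tenant.allocated += granted
        self.journal.append((tenant.name, requested, granted))
        return granted


def request_size(tenant: Tenant) -> int:
    """Licenses a gateway asks for with LicenseChunk at its default of 0."""
    if tenant.allocated == 0:
        # First request: MinLicenses if set, otherwise the small initial chunk.
        return max(tenant.min_licenses, FIRST_REQUEST)
    # Later requests raise the allocation to ~20% above current use
    # (ceiling division; the page says "approximately", so rounding is assumed).
    target = (tenant.in_use * (100 + GROWTH_PERCENT) + 99) // 100
    return max(target - tenant.allocated, 0)


def commission(lic: LicensingVM, tenant: Tenant, count: int) -> int:
    """Commission `count` Stealth-enabled VMs for a tenant.

    Returns how many of the tenant's VMs are running without a license, i.e.
    how many will stop communicating once LicenseTimeout (1800 s) expires.
    """
    for _ in range(count):
        tenant.in_use += 1
        if tenant.in_use > tenant.allocated:
            lic.allocate(tenant, request_size(tenant))
    return max(tenant.in_use - tenant.allocated, 0)


if __name__ == "__main__":
    # Constructed scenario: a 400-license fob with LicenseLimit lowered to 100,
    # one tenant preallocating 100 via MinLicenses and a second tenant arriving.
    lic = LicensingVM(fob_licenses=400, license_limit=100)
    first = Tenant("tenant-a", min_licenses=100)
    second = Tenant("tenant-b")
    commission(lic, first, 1)
    starved = commission(lic, second, 3)
    print(f"available after tenant-a: {lic.available}")   # 0
    print(f"tenant-b VMs without a license: {starved}")   # 3
    for entry in lic.journal:
        print("journal:", entry)
```

The capped scenario shows why lowering LicenseLimit, or setting a large MinLicenses on one tenant, can leave another tenant's new VMs unlicensed until the limit is raised again.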
10.18.5. Increasing the License Count for Stealth for Secure Private Cloud<br />
If Stealth for <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> is included in your environment, you receive a licensing<br />
fob (USB device) which determines the number of Stealth-enabled virtual machines that<br />
can be active at one time for Stealth-secured communications. By default, if your cloud<br />
environment includes Stealth for <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong>, you receive a fob with 10 licenses.<br />
If your initial order included additional Stealth licenses, your Unisys service consultant<br />
configured your management server to use the fob with the greater number of licenses<br />
you ordered. If your cloud environment is configured for HA, you receive two identical<br />
fobs.<br />
If you want to increase the number of Stealth licenses that are available in your<br />
environment, contact your Unisys service consultant, who will help you order a new fob<br />
with a greater licensing count. When you receive your new fob, simply remove the old fob<br />
from the management server, <strong>and</strong> insert the new fob in its place. You must insert the new<br />
fob into the same USB port in the management server in which the old fob was located. (If<br />
your environment includes HA, you must remove <strong>and</strong> replace the fobs in both<br />
management servers in the same USB ports.)<br />
As long as you take no more than 30 minutes to remove the old fob <strong>and</strong> insert the new<br />
fob, no additional configuration is necessary. The Stealth Licensing management VM<br />
automatically registers the new fob <strong>and</strong> the increased license count.<br />
Note: If you take longer than 30 minutes to remove <strong>and</strong> replace the fob, your Unisys<br />
service consultant must reconfigure the Stealth Licensing management VM to<br />
communicate with the USB drive containing the fob. Therefore, it is highly recommended<br />
that you have the new fob ready to insert before removing the old fob.<br />
10.18.6. Enabling Stealth for Secure Private Cloud After Initial Implementation<br />
When you placed your order for the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong>, the Stealth for <strong>Secure</strong> <strong>Private</strong><br />
Cloud feature was automatically included (if your cloud environment is located in a non-export-restricted<br />
country). This includes the Stealth Licensing management VM, software<br />
to Stealth-enable VLANs <strong>and</strong> virtual machines, <strong>and</strong> the Stealth licensing fob (with 10<br />
available licenses).<br />
If, during initial implementation, you instructed your Unisys service consultant not to<br />
configure Stealth for <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong>, then those components were not configured. If<br />
you later decide to use Stealth for <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong>—either on a trial basis with the 10<br />
available licenses or using a fob with a greater available license count—you must contact<br />
your Unisys service consultant to upgrade your environment to include this feature.<br />
10.19. Important Operational Restrictions<br />
The following operations are not supported in the cloud environment:<br />
• Do not use an XML editor to edit the cloud provider or tenant XML files created by the<br />
workbook.<br />
You must use Microsoft Excel to make all required changes <strong>and</strong> then to produce the<br />
updated XML files.<br />
• You cannot rename tenant projects. To give a tenant project a new name, you must do<br />
the following:<br />
- Delete all resources associated with the blueprint by performing the procedures in<br />
11.1 Stopping and Decommissioning Virtual Machines or 11.2 Stopping and<br />
Decommissioning Physical Machines. (Resources cannot be moved between an<br />
old project <strong>and</strong> a new project.)<br />
- Delete the project by performing the procedure in 10.9 Deleting Blueprints or<br />
Projects from the <strong>Cloud</strong> Environment.<br />
- Create a new project using the tenant worksheet.<br />
• If Stealth for <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> is included in your environment, note the following:<br />
- You cannot remove Stealth from commissioned Stealth-enabled virtual machines<br />
or existing Stealth-enabled VLANs.<br />
- You cannot add Stealth to already-commissioned virtual machines or to existing<br />
VLANs that include resources.<br />
If you want to remove Stealth from any component, delete the current component <strong>and</strong><br />
recreate it using the appropriate template. If you want to add Stealth to an already-commissioned<br />
virtual machine, delete the virtual machine and recreate it using the<br />
appropriate template.<br />
If you want to add Stealth to an existing VLAN, perform the procedure in 8.1 Enabling<br />
Stealth for an Existing Tenant VLAN to delete the resources running on the VLAN <strong>and</strong><br />
then Stealth-enable the VLAN.<br />
• Use only approved characters in tenant, project, <strong>and</strong> blueprint names. See<br />
2.8.4 Naming <strong>Guide</strong>lines for Components in the <strong>Cloud</strong> Environment.<br />
Section 11<br />
Removing Tenants and Components from the Cloud Environment<br />
This section describes how to remove tenants or tenant components from your <strong>Secure</strong><br />
<strong>Private</strong> <strong>Cloud</strong> environment, if you are hosting a multi-tenant environment. To completely<br />
remove tenants, their users, their machines, <strong>and</strong> the tenant infrastructure from the <strong>Cloud</strong><br />
environment, perform the procedures in 11.1 Stopping <strong>and</strong> Decommissioning Virtual<br />
Machines through 11.8 Removing Tenant Resources <strong>and</strong> Departments from uChargeback.<br />
If you want to remove a specific tenant component, perform the procedure in this section<br />
that is associated with that particular component. If you simply want to suspend tenant<br />
operations, you can perform only the procedures to disable users <strong>and</strong> stop virtual<br />
machines <strong>and</strong> physical servers.<br />
11.1. Stopping and Decommissioning Virtual Machines<br />
Do the following to stop the tenant virtual machines <strong>and</strong> decommission them (delete them<br />
from the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong>).<br />
Note: If you want to suspend a tenant account, you can simply stop the virtual machines<br />
without decommissioning them. After the virtual machines have been stopped, they<br />
cannot be restarted by any of the users (assuming that the tenant users have been<br />
disabled).<br />
1. From a workstation on the Public Network, sign in to the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal<br />
using the URL in Table 2–2 <strong>and</strong> your cloud administrator credentials.<br />
2. Click Commission <strong>and</strong> Manage, <strong>and</strong> then click Manage Resources.<br />
3. Select a running virtual machine in the Resources Overview table <strong>and</strong> click Stop.<br />
The status of the virtual machine transitions to Stopping <strong>and</strong> then to Stopped, but this<br />
transition could take some time.<br />
Select the next running virtual machine, <strong>and</strong> click Stop. (You do not need to wait until<br />
one machine is stopped before requesting that the next machine be stopped.)<br />
4. Select the resource in the Resources Overview table, <strong>and</strong> click Decommission to<br />
delete the virtual machine.<br />
A dialog box appears asking you to confirm that you want to decommission (delete)<br />
the specified resource.<br />
Removing Tenants <strong>and</strong> Components from the <strong>Cloud</strong> Environment<br />
5. Click OK to confirm.<br />
On the Manage Requests page, a new entry appears. When the status of the remove<br />
entry changes to Success, the resource has been decommissioned. The resource<br />
also is removed from Manage Resources.<br />
6. Click <strong>Administration</strong>.<br />
7. On the Operator Prompts page, reject any outstanding requests from the tenant.<br />
8. After all of the virtual machines in all projects have been stopped <strong>and</strong><br />
decommissioned, from a vSphere Client, connect to the vCenter management VM,<br />
using its current host name or IP address.<br />
9. Verify that all of the tenant virtual machines have been deleted.<br />
10. If any virtual machines still exist, verify that they are not still present in the <strong>Cloud</strong><br />
Orchestrator portal, <strong>and</strong> then delete them manually in vCenter.<br />
Note: After you stop <strong>and</strong> decommission virtual machines, they are moved into the<br />
Archived Servers Department in uChargeback. This enables you to create historical<br />
reports, as needed. However, if you want to fully delete the virtual machines from<br />
uChargeback, see 11.8 Removing Tenant Resources <strong>and</strong> Departments from uChargeback.<br />
11.2. Stopping and Decommissioning Physical Machines<br />
To stop tenant physical servers, perform the following procedure: 10.4.2 Starting or<br />
Stopping Physical Servers.<br />
To decommission tenant physical servers (delete them from the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong>),<br />
perform the following procedure: 10.4.3 Decommissioning Physical Servers (Releasing<br />
Physical Server Resources).<br />
Notes:<br />
• If you want to suspend a tenant account, you can simply stop the physical servers<br />
without decommissioning them. After the physical servers have been stopped, they<br />
cannot be restarted by any of the users (assuming that the tenant users have been<br />
disabled).<br />
• After you stop <strong>and</strong> decommission virtual machines, they are moved into the Archived<br />
Servers Department in uChargeback. This enables you to create historical reports, as<br />
needed. However, if you want to fully delete the virtual machines from uChargeback,<br />
see 11.8 Removing Tenant Resources <strong>and</strong> Departments from uChargeback.<br />
11.3. Removing the Tenant Virtual Components in vCenter<br />
Removing Network Appliances <strong>and</strong> Load Balancers in vCenter<br />
Do the following to remove the tenant network appliances <strong>and</strong> load balancers:<br />
1. From a vSphere Client, connect to the vCenter Server using its current host name or IP<br />
address.<br />
2. Shut down and remove any VLAN network appliances. To do so:<br />
a. In the Hosts <strong>and</strong> Clusters Inventory view, right-click a VLAN network<br />
appliance virtual machine, select Power, <strong>and</strong> then click Shut Down Guest.<br />
b. After the VLAN network appliance virtual machine is shut down, right-click it, <strong>and</strong><br />
select Delete from Disk.<br />
c. Click Yes in the confirmation dialog box.<br />
3. Shut down and remove any Load Balancer virtual machines. To do so:<br />
a. In the Hosts <strong>and</strong> Clusters Inventory view, right-click a load balancer virtual<br />
machine, select Power, <strong>and</strong> then click Shut Down Guest.<br />
b. After the load balancer virtual machine is shut down, right-click it, <strong>and</strong> select<br />
Delete from Disk.<br />
c. Click Yes in the confirmation dialog box.<br />
Removing Stealth Infrastructure VMs from vCenter<br />
If Stealth for <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> is included in your environment <strong>and</strong> enabled for the<br />
tenant, remove the tenant Stealth infrastructure VMs from each of the tenant Stealth-enabled<br />
VLANs. There are five Stealth infrastructure VMs for each Stealth-enabled VLAN,<br />
<strong>and</strong> they are named using the following format:<br />
• SConfig<br />
• SProxy<br />
• SRelay<br />
• STM<br />
• VSG<br />
Removing Networking in vCenter
Note: If Stealth for Secure Private Cloud is included in your environment and enabled for the tenant, each Stealth-enabled VLAN consists of a pair of VLANs: a clear-text VLAN and an encrypted VLAN. Be sure to remove both of these VLANs.
Do the following to remove the tenant networking:
3850 6804–007 11–3
1. From a vSphere Client, connect to the vCenter management VM using its current host name or IP address.
2. Remove the port groups for the tenant VLANs: either the distributed virtual network switch port group, or the virtual machine port groups on each workload server. To do so:
   For a distributed virtual network switch port group, do the following:
   a. In the Networking Inventory view, right-click the port group name, and then click Delete.
   b. Click Yes in the confirmation dialog box.
   For a virtual machine port group, do the following:
   a. In the Hosts and Clusters Inventory view, select a workload server.
   b. Select the Configuration tab, and then click Networking.
   c. Select Properties for a virtual switch.
   d. Select a port group, and then click Remove.
   e. Click Yes in the delete confirmation dialog box.
   f. Repeat these steps for each workload server.
Removing Datastores, Resource Pools, and Templates in vCenter
Do the following to remove datastores, resource pools, and templates:
1. From a vSphere Client, connect to the vCenter management VM using its current host name or IP address.
2. Ensure that datastores do not contain any of the tenant folders or virtual machines. To do so:
   a. In the Datastores view, right-click the datastore name, and select Browse Datastore.
   b. Delete any folders or virtual machines belonging to the tenant.
3. If certain datastores were used only by the tenant you are deleting, make those datastores unavailable to the tenant, for example by deleting or renaming them.
   To rename a datastore, do the following:
   a. In the Datastores view, right-click the datastore name, and click Rename.
   b. Type a new name for the datastore.
   To delete a datastore, do the following:
   a. In the Datastores view, right-click the datastore name, and click Delete.
   b. Click Yes in the confirmation dialog box.
4. If certain resource pools were used only by the tenant you are deleting, delete those resource pools as follows:
   a. In the Hosts and Clusters Inventory view, right-click a resource pool name, and then click Remove.
   b. Click Yes in the confirmation dialog box.
5. If certain templates were used only by the tenant you are deleting, delete those templates as follows:
   a. In the VMs and Templates view, right-click a template name, and then click Delete from Disk.
   b. Click Yes in the confirmation dialog box.
11.4. Removing Management-Side Tenant Infrastructure in vCenter
Removing a Zone in uChargeback for a Tenant with no DNS
During initial VLAN configuration, if a tenant did not have a DNS server, or if the tenant DNS server could not accept non-secure dynamic DNS updates, the uChargeback management VM was configured to act as the tenant DNS server. Do the following to remove a zone in the uChargeback management VM, if it is acting as the tenant DNS server:
1. From a vSphere Client, open a console to the uChargeback management VM.
2. Launch DNS Manager by clicking Start, pointing to Administrative Tools, and then clicking DNS.
3. If you created a unique forward lookup zone for this tenant, then in the Forward Lookup Zones node, right-click the tenant's zone and click Delete.
4. Click Yes in the confirmation dialog box.
Removing Static Routes to Tenant VLANs
Perform this procedure on the jump box management VM, the Cloud Orchestrator management VM, the uChargeback management VM, and (if Stealth for Secure Private Cloud is included in your environment and enabled for the tenant) the Stealth Licensing management VM. Do the following to remove static routes to tenant VLANs:
1. From a vSphere Client, open a console to the management VM.
2. Open a command prompt, using the Run as Administrator option, and enter the following command to delete a static route for the VLAN:
   route -p delete
3. Repeat the previous steps for the next management VM.
Removing Tenant Information from a Virtual Management Network Appliance
If your Management Network Appliance is virtual, do the following to remove the tenant-specific information.
Note: If your Management Network Appliance is physical, skip this procedure, and perform the following procedure.
1. From a vSphere Client, open a console to the Management Network Appliance virtual machine.
2. Log on.
3. Enter the following command:
   configure
4. To remove static routes to the tenant VLAN network appliance, do the following:
   a. Enter the following command, and note all routes to the tenant VLANs:
      show protocols static
   b. For each route to the tenant VLAN, enter the following command:
      delete protocols static route
5. To remove tenant firewall rules, do the following:
   a. Enter the following command, and note all the network entries that contain VLAN information for the tenant:
      show firewall group network-group TARGET_VM
   b. For each network entry that includes tenant VLAN information, enter the following command:
      delete firewall group network-group TARGET_VM network
6. Enter the following commands to commit and save the changes:
   commit
   save
   exit
Removing Tenant Information from a Physical Management Network Appliance
If your Management Network Appliance is physical, do the following to remove the tenant-specific information.
Notes:
• If your Management Network Appliance is virtual, do not perform this procedure; instead, perform the previous procedure.
• The following procedure uses commands appropriate for Cisco switches. If you have another brand of switch, you must adapt these commands for that switch.
1. To remove tenant VLAN IDs, enter the following command:
   no vlan
2. To remove tenant access lists, enter the following command:
   no access-list
3. To remove tenant access groups on the Management Access Network VLAN, enter the following commands:
   interface
   no ip access-group in
   no ip access-group out
4. To remove tenant VLAN IDs for each switchport interface to a workload server, enter the following commands:
   interface
   switchport trunk allowed vlan remove
5. To remove tenant routes, enter the following command:
   no ip route
6. To remove any existing NAT rules, use no ip nat commands.
   Note: A physical switch must support NAT to perform these commands. Refer to the documentation for your switch for more information on NAT and the specific commands that apply.
   Remove the following rules:
   a. Remove the management access network VLAN interface as the network subject to inside NAT translation.
   b. Remove NAT rules that translate the and destination addresses to the address.
7. Enter the following command to verify the configuration:
   show running-config
8. Save the configuration by entering the following command:
   copy running-config startup-config
   You see the following: Destination Filename [startup-config]?
9. Press Enter.
   You see the response [OK].
11.5. Deleting Tenant Account Entities
The following topics describe the steps required to delete a configured tenant account from the Secure Private Cloud portal. Using a browser connected to the Secure Private Cloud portal, sign in using the Liferay Administrator credentials.
To delete a tenant account, perform the procedures in this topic.
Note: When you delete a tenant, project, or blueprint using the Secure Private Cloud portal, you must also delete that component from RBADB. See the following procedures for more information.
11.5.1. Deleting Tenant Users and User Roles
Deleting Tenant Users and User Roles from the Secure Private Cloud Portal
To delete tenant users, do the following:
1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal using the URL in Table 2–2 and your Liferay administrator credentials.
2. From the Manage list (at the left of the top pane), click Control Panel.
3. In the left pane, under Portal, click Users.
   The Users page appears with a list of active users.
4. If the users you want to delete are not already deactivated, deactivate them as follows (if they are already deactivated, skip to the next step):
   a. Select the check boxes next to the users who you want to deactivate.
   b. Click Deactivate (at the top of the list of users) to deactivate the users.
5. From the Active list, select No, and then click Search.
   Note: You might have to click Advanced under the Search button to view the Active list.
   A list of the deactivated users appears.
6. Locate the users you want to delete, and select the check boxes next to the user names.
7. Click Delete (at the top of the list of users) to delete the selected users.
To delete a tenant user role, do the following:
1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal using the URL in Table 2–2 and your Liferay administrator credentials.
2. From the Manage list (at the left of the top pane), click Control Panel.
3. In the left pane, under Portal, click Roles.
   The Roles page appears with a list of roles.
4. Locate the tenant user role you want to delete, click the Actions button for that user role, and then click View Users.
5. Verify that no users are associated with the role you are deleting.
   If any users are associated with the role, create a new role and reassign the users before continuing.
6. Locate the tenant user role you want to delete, click the Actions button for that user role, and then click Delete.
11.5.2. Removing a Tenant User Group from the Secure Private Cloud Portal
To remove a tenant user group, do the following:
1. From the Manage list (at the left of the top pane), click Control Panel.
2. In the left pane, under Portal, click User Groups.
   The User Groups page appears with a list of user groups.
3. Select the check box for a tenant user group you want to delete, and then click Delete.
11.5.3. Deleting Blueprints from the Secure Private Cloud Portal
Note: To delete a blueprint, you must first decommission the resources that have been commissioned using the blueprint. You receive the following error message when you try to delete a blueprint that has resources tied to it:
   There has been a problem processing your request.
To delete a blueprint from the Secure Private Cloud portal, do the following:
1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal using the URL in Table 2–2 and your cloud administrator or cloud operator credentials.
2. Click Administration, and then click Manage Blueprints.
3. Under Manage Blueprints, select the tenant folder.
   The Blueprint pane is updated to list all blueprints associated with the tenant.
4. Under Blueprints, select the blueprint that you want to delete, and then click Delete Blueprint.
   A confirmation message appears.
5. Confirm that you want to delete the blueprint.
   The blueprint is deleted from the tenant and from all tenant projects with which it is associated.
6. Delete the blueprint from RBADB. See Removing a Blueprint from a Contract and Deleting a Blueprint.
11.5.4. Deleting a Tenant Organization
To delete a tenant organization, do the following.
Note: Before you delete a tenant organization, you must delete any associated users, user roles, and user groups.
1. From the Manage list (at the left of the top pane), click Control Panel.
2. In the left pane, under Portal, click Organizations.
   The Organizations page appears with a list of tenants.
3. Select the check box for the tenant organization that you want to delete, and then click Delete.
11.6. Removing a Tenant Contract and Tenant from RBADB
A tenant cannot be deleted if it is associated with a contract. To delete a tenant contract and then delete a tenant from RBADB, do the following:
1. From the jump box management VM, access RBADB using the URL in Table 2–2.
2. Log in with the RBADB Administrator credentials in Table 2–1.
3. Click Contracts in the left pane.
4. Select the contract for the tenant.
   You see the Contracted Resources page, which includes a table of associated blueprints.
5. Verify that there are no commissioned resources associated with the contract (that is, that the values in the Deployed column are all 0). See Verifying that Commissioned Resources Are Not Associated with Tenants, Projects, or Blueprints.
6. Click Edit in the upper right of the screen.
7. Click Delete.
8. Click OK to confirm that you want to delete the contract.
9. Click Accounts in the left pane.
10. Select the tenant you want to delete.
11. Click Delete.
12. Click OK to confirm that you want to delete the tenant.
   The tenant is deleted, and any projects associated with the tenant are also automatically deleted.
13. Delete the blueprints associated with the tenant you deleted, as described in Removing a Blueprint from a Contract and Deleting a Blueprint.
11.7. Removing Tenants from uOrchestrate
To remove a tenant from uOrchestrate, do the following:
1. Open a console to the Cloud Orchestrator management VM.
2. Launch a Web browser, and access the uOrchestrate Operations Console using the URL in Table 2–2.
3. Log in to the Operations Console using the credentials in Table 2–1.
4. If you receive a message that the Operations Console has stopped polling, click OK.
5. In the Service Organization pane on the left, click the Registration service.
6. Expand Effectors in the right pane to view the effectors.
7. Under All Effectors, click removeTenantStructure.
   This effector removes a tenant and all associated projects. Type the name of the tenant that you want to delete in the tenant box.
8. Click Execute.
9. Check the result in the result pane.
   You should see the message "Success" when the process is complete.
10. If any errors were encountered while deleting the tenant or project, resolve them, and then rerun the effector.
   For example, if you see an error message that states that a folder cannot be deleted because a resource is associated with it, delete the resource, and then rerun the effector.
11.8. Removing Tenant Resources and Departments from uChargeback
Note: The following procedure explains how to fully delete tenant resources and departments from uChargeback. However, if you want to archive projects (rather than deleting them) to ensure that you can continue to create historical reports, perform the procedure in 10.9.4 Archiving Projects in uChargeback.
To remove tenant resources and departments from uChargeback, do the following:
1. From a vSphere Client, open a console to the uChargeback management VM, and log in using the domain uChargeback administrator account from Table 1–10.
2. Access the uChargeback Administrator from the Start menu by pointing to All Programs, pointing to Unisys, pointing to uChargeback, and then clicking Administrator.
3. In the Object Browser tree in the left pane, expand the Departments tree, and then select Archived Servers.
   All of the tenant servers that have been decommissioned using the Cloud Orchestrator portal should be located in this department.
4. In the right pane, highlight the entire row for the server to be deleted by selecting the arrow in the far-left column.
5. Right-click the row, and select Delete Server.
6. Click Yes to confirm that you want to delete the server.
7. Repeat the previous three steps for each server you want to delete.
8. Ensure there are no other servers that belong to the tenant, by doing the following:
   a. In the Object Browser tree in the left pane, expand the Managed Servers tree and view the list of servers.
   b. If there are any servers assigned to departments that belong to the tenant, right-click the server name and select Delete Server.
9. Delete the tenant departments from uChargeback by doing the following:
   a. Expand the Departments tree and locate the tenant departments.
   b. Right-click a department name, and select Delete Department.
   c. In the delete confirmation dialog box, select Yes.
10. Close the uChargeback Administrator.
11.9. Removing a Stealth-Enabled VLAN from the Tenant Infrastructure
The procedures in this topic describe how to remove a single Stealth-enabled VLAN from a tenant infrastructure, while maintaining the tenant infrastructure as a whole. If you are removing a tenant in its entirety, perform the procedures in 11.1 Stopping and Decommissioning Virtual Machines through 11.8 Removing Tenant Resources and Departments from uChargeback.
Note: You cannot remove Stealth from commissioned Stealth-enabled virtual machines or existing Stealth-enabled VLANs, and you cannot add Stealth to already-commissioned virtual machines or existing VLANs that include resources. Note the following:
• If you want to remove Stealth from any component, delete the current component and recreate it using the appropriate template.
• If you want to add Stealth to an already-commissioned virtual machine, delete the virtual machine and recreate it using the appropriate template.
• If you want to add Stealth to an existing VLAN, perform the procedure in 8.1 Enabling Stealth for an Existing Tenant VLAN to delete the resources running on the VLAN and then Stealth-enable the VLAN.
Updating the Tenant Worksheet
Update the tenant worksheet to remove the Stealth-enabled VLAN. Also remove the VLAN from any virtual machine blueprints. Then, export the tenant worksheet to the jump box management VM, as described in 1.1.6 Exporting the Data.
Stopping and Decommissioning Virtual Machines
Decommission all virtual machines that were deployed on the Stealth-enabled VLAN, as described in 11.1 Stopping and Decommissioning Virtual Machines.
Removing the Stealth Infrastructure VMs from vCenter
1. From a vSphere Client connected to the vCenter Server, locate the Stealth Infrastructure VMs for the Stealth-enabled VLAN you are removing. The Stealth Infrastructure VMs are named using the following format:
   • SConfig
   • SProxy
   • SRelay
   • STM
   • SVSG
2. Shut down each infrastructure VM, and then delete each infrastructure VM.
Removing Stealth-Enabled VLAN Networking in vCenter
1. Configure the tenant VLAN network appliance's network settings so that the network adapter connected to the associated clear-text VLAN is set to the Interconnect network label.
2. Verify that the Connected and Connect at power on check boxes for the network adapter are cleared.
3. Remove the virtual machine port groups or the distributed virtual network switch port group associated with the Stealth-enabled VLAN.
   Each Stealth-enabled VLAN consists of a pair of VLANs: a clear-text VLAN and an encrypted VLAN. Be sure to remove the virtual machine port groups or distributed virtual network switch port groups associated with both of these VLANs from each workload server.
Removing Management-Side Tenant VLAN Infrastructure
Perform this procedure on the jump box management VM, the Cloud Orchestrator management VM, the uChargeback management VM, and the Stealth Licensing management VM. Do the following to remove static routes to tenant VLANs:
1. From a vSphere Client, open a console to the management VM.
2. Open a command prompt, using the Run as Administrator option, and enter the following command to delete the static route for the tenant VLAN that you are deleting:
   route -p delete
3. Repeat the previous steps for the next management VM.
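The static-route removal above, and the identical procedure in 11.4 Removing Static Routes to Tenant VLANs, as an added PowerShell example. It is not part of the guide and not Unisys code. It reads the persistent routes that route -p stores as value names under the Tcpip\Parameters\PersistentRoutes registry key, deletes only those that match the tenant VLAN network with the same route -p delete command the procedure uses, and then re-reads the key to confirm the route is gone, which the procedure itself does not check. The tenant network and mask given as parameters are assumed values; take the real ones from the tenant worksheet. Run it from an elevated PowerShell prompt on each management VM listed above.

```powershell
# Added example, not from the guide. Removes persistent routes to one tenant
# VLAN on the local management VM and verifies the removal.
# Usage (elevated prompt):
#   .\Remove-TenantRoute.ps1 -TenantNetwork 10.30.1.0 -TenantMask 255.255.255.0
param(
    [Parameter(Mandatory = $true)]
    [string]$TenantNetwork,                 # assumed example: tenant VLAN network address
    [string]$TenantMask = '255.255.255.0'   # assumed example: its subnet mask
)

# route -p records persistent routes as value names of the form
# "destination,mask,gateway,metric" under this key.
$persistentKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes'

function Get-PersistentRoute {
    $key = Get-Item -Path $persistentKey -ErrorAction SilentlyContinue
    if ($key -eq $null) { return }
    foreach ($name in $key.GetValueNames()) {
        $parts = $name -split ','
        if ($parts.Count -ne 4) { continue }
        New-Object PSObject -Property @{
            Destination = $parts[0]; Mask = $parts[1]; Gateway = $parts[2]; Metric = $parts[3]
        }
    }
}

function Get-TenantRoute {
    Get-PersistentRoute | Where-Object { $_.Destination -eq $TenantNetwork -and $_.Mask -eq $TenantMask }
}

$routes = @(Get-TenantRoute)
if ($routes.Count -eq 0) {
    Write-Host "No persistent route to $TenantNetwork mask $TenantMask on $env:COMPUTERNAME"
    return
}

foreach ($r in $routes) {
    Write-Host "Deleting route $($r.Destination) mask $($r.Mask) via $($r.Gateway)"
    # The command from the procedure, with destination, mask and gateway filled in.
    & route.exe -p delete $r.Destination mask $r.Mask $r.Gateway | Out-Null
}

# Verify: the entry must be gone from the persistent route list. If it is still
# there, the prompt was not elevated and the deletion failed silently.
if (@(Get-TenantRoute).Count -gt 0) {
    Write-Warning "Route to $TenantNetwork is still present on $env:COMPUTERNAME; rerun from an elevated prompt"
} else {
    Write-Host "Route to $TenantNetwork removed on $env:COMPUTERNAME; repeat on the next management VM"
}
```

The registry key is read rather than parsing route print output because its value names have a fixed comma-separated layout, and the script matches on both destination and mask so that a management route to a larger or smaller prefix that happens to share the network address is left alone.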
Removing VLAN Information from a Virtual Management Network Appliance
If your Management Network Appliance is virtual, do the following to remove the tenant-specific VLAN information.
Note: If your Management Network Appliance is physical, skip this procedure, and perform the following procedure.
1. From a vSphere Client, open a console to the Management Network Appliance virtual machine.
2. Log on.
3. Enter the following command:
   configure
4. To remove static routes to the tenant VLAN network appliance, do the following:
   a. Enter the following command, and note all routes to the tenant VLANs:
      show protocols static
   b. For each route to the tenant VLAN, enter the following command:
      delete protocols static route
5. To remove tenant firewall rules, do the following:
   a. Enter the following command, and note all the network entries that contain VLAN information for the tenant:
      show firewall group network-group TARGET_VM
   b. For each network entry that includes tenant VLAN information, enter the following command:
      delete firewall group network-group TARGET_VM network
6. Enter the following commands to commit and save the changes:
   commit
   save
   exit
Removing VLAN Information from a Physical Management Network Appliance
If your Management Network Appliance is physical, do the following to remove the tenant-specific VLAN information.
Notes:
• If your Management Network Appliance is virtual, do not perform this procedure; instead, perform the previous procedure.
• The following procedure uses commands appropriate for Cisco switches. If you have another brand of switch, you must adapt these commands for that switch.
1. To remove tenant VLAN IDs, enter the following command:
   no vlan
2. To remove tenant access lists, enter the following command:
   no access-list
3. To remove tenant access groups on the Management Access Network VLAN, enter the following commands:
   interface
   no ip access-group in
   no ip access-group out
4. To remove tenant VLAN IDs for each switchport interface to a workload server, enter the following commands:
   interface
   switchport trunk allowed vlan remove
5. To remove tenant routes, enter the following command:
   no ip route
6. To remove any existing NAT rules, use no ip nat commands.
   Note: A physical switch must support NAT to perform these commands. Refer to the documentation for your switch for more information on NAT and the specific commands that apply.
   Remove the following rules:
   a. Remove the management access network VLAN interface as the network subject to inside NAT translation.
   b. Remove NAT rules that translate the and destination addresses to the address.
7. Enter the following command to verify the configuration:
   show running-config
8. Save the configuration by entering the following command:
   copy running-config startup-config
   You see the following: Destination Filename [startup-config]?
9. Press Enter.
   You see the response [OK].
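The physical-switch steps above, and the same steps in 11.4 Removing Tenant Information from a Physical Management Network Appliance, worked through as an added Cisco IOS example with the placeholders filled in. It is not from the guide, and every identifier in it is assumed: tenant VLAN 301 on 10.30.1.0/24 reached via next hop 10.30.0.2, access list 130, Vlan100 as the Management Access Network VLAN interface, and GigabitEthernet1/0/1 and 1/0/2 as the trunks to the workload servers. One ordering differs from the steps as written: the access-group bindings are removed before the access list is deleted, because a Cisco IOS interface whose applied access list no longer exists passes all traffic, so deleting the list first (step 2 before step 3) leaves a brief permit-all window on the management VLAN. NAT removal is omitted because those commands depend on the switch. The show commands at the end are the check that nothing tenant-specific survives before the configuration is saved.

```cisco
! Added example, not from the guide; all VLAN IDs, addresses, ACL numbers and
! interface names below are assumed values for illustration.
configure terminal
!
! 1. Unbind the tenant access list from the Management Access Network VLAN
!    interface first. In IOS an interface that references a deleted ACL
!    filters nothing, so the binding must go before the list does.
interface Vlan100
 no ip access-group 130 in
 no ip access-group 130 out
 exit
!
! 2. With no interface referencing it, the list itself can be deleted.
no access-list 130
!
! 3. Prune the tenant VLAN from the trunks to the workload servers, then
!    delete the VLAN from the VLAN database.
interface range GigabitEthernet1/0/1 - 2
 switchport trunk allowed vlan remove 301
 exit
no vlan 301
!
! 4. Remove the static route to the tenant subnet via the tenant network
!    appliance so that the management side can no longer reach it.
no ip route 10.30.1.0 255.255.255.0 10.30.0.2
end
!
! Checks before saving: each command should come back empty or "not found";
! any hit means tenant residue is still in the running configuration.
show vlan id 301
show ip access-lists 130
show ip route 10.30.1.0 255.255.255.0
show interfaces trunk
show running-config | include access-list 130|10.30.1.0|allowed vlan
!
copy running-config startup-config
```

The last show command lists the remaining allowed-VLAN lines on every trunk, which is the easiest place to spot a tenant VLAN ID that was removed from one workload server port but not another.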
Removing the Tenant VLAN Definition in RBADB
1. From the jump box management VM, access RBADB using the URL in Table 2–2.
2. Log in using the RBADB administrator credentials.
3. Select Accounts in the left pane.
4. Locate the tenant whose VLAN you are removing, and click the VLANs link for that tenant.
5. Locate the Stealth-enabled VLAN that you are removing, and click the Edit VLAN link for that VLAN.
6. On the VLAN page, click Delete to delete the VLAN definition from the tenant.
Updating Blueprints Associated with the VLAN
Using the Secure Private Cloud portal, delete or edit each blueprint that references the VLAN you are removing, so that the VLAN cannot be used for virtual machines commissioned from the blueprint.
Section 12
Troubleshooting
Use the procedures in this section to troubleshoot your Secure Private Cloud environment.
12.1. Troubleshooting Errors When Using a Secure Private Cloud Workbook
Error messages similar to the following can appear when you are working with a Secure Private Cloud workbook:
   Could not load an object because it is not available on this machine.
   Object Library invalid or contains references to object definitions that could not be found.
   Compile error in hidden module.
   Microsoft Office Excel has encountered a problem and needs to close.
Error messages can appear at the following times:
• After opening a workbook
• After enabling macros while a workbook is open
• When hovering the cursor over a button in the workbook
These errors can occur when the locally cached versions of controls for Microsoft Office Excel (the *.exd files) become unusable after you receive new software security updates or other updates from Microsoft Corporation. For more information, refer to the Microsoft article titled "EXD files are created when you insert controls" at the following URL:
http://support.microsoft.com/kb/290537
An example of a security update that can cause this problem is MS12-027: Security Update for Office 2010: April 10, 2012, as described at the following URL:
http://support.microsoft.com/kb/2598039
Resolution:
1. Close the workbook without saving changes.
   Caution
   It is important not to save changes, or the controls in the workbook might be deleted automatically.
2. Close any copies of Excel or other Microsoft Office programs that are currently running.
3. Search for and delete all *.exd files on your hard disk, as follows:
   Note: The following steps are for Windows 7 environments. If you have a different Windows environment, modify the steps as needed.
   a. Open File Explorer, and click Folder and Search Options on the Organize menu.
      The Folder Options dialog box opens.
   b. Select the Search tab, and then select the Include system directories check box under the When searching non-indexed locations heading.
   c. Select the View tab and do the following in the Advanced settings list:
      • Select the Show Hidden Files, Folders, and Drives option under the Hidden Files and Folders heading.
      • Clear the Hide Extensions for Known File Types check box.
   d. Click OK.
   e. In the left pane, expand Computer and double-click the name of your hard drive.
      The hard drive name and identifier (such as C:) appears in the address field at the top of the window.
   f. Click the search box at the upper right of the window, enter the following, and press Enter:
      *.exd
      The search begins, and a progress bar monitors the search process. A list appears containing files that meet the search criteria.
   g. Delete all the *.exd files in the search list.
Note: For the specific paths to *.exd files, refer to the knowledge base article at the following URL:
http://support.unisys.com/common/ShowWebPage.aspx?id=5896&pla=SPC&nav=SPC
12.2. Troubleshooting Signing In to the Secure Private Cloud Portal
The first time you sign in to the Secure Private Cloud portal, you might see an error message about a security certificate in your browser window. The specific message and your response depend on your browser, as follows:
• Internet Explorer version 8 displays an error message in red on the right of the address line that states there is no certificate. Click Certificate Error to view and install the certificate.
• Mozilla Firefox versions 3.6 and higher display a message about the lack of a security certificate and provide a link to add an exception. Click the link and identify the certificate.
If you continue to see an error message on the address line, ignore it as long as you can sign in to the portal. After you resolve the certificate error, the Sign In dialog box appears.
12.3. Handling Suspended, Failed, and Aborted Jobs
Understanding Failed Requests
If a user requests an action for a virtual machine or a physical server, and that task fails, you receive a message (by e-mail, by Remedy ITSM ticket, or by both) that there has been a failed job. The user sees the status of the failed job in the Secure Private Cloud portal. To see details, you can sign in to the Secure Private Cloud portal using the credentials of the user who made the original request.
There is no requirement to delete failed or aborted jobs; however, you should review the status of the job using the Secure Private Cloud portal to try to determine why the failure occurred. After the problem has been resolved, you might need to direct the user to perform the same action again.
Handling Suspended Build Requests for Virtual Machines
If a user submits a request for a new virtual machine, and there is not enough space available in the datastore, the build request is suspended, and you receive a message (by e-mail, by Remedy ITSM ticket, or by both) notifying you of the problem. Do the following:
1. Define a new datastore or increase the size of the existing datastore using VMware vCenter.
Detailed instructions on how to complete these procedures are provided in the VMware documentation.
2. From a workstation on the Public Network, sign in to the Secure Private Cloud portal using the URL in Table 2–2 and your cloud administrator or cloud operator credentials.
3. Locate the pending authorization, and accept the request.
If you defined a new datastore or increased the existing datastore, the request should be processed. If you did not define a new datastore, or if the datastore you defined was not sufficient, you are notified by e-mail, by Remedy ITSM ticket, or by both.
If you cannot define a new datastore or adjust the existing datastore, you can decline the user request, and the new virtual machine is not created.
12.4. Troubleshooting Machine Names
During the initial planning of your Secure Private Cloud environment, you were prompted to determine how virtual machine and physical server host names should be configured. The two configuration options are as follows:
• Use the host name provided by the user in the machine request.
• Use an automatically generated host name (up to 11 characters, customized for your environment, followed by a four-digit, leading-zero-filled number).
Enabling users to provide their own virtual machine and physical server host names improves usability and gives users the flexibility to choose host names as they wish. However, this method also increases the likelihood that users experience errors when requesting new machines, because the host names must meet all of the following requirements:
• Must contain between one and 15 characters.
• Must include only letters, numbers, and hyphens (-); however, cannot begin or end with a hyphen.
• Must not consist entirely of numbers.
• Must not already exist in the workload environment.
• Must not already exist in DNS at the time that the system is commissioned.
The Unisys service consultant configures this global setting. You can override this setting on a blueprint-specific basis using the Machine Name attribute when you configure blueprints. Refer to Table 6–5 for more information.
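The host name rules above, as an added example that is not part of this guide: a Python check that reports every rule a requested host name violates, plus a builder for the automatically generated form. The existing-name set, the DNS stand-in and the sample names are constructed assumptions; a real deployment would query the workload environment and DNS.

```python
import re
from typing import Callable, Iterable, List, Optional

# Characters the guide allows in a user-supplied host name: letters, digits and hyphens.
_ALLOWED_CHARS = re.compile(r"[A-Za-z0-9-]*")
_ALL_DIGITS = re.compile(r"[0-9]+")


def validate_hostname(name: str,
                      existing_names: Iterable[str] = (),
                      dns_exists: Optional[Callable[[str], bool]] = None) -> List[str]:
    """Return the list of rule violations for a requested host name.

    An empty list means the name is acceptable. existing_names stands in for the
    host names already present in the workload environment, and dns_exists for a
    lookup against DNS; both are assumptions supplied by the caller so that the
    check can run offline. Comparisons are case-insensitive, as host names are.
    """
    problems: List[str] = []
    if not 1 <= len(name) <= 15:
        problems.append("must contain between 1 and 15 characters")
    if not _ALLOWED_CHARS.fullmatch(name):
        problems.append("must include only letters, numbers, and hyphens")
    if name.startswith("-") or name.endswith("-"):
        problems.append("cannot begin or end with a hyphen")
    if _ALL_DIGITS.fullmatch(name):
        problems.append("must not consist entirely of numbers")
    lowered = name.lower()
    if lowered in {n.lower() for n in existing_names}:
        problems.append("already exists in the workload environment")
    if dns_exists is not None and dns_exists(lowered):
        problems.append("already exists in DNS")
    return problems


def generate_hostname(prefix: str, sequence: int) -> str:
    """Build a host name in the automatically generated form: a site-specific
    prefix of up to 11 characters followed by a four-digit, zero-filled number."""
    if not 1 <= len(prefix) <= 11 or not _ALLOWED_CHARS.fullmatch(prefix):
        raise ValueError("prefix must be 1-11 letters, numbers, or hyphens")
    if not 0 <= sequence <= 9999:
        raise ValueError("sequence number must fit in four digits")
    return f"{prefix}{sequence:04d}"


# Constructed sample data (not from the guide): names already in the workload
# environment and a stand-in DNS zone. A real check would query the DNS server.
EXISTING_NAMES = {"web01", "db-02", "tenant-a-0003"}
DNS_ZONE = {"fileserver", "printsrv", "web01"}


def dns_lookup(name: str) -> bool:
    """Stand-in for a DNS existence check against the constructed zone above."""
    return name.lower() in DNS_ZONE


if __name__ == "__main__":
    candidates = ["web-03", "WEB01", "-web03", "12345", "fileserver", "a" * 16, "db_02"]
    for candidate in candidates:
        result = validate_hostname(candidate, EXISTING_NAMES, dns_lookup)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
    print(generate_hostname("tenant-a-", 4))  # tenant-a-0004
```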
12.5. Troubleshooting Physical Server Resources
When a user requests that you commission a physical server for his or her use, he or she has no way to know whether physical server resources of the type requested are available. You can verify whether physical servers are available using uAdapt.
If all of your physical servers are currently in use, you can do the following:
• Decommission one of the physical servers currently in use and reallocate the server resources to a new user. See 10.4.3 Decommissioning Physical Servers (Releasing Physical Server Resources) for more information.
• Request that your Unisys service consultant expand your Secure Private Cloud configuration to add server resources.
12.6. Configuring the Virtual Management Network Appliance with a VMware License Restriction
If you are not able to configure the virtual Management Network Appliance as described in 5.4.1 Configuring the Virtual Management Network Appliance for a New VLAN or 8.5.5 Configuring the Management Network Appliance to Use a New Intercom Network IP Address because of a VMware license restriction, this topic provides an alternative configuration method.
The procedures in this topic use an active network connection between the jump box management VM and the Management Network Appliance; therefore, you might need to temporarily change the jump box management VM network configuration.
12.6.1. Configuring the Virtual Management Network Appliance for a New VLAN (with a VMware License Restriction)
This procedure performs the same function as 5.4.1 Configuring the Virtual Management Network Appliance for a New VLAN. If you are unable to complete the procedure in 5.4.1 Configuring the Virtual Management Network Appliance for a New VLAN due to a VMware license restriction, perform the following steps:
1. Access the console for the jump box management VM.
2. Launch the PowerShell (x86) window by clicking Start, pointing to All Programs, pointing to Accessories, pointing to Windows PowerShell, and clicking Windows PowerShell (x86).
3. Enter the following command to determine if the current IP address on the jump box management VM is compatible with the current IP address of the Management Network Appliance on the Intercom Network:
ping
4. If you do not receive a response from the ping, temporarily assign the jump box management VM an IP address for the Intercom Network connection that is compatible with the current IP address of the Management Network Appliance.
5. Enter the following command:
.\Config-TenantOnMNA.ps1 -usePutty $true -tenantXML ""
Where is the XML file name for the tenant workbook. Be sure to include the .xml extension in the name.
If necessary, include the following parameters in the command:
• If the root user on the Management Server is using an updated password, include
-hostUserPw
• If the vyatta user on the Management Network Appliance is using an updated password, include
-vmUserPw
For example, enter the following for a tenant named Example with updated credentials for the vyatta user on the Management Network Appliance:
.\Config-TenantOnMNA.ps1 -usePutty $true -tenantXML "Tenant-Example.xml" -vmUserPw myNewPw
6. If you changed the jump box management VM IP address, reset it to the previous IP address in Table 1–5.
7. Return to 5.4.1 Configuring the Virtual Management Network Appliance for a New VLAN, and perform the CHECKPOINT.
12.6.2. Configuring the Virtual Management Network Appliance to Use a New Intercom Network IP Address (with a VMware License Restriction)
This procedure performs the same function as 8.5.5 Configuring the Management Network Appliance to Use a New Intercom Network IP Address. If you are unable to complete the procedure in 8.5.5 Configuring the Management Network Appliance to Use a New Intercom Network IP Address due to a VMware license restriction, perform the following steps:
1. Access the console for the jump box management VM.
2. Launch the PowerShell (x86) window by clicking Start, pointing to All Programs, pointing to Accessories, pointing to Windows PowerShell, and clicking Windows PowerShell (x86).
3. Enter the following command to determine if the current IP address on the jump box management VM is compatible with the default IP address of the Management Network Appliance on the Intercom Network:
ping 172.31.1.200
4. If you do not receive a response from the ping, temporarily assign the jump box management VM an IP address for the Intercom Network connection that is compatible with the default IP address of the Management Network Appliance.
Note: The default IP address of the Management Network Appliance is 172.31.1.200.
5. Enter the following command:
.\Config-MNAicom.ps1 -usePutty $true
If the vyatta user on the Management Network Appliance is using an updated password, include the following parameter:
-vmUserPw
For example, enter
.\Config-MNAicom.ps1 -usePutty $true -vmUserPw myNewPw
6. Open a console to the Management Network Appliance and sign in using the vyatta user credentials from Table 2–1.
7. Enter the following command:
Config-MNAicom.sh
8. If you changed the jump box management VM IP address, reset it to the previous IP address in Table 1–5.
9. Return to 8.5.5 Configuring the Management Network Appliance to Use a New Intercom Network IP Address, and perform the CHECKPOINT.
12.7. Troubleshooting Onboarding Tenants and Users
Perform the procedures in this topic if you have any problems onboarding tenants and users.
12.7.1. Troubleshooting Sign In Problems Due to an Unknown E-mail Suffix
When a new user signs in to the Secure Private Cloud portal for the first time, the credentials are validated using Active Directory, and then the user is assigned to the default user role for the organization (based on the e-mail address suffix used to sign in). For example, if the e-mail suffix for the cloud provider is cloudprovider.com as configured in Table 1–8, a new user who signs in as john.doe@cloudprovider.com is automatically assigned to the default cloud provider user role.
New tenant users who sign in to the portal for the first time are assigned to the default role for their tenant organization in the same way, based on the tenant e-mail suffix in Table 1–24.
If a user signs in and his or her e-mail suffix is not recognized, do the following to assign that user to the appropriate organization:
1. Sign in to the Secure Cloud Portal using the URL from Table 2–2 and the Liferay administrator credentials from Table 2–1.
2. Click OK when you receive one or more errors that there has been an error processing your request or that you do not have permission to view requests.
3. At the top of the window, directly below the browser address bar, select Manage, and then click Control Panel.
4. In the left pane, under Portal, click Users.
The Users page appears.
5. Using the First Name, Last Name, or Email Address boxes, search for the user who does not have an organization assigned.
Note: You might have to click Advanced to see all available search fields.
6. When you locate the user, click the user name.
The Details page appears containing the details of the user.
7. In the right pane, click Organizations.
8. Click Select to assign the user to an organization.
The Organizations window appears.
9. Select one of the listed organizations.
Note: You can search for an organization, if required.
10. At the bottom of the right pane, click Save.
12.7.2. Verifying and Updating the E-mail Suffixes for an Organization
Use this procedure to verify, and if necessary update, the e-mail suffixes for an organization. (Users are automatically assigned to the appropriate organization based on their e-mail address suffix.) Do the following:
1. Sign in to the Secure Cloud Portal using the URL from Table 2–2 and the Liferay administrator credentials from Table 2–1.
2. Click OK when you receive one or more errors that there has been an error processing your request or that you do not have permission to view requests.
3. At the top of the window, directly below the browser address bar, select Manage, and then click Control Panel.
4. In the left pane, under Portal, click Organizations.
The Organizations page appears.
5. Click Cloud to update the e-mail suffixes for your cloud organization, or click a tenant name to update the e-mail suffixes for that tenant.
6. On the organization page, in the right pane, click Custom Fields.
The Custom Fields page appears.
7. In the Organization Alias box, verify the existing e-mail suffixes.
8. If required, type one or more additional e-mail suffixes.
Separate the new suffixes with a comma or add each new suffix on a new line.
9. At the bottom of the right pane, click Save.
12.7.3. Verifying and Updating the Default Role for an Organization
Use this procedure to verify, and if necessary update, the default role for an organization. (Users are automatically assigned to a default role in an organization based on their e-mail address suffix.) Do the following:
1. Sign in to the Secure Cloud Portal using the URL from Table 2–2 and the Liferay administrator credentials from Table 2–1.
2. Click OK when you receive one or more errors that there has been an error processing your request or that you do not have permission to view requests.
3. At the top of the window, directly below the browser address bar, select Manage, and then click Control Panel.
4. In the left pane, under Portal, click Organizations.
The Organizations page appears.
5. Click Cloud to update the default role for your cloud organization, or click a tenant name to update the default role for that tenant.
6. On the organization page, in the right pane, click Custom Fields.
The Custom Fields page appears.
7. In the Default Role Name box, verify the current default role.
8. If required, enter a new default role name, as follows:
• _Administrators
• _Operators
• _Users
Caution
Users who sign in to the Secure Private Cloud portal using an e-mail address suffix associated with an organization are automatically assigned to the default role for that organization. Be very careful before reassigning the default role to Administrator or Operator, as this can give new users the ability to change portal settings and resources.
9. At the bottom of the right pane, click Save.
12.7.4. Updating the Default Project for a Tenant
Note: This procedure applies only to tenant organizations. Cloud administrators and cloud operators are not assigned to projects, because they are able to administer all tenants and projects.
Use this procedure to verify, and if necessary update, the default project for a tenant. (Users are automatically assigned to a default project in an organization based on their e-mail address suffix.) Do the following:
1. Sign in to the Secure Cloud Portal using the URL from Table 2–2 and the Liferay administrator credentials from Table 2–1.
2. Click OK when you receive one or more errors that there has been an error processing your request or that you do not have permission to view requests.
3. At the top of the window, directly below the browser address bar, select Manage, and then click Control Panel.
4. In the left pane, under Portal, click Organizations.
The Organizations page appears.
5. Click a tenant name to update the default project for that tenant.
6. On the organization page, in the right pane, click Custom Fields.
The Custom Fields page appears.
7. In the Default Project Name box, verify the current default project.
8. If required, enter a new default project name. The default project must exist in Table 1–40.
9. At the bottom of the right pane, click Save.
12.7.5. Troubleshooting Tenant Permissions in the Secure Private Cloud Portal
Tenant user roles are automatically assigned permissions in the Secure Private Cloud portal, and tenant personnel can access applications and data based on the permissions defined for the user role to which they are assigned. If you need to verify that these roles are correct or change them, do the following.
Caution
Be very careful when viewing and changing permissions. If you change permissions for your cloud personnel and remove editing privileges from all users, you could make your cloud environment completely unusable. If you change permissions for tenant personnel, you could compromise security if tenant users are allowed to see other tenants' components.
Do NOT make any permissions changes unless you are certain how these changes will impact your cloud environment and your tenants.
1. Sign in to the Secure Cloud Portal using the URL from Table 2–2 and the Liferay administrator credentials from Table 2–1.
2. Click OK when you receive one or more errors that there has been an error processing your request or that you do not have permission to view requests.
3. At the top of the window, directly below the browser address bar, select Manage, and then click Control Panel.
4. In the left pane of the Control Panel, under Portal, click Roles.
5. Click Actions next to each role name, and then click Define Permissions to verify that the permissions for the selected role are defined correctly.
The permissions for each role are defined in Table 12–1.
6. If you want to remove a permission, click Delete in the permission role.
7. If you want to add additional permissions, click a permission type in the Resource Set column, and then select one or more check boxes to add permissions.
For example, if you want your Tenant Administrators to be able to add Help content, click Help under Resource Set, and then select the Add to Page check box.
Alternatively, from the roles page on the Define Permissions tab, you can select a permission type under the Applications group from the Add Permissions list, and then select one or more check boxes to add permissions.
8. Click Save to save your changes.
Table 12–1. Tenant Role Permissions

Resource Set          Action                     Machine Owner   Tenant Administrators  Tenant Operators  Tenant Users
Help                  Add to Page                Not applicable  No                     No                No
Help                  Configuration              Not applicable  No                     No                No
Help                  View                       Not applicable  Yes                    Yes               Yes
Request Details       Add to Page                Not applicable  No                     No                No
Request Details       Configuration              Not applicable  No                     No                No
Request Details       Preferences                Not applicable  No                     No                No
Request Details       View                       Not applicable  Yes                    Yes               Yes
Request Overview      Add to Page                No              No                     No                No
Request Overview      Configuration              No              No                     No                No
Request Overview      Preferences                Yes             Yes                    Yes               Yes
Request Overview      View                       No              Yes                    Yes               Yes
Request Overview      View Requests              Yes             Yes                    Yes               No
Request Status        Add to Page                Not applicable  No                     No                No
Request Status        Configuration              Not applicable  No                     No                No
Request Status        View                       Not applicable  Yes                    Yes               Yes
Resource Details      Add to Page                Not applicable  No                     No                No
Resource Details      Configuration              Not applicable  No                     No                No
Resource Details      Preferences                Not applicable  No                     No                No
Resource Details      View                       Not applicable  Yes                    Yes               Yes
Resource Overview     Add to Page                No              No                     No                No
Resource Overview     Change Lease               Yes             Yes                    Yes               No
Resource Overview     Change Owner               No              Yes                    No                No
Resource Overview     Configuration              No              No                     No                No
Resource Overview     Create Snapshot            Yes             Yes                    Yes               No
Resource Overview     Decommission Resource      Yes             Yes                    Yes               No
Resource Overview     Delete Snapshot            Yes             Yes                    Yes               No
Resource Overview     Detach Resource            No              No                     No                No
Resource Overview     Preferences                Yes             Yes                    Yes               Yes
Resource Overview     Revert Snapshot            Yes             Yes                    Yes               No
Resource Overview     Start Resource             Yes             Yes                    Yes               No
Resource Overview     Stop Resource              Yes             Yes                    Yes               No
Resource Overview     Suspend Resource           Yes             Yes                    Yes               No
Resource Overview     View                       No              Yes                    Yes               Yes
Resource Overview     View Resources             Yes             Yes                    Yes               No
Commission Resources  Add to Page                No              No                     No                No
Commission Resources  Commission                 Not applicable  Yes                    No                Yes
Commission Resources  Configuration              No              No                     No                No
Commission Resources  Delete Blueprint           Not applicable  No                     No                No
Commission Resources  Edit Blueprint             Not applicable  No                     No                No
Commission Resources  View                       Not applicable  Yes                    Yes               Yes
Commission Resources  View Tenants and Projects  Yes             Yes                    Yes               Yes
Role Membership       View Role membership       Not applicable  Yes                    No                No
Role Membership       Assign Project             Not applicable  Yes                    No                No
Role Membership       Assign Role                Not applicable  Yes                    No                No
Role Membership       Assign Project             Not applicable  Yes                    No                No
Role Membership       Assign Role                Not applicable  Yes                    No                No
Role Membership       View                       Not applicable  Yes                    No                No
12.8. Resolving <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> Portal<br />
Messages<br />
This section describes messages you might receive when using the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong><br />
portal <strong>and</strong> how to resolve them.<br />
Error Message:<br />
Out of Memory at line: x<br />
Resolution:<br />
Restart the browser.<br />
Error Message:<br />
Rejected Commission Request. Approval Denied<br />
(Blueprint is not a Contracted Resource)<br />
This error message occurs when a cloud administrator attempts to commission a blueprint<br />
for one tenant using the project for another tenant.<br />
Resolution:<br />
When commissioning resources for testing purposes, cloud administrators should ensure<br />
that they use a blueprint <strong>and</strong> a project associated with the same tenant.<br />
Note: This error only occurs for cloud administrators, who can view multiple tenant<br />
blueprints <strong>and</strong> projects, <strong>and</strong> should never appear to tenant end users.<br />
Error Message:<br />
Approval Denied. (Project contracted limits exceeded.)<br />
The message occurs when the contract limit for the project is exceeded.<br />
Resolution:<br />
Increase the tenant contract limit or the project contract limit by updating the workbook<br />
<strong>and</strong> then running the Populator effector. See 6.1 Updating <strong>Cloud</strong> Provider or Adding Tenant<br />
Information in the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> Environment for additional information.<br />
Error Message:<br />
User does not have permission to view<br />
Requests/Resources/Operator Prompts<br />
Troubleshooting<br />
This message occurs when the user’s role does not have permission to view requests,<br />
view resources, or view operator prompts.<br />
3850 6804–007 12–13
Troubleshooting<br />
Resolution:<br />
Assign the user a role with greater privileges.<br />
See Section 7, Onboarding Tenants, Creating Users, <strong>and</strong> Assigning Roles , <strong>and</strong><br />
12.7.5 Troubleshooting Tenant Permissions in the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> Portal for<br />
additional information.<br />
Error Message:<br />
Unique User ID Custom Field Value is missing.<br />
This message occurs when the Uniqueuserid field is empty for the user in the Control<br />
Panel. This could happen if the users uniqueuserid were accidentally removed from the<br />
<strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal Control Panel.<br />
Resolution:<br />
Enter the value for the Uniqueuserid field by doing the following:<br />
1. From a workstation on the Public Network, sign in to the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal<br />
using the URL in Table 2–2 <strong>and</strong> your Liferay administrator credentials.<br />
2. From the Manage list (at the left of the top pane), click Control Panel.<br />
3. Click Users under Portal in the left pane.<br />
The Users page appears.<br />
4. Click Actions next to a user name corresponding to the user for which you want to<br />
verify the Uniqueuserid value, <strong>and</strong> then click Edit.<br />
The Details page appears.<br />
5. Make a note of the value in the Screen Name box.<br />
6. Click Custom Fields under Miscellaneous in the left pane.<br />
7. Type the following in the Uniqueuserid box, based on the user’s organization:<br />
• For cloud administrators <strong>and</strong> operators, type SPC_<br />
• For tenant administrators, operators, <strong>and</strong> users, type<br />
_.<br />
For example, if John J Smith is an SPC administrator <strong>and</strong> his Screen Name is smithjj1,<br />
type SPC_smithjj1.<br />
8. Click Save.<br />
See Section 7, Onboarding Tenants, Creating Users, <strong>and</strong> Assigning Roles , for additional<br />
information.<br />
Error Message:<br />
Department Custom Field Value is missing.<br />
The message occurs when the Department field is empty for the user in the Control Panel.<br />
12–14 3850 6804–007
Resolution:<br />
Enter the value for the user in the Department field.<br />
See Section 7, Onboarding Tenants, Creating Users, <strong>and</strong> Assigning Roles , for additional<br />
information.<br />
Error Message:<br />
REASON FOR FAILURE: Commission postAction failed;<br />
consult the message log for details<br />
The message occurs when the commissioning of a resource (virtual machine) fails.<br />
Go to the operator prompt for the request. The following message appears in the<br />
Request Details pane:<br />
new Axis Fault: (403)Forbidden<br />
On the <strong>Cloud</strong> Orchestrator management VM, the Unisys <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> UCO<br />
service failed to add the new resource to uChargeback because of a problem with the<br />
uChargeback credentials. In Table 1–10, the credentials are referred to as the uChargeback<br />
Service credentials <strong>and</strong> <strong>Cloud</strong> Orchestration Runbook credentials.<br />
The following problems might exist:<br />
• The passwords might have expired.<br />
• The <strong>Cloud</strong> Orchestrator management VM might have been configured with incorrect<br />
user names or passwords for these accounts. This could happen, for example, if you<br />
changed the credentials for the cloud <strong>and</strong> later upgraded the cloud to a new software<br />
level without first updating the <strong>Cloud</strong>Provider.xml on the jump box management VM.<br />
To troubleshoot the problem, perform the following steps on the <strong>Cloud</strong> Orchestrator<br />
management VM:<br />
1. Open the following file in Notepad:<br />
C:\Program Files (x86)\Apache Software Foundation\Tomcat 6.0\webapps\platform\WEB-INF\classes\platformapi-config.properties<br />
2. Make a note of the values listed for the following items (the credentials for the<br />
uChargeback service):<br />
• provider.metric.domain<br />
• provider.metric.user<br />
• provider.metric.pass<br />
3. Open the following file in Notepad:<br />
C:\Unisys\UCO\conf\uChargebackSecurityConfig.xml<br />
4. Make a note of the values listed for the following items (the credentials for the Cloud<br />
Orchestration Runbook account):<br />
• ems:Request username<br />
• ems:HttpAuthentication password<br />
5. Log out of Windows.<br />
6. Try to log in using the uChargeback service credentials, making a note of any problems<br />
that occur.<br />
• If the login fails, then you know that the user name or password is incorrect.<br />
• If the login succeeds but Windows prompts you to enter a new password, then<br />
you know that the password has expired.<br />
7. Try to log in using the Cloud Orchestration Runbook credentials, making a note of any<br />
problems that occur.<br />
• If the login fails, then you know that the user name or password is incorrect.<br />
• If the login succeeds but Windows prompts you to enter a new password, then<br />
you know that the password has expired.<br />
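The following PowerShell script is an added example and is not part of the Unisys guide. It performs the checks in steps 1 through 7 above without logging out of Windows: it reads the two credential sets from the files named in steps 1 and 3 and asks Active Directory whether each account exists, is locked out, has an expired password, or rejects the stored password. It assumes that the RSAT ActiveDirectory module is installed on the machine it runs on, that platformapi-config.properties is plain key=value text, and that in uChargebackSecurityConfig.xml the user name and password are attributes of elements whose local names are Request and HttpAuthentication (the XPath expressions are an assumption; adjust them if the real file is laid out differently).

```powershell
# Added example, not part of the Unisys guide: check the uChargeback Service and
# Cloud Orchestration Runbook credentials against Active Directory instead of
# logging in interactively. Assumptions: RSAT ActiveDirectory module available;
# the XML element names Request / HttpAuthentication match the real file layout.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

$propsPath = 'C:\Program Files (x86)\Apache Software Foundation\Tomcat 6.0\webapps\platform\WEB-INF\classes\platformapi-config.properties'
$xmlPath   = 'C:\Unisys\UCO\conf\uChargebackSecurityConfig.xml'

# Parse a Java .properties file into a hashtable; comment and blank lines are skipped.
function Read-JavaProperties {
    param([Parameter(Mandatory)][string]$Path)
    $props = @{}
    foreach ($raw in Get-Content -LiteralPath $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line[0] -eq '#' -or $line[0] -eq '!') { continue }
        $idx = $line.IndexOf('=')
        if ($idx -lt 1) { continue }
        $props[$line.Substring(0, $idx).Trim()] = $line.Substring($idx + 1).Trim()
    }
    return $props
}

# Split DOMAIN\user or user@domain into (domain, user); otherwise use the default domain.
function Split-AccountName {
    param([string]$Account, [string]$DefaultDomain)
    if ($Account -match '^([^\\]+)\\(.+)$') { return @($Matches[1], $Matches[2]) }
    if ($Account -match '^([^@]+)@(.+)$')   { return @($Matches[2], $Matches[1]) }
    return @($DefaultDomain, $Account)
}

# Report the conditions the manual login test reveals (wrong user name, wrong or
# expired password) plus lockout, which the manual test does not distinguish.
function Get-AccountStatus {
    param([string]$Domain, [string]$User, [string]$Password, [string]$Label)
    $r = [ordered]@{ Account = $Label; User = "$Domain\$User"; Problem = 'none' }
    $adUser = Get-ADUser -Server $Domain -Filter "SamAccountName -eq '$User'" `
        -Properties PasswordExpired, LockedOut, PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'
    if (-not $adUser) {
        $r.Problem = 'account not found (user name is incorrect)'
        return [pscustomobject]$r
    }
    # ValidateCredentials performs a real logon check against the domain.
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain', $Domain)
    $r.PasswordValid   = $ctx.ValidateCredentials($User, $Password)
    $r.LockedOut       = [bool]$adUser.LockedOut
    $r.PasswordExpired = [bool]$adUser.PasswordExpired
    $expiry = $adUser.'msDS-UserPasswordExpiryTimeComputed'
    if (-not $adUser.PasswordNeverExpires -and $expiry -and $expiry -ne [long]::MaxValue) {
        $r.ExpiresOn = [datetime]::FromFileTime($expiry)
    }
    if ($r.PasswordExpired)        { $r.Problem = 'password expired (Windows would prompt for a new one)' }
    elseif ($r.LockedOut)          { $r.Problem = 'account locked out' }
    elseif (-not $r.PasswordValid) { $r.Problem = 'password incorrect' }
    return [pscustomobject]$r
}

# Step 2: uChargeback service credentials from the properties file.
$p = Read-JavaProperties -Path $propsPath
$metricDomain, $metricUser = Split-AccountName -Account $p['provider.metric.user'] -DefaultDomain $p['provider.metric.domain']

# Step 4: Cloud Orchestration Runbook credentials from the XML file. local-name() in
# the XPath means the ems: namespace prefix does not have to be declared.
[xml]$cfg = Get-Content -LiteralPath $xmlPath -Raw
$runbookAccount = $cfg.SelectSingleNode("//*[local-name()='Request']/@username").Value
$runbookPass    = $cfg.SelectSingleNode("//*[local-name()='HttpAuthentication']/@password").Value
$runbookDomain, $runbookUser = Split-AccountName -Account $runbookAccount -DefaultDomain $p['provider.metric.domain']

@(
    Get-AccountStatus -Domain $metricDomain  -User $metricUser  -Password $p['provider.metric.pass'] -Label 'uChargeback Service'
    Get-AccountStatus -Domain $runbookDomain -User $runbookUser -Password $runbookPass              -Label 'Cloud Orchestration Runbook'
) | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the Cloud Orchestrator management VM. A Problem of "password expired" maps to the second resolution below (expired passwords); "account not found" or "password incorrect" maps to the first (incorrect user name or password); the ExpiresOn column lets you schedule a credential change before the next commissioning failure.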
Resolution:<br />
You can resolve an incorrect user name or password, as follows:<br />
1. Open the Secure Private Cloud workbook, using Excel.<br />
2. Inspect the values for the uChargeback Service credentials and Cloud Orchestration<br />
Runbook credentials in Table 1–10, and change these values if desired.<br />
3. Click Export on the Table of Contents to export the Cloud Provider worksheet as<br />
CloudProvider.xml.<br />
4. In the domain controller for your cloud, modify the existing accounts to match the user<br />
name and password that you entered in the workbook.<br />
5. Upload the new version of the CloudProvider.xml file to the following location on the<br />
jump box management VM:<br />
C:\ProgramData\Unisys\SPC-Automation\xml<br />
6. Open the PowerShell prompt and run the following script:<br />
Config-UCO-SystemProp.ps1<br />
7. Restart the following services on the Cloud Orchestrator management VM:<br />
• Unisys Secure Private Cloud UCO<br />
• Apache Tomcat 6<br />
Caution<br />
Before restarting these services, ensure that no commissioning requests are in<br />
progress by responding to all outstanding approval requests and waiting for all<br />
in-progress commissioning requests to be completed.<br />
You can resolve expired passwords in either of the following ways:<br />
• Use the domain controller to mark the password as not expired, as follows:<br />
1. When Windows prompts you to enter a new password on the Cloud Orchestrator<br />
management VM, click Cancel to abandon your login attempt.<br />
2. On the domain controller, run the Active Directory Users and Computers<br />
tool.<br />
3. Open the properties for the expired account and enable the following options:<br />
- Password never expires<br />
- Unlock account<br />
• Update the cloud to use a revised password, as follows:<br />
1. Update the account password when prompted by Windows.<br />
2. Perform the previous procedure for resolving an incorrect user name or password.<br />
12.9. Restoring a Closed Pane in the Secure Private Cloud Portal<br />
If you close one of the open panes in the Secure Private Cloud portal, do the following to<br />
restore it:<br />
1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal<br />
using the URL in Table 2–2 and your Liferay administrator credentials.<br />
2. From the Add list (at the left of the top pane), click More.<br />
3. Click Unisys SPC Portal, and then select the pane (portlet) you want to restore.<br />
4. Drag and drop the pane onto the page, or click Add next to the pane name.<br />
12.10. Log Files Maintenance<br />
Log files are automatically written to the \logs directory. The is typically<br />
\liferay-portal-x.x.x\tomcat-x.x.x\ where x.x.x represents the software version.<br />
Each file includes a timestamp, so you can clearly see when each was created. As part of<br />
general maintenance, you should delete older log files on a monthly basis.<br />
12.11. Reporting Problems to Unisys<br />
If you need to report a problem to Unisys, you do so using a User Communication Form<br />
(UCF). Enter the product name SECPRIVATECLOUD, and then list the specific<br />
component with which you are experiencing an issue; for example, uAdapt or the Unisys<br />
Secure Private Cloud portal.<br />
You are prompted to provide specific details and gather diagnostics information, if<br />
applicable.<br />
12.12. Troubleshooting Datastore Filter and ResourcePoolFilter Constants<br />
The Datastore Filter and ResourcePoolFilter constants in the blueprint are case-sensitive<br />
and must match exactly the values in vCenter.<br />
If an error occurs in finding a datastore, an e-mail notification is sent to the operator with<br />
the subject title “Insufficient Disk Space Approval Notification.”<br />
12.13. Disconnecting Users from the Secure Private Cloud Portal and Enabling Maintenance Mode<br />
If you need to disconnect all users from the Secure Private Cloud portal—for example,<br />
before changing credentials, before updating software, or if you are diagnosing a problem<br />
with the environment—perform the procedure in 9.2 Prerequisites to Changing<br />
Credentials.<br />
To allow users to reconnect when you have finished the required maintenance, perform<br />
the procedure in 9.4 Restoring Users’ Connection to the Portal After Credentials Have<br />
Been Changed.<br />
12.14. Troubleshooting Configuring Stealth-Enabled VLANs<br />
In 6.2 Configuring Stealth-Enabled VLANs, you configure Stealth-enabled VLANs. The<br />
process of onboarding a new Stealth-enabled VLAN takes about one and a half hours to<br />
complete. If you experience problems due to a configuration error or a problem with the<br />
vCenter server, perform the procedures in this topic.<br />
During onboarding, a transcript is produced that indicates the progress of the “job<br />
groups,” including which job group is running and its status. If a failure occurs, the process<br />
of Stealth onboarding can be restarted from the last successful step. Almost any failed job<br />
group can be restarted, with the following two exceptions:<br />
• If the Stealth onboarding fails during the “Provision VSG” job group, the Virtual<br />
Stealth Gateway and Stealth Configuration Machine infrastructure VMs have probably<br />
been left in unknown states. Therefore, if the “Provision VSG” job group fails, you<br />
must restore the VM snapshot, and restart the previous job group (“Create Config<br />
Machine”) so that the previous snapshots of the infrastructure VMs are used. See the<br />
procedure later in this topic for more information.<br />
• Failure to activate a Microsoft license on the Stealth Configuration Machine, Stealth<br />
Proxy Server, or Stealth Relay Server infrastructure VMs is not considered fatal and<br />
does not halt the onboarding process. Therefore, you do not have to restart these jobs<br />
if they fail. See the procedure later in this topic for information on activating these<br />
licenses in case of failure.<br />
(Note that failure to activate a Microsoft license on the Virtual Stealth Gateway<br />
infrastructure VM is considered fatal and does stop the onboarding process, because<br />
there is no way to activate the license manually or through automation after the Virtual<br />
Stealth Gateway has been configured. In this case, you must restart the onboarding<br />
process from the previous successful step.)<br />
Job Group Order<br />
The Stealth job groups occur in the following order:<br />
• Create Transfer Machine<br />
• Create VSG<br />
• Activate VSG License<br />
• Deploy VSG<br />
• Create Config Machine<br />
• Provision VSG<br />
• Activate Config Machine License<br />
• Create Proxy Server<br />
• Provision Proxy Server<br />
• Activate Proxy Server License<br />
• Create Relay Server<br />
• Provision Relay Server<br />
• Activate Relay Server License<br />
• Delete All Snapshots<br />
Understanding Error Conditions<br />
If you see “Automation step failed,” this indicates that a step in one of the tasks of a job<br />
group failed. When there is a job group failure, the Stealth onboarding process will stop.<br />
(The only exception, as stated previously, is Windows license activation failures for the<br />
Stealth Configuration Machine, Stealth Proxy Server, or Stealth Relay Server infrastructure<br />
VMs, which will not cause the onboarding to stop.)<br />
The details of the error message appear immediately above the “Automation step failed”<br />
error. You might see various virtual machine configuration errors or Secure Private Cloud<br />
configuration errors. vCenter errors are enclosed in curly brackets {}.<br />
Read the error condition details, and resolve the error condition based on the information<br />
provided. If you need assistance, see 12.16 Troubleshooting Articles on the Unisys<br />
Product Support Web Site, and access the Troubleshooting article on Stealth onboarding.<br />
After the error condition is resolved, perform the following procedure to restart the failed<br />
job group.<br />
Note: If the Windows license activation fails for the Stealth Configuration Machine,<br />
Stealth Proxy Server, or Stealth Relay Server infrastructure VMs, perform the procedure to<br />
activate a failed license rather than the procedure to restart a failed job group.<br />
Restarting a Failed Job Group<br />
To restart a failed job group, do the following:<br />
1. If the failed job is any job other than Provision VSG, skip to the next step.<br />
If the failed job is Provision VSG, do the following:<br />
a. Using the vSphere Client, connect to the vCenter server that is managing the<br />
workload servers.<br />
b. Locate the Virtual Stealth Gateway infrastructure VM whose provisioning job<br />
failed. The Virtual Stealth Gateway infrastructure VM name is in Table 1–31 of the<br />
tenant worksheet.<br />
c. Right-click the infrastructure VM, point to Snapshot, and then click Revert to<br />
Current Snapshot.<br />
d. After the snapshot is restored, restart the infrastructure VM.<br />
e. Perform the remaining steps in this procedure, rerunning the Create Config<br />
Machine job (rather than the Provision VSG job).<br />
2. If a console to the jump box management VM is not already available, open a console<br />
to the jump box management VM.<br />
3. Enter the following command in the PowerShell command window:<br />
java -jar AutomationClient.jar C:\Unisys\Stealth\TenantName_VLANID\StealthOnBoardingJobs-restartable.xml "JobGroupName"<br />
The StealthOnBoardingJobs-restartable.xml file is located in the<br />
C:\Unisys\Stealth\TenantName_VLANID folder, where TenantName is the<br />
name of the tenant being onboarded from Table 1–24 and VLANID is the<br />
identifier for the Stealth-enabled tenant VLAN specified in Table 1–26. JobGroupName is<br />
the name of the job group to restart.<br />
Activating Failed Licenses<br />
After the onboarding process is complete, review the transcript and note any license<br />
activation failures. Failure to activate a Microsoft license on the Stealth Configuration<br />
Machine, Stealth Proxy Server, or Stealth Relay Server infrastructure VMs is not<br />
considered fatal and does not halt the onboarding process. However, you must do the<br />
following to activate these licenses:<br />
1. If a console to the jump box management VM is not already available, open a console<br />
to the jump box management VM.<br />
2. Enter the following command in the PowerShell command window:<br />
java -jar AutomationClient.jar C:\Unisys\Stealth\TenantName_VLANID\StealthOnBoardingJobs-restartable.xml "JobGroupName" 1<br />
The StealthOnBoardingJobs-restartable.xml file is located in the<br />
C:\Unisys\Stealth\TenantName_VLANID folder, where TenantName is the<br />
name of the tenant being onboarded from Table 1–24 and VLANID is the<br />
identifier for the Stealth-enabled tenant VLAN specified in Table 1–26.<br />
JobGroupName should be one of the following:<br />
• Activate Config Machine License<br />
• Activate Proxy Server License<br />
• Activate Relay Server License<br />
The trailing 1 indicates that only the given job is executed.<br />
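The following PowerShell wrapper is an added example, not part of the Unisys guide or the AutomationClient tool. It builds and runs the restart command from the two procedures above, but first enforces the rules this topic states: the job group name must be one of the fourteen listed, Provision VSG must not be restarted directly (revert the snapshot and restart from Create Config Machine instead), and the trailing 1 is only used with the three license activation job groups. It assumes the tenant folder is named TenantName_VLANID in that order and that AutomationClient.jar is in the current directory, as in the guide's command line; the function and parameter names are the example's own.

```powershell
# Added example, not from the Unisys guide: a guarded wrapper around the
# AutomationClient.jar restart command. Assumptions: folder name is TenantName_VLANID
# (tenant first), and AutomationClient.jar is in the current working directory.
$StealthJobGroups = @(
    'Create Transfer Machine', 'Create VSG', 'Activate VSG License', 'Deploy VSG',
    'Create Config Machine', 'Provision VSG', 'Activate Config Machine License',
    'Create Proxy Server', 'Provision Proxy Server', 'Activate Proxy Server License',
    'Create Relay Server', 'Provision Relay Server', 'Activate Relay Server License',
    'Delete All Snapshots'
)
# Only these three may be run in isolation (trailing "1") after onboarding completes.
$RetryableLicenseJobs = @(
    'Activate Config Machine License', 'Activate Proxy Server License', 'Activate Relay Server License'
)

function Invoke-StealthJobGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$TenantName,   # Table 1-24
        [Parameter(Mandatory)][string]$VlanId,       # Table 1-26
        [Parameter(Mandatory)][string]$JobGroup,
        [switch]$OnlyThisJob,                        # adds the trailing "1" argument
        [string]$StealthRoot = 'C:\Unisys\Stealth'
    )
    if ($StealthJobGroups -notcontains $JobGroup) {
        throw "Unknown job group '$JobGroup'. Valid names: $($StealthJobGroups -join ', ')"
    }
    if ($JobGroup -eq 'Provision VSG') {
        throw "Do not restart 'Provision VSG' directly: revert the VSG snapshot, then restart from 'Create Config Machine'."
    }
    if ($OnlyThisJob -and $RetryableLicenseJobs -notcontains $JobGroup) {
        throw "The single-job flag (trailing 1) is only for: $($RetryableLicenseJobs -join ', ')"
    }
    $xml = Join-Path $StealthRoot ('{0}_{1}\StealthOnBoardingJobs-restartable.xml' -f $TenantName, $VlanId)
    if (-not (Test-Path -LiteralPath $xml)) { throw "Job file not found: $xml" }

    # Pass arguments as an array so the job group name is quoted correctly for java.
    $argList = @('-jar', 'AutomationClient.jar', $xml, $JobGroup)
    if ($OnlyThisJob) { $argList += '1' }
    if ($PSCmdlet.ShouldProcess("java $($argList -join ' ')", 'Run')) {
        & java @argList
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "AutomationClient exited with code $LASTEXITCODE; read the lines above 'Automation step failed' in the transcript."
        }
    }
    return $argList
}

# Example calls (tenant and VLAN values are placeholders):
# Invoke-StealthJobGroup -TenantName 'TenantA' -VlanId '101' -JobGroup 'Create Config Machine' -WhatIf
# Invoke-StealthJobGroup -TenantName 'TenantA' -VlanId '101' -JobGroup 'Activate Proxy Server License' -OnlyThisJob
```

Use -WhatIf first to see the exact command line that would be run; the function returns the argument list either way, so it can be logged alongside the onboarding transcript.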
12.15. Identifying the Secure Private Cloud Software Version<br />
The Secure Private Cloud software version is listed on the Secure Private Cloud portal,<br />
under the Help menu. For example, version 2.0 of the software is listed as “Unisys Secure<br />
Private Cloud v.2.0.”<br />
You can also identify the Secure Private Cloud software version used to commission a<br />
virtual machine by navigating to one of the following text files on any of the Unisys<br />
supplied virtual machines:<br />
• For Windows virtual machines<br />
C:\ProgramData\Unisys\SPC Version.txt<br />
• For Linux virtual machines<br />
/etc/Unisys/SPC-Version.txt<br />
12.16. Troubleshooting Articles on the Unisys Product Support Web Site<br />
The Unisys Product Support Web site includes troubleshooting articles for the Secure<br />
Private Cloud. To locate these articles:<br />
1. Log on to the Unisys Product Support Web site at www.support.unisys.com.<br />
2. Click Secure Private Cloud in the Infrastructure Management platform list.<br />
The Secure Private Cloud Support Site opens.<br />
3. Click TroubleShooting on the left pane under the Support Options heading.<br />
A list of troubleshooting articles appears.<br />
Select the article you want to review. You can also use the Search capability at the top of<br />
the page.<br />
Appendix A<br />
Incorporating an External Server into the Cloud Management Environment<br />
If your environment includes an external server (such as an Active Directory server, vCenter<br />
server, patch management system, Nagios collector, or other value-add component) that is<br />
not reachable on the cloud management network, perform the steps in this appendix to<br />
connect that server to your cloud management environment.<br />
A.1. Requirements for Incorporating an External Server<br />
Keep the following requirements in mind when incorporating an external server in the<br />
Cloud Management Environment:<br />
• The external server must connect to the management server using the Intercom<br />
Network or the Cloud Management Network. (It is recommended that the external<br />
server connects using the Intercom Network.)<br />
If necessary, add an additional network adapter to the server.<br />
• For the management VMs to be able to communicate with the external server over<br />
the Intercom Network, the Intercom Network on the management server must be<br />
configured to use a physical network adapter. Determine which network adapter on<br />
the management server the Intercom Network uses. If the network adapter on the<br />
management server is shared using VLAN tagging, also determine the VLAN ID to<br />
use.<br />
• To verify communication with other management VMs, make sure the external server<br />
responds to a ping command over the Intercom Network.<br />
A.2. Configuring the Management Server Intercom Network Connection to Communicate with External Servers<br />
In a Non-HA Configuration<br />
Use the procedure in either A.2.1 Using a Dedicated Network Adapter or A.2.2 Using a<br />
Shared Network Adapter to configure the Intercom Network on the management server<br />
so that management VMs can communicate with an external server that is not a virtual<br />
machine running on the management server.<br />
Skip this procedure if the external server has already been incorporated into the Cloud<br />
Management Environment.<br />
In an HA Configuration<br />
Note: Do not perform the procedures in this section if the management server is set up<br />
for HA.<br />
If the management server is already set up in an HA configuration, the Unisys service<br />
representative completes all necessary network changes required on the Intercom<br />
Network after configuring High Availability on the management server. No additional<br />
configuration is required on the management server to set up the Intercom Network to<br />
use a physical adapter.<br />
A.2.1. Using a Dedicated Network Adapter<br />
Perform the following procedure if a dedicated network adapter on the management<br />
server enables the management VMs and the external server to communicate using the<br />
Intercom Network.<br />
1. Connect a network cable from the network adapter to be used for the Intercom<br />
Network to the external switch.<br />
2. From the vSphere Client connected to the management server, select the<br />
management server node in the left pane.<br />
3. Select the Configuration tab, and click Networking under Hardware.<br />
4. Click Properties for the Intercom Network virtual machine port group (vSwitch4).<br />
The vSwitch4 Properties window opens.<br />
5. Select the Network Adapters tab, and click Add.<br />
6. Select the check box for the entry that corresponds to the network adapter from step<br />
1.<br />
7. Click Next several times, and then click Finish.<br />
A.2.2. Using a Shared Network Adapter<br />
Perform the following procedure if the network adapter for the Intercom Network on the<br />
management server is shared using VLAN tagging. For example, use this procedure if the<br />
same network adapter is used for the Intercom Network and the Management Access<br />
Network (if a tenant VLAN is enabled) using VLAN IDs.<br />
1. Make sure the physical switch used by the physical adapter on the management<br />
server is configured to support the VLAN ID for the Intercom Network.<br />
2. Launch the vSphere Client, connect to the management server, and log in, using the<br />
root user from Table 2–1.<br />
3. Select the Configuration tab, and click Networking under Hardware.<br />
4. Locate the Intercom Network virtual machine port group (vSwitch4).<br />
5. Identify all the virtual machines that are using the Intercom Network port group, and<br />
disconnect them, as follows:<br />
Note: You must disconnect all virtual machines that are powered on from the<br />
Intercom Network before you can delete the Intercom Network port group in the next<br />
step.<br />
a. Open the VM Properties dialog box for a virtual machine.<br />
b. Clear the Connected option under Device Status for the network adapter<br />
configured for the Intercom Network.<br />
Caution<br />
Do not power off the virtual machine; do not clear the Connect at power on<br />
option.<br />
c. Repeat for the next virtual machine.<br />
6. Click Remove for the Intercom Network virtual machine port group (vSwitch4), and<br />
then click Yes to confirm removing the port group.<br />
7. Locate the virtual switch associated with the network adapter being shared, and<br />
select Properties for the virtual switch.<br />
The vSwitch Properties window opens.<br />
8. Select the Ports tab, and click Add.<br />
9. Select Virtual Machine, and click Next.<br />
10. Type Intercom Network in the Network Label box.<br />
11. Type the VLAN ID for the Intercom Network in the VLAN ID box, using the value from<br />
Table 2–1.<br />
12. Click Next and then Finish.<br />
13. Reconnect the Intercom Network connection for each virtual machine that was<br />
disconnected from the Intercom Network.<br />
A.3. Updating the Hosts File on All Management VMs and External Servers Running Windows<br />
Perform the following procedure for each management VM running Windows and marked<br />
InUse in Table 1–5 and for other external servers running Windows that are incorporated<br />
into the Cloud Management Environment.<br />
Note: For the vCenter management VM, perform this procedure only if it is supplied by<br />
Unisys. Do not perform this procedure on a customer-supplied vCenter management VM.<br />
1. Launch Notepad using the Run as administrator option.<br />
2. In Notepad, open the file c:\windows\system32\drivers\etc\hosts.<br />
3. Insert an entry for the external server’s IP address on the Intercom Network. Use the<br />
same naming convention for assigning an “internal hostname” for the server.<br />
4. Save the file and close Notepad.<br />
5. Repeat the procedure on the next management VM or external server running<br />
Windows (except a customer-supplied vCenter management VM, as noted).<br />
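Because the A.3 procedure is repeated on every Windows management VM and external server, the following PowerShell function is offered as an added example (it is not part of the Unisys guide) of doing steps 2 through 4 in a repeatable way: it takes a timestamped backup of the hosts file, replaces any existing line for the same internal hostname rather than adding a duplicate, writes the file back as plain ASCII so the resolver can read it, and confirms that the name now resolves. The function name and the sample values in the usage line are the example's own.

```powershell
# Added example, not from the Unisys guide: idempotent hosts-file update for the A.3
# procedure. Run from an elevated PowerShell prompt on each Windows machine.
function Set-HostsEntry {
    param(
        [Parameter(Mandatory)][ipaddress]$IPAddress,  # external server's IP on the Intercom Network
        [Parameter(Mandatory)][string]$HostName,       # its "internal hostname"
        [string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
    )
    if ($HostName -notmatch '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$') {
        throw "Invalid hostname '$HostName'"
    }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Copy-Item -LiteralPath $HostsPath -Destination "$HostsPath.$stamp.bak"

    # Keep every line except non-comment entries that already map this hostname.
    $kept = @(Get-Content -LiteralPath $HostsPath | Where-Object {
        $fields = (($_ -replace '#.*$', '').Trim()) -split '\s+'
        -not ($fields.Count -ge 2 -and $fields[1..($fields.Count - 1)] -contains $HostName)
    })
    $newLine = '{0,-18} {1}   # Intercom Network entry, added {2}' -f $IPAddress.IPAddressToString, $HostName, $stamp
    $kept += $newLine
    # The Windows resolver expects the hosts file without a Unicode BOM.
    [System.IO.File]::WriteAllLines($HostsPath, [string[]]$kept, [System.Text.Encoding]::ASCII)

    # Confirm the resolver now returns the address just written.
    $resolved = [System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object { $_.IPAddressToString }
    return [pscustomobject]@{ HostName = $HostName; Written = $newLine; ResolvesTo = ($resolved -join ', ') }
}

# Usage (placeholder address and name; use the external server's Intercom Network IP
# and the internal hostname chosen under your naming convention):
# Set-HostsEntry -IPAddress 172.31.1.50 -HostName extserver-int
```

The same idea applies to /etc/hosts on the Linux servers in A.4; the ASCII requirement is Windows-specific, but replacing rather than appending duplicate entries is worth doing on both.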
A.4. Updating the Hosts File on uAdapt Management VM and External Servers Running Linux<br />
Note: Skip this procedure if you are not incorporating an external server.<br />
Perform the following procedure for the uAdapt management VM and on other external<br />
servers running Linux that are incorporated in the Cloud Management Environment.<br />
1. Log in to the server using a user that has root user privileges.<br />
2. Edit the file /etc/hosts using a text editor.<br />
3. Insert an entry for the external server’s IP address on the Intercom Network. Use the<br />
same naming convention for assigning an “internal hostname” for the server.<br />
4. Save the file and close the editor.<br />
5. Repeat the procedure on other external servers running Linux.<br />
A.5. Configuring External Servers<br />
Note: Skip this procedure if you are not incorporating an external server.<br />
Perform the procedure in this section on each external server:<br />
1. Connect the external server to the Intercom Network.<br />
a. Connect a network cable from the network adapter to be used for the Intercom<br />
Network to the external switch.<br />
b. Locate the network connection for the Intercom Network.<br />
c. Assign a static IP address for the network connection. The IP address must be<br />
within the allowable IP range on the Intercom Network. See Table 1–4.<br />
2. Configure the hosts file.<br />
If the external server is running:<br />
• Windows. Copy the contents of the hosts file from the jump box management VM<br />
to the external server’s hosts file.<br />
• Linux. Copy the contents of the hosts file from the uAdapt management VM or the<br />
Management Network Appliance to the external server’s hosts file. If neither is<br />
InUse, use the contents of the hosts file on the jump box management VM as<br />
input.<br />
3. Configure the static routes.<br />
If the Secure Private Cloud environment is configured to use VLANs for tenant<br />
isolation and the external server requires communication with commissioned tenant<br />
resources on the tenant VLANs, add static route statements on the external server to<br />
properly route traffic to the tenant VLANs using the Management Network Appliance<br />
as the gateway.<br />
Skip this step if the external server does not require communication with tenant<br />
resources.<br />
Procedure for Windows External Servers<br />
a. Start the Windows Command Prompt using the Run as administrator option.<br />
b. Enter the following command to add static routes:<br />
route -p add SUBNET mask NETMASK GATEWAY<br />
where<br />
SUBNET is the management-side tenant VLAN subnet from Table 1–26.<br />
NETMASK is the VLAN netmask from Table 1–26.<br />
GATEWAY is the management network appliance IP address on the<br />
Intercom Network from Table 1–5.<br />
c. Repeat this command for each tenant VLAN as required.<br />
Example<br />
route -p add 10.3.1.0 mask 255.255.255.0 172.31.1.200<br />
4. Configure the DNS resolver.<br />
If the external server requires communication with commissioned tenant resources<br />
using FQDN, configure the server to use the appropriate DNS server so the tenant<br />
resource’s FQDN is resolved to the correct IP address.<br />
If the Secure Private Cloud is not configured to use VLANs for tenant isolation, the<br />
external server uses the same DNS servers as the Cloud Orchestrator management<br />
VM.<br />
If the Secure Private Cloud is configured to use VLANs for tenant isolation, the<br />
external server communicates with commissioned tenant resources on the tenant<br />
VLANs using the management-side hostname. Configure the server’s DNS so that it<br />
resolves the tenant resource’s management-side hostname (fully qualified name) to<br />
the management-side IP address.<br />
For example, tenant resource tenant-0003.managed.spc.local is resolved to<br />
10.3.1.15.<br />
CHECKPOINT:<br />
1. Verify that the external server responds to a ping command from the jump box<br />
management VM using the “internal hostname”. That is, ping the external server<br />
using its IP address on the Intercom Network.<br />
2. Verify that the external server can ping the jump box management VM using the<br />
“internal hostname”. That is, ping the jump box management VM using its IP address<br />
on the Intercom Network.<br />
3. Verify that the external server can communicate with a tenant resource on the tenant’s<br />
VLAN using the FQDN of the tenant resource. If a tenant VLAN is configured, use the<br />
management-side FQDN of the tenant resource. For example, ping<br />
tenant-0003.managed.spc.local.<br />
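The following PowerShell is an added example, not part of the Unisys guide, covering step 3 (static routes) and the CHECKPOINT above on a Windows external server. Add-TenantVlanRoute is the persistent route -p add command from the procedure with a check that the route is not already present, and Test-IntercomCheckpoint resolves each name through the hosts file or DNS, pings the resolved address, and reports both, so you can see whether a failure is a name-resolution problem or a reachability problem. The addresses and names in the usage lines are the guide's own example values plus a placeholder jump box hostname; the function names are the example's own.

```powershell
# Added example, not from the Unisys guide: apply the step 3 static route and run the
# CHECKPOINT verifications from a Windows external server (elevated prompt for the route).
function Add-TenantVlanRoute {
    param(
        [Parameter(Mandatory)][string]$Subnet,       # management-side tenant VLAN subnet, Table 1-26
        [Parameter(Mandatory)][string]$Netmask,      # VLAN netmask, Table 1-26
        [Parameter(Mandatory)][string]$ApplianceIP   # Management Network Appliance IP on the Intercom Network, Table 1-5
    )
    # Same as "route -p add SUBNET mask NETMASK GATEWAY", but skip if the route already exists.
    $present = route print -4 | Where-Object {
        $_ -match [regex]::Escape($Subnet) -and $_ -match [regex]::Escape($Netmask)
    }
    if ($present) { return "route to $Subnet already present" }
    & route -p add $Subnet mask $Netmask $ApplianceIP | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "route add failed (exit $LASTEXITCODE); run from an elevated prompt" }
    return "persistent route to $Subnet via $ApplianceIP added"
}

function Test-IntercomCheckpoint {
    param(
        [Parameter(Mandatory)][string]$JumpBoxHostName,  # jump box "internal hostname" from the hosts file
        [Parameter(Mandatory)][string]$TenantFqdn        # management-side FQDN of a tenant resource
    )
    $results = foreach ($name in $JumpBoxHostName, $TenantFqdn) {
        # Resolution goes through the hosts file first, then DNS, exactly as ping would.
        $resolved = try {
            [System.Net.Dns]::GetHostAddresses($name) | Select-Object -First 1 -ExpandProperty IPAddressToString
        } catch { $null }
        $reachable = if ($resolved) { Test-Connection -ComputerName $resolved -Count 2 -Quiet } else { $false }
        [pscustomobject]@{ Target = $name; ResolvedTo = $resolved; Reachable = $reachable }
    }
    return $results
}

# Usage with the guide's example values (jump box hostname is a placeholder):
# Add-TenantVlanRoute -Subnet 10.3.1.0 -Netmask 255.255.255.0 -ApplianceIP 172.31.1.200
# Test-IntercomCheckpoint -JumpBoxHostName 'jumpbox-int' -TenantFqdn 'tenant-0003.managed.spc.local' | Format-Table
```

Run Test-IntercomCheckpoint in both directions: from the jump box management VM with the external server's internal hostname (CHECKPOINT item 1) and from the external server with the jump box's internal hostname (item 2). An empty ResolvedTo column points at the hosts file or DNS configuration from A.3, A.4, or step 4; a resolved address that is not reachable points at the Intercom Network connection or, for a tenant FQDN, the static route from step 3.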
© 2012 Unisys Corporation.<br />
All rights reserved.<br />