In this blog post, I am going to show you how to enable the VMware Identity Manager GUI when it is located inside vRealize Automation. I am going to explain why you sometimes should and how the procedure is performed.
For those who don’t know, VMware vRealize Automation (vRA) uses VMware Identity Manager (vIDM) under the covers. By default, the VMware Identity Manager GUI is disabled after the vRealize Automation installation process. If you want to configure parts of vIDM, you do so through the vRealize Automation GUI.
Let’s get everybody on the same page: So you are talking about two GUIs, the vRealize Automation GUI and the VMware Identity Manager GUI? Who is who, explain it to me!
Keep in mind: I’m not completely sure what will happen if you configure items with the vIDM GUI, because you are bypassing the default vRealize Automation GUI. I have done some tests and no problems were caused in my lab environment, but it might cause issues later on… So why do you enable it then? Because of the large amount of information provided throughout the vIDM GUI. The vRealize Automation GUI only shows a small piece and not the big picture.
Product support: I have tested this procedure on vRealize Automation version 7.3 and vRealize Automation 7.3.1. I would expect it to work on newer and older vRealize Automation 7.X releases.
Enable the vIDM Interface
This procedure is for enabling the interface:
- Step 01: Connect with an SSH session to the vRealize Automation Appliance. Use for example PuTTY.
- Step 02: Log in with the root credentials.
- Step 03: Run the following command to start the VMware Identity Manager Interface: (vcac-vami horizonui enable).
- Step 04: Open a web browser and navigate to the following URL: (https://%FQDN%/SAAS/admin/).
Disable the vIDM Interface
This procedure is for disabling the interface:
- Step 01: Connect with an SSH session to the vRealize Automation Appliance. Use for example PuTTY.
- Step 02: Log in with the root credentials.
- Step 03: Run the following command to stop the VMware Identity Manager Interface: (vcac-vami horizonui disable).
- Step 04: When you navigate to the following URL no page should appear: (https://%FQDN%/SAAS/admin/).
Status of the vIDM Interface
This procedure is for viewing the vIDM Interface status:
- Step 01: Connect with an SSH session to the vRealize Automation Appliance. Use for example PuTTY.
- Step 02: Log in with the root credentials.
- Step 03: Run the following command to view the current status of the VMware Identity Manager Interface: (vcac-vami horizonui status).
- Step 04: When you navigate to the following URL no page should appear: (https://%FQDN%/SAAS/admin/).
VMware Identity Manager URLs
The following URLs are available when the GUI is enabled:
- Main page: https://%vRA-Appliance-FQDN%:8443
- Tenant-specific page (Tenant vSphere.local): https://%vRA-Appliance-FQDN%/SAAS/t/vsphere.local
- Tenant-specific page (Tenant Production): https://%vRA-Appliance-FQDN%/SAAS/t/production
- Tenant-specific page (Tenant Development): https://%vRA-Appliance-FQDN%/SAAS/t/development
vRealize Automation Internal Proxy Explained
Here is what happens under the covers: When you run the command to start or stop the vIDM interface, the reverse proxy configuration located on the vRealize Automation Appliance (vRA) is changed. The command adds or removes some configuration files. Then the proxy daemon is reloaded to pick up the changes. At that point, the vIDM webpage becomes available or unavailable depending on the given command. Under the covers, vRealize Automation uses HAProxy. For IT guys working in container or web hosting environments that might be a very
HAProxy is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for very high traffic websites and powers quite a number of the world’s most visited ones. Over the years it has become the de-facto standard opensource load balancer, is now shipped with most mainstream Linux distributions, and is often deployed by default in cloud platforms. Since it does not advertise itself, we only know it’s used when the admins report it.
https://www.haproxy.org/#desc
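Because the enable and disable commands only change what the reverse proxy serves, the result can be checked from outside the appliance. The script below is an added example, not part of the original post or of any VMware tooling: it probes the /SAAS/admin/ path from the post on appliances you manage and flags any that still serve the vIDM GUI after troubleshooting. The function names and the mapping from HTTP status to verdict are assumptions, since the post only says that no page should appear when the interface is disabled.

```shell
#!/bin/sh
# Added example: audit whether the vIDM admin GUI answers on vRA appliances.
# Host names are supplied as arguments; none of them come from the post.

ADMIN_PATH="/SAAS/admin/"   # admin path taken from the post

# Map an HTTP status code to an audit verdict.
# Assumption: a disabled GUI is answered with an error status by the proxy.
classify_status() {
  case "$1" in
    000)      echo "UNREACHABLE" ;;  # curl could not connect or TLS failed
    2??|3??)  echo "EXPOSED" ;;      # a page or a login redirect is served
    4??|5??)  echo "NOT_SERVED" ;;   # proxy has no route to the admin UI
    *)        echo "UNKNOWN" ;;      # anything that is not a status code
  esac
}

# Fetch only the status code. -k is used because appliances often run with
# self-signed certificates; no response body is kept.
probe_host() {
  probe_code=$(curl -k -s -o /dev/null --max-time 10 -w '%{http_code}' \
    "https://$1${ADMIN_PATH}") || probe_code="000"
  printf '%s\n' "$probe_code"
}

# Print one line per host; return non-zero if any GUI is still exposed,
# so the script can gate a change ticket or a scheduled job.
audit_hosts() {
  audit_rc=0
  for audit_host in "$@"; do
    audit_code=$(probe_host "$audit_host")
    audit_verdict=$(classify_status "$audit_code")
    printf '%-40s %s %s\n' "$audit_host" "$audit_code" "$audit_verdict"
    if [ "$audit_verdict" = "EXPOSED" ]; then
      audit_rc=1
    fi
  done
  return "$audit_rc"
}

# Run the audit only when appliance FQDNs are given on the command line.
if [ "$#" -gt 0 ]; then
  audit_hosts "$@"
fi
```

Calibrate the verdicts once against an appliance where the status command reports the interface as disabled, then run the script with your appliance FQDNs as arguments after each troubleshooting session.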
VMware Identity Manager GUI Advantages
The main advantages of enabling the GUI:
- You can view the currently logged in users in vRealize Automation.
- When logging into the default tenant in the vIDM GUI you can view the total amount of users and groups that are identified by vIDM (counters are from all tenants combined).
- You can view the health status of VMware Identity Manager (vIDM).
- You can view the user login history based on the last days and you have reporting functionality.
Final word
In this blog post, I explained how to enable and disable the VMware Identity Manager interface on a vRealize Automation Appliance. As noted before, be careful! I personally only use this method for troubleshooting Identity Manager-related problems with authentication and viewing user activity.
Content Update
The following items have been verified:
- 2020-09-24: This is still working on vRealize Automation 7.6.
I wanted to add a local user to vcoadmins@vsphere.local group but was unable (on vRA 7.5 appliance). I can search for both the local user and group but no luck so far. Is this possible? I logged in with administrator user.
Can you explain to me your question with more detail? On which item do you want to add the local user? (Business Group, Fabric Group or…)
I don’t use any external directory service in my lab, just using vsphere.local local users. I wanted to grant admin rights to a user to use with vRO so trying to add it to vcoadmins@vsphere.local (system) group by iDM (vcoadmins is the default admin group on vRO).
There is a group specified when configuring the vRO authentication with vRA IDM. That is the one you should look at.
Here is a lot of information about that subject: http://kaloferov.com/blog/skkb1037/