
Administering VMware Aria Automation
October 2024
VMware Aria Automation 8.18

You can find the most up-to-date technical documentation on the VMware by Broadcom website at:

https://docs.vmware.com/

VMware by Broadcom
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

Copyright © 2024 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its
subsidiaries. For more information, go to https://www.broadcom.com. All trademarks, trade names, service
marks, and logos referenced herein belong to their respective companies.

Contents

1 Administering VMware Aria Automation

2 Administering users
How do I enable Active Directory groups for projects
How do I remove users in VMware Aria Automation
How do I edit user roles in VMware Aria Automation
How do I edit group role assignments in VMware Aria Automation
What are the VMware Aria Automation user roles
Active Directory sync and authentication with multiple domains
Display full names of users
Enable Department of Defense Notice and Consent Banner

3 Maintaining your appliance
Starting and stopping VMware Aria Automation
Scale out from one node to three nodes
Configure an anti-affinity rule and virtual machine group for a clustered Workspace ONE Access instance
Configure anti-affinity rules
Configure an anti-affinity rule and virtual machine group for a clustered VMware Aria Automation instance
Replacing an appliance node
Increase VMware Aria Automation appliance disk space
Update the DNS assignment
Change the IP address of a node or cluster
How do I enable time synchronization
How do I reset the root password

4 Using multi-organization tenant configurations in VMware Aria Automation
Set up multi-organization tenancy
Managing certificates and DNS configuration under single-node multi-organization deployments
Managing certificate and DNS configuration in clustered VMware Aria Automation deployments
Logging in to tenants and adding users in VMware Aria Automation
Using VMware Aria Automation Orchestrator with VMware Aria Automation multi-organization deployments

5 Working with logs
How do I work with logs and log bundles
How do I configure log forwarding to VMware Aria Operations for Logs
How do I create or update a syslog integration
How do I delete a syslog integration for logging
How do I work with VMware Aria Automation content packs

6 Participating in the Customer Experience Improvement Program
How do I join or leave the customer experience improvement programs (CEIP and Pendo CEIP)
How do I configure the data collection time for the program

7 Turning on the in-product feedback form

1 Administering VMware Aria Automation

This guide describes how to monitor and manage critical infrastructure and user management
aspects of a VMware Aria Automation deployment.

The tasks described herein are vital to keeping a VMware Aria Automation deployment operating
appropriately. These tasks include user and group management, and monitoring system logs.

In addition, it describes how to configure and manage multi-organization deployments.

While some VMware Aria Automation administration tasks are completed from within VMware
Aria Automation, others require the use of related products such as VMware Aria Suite Lifecycle
and Workspace ONE Access. Users should familiarize themselves with these products and their
functionality before completing applicable tasks.

For example, for information about backup, restore, and disaster recovery, see the Backup and
Restore, and Disaster Recovery > 2019 section of vRealize Suite product documentation.

Note: Disaster recovery is supported in VMware Aria Automation.

For information about working with VMware Aria Suite Lifecycle installation, upgrade, and
management, see VMware Aria Suite Lifecycle product documentation.

2 Administering Users and Groups in VMware Aria Automation

VMware Aria Automation uses Workspace ONE Access, the VMware-supplied identity
management application, to import and manage users and groups. After users and groups are
imported or created, you can manage the role assignments for single-tenant deployments using
the Identity & Access Management page.

VMware Aria Automation is installed using VMware Aria Suite Lifecycle. When installing VMware
Aria Automation you must import an existing Workspace ONE Access instance, or deploy a new
one to support identity management. These two scenarios define your management options.

- If you deploy a new Workspace ONE Access instance, you can manage users and groups by
  using VMware Aria Suite Lifecycle. During installation, you can set up an Active Directory
  connection using Workspace ONE Access. Alternatively, you can view and edit some
  aspects of users and groups within VMware Aria Automation using the Identity & Access
  Management page as described herein.

- If you use an existing Workspace ONE Access instance, you import it for use with VMware
  Aria Automation by using VMware Aria Suite Lifecycle during installation. In this case, you can
  continue to use Workspace ONE Access to manage users and groups, or you can use the
  management functions in VMware Aria Suite Lifecycle.

See Logging in to tenants and adding users in VMware Aria Automation for more information
about managing users under a multi-organization deployment.

VMware Aria Automation users must be assigned roles. Roles define access to features within
the application. When VMware Aria Automation is installed with a Workspace ONE Access
instance, a default organization is created and the installer is assigned the Organization Owner
role. All other VMware Aria Automation roles are assigned by the Organization Owner.

There are three types of roles in VMware Aria Automation: organization roles, service roles, and
project roles. For Automation Assembler, Automation Service Broker and Automation Pipelines,
user-level roles can typically use resources whereas admin-level roles are required to create
and configure resources. Organizational roles define permissions within the tenant; organizational
owners have admin-level permissions while organizational members have user-level permissions.
Organization owners can add and manage other users.


| Organization Roles | Service Roles |
|---|---|
| Organization Owner | Automation Assembler Administrator |
| Organization Member | Automation Assembler User |
| | Automation Assembler Viewer |
| | Automation Service Broker Administrator |
| | Automation Service Broker User |
| | Automation Service Broker Viewer |
| | Automation Pipelines Administrator |
| | Automation Pipelines User |
| | Automation Pipelines Viewer |

There are also project-level roles not shown in the table. These roles are assigned automatically
on a per project basis in Automation Assembler. These roles are somewhat fluid. The same user
can be an administrator on one project and a user on another project. For more information, see
What are the VMware Aria Automation user roles.

Read the following topics next:

- How do I enable Active Directory groups in VMware Aria Automation for projects
- How do I remove users in VMware Aria Automation
- How do I edit user roles in VMware Aria Automation
- How do I edit group role assignments in VMware Aria Automation
- What are the VMware Aria Automation user roles
- Active Directory sync and authentication with multiple domains
- Display full names of users
- Enable Department of Defense Notice and Consent Banner

How do I enable Active Directory groups in VMware Aria Automation for projects

If a group is not available on the Add Groups page when you are adding users to projects, check
the Identity & Access Management page and add the group if it is available. If the group is not
listed on the Identity & Access Management page in VMware Aria Automation, the group may
not be synchronized in your Workspace ONE Access instance. You can verify that it has been
synchronized and then use this procedure to add the group as shown herein.

To add members of an Active Directory group to a project, you must ensure that the group is
synchronized with your Workspace ONE Access instance and that the group is added to the
organization.


Prerequisites

If the groups are not synchronized, they are not available when you try to add them to a project.
Verify that you synchronized your Active Directory groups with your VMware Aria Suite Lifecycle
instance.

Procedure

1 Log in to VMware Aria Automation as a user from the same Active Directory domain that you
are adding. For example, @mycompany.com

2 In Automation Assembler, click Identity & Access Management in the header right navigation.

3 Click Enterprise Groups, and then click Assign Roles.

4 Use the search function to find the group that you are adding and select it.

5 Assign an organization role.

At a minimum, the group must have an Organization Member role. See What are the VMware
Aria Automation user roles for more information.

6 Click Add Service Access, add one or more services, and select a role for each.

7 Click Assign.

Results

You can now add the Active Directory group to a project.

How do I remove users in VMware Aria Automation


You can remove users as needed in VMware Aria Automation.

All users are listed by default and you cannot add users with the Identity and Access
Management page. You can delete users.

Procedure

1 Select the Active Users tab on the Identity & Access Management page.

2 Locate and select the users that you want to delete.

3 Click Remove Users.

Results

The selected users are removed.

How do I edit user roles in VMware Aria Automation


You can edit roles assigned to Workspace ONE Access users that have been imported into
VMware Aria Automation.


Procedure

1 In Automation Assembler, click Identity & Access Management in the header right navigation.

2 Select the desired user on the Active Users tab and click Edit Roles.

3 You can edit the organization and service roles for the user.

- Select the drop-down beside the Assign Organization Roles heading to change the user's
  relationship with the organization.

- Click Add Service Access to add new service roles for the user.

- To remove user roles, click the X beside the applicable service.

4 Click Save.

Results

The user role assignment is updated as specified.

How do I edit group role assignments in VMware Aria Automation

You can edit role assignments for groups in VMware Aria Automation.

Prerequisites

Users and groups have been imported from a valid Workspace ONE Access instance that is
associated with your VMware Aria Automation deployment.

Procedure

1 In Automation Assembler, click Identity & Access Management in the header right navigation.

2 Select the Enterprise Groups tab.

3 Enter the name of the group for which you want to edit role assignments in the search field.

4 Edit the role assignments for the selected group. You have two options.

- Assign Organization Roles

- Assign Service Roles

5 Click Assign.

Results

Role assignments are updated as specified.

What are the VMware Aria Automation user roles


As an organization owner, you can assign users organization roles and service roles in VMware
Aria Automation. The roles determine what users can do or see. Then, in the services, the service
administrator can assign project roles. To determine the role that you want to assign, evaluate
the tasks in the following tables.

Assembler Service Roles


The Automation Assembler service roles determine what you can see and do in Automation
Assembler. These service roles are defined in the console by an organization owner.

Table 2-1. Automation Assembler Service Role Descriptions

| Role | Description |
|---|---|
| Assembler Administrator | A user who has read and write access to the entire user interface and API resources. This is the only user role that can see and do everything, including add cloud accounts, create new projects, and assign a project administrator. |
| Assembler User | A user who does not have the Assembler Administrator role. In an Automation Assembler project, the administrator adds users to projects as project members, administrators, or viewers. The administrator can also add a project administrator. |
| Assembler Viewer | A user who has read access to see information but cannot create, update, or delete values. This is a read-only role across all projects in all the services. Users with the viewer role can see all the information that is available to the administrator. They cannot take any action unless you make them a project administrator or a project member. If the user is affiliated with a project, they have the permissions related to the role. The project viewer would not extend their permissions the way that the administrator or member role does. |
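
An added example, not part of the VMware guide: a small audit over a role-assignment export that applies rules stated on this page (a principal needs at least the Organization Member role, the Viewer service role is read-only across all projects in all services, and Organization Owners can add and manage other users). The CSV layout, the finding codes and the sample principals are constructed for illustration and are not a VMware export format.

```python
import csv
import io

# Role names exactly as listed on this page.
ORG_ROLES = {"Organization Owner", "Organization Member"}
SERVICES = ("Automation Assembler", "Automation Service Broker", "Automation Pipelines")
SERVICE_ROLES = {f"{svc} {lvl}" for svc in SERVICES
                 for lvl in ("Administrator", "User", "Viewer")}

# Why each finding is worth a review, traced to statements in the guide.
REASONS = {
    "ORG_OWNER": "can add and manage other users and assigns all other roles",
    "NO_ORG_ROLE": "service access without the minimum Organization Member role",
    "UNKNOWN_ROLE": "role name is not one of the nine service roles listed",
    "GROUP_ADMIN": "every member of the group inherits an admin-level service role",
    "GLOBAL_VIEWER": "read access across all projects in all services",
}

# Constructed sample data; the column layout is hypothetical.
SAMPLE_EXPORT = """\
principal,type,org_role,service_roles
alice@mycompany.com,user,Organization Owner,Automation Assembler Administrator
bob@mycompany.com,user,Organization Member,Automation Assembler User;Automation Service Broker User
dev-team@mycompany.com,group,,Automation Assembler User
auditors@mycompany.com,group,Organization Member,Automation Assembler Viewer
platform-admins@mycompany.com,group,Organization Member,Automation Assembler Administrator
dave@mycompany.com,user,Organization Member,Automation Pipelines Operator
"""


def parse_assignments(text):
    """Parse the export into dicts; service roles are ';'-separated."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        roles = [r.strip() for r in rec["service_roles"].split(";") if r.strip()]
        rows.append({
            "principal": rec["principal"].strip(),
            "type": rec["type"].strip().lower(),
            "org_role": rec["org_role"].strip(),
            "service_roles": roles,
        })
    return rows


def audit(rows):
    """Return sorted (principal, finding_code) pairs that need a human review."""
    findings = set()
    for row in rows:
        who, org, roles = row["principal"], row["org_role"], row["service_roles"]
        if org == "Organization Owner":
            findings.add((who, "ORG_OWNER"))
        elif org not in ORG_ROLES and roles:
            # Blank or unrecognised organization role, yet service roles are set.
            findings.add((who, "NO_ORG_ROLE"))
        for role in roles:
            if role not in SERVICE_ROLES:
                findings.add((who, "UNKNOWN_ROLE"))
            elif role.endswith(" Administrator") and row["type"] == "group":
                findings.add((who, "GROUP_ADMIN"))
            elif role.endswith(" Viewer"):
                findings.add((who, "GLOBAL_VIEWER"))
    return sorted(findings)


if __name__ == "__main__":
    for who, code in audit(parse_assignments(SAMPLE_EXPORT)):
        print(f"{code:14} {who:32} {REASONS[code]}")
```
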

In addition to the service roles, Automation Assembler has project roles. Any project is available
in all of the services.

The project roles are defined in Automation Assembler and can vary between projects.

In the following tables, which tell you what the different service and project roles can see
and do, remember that the service administrators have full permission on all areas of the user
interface.

The descriptions of project roles will help you decide what permissions to give your users.

- Project administrators leverage the infrastructure that is created by the service administrator
  to ensure that their project members have the resources they need for their development
  work.

- Project members work within their projects to design and deploy cloud templates. Your
  projects can include only resources that you own or resources that are shared with other
  project members.

- Project viewers are restricted to read-only access, except in a few cases where they can do
  non-destructive things like download cloud templates.

- Project supervisors are approvers in Automation Service Broker for their projects where an
  approval policy is defined with a project supervisor approver. To provide the supervisor with
  context for approvals, consider also granting them the project member or viewer role.

Table 2-2. Automation Assembler service roles and project roles

Columns: UI Context | Task | Assembler Administrator | Assembler Viewer | Assembler User: Project Administrator | Project Member | Project Viewer | Project Supervisor

An Assembler User must be a project administrator or member to see and do project-related tasks.

Access
Assembler

Console In the Automation Yes Yes Yes Yes Yes Yes


console, you can
see and open
Assembler

Infrastructure

See and open the Yes Yes Yes Yes Yes Yes
Infrastructure tab

Administration Create projects Yes


- Projects

Update, or delete Yes


values from
project summary,
provisioning,
Kubernetes,
integrations, and
test project
configurations.

Add users and Yes Yes. Your


groups, and projects.
assign roles in
projects.

View projects Yes Yes Yes. Your Yes. Yes. Yes. Your
projects Your Your projects
projects projects

Administration View the users Yes


- Users and and groups
Groups assigned to
custom roles.

Administration Create custom Yes


- Custom user roles and
Roles assign them to
users and groups.


Administration Create custom Yes


- Custom resource names.
Names

Administration Create and delete Yes


- Secrets secret reusable
properties.

Administration Turn on or off Yes


- Settings internal settings.

Configure - Create, update, Yes


Cloud Zones or delete cloud
zones

View cloud zones Yes Yes

View cloud Yes Yes


zone Insights
dashboard

View cloud zones Yes Yes


alerts

Configure - Create, update, Yes


Kubernetes or delete
Zones Kubernetes zones

View Kubernetes Yes Yes


zones

Configure - Create, update, Yes


Flavors or delete flavors

View flavors Yes Yes

Configure - Create, update, Yes


Image or delete image
Mappings mappings

View image Yes Yes


mappings

Configure - Create, update, Yes


Network or delete network
Profiles profiles

View image Yes Yes


network profiles

Configure - Create, update, Yes


Storage or delete storage
Profiles profiles


View image Yes Yes


storage profiles

Configure - Create, update, Yes


Pricing Cards or delete pricing
cards

View the pricing Yes Yes


cards

Configure - Create, update, Yes


Tags or delete tags

View tags Yes Yes

Resources - Add tags Yes


Compute to discovered
compute
resources

View discovered Yes Yes


compute
resources

Resources - Modify network Yes


Networks tags, IP ranges, IP
addresses

View discovered Yes Yes


network
resources

Resources - Add tags Yes


Security to discovered
security groups

View discovered Yes Yes


security groups

Resources - Add tags Yes


Storage to discovered
storage

View storage Yes Yes

Resources - Deploy or Yes


Kubernetes add Kubernetes
clusters, and
create or add
namespaces


View Kubernetes Yes Yes Yes. Your Yes. Yes.


clusters and projects Your Your
namespaces projects projects

Activity - Delete Yes


Requests deployment
request records

View deployment Yes Yes Yes. Your Yes. Yes.


request records projects Your Your
projects projects

Activity - View event logs Yes Yes Yes. Your Yes. Yes.
Event Logs projects Your Your
projects projects

Connections - Create, update, Yes


Cloud or delete cloud
Accounts accounts

View cloud Yes Yes


accounts

Connections - Create, update, Yes


Integrations or delete
integrations

View integrations Yes Yes

Onboarding Create, update, Yes


or delete
onboarding plans

View onboarding Yes Yes.


plans Your
projects

Extensibility

See and open the Yes Yes Yes


Extensibility tab

Events View extensibility Yes Yes


events

Subscriptions Create, update, Yes


or delete
extensibility
subscriptions

Deactivate Yes
subscriptions


View Yes Yes


subscriptions

Library - Event View event topics Yes Yes


topics

Library - Create, update, Yes


Actions or delete
extensibility
actions

View extensibility Yes Yes


actions

Library - View extensibility Yes Yes


Workflows workflows

Activity - Cancel or delete Yes


Action Runs extensibility
action runs

View extensibility Yes Yes Yes.


action runs Your
projects

Activity - View extensibility Yes Yes


Workflow workflow runs
Runs

Design

Design Open the Design Yes Yes Yes. Yes. Yes. Yes
tab

Cloud Create, update, Yes Yes. Your Yes.


Templates and delete cloud projects Your
templates projects

View cloud Yes Yes Yes. Your Yes. Yes.


templates projects Your Your
projects projects

Download cloud Yes Yes Yes. Your Yes. Yes.


templates projects Your Your
projects projects

Upload cloud Yes Yes. Your Yes.


templates projects Your
projects

Deploy cloud Yes Yes. Your Yes.


templates projects Your
projects


Version and Yes Yes. Your Yes.


restore cloud projects Your
templates projects

Release cloud Yes Yes. Your Yes.


templates to the projects Your
catalog projects

Custom Create, update Yes


Resources or delete custom
resources

View custom Yes Yes Yes. Your Yes. Yes.


resources projects Your Your
projects projects

Custom Create, update, Yes


Actions or delete custom
actions

View custom Yes Yes Yes. Your Yes. Yes.


actions projects Your Your
projects projects

Resources

See and open the Yes Yes Yes Yes Yes Yes
Resources tab

Deployments View Yes Yes Yes. Your Yes. Yes.


deployments projects Your Your
including projects projects
deployment
details,
deployment
history, price,
monitor, alerts,
optimize, and
troubleshooting
information

Manage alerts Yes Yes. Your Yes.


projects Your
projects

Run day 2 actions Yes Yes. Your Yes.


on deployments projects Your
based on policies projects

Resources - View all Yes Yes


All Resources discovered
resources


Run day 2 actions Yes


on discovered
resources.
Actions available
only on machines
and limited to
power on and
off for all
machines, and
remote console
for vSphere
machines.

Resources - View deployed, Yes Yes Yes. Your Yes. Yes.


All Resources onboarded, projects. Your Your
migrated projects. projects.
resources

Run Day 2 actions Yes Yes Yes. Your Yes.


on deployed, projects. Your
onboarded, projects.
and migrated
resources based
on policies

Resources - View discovered Yes Yes


Virtual machines
Machines

Run day 2 actions Yes


on discovered
machines.
Actions are
limited to power
on and off, and
remote console
for vSphere
machines.


Create New VM Yes Yes. Your Yes. Your Yes.


This option is projects. projects. Your
available to projects.
administrators.
However, if
an administrator
turns on the
setting, then it
is available to
the other users
roles. To activate
the option, select
Infrastructure >
Administration >
Settings and turn
on Create new
resource.
By activating
the option,
Automation
Service Broker
users can create
VMs based
on any image
and any flavor
even though
they are not
administrators
themselves.
To avoid
the potential
overconsumption
of resources,
administrators
can create
approval policies
to reject
or approve
any deployment
requests based
on the image
used or the flavor
or size requested.


View deployed, Yes Yes. Your Yes. Yes.


onboarded, projects. Your Your
and migrated projects. projects.
resources.

Run day 2 actions Yes Yes. Your Yes.


on deployed, projects. Your
onboarded, projects.
and migrated
resources based
on policies

Resources - View discovered Yes Yes


Volumes volumes

No day 2 actions
available

View deployed, Yes Yes Yes. Your Yes. Yes.


onboarded, and projects. Your Your
migrated volumes projects. projects.

Run day 2 actions Yes Yes. Your Yes.


on deployed, projects. Your
onboarded, and projects.
migrated volumes
based on policies

Resources - View discovered Yes Yes


Networking and networks, load
Security balancers, and
security groups

No day 2 actions
available

View deployed, Yes Yes Yes. Your Yes. Yes.


onboarded, projects. Your Your
and migrated projects. projects.
networks, load
balancers, and
security groups

Run day 2 actions Yes Yes. Your Yes.


on deployed, projects. Your
onboarded, projects.
and migrated
networks, load
balancers, and
security groups
based on policies


Alerts

See and open the Yes Yes Yes Yes Yes


Alerts tab

Manage alerts Yes Yes. Your Yes.


projects Your
projects

View alerts Yes Yes Yes. Your Yes. Yes.


projects Your Your
projects projects

Service Broker Service Roles


The Automation Service Broker service roles determine what you can see and do in Automation
Service Broker. These service roles are defined in the console by an organization owner.

Table 2-3. Service Broker Service Role Descriptions

| Role | Description |
|---|---|
| Service Broker Administrator | Must have read and write access to the entire user interface and API resources. This is the only user role that can perform all tasks, including creating a new project and assigning a project administrator. |
| Service Broker User | Any user who does not have the Automation Service Broker Administrator role. In an Automation Service Broker project, the administrator adds users to projects as project members, administrators, or viewers. The administrator can also add a project administrator. |
| Service Broker Viewer | A user who has read access to see information but cannot create, update, or delete values. This is a read-only role across all projects in all the services. Users with the viewer role can see all the information that is available to the administrator. They cannot take any action unless you make them a project administrator or a project member. If the user is affiliated with a project, they have the permissions related to the role. The project viewer would not extend their permissions the way that the administrator or member role does. |

In addition to the service roles, Automation Service Broker has project roles. Any project is
available in all of the services.


The project roles are defined in Automation Service Broker and can vary between projects.

In the following tables, which tell you what the different service and project roles can see
and do, remember that the service administrators have full permission on all areas of the user
interface.

The following descriptions of project roles will help you as you decide what permissions to
give your users.

- Project administrators leverage the infrastructure that is created by the service administrator
  to ensure that their project members have the resources they need for their development
  work.

- Project members work within their projects to design and deploy cloud templates. In the
  following table, Your projects can include only resources that you own or resources that are
  shared with other project members.

- Project viewers are restricted to read-only access.

- Project supervisors are approvers in Automation Service Broker for their projects where an
  approval policy is defined with a project supervisor approver. To provide the supervisor with
  context for approvals, consider also granting them the project member or viewer role.

Table 2-4. Service Broker Service Roles and Project Roles

Columns: UI Context | Task | Service Broker Administrator | Service Broker Viewer | Service Broker User: Project Administrator | Project Member | Project Viewer | Project Supervisor

A Service Broker User must be a project administrator to see and do project-related tasks.

Access
Service
Broker

Console In the console, Yes Yes Yes Yes Yes Yes


you can see
and open Service
Broker

Infrastructure

See and open the Yes Yes


Infrastructure tab

Administration Create projects Yes


- Projects

Update, or delete Yes


values from
project summary,
provisioning,
Kubernetes,
integrations, and
test project
configurations.


Add users and Yes Yes. Your


groups, and projects
assign roles in Only via API.
projects.

View projects Yes Yes Yes. Your Yes. Yes.


projects Your Your
projects projects

Administration Create custom Yes


- Custom user roles and
Roles assign them to
users and groups.

Administration Create custom Yes


- Custom resource names.
Names

Administration Create and delete Yes


- Secrets secret reusable
properties.

Administration Turn on or off Yes


- Settings internal settings.

Administration View the users Yes


- Users and and groups
Groups assigned to
custom roles.

Configure - Create, update, Yes


Cloud Zones or delete cloud
zones

View cloud zones Yes Yes

Configure - Create, update, or Yes


Kubernetes delete Kubernetes
Zones zones

View Kubernetes Yes Yes


zones

Connections - Create, update, Yes


Cloud or delete cloud
Accounts accounts

View cloud Yes Yes


accounts

Connections - Create, update, Yes


Integrations or delete
integrations


View integrations Yes Yes

Activity - Delete Yes


Requests deployment
request records

View deployment Yes


request records

Activity - View event logs Yes


Event Logs

Content and
Policies

See and open Yes Yes


the Content and
Policies tab

Content Create, update, Yes


Sources or delete content
sources

View content Yes Yes


sources

Content Customize form Yes


and configure
item

View content Yes Yes

Policies - Create, update, Yes


Definitions or delete policy
definitions

View policy Yes Yes


definitions

Policies - View enforcement Yes Yes


Enforcement log

Notifications - Configure an Yes


Email Server email server

Consume

See and open the Yes Yes Yes Yes Yes Yes
Consume tab

Projects See and search Yes Yes. Yes. Your Yes. Yes. Yes. Your
projects Your projects Your Your projects
projects projects projects


Catalog See and open the Yes Yes Yes Yes Yes Yes
Catalog page

View available Yes Yes Yes. Your Yes. Yes.


catalog items projects Your Your
projects projects

Request a catalog Yes Yes. Your Yes.


item projects Your
projects

Deployments - View Yes Yes Yes. Your Yes. Yes.


Deployments deployments, projects Your Your
including projects projects
deployment
details,
deployment
history, price,
monitor, alerts,
optimize, and
troubleshooting
information

Manage alerts Yes Yes. Your Yes.


projects Your
projects

Run day 2 actions Yes Yes. Your Yes.


on deployments projects Your
based on policies projects

Deployments - View all Yes Yes


Resources discovered
resources

Run day 2 actions Yes


on discovered
resources.
Actions available
only on machines
and limited to
power on and
off for all
machines, and
remote console
for vSphere
machines.


Deployments - View deployed, Yes Yes Yes. Your Yes. Yes.


All Resources onboarded, projects. Your Your
migrated projects. projects.
resources

Run Day 2 actions Yes Yes Yes. Your Yes.


on deployed, projects. Your
onboarded, projects.
and migrated
resources based
on policies

Deployments - View discovered Yes Yes


Virtual machines
Machines

Run day 2 actions Yes


on discovered
machines.
Actions are
limited to power
on and off, and
remote console
for vSphere
machines.


Create New VM Yes Yes. Yes. Your Yes.


This option Your projects. Your
is available projects. projects.
in Automation
Service Broker if
your administrator
activates the
option. To
activate the
option, select
Infrastructure >
Administration >
Settings.
By activating
the option,
Automation
Service Broker
users can create
VMs based on
any image and
any flavor even
though they are
not administrators
themselves.
To avoid
the potential
overconsumption
of resources,
administrators can
create approval
policies to reject
or approve
any deployment
requests based
on the image
used or the flavor
or size requested.

View deployed, Yes Yes. Your Yes. Yes.


onboarded, projects. Your Your
and migrated projects. projects.
resources.


Run day 2 actions Yes Yes. Your Yes.


on deployed, projects. Your
onboarded, projects.
and migrated
resources based
on policies

Deployments - View discovered Yes Yes


Volumes volumes

No day 2 actions
available

View deployed, Yes Yes Yes. Your Yes. Yes.


onboarded, and projects. Your Your
migrated volumes projects. projects.

Run day 2 actions Yes Yes. Your Yes.


on deployed, projects. Your
onboarded, and projects.
migrated volumes
based on policies

Deployments - View discovered Yes Yes


Networking networks, load
and Security balancers, and
security groups

No day 2 actions
available

View deployed, Yes Yes Yes. Your Yes. Yes.


onboarded, projects. Your Your
and migrated projects. projects.
networks, load
balancers, and
security groups

Run day 2 actions Yes Yes. Your Yes.


on deployed, projects. Your
onboarded, projects.
and migrated
networks, load
balancers, and
security groups
based on policies

Inbox

See and open the Yes Yes


Inbox tab


Approvals View approval Yes Yes Yes Yes Yes Yes


requests

Respond to Yes Yes. Your Only if Only if Yes. Your


approval requests projects and you are a you are projects
the policy named a named and the
approver is approver approver policy
Project approver
Administrator is Project
Supervisor

User Input View user input Yes Yes Yes Yes


Requests requests

Respond to user Only if you Only if Only if you Only if Only if Only if you
input requests are assigned you are are assigned you are you are are
to provide assigned to provide assigned assigned assigned
input to input to to to provide
provide provide provide input
input input input

Active Directory sync and authentication with multiple domains

When adding a directory, you must choose whether to use the SAM Account Name or the User
Principal Name (UPN) as the Active Directory attribute that contains the user name. Each choice
has implications that you should consider.

The following list outlines important issues that you should understand regarding syncing
multiple domains with Active Directory.

- When an Active Directory is synced by SAM Account Name, usernames are in the format
"USERNAME".

- When an Active Directory is synced by User Principal Name (UPN), usernames are in the
format "USERNAME@DOMAIN". A UPN consists of a UPN prefix (the user account name) and
a UPN suffix (a DNS domain name). The prefix is joined with the suffix using the @ symbol.
For example, [email protected].

- By convention, the User Principal Name (UPN) matches the email of the user, but there
might be exceptions: The UPN might be [email protected] but the email field can be
[email protected]. The username and email fields are mapped to different attributes from
the Active Directory.

No matter what format you choose, the same account is specified.


Consider the following issues when choosing the SAM Account Name as the attribute for the
username: It is possible to explicitly configure a user in different domains with the same SAM
Account Name but with a different User Principal Name (UPN). As a consequence, for the SAM
Account Name to work in a multi-domain environment, you must ensure that the attribute is
unique across all of the domains, not just within a specific domain. In contrast, a
configuration that uses the User Principal Name (UPN) supports a multi-domain environment
without any issues.
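The uniqueness requirement above can be checked before you choose the attribute. The following is an added example, not VMware code: it takes a user export from each domain and reports SAM Account Names that occur in more than one domain. The export format, domain names and accounts are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: users exported from two Active Directory domains.
# Domains, account names and UPNs are invented for this example.
SAMPLE_USERS = [
    {"domain": "emea.example.test", "sAMAccountName": "jsmith",
     "userPrincipalName": "jsmith@emea.example.test"},
    {"domain": "amer.example.test", "sAMAccountName": "JSmith",
     "userPrincipalName": "jsmith@amer.example.test"},
    {"domain": "emea.example.test", "sAMAccountName": "akhan",
     "userPrincipalName": "akhan@emea.example.test"},
    {"domain": "amer.example.test", "sAMAccountName": "mlee",
     "userPrincipalName": "mlee@amer.example.test"},
    {"domain": "amer.example.test", "sAMAccountName": "svc-backup",
     "userPrincipalName": ""},
]


def normalize(value):
    """Trim and fold case so that 'JSmith' and 'jsmith' compare as equal."""
    return (value or "").strip().casefold()


def cross_domain_collisions(users, attribute):
    """Map each attribute value used in more than one domain to those domains."""
    domains_by_value = defaultdict(set)
    for user in users:
        value = normalize(user.get(attribute))
        if value:  # accounts without the attribute cannot collide on it
            domains_by_value[value].add(normalize(user["domain"]))
    return {
        value: sorted(domains)
        for value, domains in sorted(domains_by_value.items())
        if len(domains) > 1
    }


def accounts_without_upn(users):
    """List (domain, sAMAccountName) pairs that carry no UPN in the export."""
    return sorted(
        (normalize(u["domain"]), normalize(u.get("sAMAccountName")))
        for u in users
        if not normalize(u.get("userPrincipalName"))
    )


def audit_username_attribute(users):
    """Report collisions for both candidate username attributes."""
    sam = cross_domain_collisions(users, "sAMAccountName")
    return {
        "sam_collisions": sam,
        "upn_collisions": cross_domain_collisions(users, "userPrincipalName"),
        "missing_upn": accounts_without_upn(users),
        "sam_unique": not sam,
    }


if __name__ == "__main__":
    report = audit_username_attribute(SAMPLE_USERS)
    for name, domains in report["sam_collisions"].items():
        print(f"SAM Account Name '{name}' exists in: {', '.join(domains)}")
    for name, domains in report["upn_collisions"].items():
        print(f"UPN '{name}' exists in: {', '.join(domains)}")
    for domain, sam in report["missing_upn"]:
        print(f"No UPN in export for {sam} ({domain})")
    print("SAM Account Name unique across domains:", report["sam_unique"])
```

In the sample, jsmith exists in both domains, so syncing by SAM Account Name would leave that username ambiguous, while the two UPNs remain distinct.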

Display full names of users


By default, users in VMware Aria Automation are identified with user IDs, such as Active
Directory SAM Account Names or User Principal Names (UPN). You can expose the personal
names (first and last name) of your users on different pages across the organization, such as
Resources, Deployments, and Policies.

To be legally compliant with regulations such as the California Consumer Privacy Act (CCPA), the
General Data Protection Regulation (GDPR) and others, you must provide explicit consent to data
compliance when you expose the names of users.

If you deactivate the feature, you revoke consent and the names of your users will no longer be
displayed in the VMware Aria Automation user interface.

Important: VMware Aria Automation employs a data at rest policy, which means that storing
personal user data is necessary for performance and low latency requirements of the application,
so storing the data is considered legally data compliant with or without explicit user consent.

For more information, see the Privacy and Data Protection policies.

Procedure

1 Log in as an administrator.

2 Go to Infrastructure > Settings, and click Show names of users.

3 Toggle the feature on or off.

4 Click Save.

Enable Department of Defense Notice and Consent Banner


For some government customers, an administrator must configure the standard Department of
Defense (DoD) notice and consent banner in Workspace ONE Access to allow users to access
VMware Aria Automation.

The Standard Mandatory DoD Notice and Consent Banner text is as follows:


You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-
authorized use only. By using this IS (which includes any device attached to this IS) you consent
to the following conditions:

- The USG routinely intercepts and monitors communications on this IS for purposes including,
but not limited to, penetration testing, COMSEC monitoring, network operations and defense,
personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

- At any time, the USG may inspect and seize data stored on this IS.

- Communications using, or data stored on, this IS are not private, are subject to routine
monitoring, interception, and search, and may be disclosed or used for any USG-authorized
purpose.

The following steps describe how to configure this banner in Workspace ONE Access. For more
information, see the Workspace ONE Access administrative console documentation.

Procedure

1 Log in to the Workspace ONE Access administrative console as an administrator.

2 In the Workspace ONE Access console, click the Identity and Access Management tab.

3 Click Setup and then click the Connectors tab.

4 Click the Worker link for each connector that you want to configure.

5 Click the Auth Adapters tab and then CertificateAuthAdapter.

6 Click the Enable Consent Form before Authentication check box.

7 Paste the Standard Mandatory DoD Notice and Consent Banner text into the Consent Form
Content box.

8 Save your changes.

Chapter 3. Maintaining your VMware Aria Automation appliance

As a system administrator, you might need to perform various tasks to ensure the proper
functioning of your installed VMware Aria Automation application.

If you are just getting started with VMware Aria Automation, these are not required tasks.
Knowing how to perform these tasks is useful if you need to resolve performance or product
behavior issues.

Read the following topics next:

- Starting and stopping VMware Aria Automation
- Scale out VMware Aria Automation from one to three nodes
- Configure an anti-affinity rule and virtual machine group for a clustered Workspace ONE
Access instance in VMware Aria Automation
- Configure anti-affinity rules for VMware Aria Automation appliances
- Configure anti-affinity rule and virtual machine group for a clustered VMware Aria Automation
instance
- Replacing a VMware Aria Automation appliance node
- Increase VMware Aria Automation appliance disk space
- Update the DNS assignment for VMware Aria Automation
- Change IP addresses of VMware Aria Automation node or cluster
- How do I enable time synchronization of VMware Aria Automation
- How do I reset the root password for VMware Aria Automation

Starting and stopping VMware Aria Automation


Observe the proper procedures when starting or shutting down VMware Aria Automation.

The recommended procedure to shut down and start VMware Aria Automation components is
to use the Power OFF and ON functionality provided in the Lifecycle Operations > Environments
section of VMware Aria Suite Lifecycle. The following procedures outline manual methods to shut
down and start VMware Aria Automation components in case VMware Aria Suite Lifecycle is not
available.


Shut down VMware Aria Automation


To preserve data integrity, shut down the VMware Aria Automation services before powering
off the virtual appliances. Using SSH or VMRC, you can shut down or start all nodes from any
individual appliance.

Note: Avoid using the vracli reset vidm command if at all possible. This command resets
all configurations of Workspace ONE Access and breaks the association between users and
provisioned resources.

1 Log in to the console of any VMware Aria Automation appliance using either SSH or VMRC.

2 To shut down the VMware Aria Automation services on all cluster nodes, run the following set
of commands.

Note: If you copy any of these commands to run and they fail, paste them into Notepad
first, and then copy them again before running them. This procedure strips out any hidden
characters and other artifacts that might exist in the documentation source.

/opt/scripts/deploy.sh --shutdown

3 Shut down the VMware Aria Automation appliances.

Your VMware Aria Automation deployment is now shut down.

Start VMware Aria Automation


Following an unplanned shutdown, a controlled shutdown, or a recovery procedure, you must
restart VMware Aria Automation components in a specific order. VMware Aria Suite Lifecycle is
a non-critical component, so you can start it at any time. Workspace ONE Access components
must be started before you start VMware Aria Automation.

Note: Verify that applicable load balancers are running before starting VMware Aria Automation
components.

1 Power on all VMware Aria Automation appliances and wait for them to start.

2 Log in to the console for any appliance using SSH or VMRC and run the following command to
restore the services on all nodes.

/opt/scripts/deploy.sh

3 Verify that all services are up and running with the following command.

kubectl get pods --all-namespaces

Note: You should see three instances of every service, with a status of either Running or
Completed.


When all services are listed as Running or Completed, VMware Aria Automation is ready to
use.

Restart VMware Aria Automation


You can restart all VMware Aria Automation services centrally from any of the appliances in your
cluster. Follow the preceding instructions to shut down VMware Aria Automation, and then use
the instructions to start VMware Aria Automation. Before restarting VMware Aria Automation,
verify that all applicable load balancer and Workspace ONE Access components are running.

When all services are listed as Running or Completed, then VMware Aria Automation is ready to
use.

Run the following command to verify that all services are running:

kubectl -n prelude get pods
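A check for the verification steps in the start and restart procedures above, as an added example that is not VMware code: it parses the text output of either kubectl command and lists pods that are not Running or Completed. The pod names are constructed, and the READY comparison is an extra check that the procedure itself does not require.

```python
# Constructed sample of `kubectl get pods --all-namespaces` output.
# Pod names are invented; they are not the appliance's real service names.
SAMPLE_OUTPUT = """\
NAMESPACE     NAME                READY   STATUS             RESTARTS      AGE
kube-system   example-dns-x1      1/1     Running            0             12m
prelude       example-app-a1      1/1     Running            0             9m
prelude       example-app-b2      0/1     CrashLoopBackOff   6 (2m ago)    9m
prelude       example-job-c3      0/1     Completed          0             10m
prelude       example-db-0        0/1     Running            0             8m
prelude       example-ui-d4       0/1     Init:0/1           0             2m
"""

ACCEPTED = {"Running", "Completed"}  # the two states the procedure accepts


def parse_pods(text):
    """Parse `kubectl get pods` table output, with or without a NAMESPACE column."""
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        # kubectl prints nothing on stdout when no pods exist.
        raise ValueError("empty pod listing")
    header = lines[0].split()
    for column in ("NAME", "READY", "STATUS"):
        if column not in header:
            raise ValueError(f"missing column {column}")
    has_namespace = header[0] == "NAMESPACE"
    name_i = header.index("NAME")
    ready_i = header.index("READY")
    status_i = header.index("STATUS")
    pods = []
    for line in lines[1:]:
        # Only the leading columns are read, so a RESTARTS value such as
        # "6 (2m ago)", which contains spaces, does not shift them.
        cols = line.split()
        if len(cols) <= status_i:
            raise ValueError(f"unparseable row: {line!r}")
        pods.append({
            "namespace": cols[0] if has_namespace else "",
            "name": cols[name_i],
            "ready": cols[ready_i],
            "status": cols[status_i],
        })
    return pods


def startup_problems(text):
    """Return (namespace, pod, reason) for every pod that blocks readiness."""
    problems = []
    for pod in parse_pods(text):
        status = pod["status"]
        if status == "Completed":
            continue  # finished jobs legitimately show 0/1 ready
        if status not in ACCEPTED:
            problems.append((pod["namespace"], pod["name"], f"status {status}"))
            continue
        # Extra check beyond the documented rule: a Running pod whose
        # containers are not all ready is not serving requests yet.
        ready, _, total = pod["ready"].partition("/")
        if ready != total:
            problems.append((pod["namespace"], pod["name"], f"ready {pod['ready']}"))
    return problems


def ready_to_use(text):
    """True only when a non-empty listing has no blocking pods."""
    try:
        return not startup_problems(text)
    except ValueError:
        return False  # an empty or malformed listing is never treated as healthy


if __name__ == "__main__":
    for namespace, name, reason in startup_problems(SAMPLE_OUTPUT):
        print(f"{namespace or '-'}/{name}: {reason}")
    print("ready to use:", ready_to_use(SAMPLE_OUTPUT))
```

The check covers pod state only; it does not count the three instances per service that a clustered deployment should show.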

Scale out VMware Aria Automation from one to three nodes


As needs expand, you can scale out a VMware Aria Automation deployment from one node to
three nodes.

You must use features of VMware Aria Suite Lifecycle to complete many steps of this procedure.
For information about working with VMware Aria Suite Lifecycle installation, upgrade, and
management, see VMware Aria Suite Lifecycle product documentation.

If you are using a three node clustered deployment, VMware Aria Automation can typically
withstand the failure of one node and still function. The failure of two nodes in a three node
cluster will render VMware Aria Automation non-functional.

Prerequisites

This procedure assumes that you already have a functioning single node VMware Aria
Automation deployment.

Procedure

1 Shut down all VMware Aria Automation appliances.

To shut down the VMware Aria Automation services on all cluster nodes, run the following set
of commands.

/opt/scripts/svc-stop.sh
sleep 120
/opt/scripts/deploy.sh --onlyClean

Now you can shut down the VMware Aria Automation appliances.


2 Take a deployment snapshot.

Use the Create Snapshot option in VMware Aria Suite Lifecycle by selecting Lifecycle
Operations > Environments > vRA > View Details.

Note: Online snapshots, taken without shutting down VMware Aria Automation nodes, are
supported.

3 Power on the VMware Aria Automation appliance and bring up all containers.

4 Using the Locker functionality located in VMware Aria Suite Lifecycle at Locker > Certificates,
generate or import VMware Aria Automation certificates for all components, including
VMware Aria Automation node FQDNs and the VMware Aria Automation load balancer
FQDN.

Add the names of all three appliances in the Subject Alternative Names.

5 Import the new certificate into VMware Aria Suite Lifecycle.

6 Replace the existing VMware Aria Automation certificate with the one generated in the
previous step using the Lifecycle Operations > Environments > vRA > View Details > Replace
Certificate option in VMware Aria Suite Lifecycle.

7 Scale out VMware Aria Automation to three nodes using the Add Components option in
VMware Aria Suite Lifecycle by selecting Lifecycle Operations > Environments > vRA > View
Details.

Note: If your VMware Aria Automation deployment is patched, refer to the workaround in KB
96619.

Results

VMware Aria Automation has been scaled to a three node deployment.

Configure an anti-affinity rule and virtual machine group for a clustered Workspace ONE Access instance in VMware Aria Automation

If your VMware Aria Automation environment uses a clustered Workspace ONE Access instance,
you can create an anti-affinity rule and machine cluster to ensure proper vSphere High
Availability workflow.

To protect any clustered Workspace ONE Access nodes from a host-level failure, you can
configure an anti-affinity rule so that the virtual machines run on different hosts in the
default vSphere management cluster. To define the desired machine start-up order, create an
anti-affinity rule to configure a virtual machine group. By using a defined machine start-up
order, you can ensure that vSphere High Availability powers on the clustered Workspace ONE
Access nodes in the correct order.


For general information about creating datastore anti-affinity rules for VMs, see Create VM anti-
affinity rules.

For information about how to configure anti-affinity rules for a VMware Aria Automation
appliance, see Configure anti-affinity rules for VMware Aria Automation appliances.

Configure anti-affinity rules for VMware Aria Automation appliances

Create an anti-affinity rule to ensure that each VMware Aria Automation appliance runs on a
different ESXi host. This ensures that if an ESXi host fails, the VMware Aria Automation appliance
remains available and operational on one or more other hosts.

1 In a web browser, log in to the management domain or VI workload domain vCenter at
https://vcenter_server_fqdn/ui.

2 Select Menu > Hosts and Clusters.

3 In the inventory, expand vCenter Server > Datacenter.

4 Select the VMware Aria Automation appliance or appliances and click the Configure tab.

5 Select VM/Host rules and click Add.

6 Enter the following rule details:

- Name - Enter a new rule name.

- Enable rule - Toggle this option on.

- Type - Select Separate Virtual Machines.

- Members - Click Add, select the VMware Aria Automation appliance or appliances, and
click OK.

7 Click OK on the Create VM/Host rule page.

Configure anti-affinity rule and virtual machine group for a clustered VMware Aria Automation instance

If your VMware Aria Automation environment is clustered, you can create an anti-affinity rule and
machine cluster to ensure proper vSphere High Availability workflow.

To protect any clustered VMware Aria Automation nodes from a host-level failure, configure
an anti-affinity rule so that the virtual machines run on different hosts in the default vSphere
management cluster. After you create an anti-affinity rule, configure a virtual machine group to
define the desired machine start-up order. By using a defined machine start-up order, you can
ensure that vSphere High Availability powers on the clustered VMware Aria Automation nodes in
the correct order for your environment.


For information about how to configure anti-affinity rules for a manager cluster, see Create
Anti-Affinity Rule for Global Manager Cluster in VMware Cloud Foundation in VMware Cloud
Foundation Product Documentation.

For general information about creating anti-affinity rules for VMs, see Create VM Anti-Affinity
Rules.

Replacing a VMware Aria Automation appliance node


When a VMware Aria Automation appliance in a multiple-node, high availability (HA)
configuration has failed, you might need to replace the faulty node.

Caution: Before proceeding, VMware recommends that you contact technical support to
troubleshoot the HA issue and verify that the problem is isolated to one node.

If technical support determines that you need to replace the node, take the following steps.

1 In vCenter, take backup snapshots of every appliance in the HA configuration.

In the backup snapshots, don't include virtual machine memory.

2 Shut down the faulty node.

3 Make note of the faulty node's VMware Aria Automation software build number and network
settings.

Note the FQDN, IP address, gateway, DNS servers, and especially MAC address. Later, you
assign the same values to the replacement node.

4 Check the status of the primary database node. From a root command line on any healthy
node, run the following:

> kubectl get pod `vracli status | jq -r '.databaseNodes[] | select(.["Role"] == "primary") | .["Node name"]' | cut -d '.' -f 1` -n prelude -o wide --no-headers=true

primary-db-node-name 1/1 Running 0 39h 12.123.2.14 vc-vm-224-84.company.com <none> <none>

Important: The primary database node must be one of the healthy nodes.

If the primary database node is faulty, contact technical support instead of proceeding.

5 From the root command line of the healthy node, remove the faulty node.

vracli cluster remove faulty-node-FQDN

6 Use vCenter to deploy a new, replacement VMware Aria Automation node.

Deploy the same VMware Aria Automation software build number, and apply the network
settings from the faulty node. Include the FQDN, IP address, gateway, DNS servers, and
especially MAC address that you noted earlier.

7 Power on the replacement node.


8 Log in as root to the command line of the replacement node.

9 Verify that the initial boot sequence has finished by running the following command.

vracli status first-boot

Look for a First boot complete message.

10 From the replacement node, join the VMware Aria Automation cluster.

Note: If your VMware Aria Automation deployment is patched, refer to the workaround in KB
96619.

vracli cluster join primary-DB-node-FQDN

11 Log in as root to the command line of the primary database node.

12 Deploy the repaired cluster by running the following script:

/opt/scripts/deploy.sh

Increase VMware Aria Automation appliance disk space


You might need to increase VMware Aria Automation appliance disk space for purposes such as
log file storage.

Procedure

1 Use vSphere to expand the VMDK on the VMware Aria Automation appliance.

2 Log in to the command line of the VMware Aria Automation appliance as a root user.

3 From the command prompt, run the following VMware Aria Automation command:

vracli disk-mgr resize

If VMware Aria Automation resizing fails, see Knowledge Base article 79925.

Update the DNS assignment for VMware Aria Automation


An administrator can update the DNS assignments for VMware Aria Automation.

Procedure

1 Log in to the console for any VMware Aria Automation appliance using either SSH or VMRC.

2 Run the following command.

vracli network dns set --servers DNS1,DNS2

3 Verify that the new DNS servers were properly applied to all VMware Aria Automation nodes
with the vracli network dns status command.


4 Run the following set of commands to shut down the VMware Aria Automation services on all
cluster nodes.

For related information about shutting down VMware Aria Automation, see Starting and
stopping VMware Aria Automation.

/opt/scripts/svc-stop.sh
sleep 120
/opt/scripts/deploy.sh --onlyClean

5 Restart the VMware Aria Automation nodes and wait for them to start completely.

For related information about restarting VMware Aria Automation, see Starting and stopping
VMware Aria Automation.

6 Log in to each VMware Aria Automation node with SSH and verify that the new DNS servers
are listed in /etc/resolv.conf.

7 On one of the VMware Aria Automation nodes, run the following command to start the
VMware Aria Automation services: /opt/scripts/deploy.sh

Results

The VMware Aria Automation DNS settings are changed as specified.

Change IP addresses of VMware Aria Automation node or cluster

You can change the IP address of a VMware Aria Automation node or cluster.

For example, you might want to migrate your deployed VMware Aria Automation environment to
a more convenient vCenter or to support VMware Aria Automation fail-over.

As a VMware Aria Automation administrator, you can use the following procedure to set a new IP
address for the VMware Aria Automation node or cluster and then redeploy services to the new
IP address.

Note: Before you proceed with changing the IP of a VMware Aria Automation node or cluster,
you must verify that the node or cluster is in a healthy state. Attempting to run this procedure on
a node or cluster that is not in a healthy state can create problems that are very challenging to
resolve.


In this procedure, you will restart VMware Aria Automation in a specific and sequential manner.
For related information about shutting down and restarting VMware Aria Automation, see
Starting and stopping VMware Aria Automation.

1 Verify that the VMware Aria Automation node or cluster is in a healthy state by using the
following command.

vracli service status

2 When VMware Aria Automation is in a healthy state, set the alternative IP of the node or cluster
appliance(s) by using the following command.

vracli network alternative-ip set --dns DNSIPaddress1,DNSIPaddress2 IPV4_address Gateway_IPV4_address

If you are working with a cluster, set the alternative IP of each applicable node in the cluster.

3 Shut down the services by using the following command.

/opt/scripts/deploy.sh --shutdown

4 If needed, perform a VMware Aria Automation fail-over or migration operation. See
information about VMware Site Recovery Manager and your own internal procedures and
practices.

5 Change the IP of VMware Aria Automation by using the following command.

vracli network alternative-ip swap

If you are using a VMware Aria Automation cluster, you must change the IP address of each
node in the cluster.

6 Reboot VMware Aria Automation by using the following command.

shutdown -r now

If you are using a VMware Aria Automation cluster, you must reboot each node in the cluster.

7 Redeploy VMware Aria Automation services by using the following command.

/opt/scripts/deploy.sh

After you reboot VMware Aria Automation and the redeployed services are running, VMware Aria
Automation should be available at the new IP address.

How do I enable time synchronization of VMware Aria Automation

You can enable time synchronization on your VMware Aria Automation deployment by using the
VMware Aria Automation appliance command line.


You can configure time synchronization for your standalone or clustered VMware Aria
Automation deployment by using the Network Time Protocol (NTP).
VMware Aria Automation supports two mutually exclusive NTP configurations:

NTP configuration | Description

ESXi | This configuration can be used when the ESXi server hosting VMware Aria Automation is
synchronized with an NTP server. If you are using a clustered deployment, all ESXi hosts must
be synchronized with an NTP server. For more information about configuring NTP for ESXi, see
KB article 57147 Configuring Network Time Protocol (NTP) on an ESXi host using the vSphere
Web Client.
Note: If your VMware Aria Automation deployment is migrated to an ESXi host that is not
synchronized to an NTP server, you can experience clock drift.

systemd | This configuration uses the systemd-timesyncd daemon to synchronize the clocks of
your VMware Aria Automation deployment.
Note: By default, the systemd-timesyncd daemon is enabled, but configured with no NTP
servers. If the VMware Aria Automation appliance uses a dynamic IP configuration, the
appliance can use any NTP servers received by the DHCP protocol.

Procedure

1 Log in to the VMware Aria Automation appliance command line as root.

2 Enable NTP with ESXi.

a Run the vracli ntp esxi command.

b (Optional) To confirm the status of the NTP configuration, run the vracli ntp status
command.

You can also reset the NTP configuration to the default state by running the vracli ntp
reset command.

3 Enable NTP with systemd.

a Run the vracli ntp systemd --set FQDN_or_IP_of_NTP_server command.

Note: You can add multiple systemd NTP servers by separating their network addresses
with a comma. Each network address must be placed inside single quotation marks. For
example, vracli ntp systemd --set 'ntp_address_1','ntp_address_2'.

b (Optional) To confirm the status of the NTP configuration, run the vracli ntp status
command.


Results

You have enabled time synchronization for your VMware Aria Automation appliance deployment.

What to do next

The NTP configuration can fail if there is a time difference of more than 10 minutes between the
NTP server and the VMware Aria Automation deployment. To resolve this problem, reboot the
VMware Aria Automation appliance.

How do I reset the root password for VMware Aria Automation

You can reset a lost or forgotten VMware Aria Automation root password.

In this procedure, you use a command line window on the host vCenter appliance to reset your
organization’s VMware Aria Automation root password.

Prerequisites

This process is for VMware Aria Automation administrators and requires the credentials needed
to access the host vCenter appliance.

For related information about password management in VMware Aria Suite Lifecycle, see KB
92245.

Procedure

1 Shut down and start up VMware Aria Automation by using the procedure described in
Starting and stopping VMware Aria Automation.

2 When the Photon operating system command line window appears, enter e and press the
Enter key to open the GNU GRUB boot menu editor.


3 In the GNU GRUB editor, enter rw init=/bin/bash at the end of the line that begins with linux
"/" $photon_linux root=rootpartition.

4 Press the F10 key to push your change and restart VMware Aria Automation.

5 Wait for VMware Aria Automation to restart.

6 At the root [/]# prompt, enter passwd and press the Enter key.

7 At the New password: prompt, enter your new password and press the Enter key.

8 At the Retype new password: prompt, reenter your new password and press the Enter key.

9 At the root [/]# prompt, enter reboot -f and press the Enter key to complete the root
password reset process.

What to do next

As a VMware Aria Automation administrator, you can now log in to VMware Aria Automation
with the new root password.

To remediate passwords outside of VMware Aria Suite Lifecycle, see KB 92253.

Chapter 4: Using multi-organization tenant configurations in VMware Aria Automation
VMware Aria Automation enables IT providers to set up multiple tenants, or organizations, within
each deployment. Providers can set up multiple tenant organizations and allocate infrastructure
within each deployment and also manage users for tenants.

In a VMware Aria Automation multi-organization configuration, providers can create multiple
organizations, and each tenant organization manages its own projects, resources and
deployments. While providers cannot manage tenant infrastructure remotely, they can log in
to tenants and manage infrastructure within their tenants.

Multi-tenancy relies on coordination and configuration of three different VMware products as
outlined below:

- Workspace ONE Access - This product provides the infrastructure support for multi-tenancy
  and the Active Directory domain connections that provide user and group management
  within tenant organizations.

- VMware Aria Suite Lifecycle - This product supports the creation and configuration of tenants
  for supported products, such as VMware Aria Automation. In addition, it provides some
  certificate management capabilities.

- VMware Aria Automation - Providers and users log in to VMware Aria Automation to access
  tenants in which they create and manage deployments.

When configuring multi-tenancy, users should be familiar with all three of these products and
their associated documentation.

For more information about working with VMware Aria Suite Lifecycle and Workspace ONE Access,
see the following:

- VMware Aria Suite Lifecycle product documentation
- VMware Workspace ONE Access product documentation

Administrators with VMware Aria Suite Lifecycle privileges create and manage tenants using the
VMware Aria Suite Lifecycle tenants page located under the Identity and Tenant Management
service. Tenants are constructed by using an Active Directory IWA or LDAP connection. They are
supported by the associated Workspace ONE Access instance that is required for VMware Aria
Automation deployments.


When configuring multi-tenancy, you start with a base, or master tenant. This tenant is the
default tenant that is created when the underlying Workspace ONE Access application is
deployed. Other tenants, known as sub-tenants, can be based upon the master tenant. VMware
Aria Automation currently supports up to 20 tenant organizations with the standard three node
deployment.

Before enabling VMware Aria Automation for multi-tenancy, you must first install the application
in a single organization configuration, and then use VMware Aria Suite Lifecycle to set up a multi-
organization configuration. A Workspace ONE Access deployment supports the management of
tenants and the associated Active Directory domain connections.

When you initially set up multi-tenancy, a provider administrator is designated in VMware Aria
Suite Lifecycle. You can change this designation or add administrators later if desired. Under
multi-organization configurations, VMware Aria Automation users and groups are managed
primarily through Workspace ONE Access.

After organizations are created, authorized users can log in to their applications to create or
work with projects and resources and create deployments. Administrators can manage user roles
in VMware Aria Automation.

Setting up for a multi-organization configuration


You can enable a multi-organization deployment after completing a VMware Aria Automation
installation. When setting up a multi-organization configuration, you must configure your external
Workspace ONE Access for multi-tenancy use and then use Lifecycle Manager to create and
configure tenants. This applies to both new and existing deployments. As an initial step to setting
up tenants, you must use VMware Aria Suite Lifecycle to set an alias for the master tenant that
was created by default on Workspace ONE Access. Sub-tenants that you create based on this
master tenant inherit the Active Directory domain configurations from this master tenant.

In Lifecycle Manager, you assign tenants to a product, such as VMware Aria Automation, and to a
specific environment. When setting up a tenant, you must also designate a tenant administrator.
By default, multi-tenancy is enabled based on tenant hostname. Users can elect to manually
configure tenant name by DNS name. During this procedure you must set several flags to
support multi-tenancy, and you must configure the load balancer as well.

If you use a clustered instance, both the Workspace ONE Access and VMware Aria Automation
tenant based hostnames will point to the load balancer.

If your clustered VMware Aria Automation and Workspace ONE Access load balancers do
not use wildcard certificates, then users must add tenant hostnames as SAN entries on the
certificates for every new tenant that is created.

You cannot delete tenants in VMware Aria Automation or in VMware Aria Suite Lifecycle. If you
need to add tenants to an existing multi-tenancy deployment, you can do this using VMware Aria
Suite Lifecycle, but it will require downtime of three to four hours.

Refer to the documentation links at the beginning of this topic for more information about using
VMware Aria Suite Lifecycle and Workspace ONE Access.


Hostnames and multi-tenancy


In prior versions of VMware Aria Automation, users accessed tenants with URLs that were based
on directory path. In the current multi-tenancy implementation, users access tenants based on
hostname.

Also, the hostname format that VMware Aria Automation users will use to access tenants differs
from the format that is used to access tenants within Workspace ONE Access. For example, a
valid hostname would look like the following: tenant1.example.eng.vmware.com as opposed to
vidm-node1.eng.vmware.com.

Multi-tenancy and certificates


You must create certificates for all components involved in a multi-organization configuration.
You will need one or more certificates for Workspace ONE Access, VMware Aria Suite Lifecycle,
and VMware Aria Automation, depending on whether you are using a single node configuration
or a clustered configuration.

When configuring certificates, you can use either wildcards with the SAN names or dedicated
names. Using wildcards simplifies certificate management somewhat, because otherwise certificates
must be updated whenever you add new tenants. If your VMware Aria Automation and Workspace ONE
Access load balancers do not use wildcard certificates, then you must add tenant hostnames
as SAN entries on the certificates for every new tenant that is created. Also, if you use SAN,
certificates must be updated manually if you add or delete hosts or change a hostname. You
must also update DNS entries for tenants.

Note that VMware Aria Suite Lifecycle does not create separate certificates for
each tenant. Instead it creates a single certificate with each tenant hostname
listed. For basic configurations, the tenant's CNAME uses the following format:
tenantname.vrahostname.domain. For high availability configurations, the name uses the
following format: tenantname.vraLBhostname.domain.

If you are using a clustered Workspace ONE Access configuration, note that Lifecycle Manager
cannot update the load balancer certificate, so you must update it manually. Also, if you need to
re-register products or services that are external to VMware Aria Suite Lifecycle, this is a manual
process.

Read the following topics next:

- Set up multi-organization tenancy for VMware Aria Automation
- Logging in to tenants and adding users in VMware Aria Automation
- Using VMware Aria Automation Orchestrator with VMware Aria Automation multi-organization
  deployments


Set up multi-organization tenancy for VMware Aria Automation
You can set up multi-organization tenancy for VMware Aria Automation by using VMware Aria
Suite Lifecycle.

The following is a high level description of the procedure to set up multi-tenancy for VMware Aria
Automation including configuring DNS and certificates. It focuses on a single node deployment
but includes notes for a clustered configuration.

For related information and a video demonstration of configuring VMware Aria Automation multi-
organization multi-tenancy, see this VMware blog.

Prerequisites

- Install and configure Workspace ONE Access.
- Install and configure VMware Aria Suite Lifecycle.

Procedure

1 Create the required A and CNAME Type DNS records.

- For your primary tenant and each sub-tenant, you must create and apply a SAN
  certificate.

- For single node deployments, the VMware Aria Automation FQDN points to the VMware
  Aria Automation appliance, and the Workspace ONE Access FQDN points to the
  Workspace ONE Access appliance.

- For clustered deployments, both the Workspace ONE Access and VMware Aria
  Automation tenant-based FQDNs must point to their respective load balancers.
  Workspace ONE Access is configured with SSL Termination, so the certificate is applied
  on both the Workspace ONE Access cluster and load balancer. The VMware Aria
  Automation load balancer uses SSL passthrough, so the certificate is applied only on the
  VMware Aria Automation cluster.

See Managing certificates and DNS configuration under single-node multi-organization
deployments and Managing certificate and DNS configuration in clustered VMware Aria
Automation deployments for more details.

2 Create or import the required multi-domain (SAN) certificates for both Workspace ONE
Access and VMware Aria Automation.

You can create certificates in VMware Aria Suite Lifecycle by using the Locker service. The
Locker service allows you to create certificates, licenses, and passwords. Alternatively, you
can use a CA server or some other mechanism to generate certificates.

If you need to add or create additional tenants, you must recreate and apply your VMware
Aria Automation and Workspace ONE Access tenants.


After you create your certificates, you can apply them within VMware Aria Suite Lifecycle
by using the Lifecycle Operations feature. You must select the environment and product
and then select the Replace Certificate option. Then you can select the product. When you
replace a certificate, you must re-trust all associated products in your environment.

Wait for the certificate to be applied and all services to restart before proceeding to the next
step.

See Managing certificates and DNS configuration under single-node multi-organization
deployments and Managing certificate and DNS configuration in clustered VMware Aria
Automation deployments for more details.

3 Apply the Workspace ONE Access SAN certificate on the Workspace ONE Access instance
or cluster.

4 In VMware Aria Suite Lifecycle, run the Enable Tenancy wizard to enable multi-tenancy and
create an alias for the default primary tenant.

Enabling tenancy requires that you create an alias for the provider organization primary
tenant or default tenant. After you enable tenancy, you can access Workspace ONE Access
via the primary tenant FQDN.

For example, if the existing Workspace ONE Access FQDN is idm.example.local and you
create an alias of default-tenant, after tenancy is enabled, the Workspace ONE Access FQDN
changes to default-tenant.example.local, and all clients communicating with Workspace
ONE Access would now communicate through default-tenant.example.local.

5 Apply the VMware Aria Automation SAN certificates on the VMware Aria Automation
instance or cluster.

You can apply SAN certificates through the VMware Aria Suite Lifecycle Lifecycle Operations
service. Display details of the environment and then select Replace Certificates. You must
wait for the certificate replacement task to complete before adding tenants. As part of
certificate replacement, VMware Aria Automation services will restart.

6 In VMware Aria Suite Lifecycle, run the Add Tenants wizard to configure the desired tenants.

You add tenants by using the VMware Aria Suite Lifecycle Tenant Management page located
under Identity and Tenant Management. You can only add tenants for which you have
previously configured certificates and DNS settings.

When creating a tenant, you must designate a tenant administrator and you can select
the Active Directory connections for this tenant. Available connections are based on those
configured in your default or primary tenant. You must also select the product or product
instance to which the tenant will be associated.

What to do next

After you create tenants, you can use the VMware Aria Suite Lifecycle Tenant Management page
located under Identity and Tenant Management to change or add tenant administrators, add
Active Directory directories to the tenant and change product associations for the tenant.


You can also log in to your Workspace ONE Access instance to view and validate your tenant
configuration.

Managing certificates and DNS configuration under single-node multi-organization deployments
Multi-organization tenancy VMware Aria Automation configurations rely on a coordinated
configuration between several products, and you must ensure that DNS settings and certificates
are configured correctly in order for your multi-organization tenancy configuration to function.

This multi-organization configuration assumes single node deployments for the following
components:

- VMware Aria Suite Lifecycle
- Workspace ONE Access Identity Manager
- VMware Aria Automation

Also, it assumes that you are starting with a default tenant, which is your provider organization,
and creating two sub-tenants, called tenant-1 and tenant-2.

You can create and apply certificates using the Locker service in VMware Aria Suite Lifecycle
or you can use another mechanism. VMware Aria Suite Lifecycle also enables you to replace or
re-trust certificates on VMware Aria Automation or Workspace ONE Access.

DNS Requirements
You must create both main A type records and CNAME type records for system components as
described below.

- Create main A type records for each system component and for each of the tenants
  that you will create when you enable multi-tenancy.

- Create multi-tenancy A type records for each of the tenants you will create as well as for the
  primary tenant.

- Create multi-tenancy CNAME type records for each of the tenants you will create, not
  including the primary tenant.

Certificate requirements for single node multi-tenancy deployment


You must create two Subject Alternative Name (SAN) certificates, one for Workspace ONE
Access and one for VMware Aria Automation.

- The VMware Aria Automation certificate lists the hostname of the VMware Aria Automation
  server and the names of the tenants you will create.

- The Workspace ONE Access certificate lists the hostname of the Workspace ONE Access
  server and the tenant names you are creating.


- If you use dedicated SAN names, certificates must be updated manually when you add or
  delete hosts or change a hostname. You must also update DNS entries for tenants. As an
  option to simplify configuration, you can use wildcards for the Workspace ONE Access and
  VMware Aria Automation certificates. For example, *.example.com and *.vra.example.com.

  Note VMware Aria Automation supports wildcard certificates only for DNS names that
  match the specifications in the Public Suffix list at https://publicsuffix.org. For example,
  *.myorg.com is a valid name while *.myorg.local is invalid.

Note that VMware Aria Suite Lifecycle does not create separate certificates for
each tenant. Instead it creates a single certificate with each tenant hostname
listed. For basic configurations, the tenant's CNAME uses the following format:
tenantname.vrahostname.domain. For high availability configurations, the name uses the
following format: tenantname.vraLBhostname.domain.

Summary
The following table summarizes DNS and certificate requirements for a single node Workspace
ONE Access and single node VMware Aria Automation deployment.

DNS Requirements:

Main A Type Records
  lcm.example.com
  WorkspaceOne.example.com
  vra.example.com

Multi-tenancy A Type Records
  default-tenant.example.com
  tenant-1.example.com
  tenant-2.example.com

Multi-Tenancy CNAME Type Records
  tenant-1.vra.example.com
  tenant-2.vra.example.com

SAN Certificate Requirements:

Workspace ONE Access Certificate
  Host Name: WorkspaceOne.example.com, default-tenant.example.com,
  tenant-1.vra.example.com, tenant-2.vra.example.com

VMware Aria Automation Certificate
  Host Name: vra.example.com, tenant-1.vra.example.com, tenant-2.vra.example.com
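
The SAN bookkeeping for the VMware Aria Automation certificate, as an added example that is not VMware code: it builds the tenant hostnames in the tenantname.vrahostname.domain format and reports which ones a SAN list fails to cover, including why *.example.com alone does not cover tenant hostnames. The function names and the SAN listings are constructed for illustration; wildcard matching follows the usual TLS rule (whole leftmost label, one label only), and the Public Suffix restriction from the note is not checked.

```python
"""Added example: check a certificate's SAN list against the tenant hostnames
a VMware Aria Automation multi-organization setup needs."""


def parse_san_text(text):
    """Parse the text printed by `openssl x509 -noout -ext subjectAltName`.

    Returns (dns_names, ip_addresses); the header line and any other SAN
    types are ignored.
    """
    dns_names, ip_addresses = [], []
    for line in text.splitlines():
        for item in line.split(","):
            item = item.strip()
            if item.startswith("DNS:"):
                dns_names.append(item[len("DNS:"):].strip().lower())
            elif item.startswith("IP Address:"):
                ip_addresses.append(item[len("IP Address:"):].strip())
    return dns_names, ip_addresses


def san_matches(pattern, hostname):
    """True if one SAN dNSName covers hostname.

    A wildcard is honoured only as the complete leftmost label and stands for
    exactly one label, so *.example.com does not cover a.b.example.com.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def tenant_hostnames(tenants, vra_fqdn):
    """Tenant names in the tenantname.vrahostname.domain format.

    For a high availability deployment pass the load balancer FQDN instead.
    """
    return [f"{tenant}.{vra_fqdn}".lower() for tenant in tenants]


def missing_san_entries(san_text, vra_fqdn, tenants, node_fqdns=()):
    """List every required hostname that no SAN entry covers."""
    dns_names, _ = parse_san_text(san_text)
    required = [vra_fqdn, *node_fqdns, *tenant_hostnames(tenants, vra_fqdn)]
    return [name for name in required
            if not any(san_matches(san, name) for san in dns_names)]


# Constructed SAN listings in openssl's output format (not from a real certificate).
HEADER = "X509v3 Subject Alternative Name: \n    "
DEDICATED = HEADER + ("DNS:vra.example.com, DNS:tenant-1.vra.example.com, "
                      "DNS:tenant-2.vra.example.com")
PARENT_WILDCARD = HEADER + "DNS:vra.example.com, DNS:*.example.com"
BOTH_WILDCARDS = HEADER + "DNS:*.example.com, DNS:*.vra.example.com"

if __name__ == "__main__":
    tenants = ["tenant-1", "tenant-2", "tenant-3"]  # tenant-3 is newly planned
    for label, san in [("dedicated names", DEDICATED),
                       ("*.example.com only", PARENT_WILDCARD),
                       ("both wildcards", BOTH_WILDCARDS)]:
        gaps = missing_san_entries(san, "vra.example.com", tenants)
        print(f"{label}: missing {gaps or 'nothing'}")
```

Run it before adding a tenant: any hostname it reports must be added to the certificate (and to DNS) first.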

Managing certificate and DNS configuration in clustered VMware Aria Automation deployments
You must coordinate the certificate and DNS configuration between all applicable components to
set up a multi-organization clustered VMware Aria Automation deployment.

In a typical clustered configuration, there are three Workspace ONE Access appliances and three
VMware Aria Automation appliances as well as a single VMware Aria Suite Lifecycle appliance.

This configuration assumes clustered deployments for the following components:

- Workspace ONE Access Identity Manager appliances:
  - idm1.example.com
  - idm2.example.com


  - idm3.example.com
  - idm-lb.example.com
- VMware Aria Automation appliances:
  - vra-1.example.com
  - vra-2.example.com
  - vra-3.example.com
  - vra-lb.example.com
- VMware Aria Suite Lifecycle appliance

DNS Requirements
You must create both main A type records for each component and for each of the tenants
that you will create when you enable multi-tenancy. In addition, you must create multi-tenancy
CNAME type records for each of the tenants you will create, not including the master tenant.
Finally, you must also create Main A Type records for the Workspace ONE Access and VMware
Aria Automation load balancers.

- Create A type records for the three Workspace ONE Access appliances, and for the VMware
  Aria Automation appliances that point to their respective FQDNs.

- In addition, create A type records for the Workspace ONE Access load balancer and the
  VMware Aria Automation load balancer that point to their respective FQDNs.

- Create multi-tenancy A Type records for the default tenant and for tenant-1 and tenant-2 that
  point to the IP address of the Workspace ONE Access load balancer.

- Create CNAME records for tenant-1 and tenant-2 that point to the IP address of the VMware
  Aria Automation load balancer.

Subject Alternative Name (SAN) Certificate Requirements


You must create two Workspace ONE Access certificates, one that applies on the cluster
appliances and one that applies on the load balancer. In addition, create a certificate that applies
to the VMware Aria Automation appliances, the tenants you are creating, excluding the default
tenant, and the load balancer.

- Create a certificate for the Workspace ONE Access appliances that lists the FQDNs of the
  Workspace ONE Access appliances as well as the default tenant and other tenants you
  create. This certificate should include the IP addresses of the Workspace ONE Access
  appliances.

- As a best practice, create an SSL termination on the load balancer. To support this capability,
  create a certificate for the Workspace ONE Access load balancer that lists the FQDN of the
  Workspace ONE Access load balancer as well as the default tenant and all other tenants you
  create. This certificate should include the IP address of the load balancer.


- You must create a certificate for VMware Aria Automation that lists the host names of the
  three VMware Aria Automation appliances as well as the related load balancer and the
  tenants you are creating. In addition, it should list the IP addresses of the three VMware
  Aria Automation appliances.

- As an option, to simplify configuration, you can use wildcards for the Workspace ONE Access
  and VMware Aria Automation certificates. For example, *.example.com, *.vra.example.com,
  and *.vra-lb.example.com.

  Note VMware Aria Automation supports wildcard certificates only for DNS names that
  match the specifications in the Public Suffix list at https://publicsuffix.org. For example,
  *.myorg.com is a valid name.

If you are using a clustered Workspace ONE Access configuration, note that VMware Aria Suite
Lifecycle cannot update the load balancer certificates, so you must update them manually. Also,
if you need to re-register products or services that are external to VMware Aria Suite Lifecycle,
this is a manual process.

Summary of DNS entries and certificates for a clustered multi-organization configuration
The following table outlines the DNS Main A Type records, CNAME Type records, and certificate
requirements for a clustered Workspace ONE Access and clustered VMware Aria Automation
multi-organization deployment.


DNS Requirements:

Main A Type Records
- lcm.example.com
- WorkspaceOne-1.example.com
- WorkspaceOne-2.example.com
- WorkspaceOne-3.example.com
- Workspace.One-lb.example.com
- vra-1.example.com
- vra-2.example.com
- vra-3.example.com
- vra-lb.example.com

Multi-Tenancy A Type Records
- default-tenant.example.com
- tenant-1.vra.example.com
- tenant-2.vra.example.com

Note All of the multi-tenancy A Type records must point
to the vIDM/WS1A load balancer IP address.

Multi-Tenancy CNAME Type Records
- tenant-1.vra-lb.example.com - vra-lb.example.com
- tenant-2.vra-lb.example.com - vra-lb.example.com

SAN Certificate Requirements:

Workspace ONE Access Certificate
Host Name:
- WorkspaceOne-1.example.com
- WorkspaceOne-2.example.com
- WorkspaceOne-3.example.com
- default-tenant.example.com
- tenant-1.example.com
- tenant-2.example.com

Workspace ONE Access LB Certificate (LB Terminated)
Host Name:
- WorkspaceOne-lb.example.com
- default-tenant.example.com
- tenant-1.example.com
- tenant-2.example.com

VMware Aria Automation Certificate
Host Name:
- vra-1.example.com
- vra-2.example.com
- vra-3.example.com
- vra-lb.example.com
- tenant-1.example.com
- tenant-2.example.com
No certificate is required on the VMware Aria Automation
load balancer as it uses SSL passthrough.

Note Each additional tenant that you add must be listed separately in the VMware Aria
Automation Certificate, Multi-tenancy CNAME records, Multi-tenancy Type A records, Workspace
ONE Access Certificate and Workspace ONE Access LB Certificate.

Note The *.com file names are for example use only. They may not be applicable to most
business environments.

Logging in to tenants and adding users in VMware Aria Automation
After you have created tenants for VMware Aria Automation in VMware Aria Suite Lifecycle, you
can log in to Workspace ONE Access to view your tenants and add users.


You can view tenants created for a VMware Aria Automation deployment by logging in to
the associated Workspace ONE Access instance. The URL to use is https://default-tenant
name.domainname.local or, for a non-clustered deployment, https://idm.domainname.local
which will direct you back to the default tenant Workspace ONE Access URL.

You can validate specific tenants in Workspace ONE Access by using the following URL:
https://tenant-1.domainname.local. This URL opens a page that shows the users for the
specified tenant. You can click Add User to create additional users.

Authorized users can log in to the main provider organization in VMware Aria Automation by
using https://vra.domainname.local. This view provides access to all VMware Aria Automation
related services.

Authorized users can log in to applicable tenants in VMware Aria Automation by using
https://tenantname.vra.domainname.local.

For more information about managing users, see VMware Workspace ONE Access product
documentation.

Adding local users


You can add local users to your deployment using the associated Workspace ONE Access
instance. Local users are users that are not stored in any external identity provider.

Using VMware Aria Automation Orchestrator with VMware Aria Automation multi-organization deployments
You can use VMware Aria Automation Orchestrator with VMware Aria Automation multi-
organization tenancy deployments.

The default tenant supports integration with the embedded VMware Aria Automation
Orchestrator out of the box. VMware Aria Automation Orchestrator is available
pre-configured on the Integrations page of the default tenant. Subtenants do not have any
pre-registered VMware Aria Automation Orchestrator integration. They have several options to
add a VMware Aria Automation Orchestrator integration.

- Subtenants can add an integration with the embedded VMware Aria Automation
  Orchestrator by navigating to Infrastructure > Connections > Integrations.

  Note If the embedded VMware Aria Automation Orchestrator is added as an integration to
  multiple tenants, all the VMware Aria Automation Orchestrator content, including the plug-in
  inventory, is shared among these tenants.

- Subtenants can add an external VMware Aria Automation Orchestrator instance that uses the
  multi-organization VMware Aria Automation as an Auth Provider.


Any VMware Aria Automation Orchestrator instance that uses a VMware Aria Automation
multi-organization deployment as an Auth Provider can be registered to any of the tenants
by creating a new integration and providing the VMware Aria Automation Orchestrator FQDN
without providing any credentials.

Chapter 5: Working with logs in VMware Aria Automation
You can use the supplied vracli command line utility to create and use logs in VMware Aria
Automation.

You can use logs directly in VMware Aria Automation or you can instead forward all logs to
VMware Aria Operations for Logs.

Read the following topics next:

- How do I work with logs and log bundles in VMware Aria Automation
- How do I configure log forwarding to VMware Aria Operations for Logs in VMware Aria
  Automation
- How do I create or update a syslog integration in VMware Aria Automation
- How do I work with VMware Aria Automation content packs

How do I work with logs and log bundles in VMware Aria Automation
Various services generate logs automatically. You can generate log bundles in VMware Aria
Automation. You can also configure your environment to send logs to VMware Aria Operations
for Logs.

Use the --help argument in the vracli command line (for example, vracli log-bundle --help)
for information about the vracli command line utility.

For related information about using VMware Aria Operations for Logs, see How do I configure log
forwarding to VMware Aria Operations for Logs in VMware Aria Automation.

Log bundle commands


You can create a log bundle to contain all the logs that are generated by the services that you
run. A log bundle contains all your service logs. You can use a log bundle for troubleshooting.


In a clustered environment (high availability mode), run the vracli log-bundle command on
only one node. Logs are pulled from all nodes in the environment. However, in the event of a
networking or other cluster issue, logs are pulled from as many nodes as can be reached. For
example, if one node is disconnected in a cluster of three nodes, logs are only collected from
the two healthy nodes. Output from the vracli log-bundle command contains information about
any issues found and their workaround steps.

- To create a log bundle, SSH to any node and run the following vracli command:

  vracli log-bundle

- To change the timeout value for collecting logs from each node, run the following vracli
  command:

  vracli log-bundle --collector-timeout $CUSTOM_TIMEOUT_IN_SECONDS

  For example, if your environment contains large log files, slow networking, or high CPU
  usage, you can set the timeout to greater than the 1000 second default value.

- To determine the disk space being consumed by a specific service log such as ebs or vro, run
  the following vracli command and examine the command output:

  vracli disk-mgr

- To configure other options, such as assembly timeout and buffer location, use the following
  vracli help command:

  vracli log-bundle --help

Log bundle structure


The log bundle is a timestamped tar file. The name of the bundle matches the pattern
log-bundle-<date>T<time>.tar, for example log-bundle-20200629T131312.tar. Typically the log bundle
contains logs from all nodes in the environment. In case of an error, it contains as many logs as
possible. It minimally contains logs from the local node.

The log bundle consists of the following content:

- Environment file

  The environment file contains the output of various Kubernetes maintenance commands. It
  supplies information about current resource usage per node and per pod. It also contains
  cluster information and description of all available Kubernetes entities.

- Host logs and configuration

  The configuration of each host (for example, its /etc directory) and the host-specific logs (for
  example, journald) are collected in one directory for each cluster node or host. The directory
  name matches the host name of the node. The internal contents of the directory match the
  file system of the host. The number of directories matches the number of cluster nodes.

- Services logs


Logs for Kubernetes services are located in the following folder structure:

n <hostname>/services-logs/<namespace>/<app-name>/file-logs/<container-name>.log

n <hostname>/services-logs/<namespace>/<app-name>/console-logs/<container-
name>.log

An example file name is my-host-01/services-logs/prelude/vco-app/file-logs/vco-


server-app.log.

n hostname is the host name of the node on which the application container is or was
running. Typically, there is one instance for each node for each service. For example, 3
nodes = 3 instances.

n namespace is the Kubernetes namespace in which the application is deployed. For user-
facing services, this value is prelude.

n app-name is the name of the Kubernetes application that produced the logs (for example,
provisioning-service-app).

n container-name is the name of the container that produced the logs. Some apps consist
of multiple containers. For example, the vco-app container includes the vco-server-app
and vco-controlcenter-app containers.

n (Legacy) Pod logs

While you can continue to generate pod logs in the bundle by using the vracli log-bundle
--include-legacy-pod-logs command, doing so is not advised as all log information already
resides in each services' logs. Including pod logs can unnecessarily increase the time and
space required to generate the log bundle.
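The services-logs layout above can be checked mechanically. The following added example (not from the VMware documentation) reads a tar listing of a log bundle and reports each service that has logs from one node but not from another, which is how a partially collected bundle shows up. The host names, the top-level `environment` entry name and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: find per-node gaps in the services-logs tree of a log bundle.

# Constructed listing, shaped like `tar -tf log-bundle-20200629T131312.tar`.
# Host names and the top-level "environment" entry name are placeholders.
sample_bundle_listing() {
cat <<'EOF'
environment
my-host-01/etc/hosts
my-host-01/services-logs/prelude/vco-app/file-logs/vco-server-app.log
my-host-01/services-logs/prelude/vco-app/console-logs/vco-server-app.log
my-host-01/services-logs/prelude/ebs-app/file-logs/ebs-app.log
my-host-02/etc/hosts
my-host-02/services-logs/prelude/vco-app/file-logs/vco-server-app.log
my-host-02/services-logs/prelude/ebs-app/console-logs/ebs-app.log
my-host-03/etc/hosts
my-host-03/services-logs/prelude/vco-app/file-logs/vco-controlcenter-app.log
EOF
}

# Succeeds only for names of the form log-bundle-<date>T<time>.tar.
is_bundle_name() {
  printf '%s\n' "$1" | grep -Eq '^log-bundle-[0-9]{8}T[0-9]{6}\.tar$'
}

# Reads a tar listing on stdin. Every first path component that has children
# counts as a node directory. Prints "<namespace>/<app-name> missing-on <hostname>"
# for each app that has file-logs or console-logs on some node but none on <hostname>.
bundle_coverage_gaps() {
  awk -F/ '
    { sub(/^\.\//, "") }                 # tolerate listings that start with ./
    NF >= 2 { hosts[$1] = 1 }
    NF >= 6 && $2 == "services-logs" && ($5 == "file-logs" || $5 == "console-logs") {
      app = $3 "/" $4
      apps[app] = 1
      seen[$1, app] = 1
    }
    END {
      for (a in apps)
        for (h in hosts)
          if (!((h, a) in seen)) print a " missing-on " h
    }
  ' | sort
}

# Demo run on the constructed listing.
sample_bundle_listing | bundle_coverage_gaps
```

On a real bundle, pipe `tar -tf <bundle>.tar` into `bundle_coverage_gaps`; a reported gap is a prompt to check whether that node was reachable when the bundle was generated.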

Reducing the size of the log bundle


To generate a smaller log bundle, use either of the following vracli log-bundle commands:

- vracli log-bundle --since-days n

Use this command to collect only the log files that were generated over the past number of
days. Otherwise, logs are retained and collected for the past 2 days. For example:

vracli log-bundle --since-days 1

- vracli log-bundle --services service_A,service_B,service_C

Use this command to collect only the logs for the named services. For example:

vracli log-bundle --services ebs-app,vco-app

- vracli log-bundle --skip-heap-dumps

Use this command to exclude all heap dumps from the generated log bundle.

Displaying logs
You can output the logs of a service pod or app by using the vracli logs <pod_name> command.

The following command options are available:

- --service
Displays a merged log for all nodes of the app instead of a single pod.

Example: vracli logs --service abx-service-app

- --tail n
Displays the last n lines of the log. The default n value is 10.

Example: vracli logs --tail 20 abx-service-app-8598fcd4b4-tjwhk

- --file
Displays only the specified file. If a file name is not provided, all files are shown.

Example: vracli logs --file abx-service-app.log abx-service-app-8598fcd4b4-tjwhk

Understanding log rotation


For log rotation, note the following service log considerations:

- All services produce logs. Service logs are stored in a dedicated /var/log/services-logs
disk.

- All logs are rotated regularly. Rotation occurs either hourly or when a certain size limit is
reached.

- All old log rotations are eventually compressed.

- There is no per-service quota for log rotations.

- The system retains as many logs as possible. Automation regularly checks the used disk
space for logs. When the space becomes 70% full, older logs are purged until the disk space
for logs reaches 60% full.

- You can resize your logs disk if you need more space. See Increase VMware Aria Automation
appliance disk space.

To check the logs disk space, run the following vracli commands. The free space of
/dev/sdc(/var/log) should be near 30% or more for each node.

# vracli cluster exec -- bash -c 'current_node; vracli disk-mgr; exit 0'


sc1-10-182-1-103.eng.vmware.com
/dev/sda4(/):
Total size: 47.80GiB
Free: 34.46GiB(72.1%)
Available(for non-superusers): 32.00GiB(66.9%)
SCSI ID: (0:0)
/dev/sdb(/data):
Total size: 140.68GiB
Free: 116.68GiB(82.9%)
Available(for non-superusers): 109.47GiB(77.8%)
SCSI ID: (0:1)
/dev/sdc(/var/log):
Total size: 21.48GiB
Free: 20.76GiB(96.6%)
Available(for non-superusers): 19.64GiB(91.4%)
SCSI ID: (0:2)
/dev/sdd(/home):
Total size: 29.36GiB
Free: 29.01GiB(98.8%)
Available(for non-superusers): 27.49GiB(93.7%)
SCSI ID: (0:3)
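Reading that output by eye across several nodes is error-prone, so the following added example (not part of the VMware documentation) parses it and reports the free percentage of /dev/sdc(/var/log) per node against the 30% guideline. The node names and sizes in the sample are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag cluster nodes whose /var/log disk is running low.

# Constructed sample in the format printed by
#   vracli cluster exec -- bash -c 'current_node; vracli disk-mgr; exit 0'
# Node names and sizes are made up.
sample_disk_mgr_output() {
cat <<'EOF'
node-a.example.test
/dev/sda4(/):
Total size: 47.80GiB
Free: 34.46GiB(72.1%)
Available(for non-superusers): 32.00GiB(66.9%)
SCSI ID: (0:0)
/dev/sdc(/var/log):
Total size: 21.48GiB
Free: 20.76GiB(96.6%)
Available(for non-superusers): 19.64GiB(91.4%)
SCSI ID: (0:2)
node-b.example.test
/dev/sda4(/):
Total size: 47.80GiB
Free: 9.10GiB(19.0%)
Available(for non-superusers): 6.70GiB(14.0%)
SCSI ID: (0:0)
/dev/sdc(/var/log):
Total size: 21.48GiB
Free: 5.09GiB(23.7%)
Available(for non-superusers): 3.97GiB(18.5%)
SCSI ID: (0:2)
EOF
}

# Reads disk-mgr output on stdin; $1 is the minimum free percentage (default 30).
# Prints "<node> <free%> OK|LOW" for the /var/log disk of each node and
# returns 1 if any node is below the minimum.
check_log_disk() {
  awk -v min="${1:-30}" '
    { sub(/^[ \t]+/, "") }
    # Device header: remember whether this block is the /var/log disk.
    index($0, "/dev/") == 1 { in_log = (index($0, "(/var/log):") > 0); next }
    # A line with no space and no colon is the node name from current_node.
    $0 != "" && $0 !~ /[ :]/ { node = $0; in_log = 0; next }
    in_log && index($0, "Free:") == 1 {
      pct = $0
      sub(/^.*\(/, "", pct)       # drop everything up to the last "("
      sub(/%\).*$/, "", pct)      # drop the trailing "%)"
      low = (pct + 0 < min + 0)
      if (low) bad = 1
      print node, pct, (low ? "LOW" : "OK")
      in_log = 0
    }
    END { exit bad + 0 }
  '
}

# Demo run on the constructed sample.
sample_disk_mgr_output | check_log_disk 30 || echo "at least one node is below the threshold"
```

Only the /var/log block is evaluated, so a nearly full root disk on the same node does not change the result.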

How do I configure log forwarding to VMware Aria Operations for Logs in VMware Aria Automation
To take advantage of more robust log analysis and report generation, you can forward logs from
VMware Aria Automation to VMware Aria Operations for Logs.

VMware Aria Automation contains a fluentd-based logging agent. The agent collects and stores
logs so that they can be included in a log bundle and examined later. The agent can forward
a copy of the logs to a VMware Aria Operations for Logs server by using the VMware Aria
Operations for Logs REST API. The API allows other programs to communicate with VMware Aria
Operations for Logs.

For more information about VMware Aria Operations for Logs, including documentation for the
REST API, see VMware Aria Operations for Logs documentation.

To forward all VMware Aria Automation logs to VMware Aria Operations for Logs, use vracli
configuration commands.

You can examine each log line in VMware Aria Operations for Logs. Each log line contains a host
name and an environment tag. In a high availability (HA) environment, logs contain tags with
different host names depending on the node from which they originated. The environment tag
is configurable by using the --environment ENV option as described in the Configure or update
integration of VMware Aria Operations for Logs section. In a high availability (HA) environment,
the environment tag has the same value for all log lines.

To display information about how to use the vracli command line utility, use the --help
argument in the vracli command line. For example, vracli vrli --help. For a user-friendly
response, begin the command with vracli -j vrli.

Note You can only configure a single remote logging integration. VMware Aria Operations
for Logs has priority when a VMware Aria Operations for Logs server and a syslog server are
available.

Check existing configuration of VMware Aria Operations for Logs


Command

vracli vrli

Arguments


There are no command line arguments.

Output

The current configuration for VMware Aria Operations for Logs integration is output in JSON
format.

Exit codes

The following exit codes are possible:

- 0 - Integration with VMware Aria Operations for Logs is configured.

- 1 - An exception error occurred. Examine the error message for details.

- 61 - Integration with VMware Aria Operations for Logs is not configured. Examine the error
message for details.

Example - check integration configuration

$ vracli vrli
No vRLI integration configured

$ vracli vrli
{
    "agentId": "0",
    "environment": "prod",
    "host": "my-vrli.local",
    "port": 9543,
    "scheme": "https",
    "sslVerify": false
}
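The exit codes and JSON fields above are enough to review how an appliance forwards its logs. The following added example (not part of the VMware documentation) classifies a `vracli vrli` result and fails when logs would travel over http or without server certificate verification. It assumes that `"sslVerify": true` is the value shown when verification is active; the function names and the sample configurations are constructed.

```shell
#!/bin/sh
# Added example: review log-forwarding transport settings from `vracli vrli` output.
# On an appliance: out=$(vracli vrli); rc=$?; printf '%s\n' "$out" | audit_vrli "$rc"

# Constructed samples in the JSON shape shown in this guide.
sample_unverified() {
cat <<'EOF'
{
    "agentId": "0",
    "environment": "prod",
    "host": "my-vrli.local",
    "port": 9543,
    "scheme": "https",
    "sslVerify": false
}
EOF
}

sample_cleartext() {
  sample_unverified | sed -e 's/"https"/"http"/' -e 's/9543/9000/'
}

# Assumption: "sslVerify": true is what a verified integration reports.
sample_verified() {
  sample_unverified | sed 's/"sslVerify": false/"sslVerify": true/'
}

# Pull one scalar out of flat, one-key-per-line JSON. $1 = key, JSON on stdin.
json_field() {
  sed -n 's/^[[:space:]]*"'"$1"'"[[:space:]]*:[[:space:]]*"\{0,1\}\([^",]*\)"\{0,1\},\{0,1\}[[:space:]]*$/\1/p'
}

# $1 = exit code of `vracli vrli`, stdin = its output. Prints one finding line.
# Returns 0 for verified TLS, 1 for a weak transport, 2 when no integration
# is configured (exit code 61), 3 for any other exit code.
audit_vrli() {
  rc="$1"
  cfg=$(cat)
  case "$rc" in
    0)  ;;
    61) echo "NOT-CONFIGURED no Operations for Logs integration"; return 2 ;;
    *)  echo "ERROR vracli vrli exited with $rc"; return 3 ;;
  esac
  host=$(printf '%s\n' "$cfg" | json_field host)
  port=$(printf '%s\n' "$cfg" | json_field port)
  scheme=$(printf '%s\n' "$cfg" | json_field scheme)
  verify=$(printf '%s\n' "$cfg" | json_field sslVerify)
  if [ "$scheme" != "https" ]; then
    echo "FAIL $scheme://$host:$port sends logs in cleartext"
    return 1
  fi
  if [ "$verify" != "true" ]; then
    echo "FAIL https://$host:$port accepts any server certificate (sslVerify=$verify)"
    return 1
  fi
  echo "OK https://$host:$port with certificate verification"
}

# Demo run on the constructed samples.
sample_unverified | audit_vrli 0 || true
sample_cleartext  | audit_vrli 0 || true
sample_verified   | audit_vrli 0
```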

Configure or update integration of VMware Aria Operations for Logs


Command

vracli vrli set [options] FQDN_OR_URL

Note After you run the command, it can take up to 2 minutes for the logging agent to apply
your specified configuration.

Arguments

- FQDN_OR_URL

Specifies the FQDN or URL address of the VMware Aria Operations for Logs server to use
for posting logs. Port 9543 and https are used by default. If any of these settings must be
changed, you can use a URL instead.

vracli vrli set <options> https://FQDN:9543

Note You can set a different host scheme (the default is HTTPS) and port (default for https
is 9543, default for http is 9000) to use for sending the logs, as shown in the following
samples:

vracli vrli set https://HOSTNAME:9543
vracli vrli set --insecure HOSTNAME
vracli vrli set http://HOSTNAME:9000

Ports 9543 for https and 9000 for http are used by the VMware Aria Operations for Logs
ingestion REST API as described in the Administering VMware Aria Operations for Logs topic
Ports and External Interfaces in VMware Aria Operations for Logs documentation.

- Options

  - --agent-id SOME_ID

Sets the id of the logging agent for this appliance. The default is 0. Used to identify the
agent when posting logs to VMware Aria Operations for Logs by using the VMware Aria
Operations for Logs REST API.

  - --environment ENV

Sets an identifier for the current environment. It will be available in VMware Aria
Operations for Logs logs as a tag for each log entry. The default is prod.

  - --ca-file /path/to/server-ca.crt

Specifies a file that contains the certificate of the certificate authority (CA) that was
used to sign the certificate of the VMware Aria Operations for Logs server. This forces
the logging agent to trust the specified CA and enable it to verify the certificate of
the VMware Aria Operations for Logs server if it was signed by an untrusted authority.
The file may contain a whole certificate chain to verify the certificate. In the case of a
self-signed certificate, pass the certificate itself.

  - --ca-cert CA_CERT

Definition is identical to that of --ca-file as above, but instead passes the certificate (chain)
inline as string.

  - --insecure

Deactivates SSL verification of the server certificate. This forces the logging agent to
accept any SSL certificate when posting logs.

- Advanced options

  - --request-max-size BYTES

Multiple log events are ingested with a single API call. This argument controls the
maximum payload size, in bytes, for each request. Valid values are between 4000 and
4000000. The default value is 256000. For related information for allowed values, see
VMware Aria Operations for Logs events ingestion in the VMware Aria Operations for
Logs REST API documentation. Setting this value too low can cause logging events that
are larger than the allowed size to be dropped.

  - --request-timeout SECONDS

A call to the API can hang for a number of reasons including problems with the remote,
networking issues, and so on. This parameter controls the number of seconds to wait for
each operation to complete, such as opening a connection, writing data, or awaiting a
response, before the call is recognized as failed. The value cannot be less than 1 second.
The default is 30.

  - --request-immediate-retries RETRIES

Logs are buffered in aggregated chunks before they are sent to VMware Aria Operations
for Logs (see --buffer-flush-thread-count below). If an API request fails, the log is retried
immediately. The default number of immediate retries is 3. If none of the retries is
successful, then the whole log chunk is rolled back and is retried again later.

  - --request-http-compress

To lower network traffic volumes, you can apply gzip compression to requests that are
sent to the VMware Aria Operations for Logs server. If this parameter is not specified, no
compression is used.

  - --buffer-flush-thread-count THREADS

For better performance and to limit networking traffic, logs are buffered locally in chunks
before they are flushed and sent to the log server. Each chunk contains logs from a single
service. Depending on your environment, chunks can grow large and time-consuming to
flush. This argument controls the number of chunks that can be flushed simultaneously.
The default is 2.

Note When configuring integration over https, if the VMware Aria Operations for Logs server
is configured to use an untrusted certificate such as a self-signed certificate or a certificate
that was signed by an untrusted authority, you must use one of the --ca-file, --ca-cert or
--insecure options or the logging agent fails to validate the server identity and does not send
logs. When using --ca-file or --ca-cert, the VMware Aria Operations for Logs server certificate
must be valid for the server's host name. In all cases, verify the integration by allowing a few
minutes for processing and then checking that VMware Aria Operations for Logs received the
logs.

Output

No output is expected.

Exit codes

The following exit codes are possible:

- 0 - The configuration was updated.

- 1 - An exception occurred as part of the execution. Examine the error message for details.

Examples - Configure or update integration configuration

The following example statements are shown in separate command lines; however, the
arguments can be combined in a single command line. For example, you can include multiple
arguments when using vracli vrli set {somehost} or vracli vrli set --ca-file
path/to/server-ca.crt to modify the default agent ID or environment values. For related
information, see the online command help at vracli vrli --help.

$ vracli vrli set my-vrli.local
$ vracli vrli set 10.20.30.40
$ vracli vrli set --ca-file /etc/ssl/certs/ca.crt 10.20.30.40
$ vracli vrli set --ca-cert "$(cat /etc/ssl/certs/ca.crt)" 10.20.30.40
$ vracli vrli set --insecure http://my-vrli.local:8080
$ vracli vrli set --agent-id my-vrli-agent my-vrli.local
$ vracli vrli set --request-http-compress
$ vracli vrli set --environment staging my-vrli.local
$ vracli vrli set --environment staging --request-max-size 10000 --request-timeout 120 --request-immediate-retries 5 --buffer-flush-thread-count 4 my-vrli.local

Clear integration of VMware Aria Operations for Logs


Command

vracli vrli unset

Note After you run the command, it can take up to 2 minutes for the logging agent to apply
your specified configuration.

Arguments

There are no command line arguments.

Output

Confirmation is output in plain text format.

Exit codes

The following exit codes are available:

- 0 - The configuration was cleared or no configuration existed.

- 1 - An exception occurred as part of the execution. Examine the error message for details.

Examples - Clear integration

$ vracli vrli unset
Clearing vRLI integration configuration

$ vracli vrli unset
No vRLI integration configured

How do I create or update a syslog integration in VMware Aria Automation
You can configure VMware Aria Automation to send your logging information to remote syslog
servers.

The vracli remote-syslog set command is used to create a syslog integration or overwrite
existing integrations.

VMware Aria Automation remote syslog integration supports the following connection types:

- Over UDP.

- Over TCP without TLS.

Note To create a syslog integration without using TLS, add the --disable-ssl flag to the
vracli remote-syslog set command.

- Over TCP with TLS.

Note You can only configure a single remote logging integration. VMware Aria Operations for
Logs is prioritized in the event that both a VMware Aria Operations for Logs server and a syslog
server are available.

For information on configuring logging integration with VMware Aria Operations for Logs,
see How do I configure log forwarding to VMware Aria Operations for Logs in VMware Aria
Automation.

Prerequisites

Configure a remote syslog server.

Procedure

1 Log in to the VMware Aria Automation appliance command line as root.

2 To create an integration to a syslog server, run the vracli remote-syslog set command.

vracli remote-syslog set -id name_of_integration protocol_type://syslog_URL_or_FQDN:syslog_port

Note If you do not enter a port in the vracli remote-syslog set command, the port
value defaults to 514.

Note You can add a certificate to the syslog configuration. To add a certificate file, use the
--ca-file flag. To add a certificate as plaintext, use the --ca-cert flag.

3 (Optional) To overwrite an existing syslog integration, run the vracli remote-syslog set
command and set the -id flag value to the name of the integration you want to overwrite.

Note By default, the VMware Aria Automation appliance requests that you confirm that
you want to overwrite the syslog integration. To skip the confirmation request, add the -f or
--force flag to the vracli remote-syslog set command.

What to do next

To review the current syslog integrations in the appliance, run the vracli remote-syslog
command.

How do I delete a syslog integration for logging in VMware Aria Automation
You can delete syslog integrations from your VMware Aria Automation appliance by running the
vracli remote-syslog unset command.

Prerequisites

Create one or more syslog integrations in the VMware Aria Automation appliance. See How do I
create or update a syslog integration in VMware Aria Automation.

Procedure

1 Log in to the VMware Aria Automation appliance command line as root.

2 Delete syslog integrations from the VMware Aria Automation appliance using either of the
following methods:

- To delete a specific syslog integration, run the vracli remote-syslog unset -id
Integration_name command.

- To delete all syslog integrations on the VMware Aria Automation appliance, run the
vracli remote-syslog unset command without the -id flag.

Note By default, the VMware Aria Automation appliance requests that you confirm that
you want to delete all syslog integrations. To skip the confirmation request, add the -f or
--force flag to the vracli remote-syslog unset command.

How do I work with VMware Aria Automation content packs


Content packs are hosted in Log Insight and contain dashboards, extracted fields, saved queries,
and alerts that are related to a specific product or set of logs. You can install community
supported content packs from the VMware Sample Exchange and other content packs from the
Content Pack Marketplace.

VMware Aria Operations for Logs delivers automated log management through aggregation,
analytics and search, enabling operational intelligence and enterprise-wide visibility in dynamic
hybrid cloud environments. Content packs are plug-ins to VMware Aria Operations for Logs that
provide pre-defined knowledge about specific types of events such as log messages.

To download a content pack, from VMware Aria Operations for Logs navigate to Content Packs
> Marketplace. You can also import content packs by clicking + Import Content Pack.

VMware Aria Automation Content Pack


The VMware Aria Automation content pack provides a consolidated summary of log events
across all VMware Aria Automation environment components. It includes several dashboards
that provide a general overview, insight on errors and operations, and overall health of your
VMware Aria Automation instance. These dashboards are listed on the Dashboard tab along
with all other VMware Aria Operations for Logs dashboards. Once loaded, it can take up to 30
seconds for the dashboards to populate with metrics.

The VMware Aria Automation content pack includes these dashboards:

- General - Overview: Captures an overview of high level metrics for VMware Aria Automation.

- General - Problems:

- Service - Provision: Captures issues related to the provisioning service.

- Service - Catalog: Captures issues related to the catalog service.

- Service - EBS: Captures issues related to the event broker service.

- Service - Templates: Captures errors and metrics related to Automation Assembler cloud
templates, custom resources, and resource actions.

- Service - Approval: Captures errors and metrics related to approvals.

- Infra - Health: Captures when pods are restarted over time. This dashboard is essential to
detect outages due to resource limits.

- Infra - Active Ping: Captures the health check URL over time.

Some dashboards contain widgets that provide more focused analytics. To view the type of
analysis that is performed in each widget, click the information icon.

As a VMware Aria Automation administrator, you can follow this general content pack workflow
to identify errors and troubleshoot.

6 Participating in the Customer Experience Improvement Program for VMware Aria Automation
This product participates in VMware's Customer Experience Improvement Program (CEIP). The
CEIP provides VMware with information that allows VMware to improve its products and services,
to fix problems, and to advise you on how best to deploy and use our products.

Details regarding the data collected through CEIP, and the purposes for which it is used by
VMware, are described on the Customer Experience Improvement Program page.

Read the following topics next:

- How do I join or leave the Customer Experience Improvement Programs for VMware Aria
Automation

- How do I configure the data collection time for the Customer Experience Improvement
Program for VMware Aria Automation

How do I join or leave the Customer Experience Improvement Programs for VMware Aria Automation
VMware Aria Automation participates in VMware's original Customer Experience Improvement
Program (CEIP) and also the Pendo Customer Experience Program (Pendo CEIP) for supported
services.

You can separately join or leave the VMware original Customer Experience Improvement
Program (CEIP) and the Pendo Customer Experience Program (Pendo CEIP). Each program
collects somewhat different types of customer interaction data, as described below.

- Original CEIP

The original CEIP provides VMware with information that helps VMware designers and
engineers improve products and services and fix problems. It collects usage and data that
helps gauge system stability and consumption levels of different features. This information
also helps determine what should be built next based on which use-cases and features are
being used.

You can join this CEIP when you install VMware Aria Automation with Workspace ONE
Access. After installation, VMware Aria Automation administrators and enabled users can also
join or leave the program by using vracli ceip command line options.

- Pendo CEIP

Pendo is an integrated third-party tool that collects user activities and provides analytics
to VMware Aria Automation product development. The Pendo CEIP collects workflow data
based on your interaction with the user interface. This information helps VMware designers
and engineers develop data-driven improvements to the usability of products and services.

You can join or leave the Pendo CEIP by using vracli ceip pendo command line options.
Enabled users can also join or leave the Pendo CEIP by using options in their VMware Aria
Automation user interface.

Details regarding the data collected through the original VMware CEIP, and the purposes for
which that data is used by VMware, are described at
http://www.vmware.com/trustvmware/ceip.html. Details regarding the Pendo CEIP for supported
services are described on the Cookie Usage page in VMware Aria Automation.

Join or leave the VMware CEIP by using VMware Aria Automation appliance command line options
You can join or leave the original Customer Experience Improvement Program (CEIP) by using
the following procedures.

Join the program by using the following appliance command line sequence:

1 Log in to the VMware Aria Automation appliance command line as root.

2 Run the vracli ceip on command.

3 Review the Customer Experience Improvement Program information and run the vracli
ceip on --acknowledge-ceip command.

4 Restart the VMware Aria Automation services by running the /opt/scripts/deploy.sh command.

Leave the program by using the following command line sequence:

1 Log in to the VMware Aria Automation appliance command line as root.

2 Run the vracli ceip off command.

3 Restart the VMware Aria Automation services by running the /opt/scripts/deploy.sh command.

Join or leave the Pendo CEIP by using VMware Aria Automation appliance command line options
You can join, leave, or verify the Pendo Customer Experience Improvement Program (Pendo
CEIP) by using the following procedures.

Join the program by using the following command line sequence:

1 Log in to the VMware Aria Automation appliance command line as root.

2 Run the vracli ceip pendo on command.

3 Restart VMware Aria Automation services by running the /opt/scripts/deploy.sh command.


Leave the program by using the following command line sequence:

1 Log in to the VMware Aria Automation appliance command line as root.

2 Run the vracli ceip pendo off command.

3 Restart VMware Aria Automation services by running the /opt/scripts/deploy.sh command.

Verify the program status by using the following command line sequence:

1 Log in to the VMware Aria Automation appliance command line as root.

2 Run the vracli ceip pendo status command.

Join or leave the Pendo CEIP by using on-screen options in VMware Aria Automation
You can join or leave the program by using the following on-screen interaction sequence in
VMware Aria Automation.

1 From the active VMware Aria Automation service, click the question mark toggle (?) in the
upper-right area of the screen. Alternatively, if it is visible, you can click Cookie Usage in the
cookie banner.

If you clicked the ? icon, click Cookie Usage in the lower right area of the subsequent Help
page.

2 Review the Cookie Usage and How to opt-out content.

3 Click Opt-in or Opt-out.

If you click Opt-in, the program sends your user interaction cookies to VMware. If you click
Opt-out, the program does not send your user interaction cookies to VMware.

How do I configure the data collection time for the Customer Experience Improvement Program for VMware Aria Automation
You can set the day and time when the Customer Experience Improvement Program (CEIP) sends
data to VMware.

Procedure

1 Log in to the VMware Aria Automation appliance command line as root.


2 Open the following file in a text editor.

/etc/telemetry/telemetry-collector-vami.properties

3 Edit the properties for day of week (dow) and hour of day (hod).

Property                       Description

frequency.dow=<day-of-week>    Day when data collection occurs.

frequency.hod=<hour-of-day>    Local time of day when data collection occurs. Possible values are 0–23.

4 Save and close telemetry-collector-vami.properties.

5 Apply the settings by entering the following command.

vcac-config telemetry-config-update --update-info

Changes are applied to all nodes in your deployment.

7 Turning on the in-product feedback form in VMware Aria Automation
You can enable your users to provide feedback to the VMware Aria Automation development
team. Your feedback is important to our development process.

What is the feedback form


The feedback form is located in the support panel on a tab labeled Feedback. To open the form,
click the ? button and then click Feedback in the upper right corner of the page.

How do I make the feedback form available to my users


The feedback form requires that your VMware Aria Automation host has Internet access and that
the following base URLs are included in your allowed list of Internet URLs.

- https://lumos.vmware.com/

- https://feedback.esp.vmware.com/

If the host does not have Internet access, the form is not available in the help pane.
