Installing the VMware Solution Management Appliance

Install the VMware Solution Management Appliance.

Before you can install the Management Appliance, you must have the following in place:

After you create an SDDC and set up the service gateway, create the vCenter system users, and then store each user's credentials as an OCI Vault secret. The Management Appliance requires access to the credentials of the following types of users to perform certain operations:
  • vSphere administrator: A vSphere user with administrative privileges. This user type is used to register and unregister the vSphere plugin during provisioning and termination of the Management Appliance. It's also used to reregister the vSphere plugin when the Management Appliance is upgraded with a new version. Use the administrator@vsphere.local user created during provisioning of the SDDC.
  • OCVS system user: A vSphere user with read-only privileges used to access ESXi host metrics. Use vCenter to create a dedicated user called ocvssystem@vsphere.local.
  • NSX administrator user: A user who performs NSX operations when the Management Appliance is adding a new ESXi host. Use the NSX admin user created during provisioning of the SDDC.

The vSphere administrator and NSX admin users are already created for every SDDC, and you should already have their credentials. The OCVS system user must be created manually, as described below.

Record the OCIDs of the vault secrets because they're used in the next step for security policy setup for the following variables:

  • <administrator_secret_ocid>
  • <ocvssystem_secret_ocid>
  • <nsx_admin_secret_ocid>

Configure a Service Gateway

Service gateway access is required for the Management Appliance to reach OCI services during operation. It enables the appliance to report its state to OCI, export metrics, read/update SDDC resources, and perform other operations.

You might already have a service gateway. Follow these steps to verify your service gateway is configured correctly:

  1. Open the Virtual Cloud Network (VCN) associated with your SDDC and go to the Gateways section.
  2. Scroll down to the Service Gateways section and check whether any service gateways exist.
  3. If one or more service gateways exist, check the Services column to see if any gateway is set to “All Services in Oracle Services Network.” Note the name of that service gateway.
  4. If no service gateways exist, or none includes “All <region-id> Services in Oracle Services Network,” create a new one:
    1. Select Create Service Gateway.
    2. Enter a name, for example, “Service Gateway 1” or “SGW”.
    3. Select a compartment. Using the same compartment as the SDDC or VCN is recommended, but this can vary by setup.
    4. In the Services list, select “All <region-id> Services in Oracle Services Network.”
    5. Select Create Service Gateway.
  5. In your VCN, open the Subnets section and find the subnet where your ESXi hosts reside. It typically has the “Subnet-” prefix, but your naming might differ.
  6. Open the subnet details and locate the associated route table.
  7. Open the Route Table details.
  8. Go to the Route Rules section.
  9. In the route rules table, verify a rule exists with the following settings:
    • Target Type: Service Gateway
    • Destination: All Services in Oracle Services Network
  10. If such a rule doesn't exist, add one:
    1. Select Add route rules.
    2. Set Target Type to "Service Gateway."
    3. Set Destination Service to “All Services in Oracle Services Network.”
    4. Select the target service gateway you noted in step 3 or created in step 4. You might also need to select the compartment where it resides.
    5. Enter a description. For example, “Access to all OCI services from ESXi host subnet.”
    6. Select Add route rules.
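Steps 5 through 10 can be checked without clicking through the console by inspecting the route table attached to the ESXi host subnet. The following Python is an added example, not code from the Oracle page: it reads route-table JSON shaped like the output of `oci network route-table get` (the field names `route-rules`, `destination`, `destination-type` and `network-entity-id` are assumed from that CLI's output format) and reports whether a rule sends "All <region-id> Services in Oracle Services Network" to a service gateway. The sample route table and OCIDs are constructed.

```python
import json
from typing import Optional

# Constructed sample shaped like `oci network route-table get --rt-id <ocid>` output.
# Assumed field names: data.route-rules[].destination / destination-type / network-entity-id.
SAMPLE_ROUTE_TABLE = json.dumps({
    "data": {
        "display-name": "esxi-host-subnet-rt (constructed)",
        "route-rules": [
            {
                "destination": "0.0.0.0/0",
                "destination-type": "CIDR_BLOCK",
                "network-entity-id": "ocid1.natgateway.oc1.iad.PLACEHOLDER",
                "description": "Internet egress via NAT",
            },
            {
                "destination": "all-iad-services-in-oracle-services-network",
                "destination-type": "SERVICE_CIDR_BLOCK",
                "network-entity-id": "ocid1.servicegateway.oc1.iad.PLACEHOLDER",
                "description": "Access to all OCI services from ESXi host subnet",
            },
        ],
    }
})


def all_services_label(region_id: str) -> str:
    """CIDR label OCI uses for 'All <region-id> Services in Oracle Services Network'."""
    return f"all-{region_id.lower()}-services-in-oracle-services-network"


def find_all_services_rule(route_table_json: str, region_id: str) -> Optional[dict]:
    """Return the rule that routes the whole Oracle Services Network to a service
    gateway, or None. A rule with the right destination but a non-service-gateway
    target (for example a NAT gateway) is deliberately not accepted."""
    table = json.loads(route_table_json)["data"]
    wanted = all_services_label(region_id)
    for rule in table.get("route-rules", []):
        if (rule.get("destination-type") == "SERVICE_CIDR_BLOCK"
                and rule.get("destination") == wanted
                and ".servicegateway." in rule.get("network-entity-id", "")):
            return rule
    return None


def has_all_services_route(route_table_json: str, region_id: str) -> bool:
    return find_all_services_rule(route_table_json, region_id) is not None


def describe(route_table_json: str, region_id: str) -> str:
    """Human-readable verdict matching the console check in steps 9 and 10."""
    rule = find_all_services_rule(route_table_json, region_id)
    if rule:
        return f"OK: route to {rule['destination']} via {rule['network-entity-id']}"
    return (f"MISSING: add a route rule with Target Type 'Service Gateway' and "
            f"Destination '{all_services_label(region_id)}'")


if __name__ == "__main__":
    print(describe(SAMPLE_ROUTE_TABLE, "iad"))
    print(describe(SAMPLE_ROUTE_TABLE, "phx"))
```

Run it against the real output by piping `oci network route-table get --rt-id <route table OCID>` into the function with the region identifier of your SDDC; the region-specific label is why a rule that exists for one region does not satisfy the check for another.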

Create vCenter System Users

In this section, you create the ocvssystem@vsphere.local user and then configure it.
  1. Sign in to vSphere. From the OCI Console, navigate to the SDDC details page, and select the vSphere client link. Sign in with the Administrator@vsphere.local user (or any other privileged user).
  2. Create the user by following these steps:
    1. Under Administration, go to Users and Groups, and then select Single Sign On.
    2. Under Users and Groups, select the Users tab.
    3. Select the vsphere.local domain, and then select Add.
    4. In the Add User dialog, enter information for Username, Password, and Confirm password. The Description is optional, but we recommend that you specify the purpose of this user.
  3. Create the user role by following these steps:
    Note

    If you already have a role you want to use, you can skip this step.
    1. Under Administration, go to Roles, and then select Access control.
    2. Select the VSPHERE.LOCAL role provider, and then select New.
    3. In the New Role panel, provide the Role name. The Description is optional, but we recommend that you specify the purpose of this role.
    4. In the Permissions table, assign the required privileges based on your vCenter version:
      • vCenter Server 7:
        • Category: Sessions → Privilege: Validate session
      • vCenter Server 8:
        • Category: Sessions → Privilege: Validate session
        • Category: Host → Group: Statistics → Privilege: Query

      You must select Propagate to children for this permission to be correctly propagated to ESXi host resources.

  4. Create the Global permission (assign the role to the user) by following these steps:
    1. Under Administration, go to Access Control, and then select Global Permissions.
    2. Select the VSPHERE.LOCAL permissions provider, and then select Add.
    3. In the Add Permission | Global Permission Root panel, select the vsphere.local domain, the user, and the role you created.

      You must select Propagate to children for this permission to be correctly propagated to ESXi host resources.

  5. Test the new user. Sign out of vSphere client. Use the new ocvssystem@vsphere.local user to sign in to vSphere. In vCenter Inventory, verify you can select an ESXi host. In the Monitor tab, verify you can view metrics for the ESXi host.
  6. Sign out of vSphere.

Create Vault Secrets with User Credentials

When creating a secret, select the Manual secret generation option under Encryption key.

Select Plain-text under Secret type template. See Managing Vault Secrets for instructions.

The secrets must contain the username and password in JSON format:

  • administrator user secret:
    {
      "username":"administrator@vsphere.local",
      "password":"<password>"
    }
  • ocvssystem user secret:
    {
      "username":"ocvssystem@vsphere.local",
      "password":"<password>"
    }
  • nsx_admin secret:
    {
      "username":"admin",
      "password":"<password>"
    }

If you gave the ocvssystem user a different name than what is listed here, use the name you created in the username field.
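Because the appliance parses these secrets as JSON, a malformed body, an extra key, or a forgotten "<password>" placeholder only surfaces later as a connectivity failure. The following Python is an added example, not part of the Oracle page: it validates a plain-text secret body against the exact {username, password} shape shown above, optionally checks the username, and produces the base64 form that the OCI API expects when secret content is supplied outside the console (an assumption to confirm against your CLI version). The sample payloads are constructed and carry no real credentials.

```python
import base64
import json
from typing import Optional

REQUIRED_KEYS = {"username", "password"}

# Constructed sample payloads in the page's format; passwords are examples only.
SAMPLE_GOOD = '{"username":"ocvssystem@vsphere.local","password":"Example-Only-Pass-1"}'
SAMPLE_PLACEHOLDER = '{"username":"ocvssystem@vsphere.local","password":"<password>"}'
SAMPLE_EXTRA_KEY = '{"username":"admin","password":"Example-Only-Pass-2","role":"admin"}'
SAMPLE_NOT_JSON = "username=admin;password=Example-Only-Pass-3"


def validate_credential_secret(payload: str, expected_username: Optional[str] = None) -> dict:
    """Parse a secret body and confirm it is exactly the {username, password} object
    the Management Appliance reads. Raises ValueError naming the defect otherwise."""
    try:
        data = json.loads(payload)
    except json.JSONDecodeError as exc:
        raise ValueError(f"secret body is not valid JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise ValueError("secret body must be a JSON object")
    if set(data) != REQUIRED_KEYS:
        raise ValueError(f"secret must contain exactly {sorted(REQUIRED_KEYS)}, got {sorted(data)}")
    for key in REQUIRED_KEYS:
        value = data[key]
        if not isinstance(value, str) or not value.strip():
            raise ValueError(f"{key} must be a non-empty string")
        if value.startswith("<") and value.endswith(">"):
            raise ValueError(f"{key} still holds the placeholder {value!r}")
    if expected_username is not None and data["username"] != expected_username:
        raise ValueError(f"username is {data['username']!r}, expected {expected_username!r}")
    return data


def is_valid_credential_secret(payload: str, expected_username: Optional[str] = None) -> bool:
    """Boolean form of validate_credential_secret for quick pre-checks."""
    try:
        validate_credential_secret(payload, expected_username)
        return True
    except ValueError:
        return False


def build_credential_secret(username: str, password: str) -> str:
    """Serialize credentials in the page's format and validate the result before use."""
    payload = json.dumps({"username": username, "password": password}, separators=(",", ":"))
    validate_credential_secret(payload, expected_username=username)
    return payload


def secret_content_base64(payload: str) -> str:
    """Base64 encoding of the body, the form assumed for API/CLI secret creation."""
    return base64.b64encode(payload.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    for sample in (SAMPLE_GOOD, SAMPLE_PLACEHOLDER, SAMPLE_EXTRA_KEY, SAMPLE_NOT_JSON):
        try:
            validate_credential_secret(sample)
            print("valid  :", sample)
        except ValueError as err:
            print("invalid:", err)
```

Pass `expected_username` when checking each of the three secrets so that the administrator, ocvssystem and NSX admin bodies cannot be mixed up; if you renamed the ocvssystem user, pass the name you created, as the note above says.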

Remember the OCIDs of the Vault secrets because they're used in the next step for security policy setup for the following variables:

  • <administrator_secret_ocid>
  • <ocvssystem_secret_ocid>
  • <nsx_admin_secret_ocid>

Create an IAM Dynamic Group and Policies

  1. Obtain the following information. Each value is represented in the following steps with a corresponding variable as shown in the table:
     Variable                       Value
     <sddc_compartment_name>        The SDDC compartment name.
     <sddc_compartment_ocid>        The SDDC compartment OCID.
     <administrator_secret_ocid>    The OCID of the administrator user secret.
     <ocvssystem_secret_ocid>       The OCID of the ocvssystem user secret.
     <nsx_admin_secret_ocid>        The OCID of the nsx_admin user secret.
  2. Use the following statement to create a dynamic group. Replace <sddc_compartment_ocid> with the actual OCID of the compartment that you obtained in the previous steps. See Creating a Dynamic Group for more information.
    Any {resource.type = 'managementagent', resource.compartment.id='<sddc_compartment_ocid>', instance.compartment.id = '<sddc_compartment_ocid>'}

    Note the dynamic group name for use in the next step.

  3. Use the following statements to create permissions for the dynamic group. Replace <resource_principal_dynamic_group_name> and <instance_principal_dynamic_group_name> with the name of the dynamic group you created in the previous steps. Replace <sddc_compartment_name> with the actual value you obtained in the previous steps. These permissions are used by the Management Appliance's system user.
    Important

    Create the policies in the root compartment (tenancy level compartment).

    If your policy subject (user, group, dynamic group) is in a non-default Identity Domain, prefix the subject with the domain name. Subjects in the default domain don't need a prefix. For more information, see Subjects.

    Allow dynamic-group <resource_principal_dynamic_group_name> to read compartments in tenancy
    Allow dynamic-group <resource_principal_dynamic_group_name> to read tag-namespaces in tenancy
    Allow dynamic-group <resource_principal_dynamic_group_name> to read instances in compartment <sddc_compartment_name>
    Allow dynamic-group <resource_principal_dynamic_group_name> to read compute-capacity-reservations in tenancy
    Allow dynamic-group <resource_principal_dynamic_group_name> to read vnics in compartment <sddc_compartment_name>
    Allow dynamic-group <resource_principal_dynamic_group_name> to read vnic-attachments in compartment <sddc_compartment_name>
    Allow dynamic-group <resource_principal_dynamic_group_name> to read subnets in compartment <sddc_compartment_name>
    Allow dynamic-group <resource_principal_dynamic_group_name> to {SDDC_INSPECT, SDDC_DATASTORE_INSPECT, SDDC_DATASTORE_CLUSTER_INSPECT, SDDC_MANAGEMENT_APPLIANCE_INSPECT, SDDC_READ, SDDC_DATASTORE_READ, SDDC_DATASTORE_CLUSTER_READ, SDDC_MANAGEMENT_APPLIANCE_READ, SDDC_MANAGEMENT_APPLIANCE_UPDATE} in tenancy
    Allow dynamic-group <resource_principal_dynamic_group_name> to manage sddc-management-appliance-internal in compartment <sddc_compartment_name>
    Allow dynamic-group <resource_principal_dynamic_group_name> to read volume-family in compartment <sddc_compartment_name>
    Allow dynamic-group <resource_principal_dynamic_group_name> to read vaults in tenancy
    Allow dynamic-group <resource_principal_dynamic_group_name> to read keys in tenancy
    Allow dynamic-group <resource_principal_dynamic_group_name> to read secret-family in tenancy where any {target.secret.id='<administrator_secret_ocid>', target.secret.id='<ocvssystem_secret_ocid>', target.secret.id='<nsx_admin_secret_ocid>'}
    Allow dynamic-group <instance_principal_dynamic_group_name> to use metrics in compartment <sddc_compartment_name> where target.metrics.namespace='oci_computeagent'
  4. To set up permissions for the user who creates the management appliance, use the following policies.

    If your admin has access rights to all resources in the tenancy, you can skip this step.

    If you still need to manage these permissions, we assume that your admin user belongs to a group and that you grant the permissions below to that group. Replace <user_group_name> with the name of your user group and <sddc_compartment_name> with your compartment name.

    Allow group <user_group_name> to manage instance-family in compartment <sddc_compartment_name>
    Allow group <user_group_name> to manage virtual-network-family in compartment <sddc_compartment_name>
    Allow group <user_group_name> to manage management-agents in compartment <sddc_compartment_name>
    Allow group <user_group_name> to manage management-agent-install-keys in compartment <sddc_compartment_name>
    Allow group <user_group_name> to manage sddc in compartment <sddc_compartment_name>
    Allow group <user_group_name> to manage tag-namespaces in compartment <sddc_compartment_name>
    Allow group <user_group_name> to manage tags in compartment <sddc_compartment_name>
    Allow group <user_group_name> to manage volume-family in compartment <sddc_compartment_name>
    Allow group <user_group_name> to manage vaults in compartment <sddc_compartment_name>
    Allow group <user_group_name> to manage secret-family in compartment <sddc_compartment_name>
    Note

    If you place the SDDC and Management Appliance in your root compartment (tenancy), use the "in tenancy" scope for the policies instead of "in compartment <sddc_compartment_name>."
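Policy statements copied with an unreplaced placeholder, or with a subject missing its identity-domain prefix, fail silently at evaluation time, and the secret-family grant is the one statement where an over-broad edit would expose every secret in the tenancy to the appliance. The following Python is an added example, not code from the Oracle page: it renders the dynamic-group matching rule from step 2 and the appliance policy statements from step 3 from a variables table, refuses to emit a statement that still carries a <placeholder>, applies the identity-domain prefix described in the note above, and reports which secret OCIDs the secret-family read is restricted to. The example values are constructed; the 'domain'/'name' quoting used for a non-default domain subject is an assumption to confirm against your tenancy's policy syntax.

```python
import re
from typing import Dict, List, Optional, Set

# Variables appear in the page's statements as <lowercase_name>.
PLACEHOLDER = re.compile(r"<[a-z_]+>")
# Subject of an Allow statement: "Allow dynamic-group NAME ..." or "Allow group NAME ...".
SUBJECT = re.compile(r"^(Allow (?:dynamic-group|group) )(\S+)")
SECRET_CONDITION = re.compile(r"target\.secret\.id='([^']+)'")

# Matching rule and policy statements as the page lists them.
DYNAMIC_GROUP_RULE = ("Any {resource.type = 'managementagent', "
                      "resource.compartment.id='<sddc_compartment_ocid>', "
                      "instance.compartment.id = '<sddc_compartment_ocid>'}")
APPLIANCE_POLICIES = [
    "Allow dynamic-group <resource_principal_dynamic_group_name> to read compartments in tenancy",
    "Allow dynamic-group <resource_principal_dynamic_group_name> to read tag-namespaces in tenancy",
    "Allow dynamic-group <resource_principal_dynamic_group_name> to read instances in compartment <sddc_compartment_name>",
    "Allow dynamic-group <resource_principal_dynamic_group_name> to read compute-capacity-reservations in tenancy",
    "Allow dynamic-group <resource_principal_dynamic_group_name> to read vnics in compartment <sddc_compartment_name>",
    "Allow dynamic-group <resource_principal_dynamic_group_name> to read vnic-attachments in compartment <sddc_compartment_name>",
    "Allow dynamic-group <resource_principal_dynamic_group_name> to read subnets in compartment <sddc_compartment_name>",
    "Allow dynamic-group <resource_principal_dynamic_group_name> to {SDDC_INSPECT, SDDC_DATASTORE_INSPECT, SDDC_DATASTORE_CLUSTER_INSPECT, SDDC_MANAGEMENT_APPLIANCE_INSPECT, SDDC_READ, SDDC_DATASTORE_READ, SDDC_DATASTORE_CLUSTER_READ, SDDC_MANAGEMENT_APPLIANCE_READ, SDDC_MANAGEMENT_APPLIANCE_UPDATE} in tenancy",
    "Allow dynamic-group <resource_principal_dynamic_group_name> to manage sddc-management-appliance-internal in compartment <sddc_compartment_name>",
    "Allow dynamic-group <resource_principal_dynamic_group_name> to read volume-family in compartment <sddc_compartment_name>",
    "Allow dynamic-group <resource_principal_dynamic_group_name> to read vaults in tenancy",
    "Allow dynamic-group <resource_principal_dynamic_group_name> to read keys in tenancy",
    "Allow dynamic-group <resource_principal_dynamic_group_name> to read secret-family in tenancy where any {target.secret.id='<administrator_secret_ocid>', target.secret.id='<ocvssystem_secret_ocid>', target.secret.id='<nsx_admin_secret_ocid>'}",
    "Allow dynamic-group <instance_principal_dynamic_group_name> to use metrics in compartment <sddc_compartment_name> where target.metrics.namespace='oci_computeagent'",
]

# Constructed example values; every OCID is a placeholder, not a real identifier.
EXAMPLE_VALUES: Dict[str, str] = {
    "sddc_compartment_ocid": "ocid1.compartment.oc1..EXAMPLE",
    "sddc_compartment_name": "sddc-prod",
    "resource_principal_dynamic_group_name": "ma-resource-dg",
    "instance_principal_dynamic_group_name": "ma-instance-dg",
    "administrator_secret_ocid": "ocid1.vaultsecret.oc1.iad.EXAMPLE-ADMIN",
    "ocvssystem_secret_ocid": "ocid1.vaultsecret.oc1.iad.EXAMPLE-OCVS",
    "nsx_admin_secret_ocid": "ocid1.vaultsecret.oc1.iad.EXAMPLE-NSX",
}


def missing_values(statements: List[str], values: Dict[str, str]) -> Set[str]:
    """Variable names used by the statements that have no value supplied."""
    used = {m[1:-1] for s in statements for m in PLACEHOLDER.findall(s)}
    return used - set(values)


def render(statements: List[str], values: Dict[str, str],
           identity_domain: Optional[str] = None) -> List[str]:
    """Substitute every <variable>; optionally prefix the subject with a non-default
    identity domain; never emit a statement that still contains a placeholder."""
    missing = missing_values(statements, values)
    if missing:
        raise ValueError(f"no value supplied for: {sorted(missing)}")
    rendered = []
    for stmt in statements:
        text = PLACEHOLDER.sub(lambda m: values[m.group(0)[1:-1]], stmt)
        if PLACEHOLDER.search(text):  # a value such as "<password>" slipped in
            raise ValueError(f"placeholder left in rendered statement: {text}")
        if identity_domain:
            # Assumed form of a non-default domain subject: 'domain'/'name'.
            text = SUBJECT.sub(lambda m: f"{m.group(1)}'{identity_domain}'/'{m.group(2)}'",
                               text, count=1)
        rendered.append(text)
    return rendered


def secret_ids_allowed(statements: List[str]) -> List[str]:
    """Secret OCIDs the secret-family grant is restricted to; empty means the
    grant is missing or unrestricted, which is the case to catch before applying."""
    for stmt in statements:
        if "secret-family" in stmt:
            return SECRET_CONDITION.findall(stmt)
    return []


if __name__ == "__main__":
    print(render([DYNAMIC_GROUP_RULE], EXAMPLE_VALUES)[0])
    for line in render(APPLIANCE_POLICIES, EXAMPLE_VALUES, identity_domain="Prod"):
        print(line)
    print("secret-family restricted to:", secret_ids_allowed(render(APPLIANCE_POLICIES, EXAMPLE_VALUES)))
```

Paste the rendered lines into the policy editor at the tenancy level, as the note above requires. The `secret_ids_allowed` check is worth keeping in whatever pipeline applies your policies: the intended output lists exactly the three secret OCIDs, and an empty list means the where clause was lost.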

Install the Appliance Using the Console

  1. Select a compartment, and then select the SDDC.
  2. Under Resources, select Management appliance.
  3. Select Create management appliance.
    The Create management appliance panel opens.
  4. Enter the following information:
    • Compute instance name: Enter a name for the Compute instance that's created in the tenancy to host the Management Appliance.
    • Metric ingestion to OCI: Enables transmission of Management Appliance metrics to the OCI Logging service.
    • vSphere admin user vault secret: Enter the OCID of the vault secret you created before for the Administrator user.
    • NSX admin user vault secret: Enter the vault secret for a user with full NSX administrative privileges. The Management Appliance uses this user for NSX operations when adding ESXi hosts. When no longer needed, you can turn off access to this user's credentials by disabling or removing the corresponding vault secret. This user is created when you create the SDDC.

When the appliance is created, the following status updates are displayed on the Management Appliance details page:
  • State: Active
  • State details: Healthy

Check for the vSphere Plugin

  1. In the Management Appliance details page, next to State details, select View details.
  2. View the following status updates to verify connectivity:
    • vSphere connectivity: Healthy
    • vSphere admin connectivity: Healthy
    • vSphere UI plugin registration: Healthy