Monitoring VMware Identity Manager with VMware vRealize Operations


Those familiar with deploying VMware vRealize Suite know just how vital VMware Identity Manager (vIDM) is to support the entire deployment. For those who haven’t deployed VMware vRealize Suite, VMware Identity Manager is the centralized authentication platform integrated throughout the entire VMware vRealize Suite of products. It provides multiple directory options, including Active Directory Integrated Windows Authentication, Active Directory over LDAPS, traditional LDAP directories, and local directories. Authentication options include traditional username/password, x509 certificate/smart card, Kerberos, RSA Adaptive Authentication, RSA SecurID, and RADIUS.

While some products within the VMware vRealize Suite such as VMware vRealize Operations and VMware vRealize Log Insight support local authentication and Active Directory integration natively, VMware vRealize Automation 8.x depends exclusively on VMware Identity Manager to provide authentication services. With VMware vRealize Automation 8.x being the foundation of many private cloud environments, the availability of VMware Identity Manager becomes crucial.

In this article, I walk you through the process of configuring the VMware vRealize Operations Management Pack for VMware Identity Manager 1.3.1 and the capabilities that it provides. The management pack supports VMware vRealize Operations 8.4 through 8.6.x, Advanced and Enterprise editions. I am utilizing VMware vRealize Operations 8.6.2 Enterprise and VMware Identity Manager 3.3.6 to create this walkthrough.

Getting Started with the Management Pack for VMware Identity Manager

Installing the Management Pack

The first step is installing the VMware vRealize Operations Management Pack for VMware Identity Manager 1.3.1 within VMware vRealize Operations. The process of installing a new management pack to VMware vRealize Operations is very straightforward, as documented here: VMware vRealize Operations 8.6 – Adding Solutions. Once you have the management pack installed, it is time to connect it to your deployment of VMware Identity Manager.

Creating a Service Account

This connection requires an account that is a member of either the Super Admin or the ReadOnly Admin role within VMware Identity Manager. In my deployment, I configured an account just for this purpose. I assigned it the ReadOnly Admin role, as the account should not be able to do anything other than view the health of the VMware Identity Manager deployment. To create this account, you will need to access the VMware Identity Manager Admin interface by pointing your browser to “https://{FQDN of vIDM Instance}/SAAS/admin”, replacing {FQDN of vIDM Instance} with the hostname of your VMware Identity Manager deployment. Log in to the interface using an account assigned to the Super Admin role, such as the built-in “admin” account. Next, select the “Users and Groups” tab from the top of the page, then click the “Add User” button.

VMware Identity Manager - Users and Groups

On the resulting “Add a user” dialog, enter the details for your service account. Since we are creating a local service account, select “System Directory” from the “Directory List” and “System Domain” from the “Domain List.” Enter the username for the new account, and then enter an email address that you have access to (you will receive an email that allows you to set the password). Provide a value for the “First Name” and “Last Name” fields, then select “ReadOnly Admin” from the “Role” list.

VMware Identity Manager - Add a user

Please note that you must have SMTP configured within your VMware Identity Manager deployment to send you the email allowing you to set the password. If you cannot configure SMTP, you can set the account password using the REST API as documented here: Reset local user password in VMware Identity Manager vIDM via REST API using Postman. Additionally, you can import an account from an external directory such as Active Directory to utilize as the service account. If you are setting the password from the email message sent, be sure that you log out from VMware Identity Manager before accessing the link or open the link using an Incognito or InPrivate browser session.

Adding the Connection to VMware vRealize Operations

Now that you have an account within VMware Identity Manager, the next step is to connect VMware vRealize Operations to your VMware Identity Manager instance. To do this, log in to your VMware vRealize Operations instance using an account that has all of the “Datasource” permissions assigned. Next, select “Data Sources” and then “Integrations” from the left side navigation. To add the new integration, click the “Add Account” button.

VMware vRealize Operations - Data Sources - Integrations

You are presented with the “Account Types” selection screen. From here, look for the item labeled “VMware Identity Manager.” Click on this box to move to the next screen.

VMware vRealize Operations - Integrations - Account Types

Next, we provide the details for connecting to our deployment of VMware Identity Manager. The “Name” field is how VMware vRealize Operations will present the deployment within the application; I usually specify the FQDN for this field. The “vIDM Host” field should contain the FQDN of your VMware Identity Manager deployment. If you have a highly available deployment, enter the load-balanced FQDN rather than the FQDN of an individual node. In the “Credentials” field, click the “+” beside the field to add a new set of credentials. After defining the credentials, make sure your new entry is selected. Finally, click the “Save” button to save the configuration.

VMware vRealize Operations - Integrations - Add Account

After saving the new integration, verify that the integration is connected and collecting data by expanding the “VMware Identity Manager Adapter” entry on the “Integrations” page and looking for the green “OK” status.

VMware vRealize Operations - Integrations - VMware Identity Manager Adapter - Green OK Status

Management Pack Contents

The VMware vRealize Operations Management Pack for VMware Identity Manager 1.3.1 contains some initial content to help you get started with monitoring your VMware Identity Manager environments. This includes a single overview dashboard and several symptom/alert definitions.

VMware Identity Manager Overview Dashboard

The single dashboard included with the management pack provides a high-level overview of your VMware Identity Manager deployments. The top portion of the dashboard provides an overview list of all registered VMware Identity Manager deployments, including Name, FQDN, IP, Number of Active Users, Number of Directories, Number of LDAP Directories, Number of Local Directories, Version, Current Time, and Health. The bottom portion of the dashboard provides a drill-down of details for the specific environment selected from the top part of the dashboard. Details included in this drill down are Total Apps, Total Devices, Total Groups, Total Users, All Activity, Groups Removed, Groups Updated, Users Added, Unique User Logins, and Health.

VMware Identity Manager Overview Dashboard

Symptoms and Alerts

In addition to the included dashboard, the management pack also contains 21 symptom definitions and 17 alert definitions.

Symptom Definitions

The symptom definitions included are the following:

  • Avarage Health of vIDM Instance is critically low.
  • Health of Application Deployment is Critically Low.
  • Health of FQDN vIDM Server is crtically low.
  • Health of vIDM ACSHealth-ApplicationDeployment is Low.
  • Health of vIDM AirWatch API Server is Critically low.
  • Health of vIDM Application Manager-Application Deployment is Critically Low.
  • Health of vIDM Certificate is not good , look like it is Expired.
  • Health of vIDM Configurator-ApplicationDeployment is Low.
  • Health of vIDM Connector-ApplicationDeployment is Critically Low.
  • Health of vIDM Disk Space is Critically Low.
  • Health of vIDM Elasticsearch is Red.
  • Health of vIDM Port Connectivity is Critically Low.
  • Health of vIDM RabbitMQ Service is CriticallyLow.
  • vIDM AirWatch API Server status is INFO.
  • vIDM AirWatch API Server Summary is Configured.
  • vIDM AirWatch API Server Summary is not configured;
  • vIDM Analytics Connection Test Connection failed.
  • vIDM Database Test connection failed.
  • vIDM Directory Sync Status false.
  • vIDM File System usage above threshold.
  • vIDM Messaging Server Test Connection failed.

Alert Definitions

The alert definitions included are the following:

  • Health of Application Deployment is Critically Low.
  • Health of FQDN vIDM Server is critically low.
  • Health of vIDM ACSHealth-ApplicationDeployment is Low.
  • Health of vIDM AirWatch API Server is Critically low.
  • Health of vIDM Application Manager-Application Deployment is Critically Low.
  • Health of vIDM Certificate is not good , look like it is Expired.
  • Health of vIDM Configurator-ApplicationDeployment is Low.
  • Health of vIDM Connector-ApplicationDeployment is Critically Low.
  • Health of vIDM Disk Space is Critically Low.
  • Health of vIDM Elasticsearch is Red.
  • Health of vIDM Instance is degraded.
  • Health of vIDM RabbitMQ Service is Critically Low.
  • Health of vIDMPort Connectivity is Critically Low.
  • vIDM Analytics Connection Test Connection failed.
  • vIDM Database Test connection failed.
  • vIDM Directory Sync status is down
  • vIDM Messaging Server Test Connection failed.

Metrics Included

The management pack includes several metrics and properties for the various objects it discovers and monitors. Because the list is quite long, I will refer you to VMware’s official documentation: Metrics in VMware Identity Manager. I have noticed that a few metrics are missing from this documentation, but overall, it’s a detailed list.

Integration with SDDC Health Monitoring Solution

The SDDC Health Monitoring Solution for vRealize Operations is a valuable tool for seeing a complete picture of your software-defined data center’s health. After you complete the setup of the VMware vRealize Operations Management Pack for VMware Identity Manager, the SDDC Health Monitoring Solution for VMware vRealize Operations will surface health information and relationships related to VMware Identity Manager within the SDDC Management Health Overview dashboard.

vRealize Operations - SDDC Health Monitoring Solution - Health Overview Dashboard

Final Thoughts

The VMware vRealize Operations Management Pack for VMware Identity Manager provides a lot of great out-of-the-box information that can give you a quick way to begin monitoring VMware Identity Manager. It’s great that it automatically integrates with the SDDC Health Monitoring Solution to provide a quick high-level view of your SDDC health. However, I feel that the management pack lacks some polish and depth:

  • There are very few, if any, performance metrics provided.
  • The alert and symptom definitions capitalize words and phrases inconsistently from item to item.
  • I’ve also been unable to find a description of the metrics that lists the possible values to expect. Statuses that are either “OK” or “notOK” are not very informative.

It would be great if the management pack could provide:

  • Additional auditing statistics such as failed login attempts
  • Performance metrics, such as response times and individual service level metrics
  • Documentation on support for multi-tenant VMware Identity Manager deployments
