Scenario
After applying steps described above WAP will continue working separately from OSA:
- Customers will have ability to directly manage Azure Pack Plans, VMs, Subscriptions using WAP Portal directly
- No communication with OA and BA
- Provider will have ability to sell WAP service as dummy using BA and PA
Removing integration with OSA - disabling communication and notifications:
1) Login to WAP host (where IIS with all WAP websites is installed)
2) Open Windows Azure Pack Configuration Power Shell
3) Build the connection variable with DataBase IP, system administrator login, and password
$cnctString = 'Data Source=<WAP DataBase IP>;User ID=sa;Password=<password>'
4) Set default Admin Endpoint. Port 30072 is default for Admin Endpoint site. For URL you can use your own domain which is pointing to this site. Using this URL customer will have ability to access WAP portal.
Set-MgmtSvcRelyingPartySettings -Target 'Admin' -MetadataEndpoint https://wap.example.com:30072/FederationMetadata/2007-06/FederationMetadata.xml -ConnectionString $cnctString -DisableCertificateValidation
5) Set the default Tenant Endpoint. Use same domain as for WAP portal
Set-MgmtSvcRelyingPartySettings -Target 'Tenant' -MetadataEndpoint https://wap.example.com:30071/FederationMetadata/2007-06/FederationMetadata.xml -ConnectionString $cnctString -DisableCertificateValidation
6) Set default Auth Endpoint. By using this command you remove authentication which was set up during WAP deployment blocking exernal access to WAP portal. Instead of wap.example.com you need to use the domain pointing to this site.
Set-MgmtSvcIdentityProviderSettings -Target Membership -MetadataEndpoint https://wap.example.com:30081/FederationMetadata/2007-06/FederationMetadata.xml -ConnectionString $cnctString -DisableCertificateValidation
For reference, please see the Technet link Switch back to the default Windows Azure Pack authentication sites
7) Remove our Billing notification subscriber. This action is needed to remove integration with OSA Billing side. When it is performed, notification to WAP endpoint will not be sent in case customer cancels subscription in CCP.
Remove-MgmtSvcNotificationSubscriber -Name 'Billing'
Remove users created during deployment from WAP.
These users have access and permissions to execute command on WAP endpoint and needed for communication with OSA via API. They should be removed to prevent access to WAP endpoint for anyone except admin.
1) Remove OSA Rest-API User.
Remove-MgmtSvcAdminUser 'wap-rest-admin'
# in case DB deployed on separate host:*
Remove-MgmtSvcAdminUser 'wap-rest-admin' -ConnectionString 'Data Source=<fqdn of wap db>;Initial Catalog=Microsoft.MgmtSvc.Store;User ID=<admin user of database>;Password=<password of db admin>'
2) Remove OSA WAP-Portal User.
Remove-MgmtSvcAdminUser 'wap-portal-admin'
IMPORTANT: In case DB deployed on separate host:
Remove-MgmtSvcAdminUser 'wap-portal-admin' -ConnectionString 'Data Source=om;Initial Catalog=Microsoft.MgmtSvc.Store;User ID=<admin user of database>;Password=<password of db admin>'
3) Restart IIS
iisreset
Create users in WAP portal to allow customer to login in WAP:
1) Create new users for OA Customers with WAP subscriptions from Admin Portal directly. Also you can use built-in cmdlets in order to create them. To automate that please refer to Microsoft cmdlet
IMPORTANT: This action is needed to restore access of users to WAP portal. By default users created with UIDs instead of human readable UPN logins.
12) Assign subscription administrator rights to them and provide new login details to customers.
Now you and your customers will directly manage Azure Pack Plans, VMs, Subscriptions using WAP Portal directly.
IMPORTANT NOTES:
1) Keep in mind that 30072, 30071, 30081 are default ports for appropriate WAP websites. Like installation from beginning
2) OA creates WAP Users with Names = GUID, like (7a9ea80c-e279-461f-bc5c-40d7841ed5d0), therefore 'Forgot Password', 'Reset Password' or login with that GUID as login name will no longer work.
3) Important: do not remove users in WAP which were created by OA, that will trigger sugbscription removal
4) Important: do not apply that guide for WAP with ADFS integration.
For reference, please see Switch back to the default Windows Azure Pack authentication sites
If you want also to remove possibility to manage existing WAP subscriptions and buy new ones from OA you may use a few paths.
Our default approach is not to remove existing subscriptions, but to keep them remaining in OSA. Prodiver will have an ability to sell them as dummy subscriptions.
Setup dummy APS endpoint in WAP settings. This will make sure provisioning to complete successfully as APS endpoint will always give answer 200 OK. You need to ensure that connection to https://doc.apsstandard.org:443/endpoint is working from the Management Node:
[root@core ~]# curl --verbose -k https://doc.apsstandard.org:443/endpoint
* About to connect() to doc.apsstandard.org port 443 (#0)
* Trying 199.115.104.147... connected
* Connected to doc.apsstandard.org (199.115.104.147) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* subject: CN=*.apsstandard.org,OU=Domain Control Validated
* start date: Feb 03 08:17:38 2016 GMT
* expire date: Feb 03 06:40:38 2017 GMT
common name: .apsstandard.org
* issuer: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
> GET /endpoint HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: doc.apsstandard.org
> Accept: /
>
< HTTP/1.1 200 OK
< Server: nginx
< Date: Fri, 06 May 2016 07:43:35 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 0
< Connection: keep-alive
< Cache-Control: no-cache, must-revalidate
< Expires: Sat, 26 Jul 1997 05:00:00 GMT
<
* Connection #0 to host doc.apsstandard.org left intact
* Closing connection #0
And then repoint WAP application to the new endpoint:
plesk> update aps_application set endpoint_uri='https://doc.apsstandard.org:443/endpoint' where id=59;
For new subscriptions use ServicePlan based on dummy resources - no subscription will be provisioned to OA side, but subscription will be not visible in hosting cp - only in managed subscriptions under account.
If you decide to clean up all WAP subscriptions from OSA completely - use the following steps:
1) In OA provider's control panel, go to Billing panel > Operations > Subscriptions
2) Cancel and destroy each subscription on WAP services. Wait until Cancellation Orders provisioning finished
3) Go to Products > Service Plans. Unpublish all WAP Service Plans from there.
4) Go to Products > Online Store. Delete Purchase Scenario, which was created for selling WAP services. Synchronize Online Store
5) Go to Operations panel > Operations > Tasks. You will have failed “Unprovisioning "AzureSubscription" for APS application Windows Azure Pack APS Package” tasks for each cancelled WAP subscription. Cancel this Tasks trees
IMPORTANT NOTES:
Tasks will be failed with errors like:
APS Application Error: 403 Forbidden [ApplicationUnknownError] Unprovisioning: resource 345e5cee-be5a-40ed-b41e-351f0414b5ae of type 'subscriptions' (http://www.parallels.com/infrastructure/cloudos/subscription/1.1) for APS application 'Windows Azure Pack APS Package-1.4-307': [AZURE] {"Code":"InvalidSecurityToken","Message":"The security token cannot be verified.","Details":[]}.
Body: { "error": "ApplicationUnknownError", "message": "[AZURE] {\"Code\":\"InvalidSecurityToken\",\"Message\":\"The security token cannot be verified.\",\"Details\":[]}", "http_request": "DELETE /subscriptions/345e5cee-be5a-40ed-b41e-351f0414b5ae to '0.0.0.0:4485'" }
It’s normal in current situation because we have already decommissioned WAP from OA.
Now Customers won’t see Azure Pack Services tab in their control panels, couldn’t manage existing WAP subscriptions from it and buy new WAP subscriptions in customer’s control panel or Online Store. Business Automation will not bill customers for WAP subscriptions anymore.
You cannot remove WAP Service Plans, Service Templates, Resources, WAP APS package itself because previously created WAP subscriptions are still stored in BA database, and it is not possible to delete them because of constraints.