VMware vCenter Orchestrator - 4.2.1 Administrator’s Guide

Administering VMware vCenter Orchestrator
vCenter Orchestrator 4.2
This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
EN-000467-02
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com
Copyright © 2008 – 2012 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents.
VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
VMware, Inc.
3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com

Contents

Administering VMware vCenter Orchestrator
Updated Information
1 The Orchestrator Client
    Log in to the Orchestrator Client
    Access the Orchestrator API Explorer
    User Preferences
    My Orchestrator View
    Configurations View
    Packages View
    Scheduler View
    Workflows View
    Components of the Workflows View
    Actions View
    Resources View
    Inventory View
    Web Views View
    Weboperator Web View
    Start the Weboperator Web View
    Policies
2 Managing Workflows
    Standard Workflows in the Workflow Library
    Workflow Name Changes
    Key Concepts of Workflows
    Workflow User Permissions
    Workflow Credentials
    Workflow Attributes
    Workflow Parameters
    Workflow Schema
    View Workflow Schema
    Workflow Tokens
    Workflow Token States
    Locking Mechanism
    Set User Permissions on a Workflow
    Run a Workflow
    Respond to a Request for a User Interaction
    Scheduling Workflows
    Schedule a Workflow
    Edit the Workflow Recurrence Pattern
3 Creating Resource Elements
    View a Resource Element
    Import an External Object to Use as a Resource Element
    Edit the Resource Element Information and Access Rights
    Save a Resource Element to a File
    Update a Resource Element
    Add a Resource Element to a Workflow
    Add a Resource Element to a Web View
4 Managing Actions
    Create an Action
    Duplicate an Action
    Export an Action
    Import an Action
    Move an Action
    Find Elements That Implement an Action
5 Using Packages
    Create a Package
    Set User Permissions on a Package
    Export a Package
    Import a Package
    Get and Synchronize a Remote Package
    Remove a Package
6 Setting System Properties
    Disable Access to the Orchestrator Client By Nonadministrators
    Disable Access to Workflows from Web Service Clients
    Setting Server File System Access from Workflows and JavaScript
    Set Server File System Access for Workflows and JavaScript
    Manually Create the js-io-rights.conf File
    Set JavaScript Access to Operating System Commands
    Set JavaScript Access to Java Classes
    Set Custom Timeout Property
    Modify the Number of Objects a Plug-In Search Obtains
    Modify the Number of Concurrent and Pending Workflows
7 Maintenance and Recovery
    Orchestrator Server Fails to Start
    Revert to the Default Password for Orchestrator Configuration
    Change the Web View SSL Certificate
    Orchestrator Log Files
    Logging Persistence
    Define the Server Log Level
    Change the Size of Server Logs
    Export Orchestrator Log Files
    Loss of Server Logs
    Maintaining the Orchestrator Database
Index

Administering VMware vCenter Orchestrator

Administering VMware vCenter Orchestrator provides information and instructions about using and maintaining VMware® vCenter Orchestrator. It also describes how to manage workflows, plug-ins, packages, and inventory.
Intended Audience
This information is intended for advanced vSphere administrators and experienced system administrators who are familiar with virtual machine technology and datacenter operations, as well as anyone who wants to:
- Automate frequently repeated processes related to the management of the virtual environment.
- Manage multiple automated processes across and among heterogeneous systems.
- Provide transparency in IT processes by centralizing automated scripts.
- React faster to unplanned changes in the virtual environment.

Updated Information

Administering VMware vCenter Orchestrator is updated with each release of the product or when necessary.
This table provides the update history of Administering VMware vCenter Orchestrator.
Revision | Description
EN-000467-02 | Updated Step 3 in “Set Server File System Access for Workflows and JavaScript,” on page 49. Added topic “Manually Create the js-io-rights.conf File,” on page 50.
EN-000467-01 | Removed a note regarding policy development from “Policies,” on page 19. Orchestrator 4.2 supports policy development.
EN-000467-00 | Initial release.

1 The Orchestrator Client

The Orchestrator client is an easy-to-use desktop application that allows you to perform daily administration tasks such as importing packages, running and scheduling workflows, and managing user permissions. The Orchestrator client also serves as an IDE for creating or customizing workflows.
This chapter includes the following topics:
- Log in to the Orchestrator Client
- Access the Orchestrator API Explorer
- User Preferences
- My Orchestrator View
- Configurations View
- Packages View
- Scheduler View
- Workflows View
- Actions View
- Resources View
- Inventory View
- Web Views View
- Weboperator Web View
- Policies

Log in to the Orchestrator Client

To perform general administration tasks or to edit and create workflows, you must log in to the Orchestrator client interface.
NOTE The Orchestrator client interface is designed for developers with administrative rights who want to develop workflows, actions, and other custom elements.
Prerequisites
All components of the Orchestrator server must be configured and the Orchestrator server service must be running.
Procedure
1 Log in as an administrator to the machine on which the Orchestrator client is installed.
2 Click Start > Programs > VMware > vCenter Orchestrator Client.
3 In the Host name field, type the IP address to which the Orchestrator server is bound.
To check the IP address, log in to the Orchestrator configuration interface and check the IP settings on the Network tab.
4 Log in by using the Orchestrator user name and password.
To check the credentials, log in to the Orchestrator configuration interface and check the credentials on the LDAP tab.
5 In the Security Warning window, select an option to handle the certificate warning.
The Orchestrator client communicates with the Orchestrator server by using an SSL certificate. A trusted CA does not sign the certificate during installation. Because of this, you receive a certificate warning each time you connect to the Orchestrator server.
Option | Description
Ignore | Click Ignore to continue using the current SSL certificate. The warning message appears again when you reconnect to the same Orchestrator server, or when you try to synchronize a workflow with a remote Orchestrator server.
Cancel | Click Cancel to close the window and stop the login process.
Install this certificate and do not display any security warnings for it anymore. | Select this check box and click Ignore to install the certificate and stop receiving security warnings.
You can replace the default SSL certificate with a certificate signed by a CA. For more information about changing SSL certificates, see Installing and Configuring VMware vCenter Orchestrator.
The My Orchestrator view appears. This view summarizes the recent activities on the server, shows pending and running workflows, running policies, scheduled tasks, completed workflows, and elements you recently edited.
What to do next
You can import a package, start a workflow, or set root access rights on the system.

Access the Orchestrator API Explorer

Orchestrator provides an API Explorer to allow you to search the Orchestrator API and see the documentation for JavaScript objects that you can use in scripted elements.
You can consult an online version of the Scripting API for the vCenter Server plug-in on the Orchestrator documentation home page.
Procedure
Access the API Explorer from either the Orchestrator client or from the Scripting tabs of the workflow, policy, and action editors.
- To access the API Explorer from the Orchestrator client, click Tools > API Explorer in the Orchestrator client tool bar.
- To access the API Explorer from the Scripting tabs of the workflow, policy, and action editors, click Search API on the left.
The API Explorer appears, allowing you to search all the objects and functions of the Orchestrator API.
What to do next
Use the API Explorer to write scripts for scriptable elements.

User Preferences

You can customize aspects of the Orchestrator client by using the User preferences tool.
Your preferences are saved on the client side in the C:\Documents and Settings\Current_User\.vmware\vmware-vmo.cfg file. The .vmware folder is created when you first connect the client to a running Orchestrator server.
To access the tool, select Tools > User preferences in the Orchestrator client toolbar.
From the User preferences tool you can change the following preferences.
General Preferences
Table 1-1. Orchestrator Client Customization Options
Option | Description
Auto-edit new inserted | The new elements that you add open in an editor.
Script compilation delay | The frequency of the background task that compiles the scripts and reports errors in edit mode.
Show decision scripts | You can see the decision script of the implemented decision functions.
Delete non empty folder permitted | You can delete a folder together with its subfolders and contents.
Size of run logs (number of lines) | The maximum number of lines in the system log that Orchestrator displays when you select a workflow run in the Orchestrator client and click Logs on the Schema tab. The value must be greater than 0.
Server log fetch limit | The maximum number of lines in the server logs that Orchestrator fetches from the database and displays when you click any of the Events tabs in the Orchestrator client. The value must be greater than 0.
Finder maximum size | The maximum number of results that the searches return when you search for elements such as actions or workflows. The value must be greater than 0.
Check usage when deleting an element | Orchestrator checks if the element you are trying to delete is referenced by other elements. If the element is used by another workflow, policy, or action, a warning message appears.
Check OGNL expression | Orchestrator validates the OGNL expressions in the workflow presentations. NOTE The use of OGNL expressions in workflow presentations is deprecated as of Orchestrator 4.1. Using OGNL expressions in workflow presentations is not supported in Orchestrator 4.1 and later.
Workflows Preferences
Table 1-2. Workflow Editor Customization Options
Option | Description
Check task/decision IN/OUT parameters | Orchestrator checks if the input and output parameters of an activity are correctly bound to the corresponding input or output attribute of the workflow.
Check error in task's scripts | Orchestrator validates the script in scriptable task elements.
Check workflow termination | Orchestrator checks if each terminal transition of a workflow with different possible outcomes is connected to an End Workflow schema element.
Check unreachable items | Orchestrator checks if all activities are reachable.
Check unused workflow's parameters/attributes | Orchestrator checks if all parameters and attributes of a workflow are used.
Check unknown types from plug-ins | Orchestrator checks if all parameters and attributes of a workflow are of a known type.
Check for legacy 'Action' scripting call (slow) | Orchestrator detects legacy actions calls and displays a warning message.
Use direct lines as workflow diagram links | The connector tool uses direct lines to link the workflow schema elements.
Choose workflow in tree view | The workflow selector displays a hierarchical tree viewer instead of the default list panel.
Validate workflow before running it | Orchestrator validates each workflow before allowing it to run.
Inventory Preferences
You can enable the Use contextual menu in inventory option to display the workflows that are available for an inventory object. When the option is enabled and you right-click an object in the Orchestrator inventory, all workflows applicable to the selected object type are displayed.
Script Editor Preferences
You can customize the scripting engine from the Script Editor option of the User preferences menu. You can disable automatic completion of lines, and change the default code formatting options.

My Orchestrator View

The My Orchestrator view in the Orchestrator client interface summarizes the most recent activities on the Orchestrator server, such as recently modified elements, pending and running workflows, running policies, completed workflows, and workflows that are waiting for user interaction.
From the My Orchestrator view you can perform common administrative tasks, such as running a workflow, importing a package, and setting root access rights.
The My Orchestrator view presents the following tabs.
Today
    Displays the most recent workflow runs and modified elements.
Workflow Tokens
    Provides details about the different workflow runs. This information includes the workflow's running status, the user who started it, and the time and date when the workflow started and ended.
Waiting for Input
    Displays a list of the workflows that are waiting for user inputs that you or members of your user group have permission to provide.
Tasks
    Displays information about the scheduled workflows, including name, running state, last run, and next run.
Permissions
    Displays the users and user groups who have root access rights to all published Web views and the workflows in the Orchestrator library. The possible permissions are View, Execute, Inspect, Edit, and Admin.

Configurations View

The Configurations view in the Orchestrator client allows you to create configuration elements. Creating configuration elements allows you to define common attributes across an Orchestrator server.
The Configurations view consists of a set of tabs that show information about a configuration element that you select. You can edit a configuration element by right-clicking the element and selecting Edit.
General
    Displays general information about the configuration element, including its name and description, version number, and the user permissions.
Attributes
    Displays the attributes that are added to the configuration element. All elements that are running in the server can call on the attributes that are set in a configuration element.
Events
    Displays all the events that are associated with this configuration element.
Permissions
    Displays the users and user groups which have permission to access the configuration element.

Packages View

The Packages view in the Orchestrator client interface allows you to add, import, export, and synchronize packages.
The Packages view consists of a set of tabs that show different types of information about a package that you select. You can insert and remove elements on each tab in Edit Package mode. To access Edit Package mode, right-click a package and select Edit.
General
    Displays general information about the package, including its name, legal owner, and description.
Workflows
    Displays all the workflows that the selected package contains.
Policies
    Displays the policy templates that the selected package contains.
Actions
    Displays the actions that the selected package contains.
Web View
    Displays the Web views that the selected package contains.
Configurations
    Displays the configuration elements that the selected package contains.
Resources
    Displays the external resources embedded in the selected package.
Used Plug-Ins
    Displays information about the plug-ins associated with the selected package. Plug-ins can have one or more packages associated with them.
Permissions
    Displays the permissions granted to users or groups of users to interact with the package. The possible permissions are View, Inspect, Edit, and Admin.

Scheduler View

The Scheduler view in the Orchestrator client displays a list of all scheduled workflows in the system. The workflows are sorted by name or date, together with their status. You can use the Scheduler view to create, edit, suspend, resume, and cancel scheduled workflows.
The Scheduler view consists of a set of tabs that show different types of information about the scheduled workflow that you select. You can edit a scheduled workflow by right-clicking the workflow and selecting Edit.
General
    Displays general information about the scheduled workflow, including task name, start behavior, description, start date, startup user, the name of the scheduled workflow, and a list of the input values for the workflow.
Recurrence
    Displays details about the recurrence pattern of the scheduled workflow.
Workflow Runs
    Displays details about the different runs of a particular scheduled workflow. This information includes the running status of the workflow, its start and end date, and the user who started it. When you cancel a scheduled workflow, its log information is removed from the system. When you suspend a workflow, the log information is kept.
Permissions
    Displays the permissions accorded to users or groups of users to interact with the workflow. The possible permissions are View, Execute, Inspect, Edit, and Admin.

Workflows View

The Orchestrator client interface features a Workflows view that provides access to the Orchestrator libraries of workflows.
The Workflows view allows you to view information about each workflow, to create, edit, and run workflows, and to interact with them.
The Orchestrator client uses the following icon to identify workflows:

Components of the Workflows View

The Workflows view consists of a set of tabs that show information about the selected workflow.
General
    Displays general information about the workflow, including its name, its version number, the permissions, a description, and a list of the workflow's global attributes.
Inputs
    Lists all the input parameters that the workflow needs when it runs.
Outputs
    Lists the types of values that the workflow returns when it runs.
Schema
    Shows a graphical representation of the workflow. Clicking an element in the schema shows information about that element in the bottom half of the Workflows view.
Presentation
    Constructs the input parameters dialog box that users see when they run a workflow. You define the groups in which the input parameters appear in the dialog box and provide descriptions to help users provide the correct parameters. You also define any parameter properties or constraints.
Parameters Reference
    Shows all the input and output parameters in a single view. The tab also identifies the schema element that consumes or generates a parameter. You can optionally view the workflow attributes in this tab by clicking Show Attributes. When you right-click an attribute or a parameter and select Show in schema, the corresponding schema element is highlighted.
Workflow Tokens
    Provides details about the different runs of the selected workflow. This information includes the workflow's running status, the user who started it, and the time and date when the workflow started and ended.
Events
    Provides information about each event that occurs while the workflow is running. This information includes the event's running status, the user who started it, and the time and date when the event was issued. The information is stored in the VMO_LogEvent table in the Orchestrator database.
Permissions
    Lists the permissions accorded to users or groups of users to interact with the workflow. The possible permissions are View, Execute, Inspect, Edit, and Admin.

Actions View

The Actions view in the Orchestrator client interface allows you to access the libraries of predefined actions. In the Actions view, you can duplicate actions, export them to a file, or move them to a different module in the actions hierarchical list.
By expanding the nodes of the actions hierarchical list, you can browse available actions. When you select an action in the list, the right pane displays details about that action.
The Actions view presents the following tabs.
General
    Displays general information about the action, including its name, its version number, the operations the user is allowed to perform, and a description.
Scripting
    Displays the action’s return type, input parameters, and the JavaScript code that defines the action's function.
Events
    Displays all of the events associated with this action.
Permissions
    Displays which users and user groups have permission to access the action.

Resources View

The Resources view in the Orchestrator client allows you to import external objects such as images, sysprep files, custom scripts, and HTML and XML templates and use them as resource elements in workflows and Web views.
The Resources view consists of a set of tabs that show information about a particular resource element.
General
    Displays general information about the resource element, including its name, MIME type, description, version number, and the user permissions.
Viewer
    Displays the contents of the resource element.
Events
    Displays all of the events that are associated with this resource element.
Permissions
    Displays which users and user groups have permission to access the resource element.

Inventory View

The Inventory view in the Orchestrator client interface displays the objects of the plugged-in applications that are enabled in Orchestrator. You can use the Inventory view to run workflows on an inventory object.
If the Use contextual menu in inventory option is enabled, all of the workflows that you can run on the selected inventory object appear in a contextual menu.

Web Views View

The Web Views view in the Orchestrator client allows you to create, publish, and export Web views to a working folder for modification or as templates from which to create other Web views. You can use Web views to access Orchestrator functions from a Web browser.
The Web Views view consists of a set of tabs that show information about a particular Web view.
General
    Displays general information about the Web view, including its name, description, version number, the URL on which the Web view is published, and the user permissions.
Elements
    Displays the HTML files and Web view components associated with the selected Web view.
Attributes
    Displays the attributes that direct the Web view to the objects in the Orchestrator server on which it performs tasks.
Events
    Displays all of the events that are associated with the Web view.

Weboperator Web View

Orchestrator provides a standard Web view called weboperator that allows users to run workflows from a browser.
The weboperator Web view provides an example of the orchestration functions that Web views can provide to end users in browsers, without requiring that those users use the Orchestrator client.

Start the Weboperator Web View

You start the weboperator Web view from the Orchestrator client.
Procedure
1 Click the Web Views view in the Orchestrator client.
The weboperator Web view and any other Web views that you have imported into Orchestrator appear.
2 Right-click weboperator and select Publish.
3 Open a browser and go to http://orchestrator_server:8280.
In the URL, orchestrator_server is the DNS name or IP address of the Orchestrator server, and 8280 is the default port number where Orchestrator publishes Web views.
4 On the Orchestrator home page, click Web View List.
5 Click weboperator.
6 Log in using your Orchestrator user name and password.
7 Expand the hierarchical list of workflows to navigate through the workflows in the Orchestrator library.
8 Click a workflow in the hierarchical list to display information about the workflow in the right pane.
9 In the right pane, select whether to run the workflow now or at a later time.
Option | Action
Run the workflow now | a Click Start Workflow to run the workflow. b Provide the required input parameters and click Submit to run the workflow.
Run the workflow at a later time | a Click Schedule Workflow to run the workflow at a later time. b Provide the time, date, and recurrence information to set when and how often to run the workflow and click Next. c Provide the required input parameters and click Submit to schedule the workflow.
You can use the weboperator Web view to run workflows on objects in your inventory from a Web browser rather than from the Orchestrator client.
What to do next
If you only need a Web view to access the inventory and run workflows, the standard weboperator Web view should meet your requirements. If you require more complex functionality from a Web view, you can use the Web components and default Web view template that Orchestrator provides to develop custom Web views.

Policies

Policies are event triggers that monitor the activity of the system. Policies respond to predefined events issued by changes in the status or performance of certain defined objects.
Policies are a series of rules, gauges, thresholds and event filters that run certain workflows or scripts when specific predefined events occur in Orchestrator or in the technologies that Orchestrator accesses through plug-ins. Orchestrator constantly evaluates the policy rules as long as the policy is running. For instance, you can implement policy gauges and thresholds that monitor the behavior of vCenter Server objects of the VC:HostSystem and VC:VirtualMachine types.
Orchestrator defines the following types of policy:
Policy Templates
    Master policies. Policy templates are not linked to real objects. They are abstract sets of rules that define the behavior to implement if a certain abstract event occurs. You can see existing policy templates and create templates in the Policy Templates view in the Orchestrator client.
Policies
    Policies are instances of a template or standalone event triggers that are linked to real objects, and that are triggered by real-life events. You can see existing policies and create policies in the Policies view in the Orchestrator client.
You can organize policy templates into folders, for easier navigation.

2 Managing Workflows

A workflow is a succession of actions and decisions that are run sequentially until they arrive at a specific result. Orchestrator provides a library of workflows that perform common management tasks according to best practices. Orchestrator also provides libraries of the individual actions that the workflows perform.
Workflows combine actions, decisions, and results that, when performed in a particular order, complete a specific task or a specific process in a virtual environment. Workflows perform tasks such as provisioning virtual machines, backing up, performing regular maintenance, sending emails, performing SSH operations, managing the physical infrastructure, and other general utility operations. Workflows accept inputs according to their function. You can create workflows that run according to defined schedules, or that run if certain anticipated events occur. Information can be provided by you, by other users, by another workflow or action, or by an external process such as a Web service call from an application. Workflows perform some validation and filtering of information before they run.
Workflows can call upon other workflows. For example, you can reuse a workflow that starts a virtual machine in several different workflows.
You create workflows by using the Orchestrator client interface’s integrated development environment (IDE), which provides access to the workflow library and the ability to run workflows on the workflow engine. The workflow engine can also take objects from external libraries that you plug in to Orchestrator. This ability allows you to customize processes or implement functions that third-party applications provide.
This chapter includes the following topics:
- Standard Workflows in the Workflow Library
- Workflow Name Changes
- Key Concepts of Workflows
- Set User Permissions on a Workflow
- Run a Workflow
- Respond to a Request for a User Interaction
- Scheduling Workflows

Standard Workflows in the Workflow Library

Orchestrator provides a standard library of workflows that you can use to automate operations in the virtual infrastructure. The workflows in the standard library are locked in the read-only state. To customize a standard workflow, you must create a duplicate of that workflow. Duplicate workflows or custom workflows that you create are fully editable.
For information about the different access rights to the Orchestrator Server depending on the type of vCenter Server license that you apply, see Installing and Configuring VMware vCenter Orchestrator.
The contents of the workflow library are accessible through the Workflows view in the Orchestrator client. The standard workflow library provides workflows in the following folders.
JDBC
    Test the communication between a workflow and a database by using the JDBC (Java Database Connectivity) plug-in shipped with Orchestrator.
Locking
    Demonstrates the locking mechanism for automated processes, which allows workflows to lock the resources they use.
Mail
    Send and receive emails from workflows.
Orchestrator
    Automate certain common Orchestrator operations.
SSH
    Implement the Secure Shell v2 (SSH-2) protocol. These workflows allow you to issue remote command and file transfer sessions with password and public key-based authentication. The SSH configuration allows you to specify paths to objects to expose in the Orchestrator inventory through secure connections.
Troubleshooting
    Export application settings and log files to a ZIP archive that you can send to VMware support for troubleshooting.
vCenter Server
    Access the functions of the vCenter Server API, so that you can incorporate all of the vCenter Server functions into the management processes that you automate by using Orchestrator.
    NOTE Orchestrator 4.2 accesses vCenter Server 5.0 through the vCenter Server 4.1 plug-in and does not offer the new functionality in vCenter Server 5.0.
XML
    A Document Object Model (DOM) XML parser that you can use to emit or process XML files in workflows.

Workflow Name Changes

Workflow name changes can affect Web service applications if a Web service client uses the
getWorkflowsWithName operation instead instead of a workflow ID to identify workflows.
You must update Web services applications that use getWorkflowsWithName to reflect the new workflow names.
The names of the following workflows changed between Orchestrator 4.1 and Orchestrator 4.2.
Customize virtual machine from properties: Customizes a virtual machine by using properties as input parameters.
Mass migrate virtual machines with Storage vMotion: Uses Storage vMotion to migrate a single virtual machine, a selection of virtual machines, or all available virtual machines.
Mass migrate virtual machines with vMotion: Uses vMotion, Storage vMotion, or both vMotion and Storage vMotion to migrate a single virtual machine, a selection of virtual machines, or all available virtual machines.
Migrate virtual machine with vMotion: Migrates a virtual machine from one host to another by using the MigrateVM_Task operation from the vSphere API.
Quick virtual machine migration: Suspends the virtual machine if it is powered on and migrates it to another host that is using the same storage.

Key Concepts of Workflows

Workflows consist of actions, attributes, parameters, and schema. Orchestrator saves a workflow token every time a workflow runs, recording the details of that specific run of the workflow.
- Workflow User Permissions
  Orchestrator defines levels of permissions that you can apply to users or groups to allow or deny them access to workflows.
- Workflow Credentials
  Each workflow has a default running credential that the workflow starter issues. The credentials with which a workflow runs depend on the manner in which the workflow is started.
- Workflow Attributes
  Workflow attributes act as global constants and global variables throughout a workflow. Workflow elements process data that they receive as input parameters, and set the resulting output as workflow attributes or output parameters.
- Workflow Parameters
  Workflows receive input parameters and generate output parameters when they run.
- Workflow Schema
  A workflow schema is a graphical representation of a workflow that shows the workflow as a flow diagram of interconnected workflow elements.
- View Workflow Schema
  You view a workflow schema in the schema tab for that workflow in the Orchestrator client.
- Workflow Tokens
  A workflow token represents a workflow that is running or has run.
- Workflow Token States
  Each time you run a workflow, a workflow token appears under that workflow as a new leaf node in the workflows hierarchical list. Clicking a workflow token in the hierarchical list shows tabs in the right pane that show information about the workflow token.
- Locking Mechanism
  You can modify a workflow schema while it is running. This ability is useful in testing or debugging but not in a production environment.

Workflow User Permissions

Orchestrator defines levels of permissions that you can apply to users or groups to allow or deny them access to workflows.
View: The user can view the elements in the workflow, but cannot view the schema or scripting.
Inspect: The user can view the elements in the workflow, including the schema and scripting.
Execute: The user can run the workflow.
Edit: The user can edit the workflow.
Admin: The user can set permissions on the workflow.
Permissions are not cumulative. For example, to grant a user full permissions, you must set all the permissions, not just Admin. All the permissions require the View permission.
If you do not set any permissions on a workflow, the workflow inherits the permissions from the folder that contains it. If you do set permissions on a workflow, those permissions override the permissions of the folder that contains it, even if the permissions of the folder are more restrictive.
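The rules above (rights are not cumulative, every right requires View, and permissions set on a workflow override those of the containing folder) can be modeled to audit a permission list. The following JavaScript is an added example, not Orchestrator code or API; the group names, workflow names, and the assumption that a workflow's own permission list replaces the folder's list as a whole are constructed for illustration.

```javascript
// Model of the workflow permission rules; not Orchestrator code or API.
const RIGHTS = ["View", "Inspect", "Execute", "Edit", "Admin"];

// Constructed sample data. `acl: null` means no permissions are set on the
// workflow itself, so the containing folder's permissions apply.
const FOLDER_ACL = {
  "vco-operators": ["View", "Execute"],
  "vco-auditors": ["View", "Inspect"],
};
const WORKFLOWS = [
  { name: "Rotate service passwords", acl: null },
  { name: "Create simple virtual machine (copy)",
    acl: { "vco-operators": ["View", "Inspect", "Execute", "Edit"] } },
  { name: "Decommission host", acl: { "vco-leads": ["Admin"] } },
];

// Pick the permission list that governs a workflow.
// Assumption: once any right is set on the workflow, its list replaces the
// folder's list as a whole, including for principals it does not mention.
function effectiveAcl(workflow, folderAcl) {
  const own = workflow.acl || {};
  const isSet = Object.values(own).some((rights) => rights.length > 0);
  return { source: isSet ? "workflow" : "folder", acl: isSet ? own : folderAcl };
}

// Rights are not cumulative: only the named right counts (Admin does not
// imply Edit or Execute), and every right also requires View.
function can(acl, principal, right) {
  const rights = acl[principal] || [];
  return rights.includes("View") && rights.includes(right);
}

// Report entries an administrator should review.
function audit(workflows, folderAcl) {
  const findings = [];
  for (const wf of workflows) {
    const { source, acl } = effectiveAcl(wf, folderAcl);
    for (const [principal, rights] of Object.entries(acl)) {
      const unknown = rights.filter((r) => !RIGHTS.includes(r));
      if (unknown.length > 0) {
        findings.push({ workflow: wf.name, principal, issue: "unknown-right", rights: unknown });
      }
      // A right granted without View is flagged, because every right requires View.
      if (rights.length > 0 && !rights.includes("View")) {
        findings.push({ workflow: wf.name, principal, issue: "missing-view", rights });
      }
      // Workflow-level permissions win even when the folder is more restrictive.
      if (source === "workflow") {
        const folderRights = folderAcl[principal] || [];
        const widened = rights.filter((r) => !folderRights.includes(r));
        if (widened.length > 0) {
          findings.push({ workflow: wf.name, principal, issue: "wider-than-folder", rights: widened });
        }
      }
    }
  }
  return findings;
}

for (const f of audit(WORKFLOWS, FOLDER_ACL)) {
  console.log(`${f.workflow}: ${f.principal} ${f.issue} [${f.rights.join(", ")}]`);
}
```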

Workflow Credentials

Each workflow has a default running credential that the workflow starter issues. The credentials with which a workflow runs depend on the manner in which the workflow is started.
Table 2-1. Workflow Credentials
Workflow Starter | Workflow Credential
A user who uses the Java GUI or Web GUI to start the workflow | The user's credential
A policy | The policy's credential
Another workflow | The parent workflow can set the credential
A Web view that is using its own credential | The Web view can set the credential
To run a workflow by using credentials different than your current credentials, select Start workflow as when you start the workflow.

Workflow Attributes

Workflow attributes act as global constants and global variables throughout a workflow. Workflow elements process data that they receive as input parameters, and set the resulting output as workflow attributes or output parameters.
Read-only workflow attributes act as global constants for a workflow. Writable attributes act as a workflow’s global variables.
A workflow attribute has the following properties:
- Read-only flag
- Name
- Type
- Value
- Linking
- Description
You use attributes to transfer variables between workflow elements. You can obtain attributes in the following ways:
- Define attributes when you create a workflow
- Set the output parameter of a workflow element as a workflow attribute
- Inherit attributes from a configuration element

Workflow Parameters

Workflows receive input parameters and generate output parameters when they run.
Input Parameters
An input parameter is a runtime argument that you, an application, or another workflow or action passes to a workflow or action for it to process when it starts.
Input parameters have the following properties:
- name
- type
- description
After you pass a value for an input parameter to a workflow, you cannot change the parameter's name, type, or description.
Output Parameters
A workflow's output parameters represent the result of running that workflow. Output parameters can change when a workflow or workflow element runs. While they run, workflows can receive the output parameters of other workflows as their input parameters.

Workflow Schema

A workflow schema is a graphical representation of a workflow that shows the workflow as a flow diagram of interconnected workflow elements.

View Workflow Schema

You view a workflow schema in the schema tab for that workflow in the Orchestrator client.
For information about schema elements and creating and editing workflow schema, see Developing with VMware vCenter Orchestrator.
Prerequisites
You must be granted the Inspect privilege or higher to view schema and scripting.
Procedure
1 Click the Workflows view in the Orchestrator client.
2 Navigate to a workflow in the workflow hierarchical list.
3 Click the workflow.
Information about that workflow appears in the right pane.
4 Select the Schema tab in the right pane.
You see the graphical representation of the workflow.
What to do next
You can duplicate the workflow and edit the workflow schema by dragging schema elements from the palette on the left.

Workflow Tokens

A workflow token represents a workflow that is running or has run.
A workflow is an abstract description of a process that defines a generic sequence of steps and a generic set of required input parameters. When you run a workflow with a set of real input parameters, you receive an instance of this abstract workflow that behaves according to the specific input parameters you give it. This specific instance of a completed or a running workflow is called a workflow token.
Workflow Token Attributes
Workflow token attributes are the specific parameters with which a workflow token runs. The workflow token attributes are an aggregation of the workflow's global attributes and the specific input and output parameters with which you run the workflow token.

Workflow Token States

Each time you run a workflow, a workflow token appears under that workflow as a new leaf node in the workflows hierarchical list. Clicking a workflow token in the hierarchical list shows tabs in the right pane that show information about the workflow token.
The information shown includes the schema diagram for that workflow, a list of events, the list of the workflow token attributes, and a log of the specific workflow token run. If you click on a workflow token while it is running, you can see the information in the tabs updating in real time.
Table 2-2. Workflow Token States
State | Description
Running | The workflow token is running.
Waiting for User Interaction | The workflow token is suspended while it waits for input parameters from a user interaction or from an external application. During the waiting period, the workflow threads become passive.
Waiting for Event or Timer | The workflow token is suspended while it waits for a signal from an external trigger or a timer before resuming. Long-running workflows enter this state while they wait for the signal to resume running. During the waiting period, the workflow threads become passive.
Canceled | The workflow token is canceled by the user, by an external application, or by another workflow.
Failed | The workflow token failed.
Completed | The workflow token ran successfully. However, a completed workflow token might have encountered errors when it ran, if error-handling is part of the workflow definition.

Locking Mechanism

You can modify a workflow schema while it is running. This ability is useful in testing or debugging but not in a production environment.
Orchestrator features a mechanism that allows you to lock the workflow and prevent other users from editing it while it is running. To make actions, workflows, or whole packages read-only, use the contextual menus in the Actions, Workflows, and Packages views of the Orchestrator client.

Set User Permissions on a Workflow

You set levels of permission on a workflow to limit the access that users or user groups can have to that workflow.
You select the users and user groups for which to set permissions from the users and user groups in the Orchestrator LDAP server.
Prerequisites
Create a workflow, open it for editing in the workflow editor, and add to it the necessary elements.
Procedure
1 Click the Permissions tab.
2 Click the Add access rights link to define permissions for a new user or user group.
3 Search for a user or user group.
The search results show all of the users and user groups from the Orchestrator LDAP server that match the search.
4 Select a user or user group and click OK.
5 Right-click the user and select Add access rights.
6 Check the appropriate check boxes to set the level of permissions for this user and click OK.
To allow a user to view the workflow, inspect the schema and scripting, run and edit the workflow, and change the permissions, you must check all check boxes.
7 Click Save and Close to exit the editor.
You set the appropriate user permissions on a workflow.

Run a Workflow

You can perform automated operations in vCenter Server by running workflows from the standard library or workflows that you create.
For example, you can create a virtual machine by running the Create simple virtual machine workflow.
Prerequisites
You must have configured the vCenter plug-in. For details, see Installing and Configuring VMware vCenter Orchestrator.
Procedure
1 Click the Workflows view in the Orchestrator client.
2 In the workflows hierarchical list, open Library > vCenter > Virtual machine management > Basic to navigate to the Create simple virtual machine workflow.
3 Right-click the Create simple virtual machine workflow and select Start workflow.
4 Provide the following information in the Start workflow input parameters dialog box to create a virtual machine in a vCenter Server connected to Orchestrator.
Option | Action
Virtual machine name | Name the virtual machine orchestrator-test.
Virtual machine folder | a Click Not set for the Virtual machine folder value. b Select a virtual machine folder from the inventory. The Select button is inactive until you select an object of the correct type, in this case, VC:VmFolder.
Size of the new disk in GB | Type an appropriate numeric value.
Memory size in MB | Type an appropriate numeric value.
Number of virtual CPUs | Select an appropriate number of CPUs from the Number of virtual CPUs drop-down menu.
Virtual machine guest OS | Click the Not Set link and select a guest operating system from the list.
Host on which to create the virtual machine | Click Not set for the Host on which to create the virtual machine value and navigate through the vCenter Server infrastructure hierarchy to a host machine.
Resource pool | Click Not set for the Resource pool value and navigate through the vCenter Server infrastructure hierarchy to a resource pool.
The network to connect to | Click Not set for the The network to connect to value and select a network. Press Enter in the Filter text box to see all the available networks.
Datastore in which to store the virtual machine files | Click Not set for the Datastore in which to store the virtual machine value and navigate through the vCenter Server infrastructure hierarchy to a datastore.
5 Click Submit to run the workflow.
A workflow token appears under the Create simple virtual machine workflow, showing the workflow running icon.
6 Click the workflow token to view the status of the workflow as it runs.
7 Click the Events tab in the workflow token view to follow the progress of the workflow token until it completes.
8 In the Orchestrator client, click the Inventory view.
9 Navigate through the vCenter Server infrastructure hierarchy to the resource pool you defined.
If the virtual machine does not appear in the list, click the refresh button to reload the inventory.
The orchestrator-test virtual machine is present in the resource pool.
10 (Optional) Right-click the orchestrator-test virtual machine in the Inventory view to see a contextual list of the workflows that you can run on the orchestrator-test virtual machine.
The Create simple virtual machine workflow ran successfully.
What to do next
You can log in to vSphere Client and manage the new virtual machine.

Respond to a Request for a User Interaction

Workflows that require interactions from users during their run suspend their run either until the user provides the required information or until the workflow times out.
Workflows that require user interactions define which users can provide the required information and direct the requests for interaction.
Prerequisites
Log in to the Orchestrator client.
At least one workflow in Waiting for User Interaction state.
Procedure
1 Click the My Orchestrator view in the Orchestrator client.
2 Click the Waiting for Input tab.
The Waiting for Input tab lists the workflows that are waiting for user inputs that you or members of your user group have permission to provide.
3 Double-click a workflow that is waiting for input.
The workflow token that is waiting for input appears in the Workflows hierarchical list with a waiting-for-input symbol.
4 Right-click the workflow token and select Answer.
5 Follow the instructions in the input parameters dialog box to provide the information that the workflow requires.
You provided information to a workflow that was waiting for user input during its run.

Scheduling Workflows

You can schedule a workflow to run once, or multiple times using a recurrence pattern.

Schedule a Workflow

You can schedule a workflow from the Orchestrator client Scheduler or Workflows views. The user credential that starts the workflow is the same as the credential you use to schedule it.
Prerequisites
You must have the Execute privilege to schedule a workflow.
Procedure
1 In the Orchestrator client, click the Scheduler view.
2 From the drop-down menu, select Schedule workflow.
3 (Optional) Select Schedule workflow as to use another user's credentials to schedule a workflow.
4 Search for the workflow to schedule.
5 Right-click the workflow and click Select.
6 Click the Run date and time value's Not set button.
7 Select the start date and time for the workflow and click OK.
8 From the Recurrence drop-down menu, select the workflow recurrence pattern.
9 (Optional) Click the Recurrence end date value’s Not Set button and set an end time and date for the workflow.
10 Provide the necessary information in the input parameters dialog box.
11 Click Submit to schedule the workflow.
The scheduled workflow is listed on the Scheduler view. An R appears next to the scheduled workflow to denote that recurrence is set.
What to do next
You can monitor the scheduled workflow and delete it from the Scheduler view when it is complete.

Edit the Workflow Recurrence Pattern

A recurrence pattern is used to specify the way in which a given workflow is scheduled. You can edit the recurrence pattern of a workflow from the Scheduler view.
Prerequisites
A recurrent workflow that is scheduled.
Procedure
1 In the Orchestrator client, click the Scheduler view.
2 Right-click the scheduled workflow whose recurrence pattern you want to edit and select Edit.
3 Click the Recurrence tab.
4 From the drop-down menu, select the recurrence pattern.
You can add an unlimited number of entries to the pattern. You can edit each entry.
The display changes according to the selected pattern.
5 Click Save and Close to exit the editor.
The new recurrence pattern for the scheduled workflow appears on the Recurrence tab.
What to do next
You can view details about the different runs of the scheduled workflow on the Workflow Runs tab.

Chapter 3 Creating Resource Elements

Workflows and Web views can require as attributes objects that you create independently of Orchestrator. To use external objects as attributes in workflows or Web views, you import them into the Orchestrator server as resource elements.
Objects that workflows and Web views can use as resource elements include image files, scripts, XML templates, HTML files, and so on. Any workflows or Web views that run in the Orchestrator server can use any resource elements that you import into Orchestrator.
Importing an object into Orchestrator as a resource element allows you to make changes to the object in a single location, and to propagate those changes automatically to all the workflows or Web views that use this resource element.
You can organize resource elements into folders. The maximum size for a resource element is 16MB.
This chapter includes the following topics:
- View a Resource Element
- Import an External Object to Use as a Resource Element
- Edit the Resource Element Information and Access Rights
- Save a Resource Element to a File
- Update a Resource Element
- Add a Resource Element to a Workflow
- Add a Resource Element to a Web View

View a Resource Element

You can view existing resource elements in the Orchestrator client, to examine their contents and discover which workflows or Web views use this resource element.
Procedure
1 In the Orchestrator client, click the Resources view.
2 Expand the hierarchical tree viewer to navigate to a resource element.
3 Click a resource element to show information about it in the right pane.
4 Click the Viewer tab to display the contents of the resource element.
5 Right-click the resource element and select Find Elements that Use this Element.
Orchestrator lists all the workflows and Web views that use this resource element.
What to do next
Import and edit a resource element.

Import an External Object to Use as a Resource Element

Workflows and Web views can require as attributes objects that you create independently of Orchestrator. To use external objects as attributes in workflows or Web views, you import them to the Orchestrator server as resource elements.
Prerequisites
An image file, script, XML template, HTML file, or other type of object to import.
Procedure
1 In the Orchestrator client, click the Resources view.
2 Right-click a resource folder in the hierarchical list or the root and select New folder to create a folder in which to store the resource element.
3 Right-click the resource folder in which to import the resource element and select Import resources.
4 Select the resource to import and click Open.
Orchestrator adds the resource element to the folder you selected.
You imported a resource element into the Orchestrator server.
What to do next
Edit the general information of the resource element and set the user access permissions.

Edit the Resource Element Information and Access Rights

After you import an object into the Orchestrator server as a resource element, you can edit the resource element's details and permissions.
Prerequisites
An image, script, XML, or HTML file, or any other type of object that you imported into Orchestrator as a resource element.
Procedure
1 Right-click the resource element and select Edit.
2 Click the General tab and set the resource element name, version, and description.
3 Click the Permissions tab and click the Add access rights link to define permissions for a user group.
4 Type a user group name in the Filter text box.
5 Select a user group and click OK.
6 Right-click the user group and select Add access rights.
7 Check the appropriate check boxes to set the level of permissions for this user group and click OK.
Permissions are not cumulative. To allow a user to view the resource element, use it in their workflows or Web views, and change the permissions, you must check all check boxes.
8 Click Save and Close to exit the editor.
You edited the general information about the resource element and set the user access rights.
What to do next
Save the resource element to a file to update it, or add the resource element to a workflow or Web view.

Save a Resource Element to a File

You can save a resource element to a file on your local system. Saving the resource element as a file allows you to edit it.
For example, if the resource element is an XML configuration file or a script, you must save it locally to modify it. You cannot edit a resource element in the Orchestrator client.
Prerequisites
You must have a resource element in the Orchestrator server to save to a file.
Procedure
1 Right-click the resource element and select Save to file.
2 Make the required modifications to the file.
You saved a resource element to a file.
What to do next
Update the resource element in the Orchestrator server.

Update a Resource Element

If a file or object that you have defined as a resource element changes, you can update the resource element in the Orchestrator server.
Prerequisites
An image, script, XML, or HTML file, or any other type of object that you imported into Orchestrator as a resource element.
Procedure
1 Modify the source file of the resource element in your local system.
2 In the Orchestrator client, click the Resources view.
3 Navigate through the hierarchical list to the resource element that you have updated.
4 Right-click the resource element and select Update resource.
5 (Optional) Click the Viewer tab to check that Orchestrator has updated the resource element.
You updated a resource element that the Orchestrator server contains.

Add a Resource Element to a Workflow

Resource elements are external objects that you can import to the Orchestrator server for workflows to use as attributes when they run. For example, a workflow can use an imported XML file that defines a map to convert one type of data to another, or a script that defines a function, when it runs.
Prerequisites
You must have the following objects in your Orchestrator server:
- An image, script, XML, or HTML file, or any other type of object that you imported into Orchestrator as a resource element.
- A workflow that requires this resource element as an attribute.
Procedure
1 Click the Workflows view in the Orchestrator client.
2 Expand the hierarchical tree viewer to navigate to the workflow that requires the resource element as an attribute.
3 Right-click the workflow and select Edit.
4 On the General tab, right-click in the attributes pane and select Add attribute.
5 Click the attribute name and type a new name for the attribute.
6 Click Type to set the attribute type.
7 In the Select a type dialog box, type resource in the Filter box to search for an object type.
Option | Action
Define a single resource element as an attribute | Select ResourceElement from the list.
Define a folder that contains multiple resource elements as an attribute | Select ResourceElementCategory from the list.
8 Click Value and type the name of the resource element or category of resource elements in the Filter text box.
9 Select the resource element or folder of resource elements from the proposed list and click Select.
10 Click Save and Close to exit the editor.
You added a resource element or folder of resource elements as an attribute in a workflow.

Add a Resource Element to a Web View

Resource elements are external objects that you can import into the Orchestrator server for Web views to use as Web view attributes. Web view attributes identify objects with which Web view components interact.
Prerequisites
You must have the following objects in your Orchestrator server:
- An image, script, XML, or HTML file, or any other type of object that you imported into Orchestrator as a resource element.
- A Web view that requires this resource element as an attribute.
Procedure
1 In the Orchestrator client, click the Web views view.
2 If the Web view is running, right-click the Web view to which to add the resource element and select Unpublish.
3 Right-click the Web view and select Edit.
4 Click the Attributes tab.
5 Right-click in the Attributes tab and select Add attribute.
6 Click the attribute name and type a new name for the attribute.
7 Click Type to set the attribute type.
8 In the Select a type dialog box, type resource in the Filter box to search for an object type.
Option | Action
Define a single resource element as an attribute | Select ResourceElement from the list.
Define a folder that contains multiple resource elements as an attribute | Select ResourceElementCategory from the list.
9 Click Value and type the name of the resource element or category of resource elements in the Filter text box.
10 Select the resource element or folder of resource elements from the proposed list and click Select.
11 Click Save and Close to exit the editor.
You added a resource element or folder of resource elements as an attribute in a Web view.

Chapter 4 Managing Actions

Actions represent individual functions that you use as building blocks in workflows, Web views, and scripts. Actions are JavaScript functions that take multiple input parameters and have a single return value. Actions can call on any object or method in the Orchestrator API, or on objects in any API that you import into Orchestrator by using a plug-in.
When a workflow runs, an action takes its input parameters from the workflow's attributes. These attributes can be attributes that other elements in the workflow set when they run.
When you define actions independently from the workflows that call upon them, you can update or optimize the actions more easily. Instead of adding a function as scripting in a workflow, you can define individual actions and allow other workflows to reuse them.
This chapter includes the following topics:
- Create an Action
- Duplicate an Action
- Export an Action
- Import an Action
- Move an Action
- Find Elements That Implement an Action

Create an Action

When you define an individual function as an action, instead of coding it directly into a scriptable task workflow element, you can expose it in the library for other workflows to use.
Procedure
1 In the Orchestrator client, click the Actions view.
2 Expand the root of the actions hierarchical list and navigate to the module in which you want to create the action.
3 Right-click the module and select Add action.
4 Type a name for the action in the text box and click OK.
Your custom action is added to the library of actions.
5 Right-click the action and select Edit.
6 Click the Scripting tab.
7 To change the default return type, click the void link.
8 Add the action input parameters by clicking the arrow icon.
9 Write the action script.
10 Set the action permissions.
11 Click Save and close.
You created a custom action and added the action input parameters.
What to do next
You can use the new custom action in a workflow.

Duplicate an Action

The predefined library of actions is read-only. To customize a standard action, you must create a duplicate of that action.
Procedure
1 In the Orchestrator client, click the Actions view.
2 Expand the root of the actions hierarchical list and navigate to the action to duplicate.
3 Right-click the action and select Duplicate action.
4 Type a name for the new action.
A number is appended to the name of the action if you do not type a value in this text box.
5 For the value of Action module, select the module to which you want to add the new action.
6 (Optional) Select No if you do not want version history to be copied.
When you import an action, its version is compared to the version of the local content, allowing the administrator to decide whether to import it or not.
7 Select Duplicate.
The new action is available in the library of actions and you can reuse it in your scripts.
What to do next
You can use the action in a workflow.

Export an Action

You can export an action to other Orchestrator servers to reuse it in other workflows, policies, or Web views.
Procedure
1 In the Orchestrator client, click the Actions view.
2 Expand the root of the actions hierarchical list and navigate to the action to export.
3 Right-click the action and select Export action.
4 (Optional) Select the Encrypt content with name option to encrypt the exported file.
Other systems can import and run the encrypted file, but the importer cannot edit the file. The encrypted file content is read-only.
5 Select a location in which to save the action file and click Save.
You saved the action to a local file.
What to do next
You can import the action on a different Orchestrator server and use it in workflows and scripts.

Import an Action

You can import actions and use them as building blocks in workflows, Web views, and scripts.
Procedure
1 In the Orchestrator client, click the Actions view.
2 Expand the root of the actions hierarchical list and navigate to the module in which you want to import the action.
3 Right-click the module and select Import action.
4 Select a file with the .action extension and click Open.
The imported action appears in the actions library.
What to do next
You can use the action in workflows and scripts.

Move an Action

To reorder actions in the actions hierarchical list, or organize your scripts in a different way, move an action to another module.
Procedure
1 In the Orchestrator client, click the Actions view.
2 Expand the root of the actions hierarchical list and navigate to the action to relocate.
3 Right-click the action and select Move this action.
4 Select a location in which to save the action file and click Save.
The action is moved to the new module.
CAUTION Action referencing is based on the action module name and action name. Make sure that all elements that reference this action are still valid after you move the action.
What to do next
Find all workflows and packages that implement the relocated action.

Find Elements That Implement an Action

If you edit an action and change its behavior, you might inadvertently break a workflow or application that implements that action. Orchestrator provides a function to find all of the actions, workflows, or packages that implement a given element. You can check whether modifying the element affects the operation of other elements.
IMPORTANT The Find Elements that Use this Element function checks all packages, workflows, and policies, but it does not check in scripts. Consequently, modifying an action might affect an element that calls this action in a script that the Find Elements that Use this Element function did not identify.
Procedure
1 In the Orchestrator client, click the Actions view.
2 Expand the nodes of the actions hierarchical list to navigate to a given action.
3 Right-click the action and select Find Elements that Use this Element.
A dialog box shows all of the elements, such as workflows or packages, that implement this action.
4 Double-click an element in the list of results to show that element in the Orchestrator client.
You located all of the elements that implement an action.
What to do next
You can check whether modifying this element affects any other elements.

Using Packages 5

Packages are the vehicle for transporting content from one Orchestrator server to another. Packages can contain workflows, actions, policies, Web views, configurations, and resources.
When you add an element to a package, Orchestrator checks for dependencies and adds any dependent elements to the package. For example, if you add a workflow that uses actions or other workflows, Orchestrator adds those actions and workflows to the package.
When you import a package, the server compares the versions of the different elements of its content to matching local elements. The comparison shows the differences in versions between the local and imported elements. The administrator can decide whether to import the whole package, or choose specific elements to import.
Packages feature digital rights management to control how the receiving server can use the content of the package. Orchestrator signs packages and encrypts the packages for data protection. Packages use X509 certificates to monitor which users export and redistribute elements.
This chapter includes the following topics:
• “Create a Package”
• “Set User Permissions on a Package”
• “Export a Package”
• “Import a Package”
• “Get and Synchronize a Remote Package”
• “Remove a Package”

Create a Package

You export workflows, policies, actions, plug-in references, resources, Web views, and configuration elements in packages. All elements that an element implements are added to the package automatically, to ensure compatibility between versions. If you don't want to add the referenced elements, you can delete them in the package editor.
Prerequisites
Elements such as workflows, actions, and policies to add to a package.
Procedure
1 In the Orchestrator client, click the Packages view.
2 Click the menu button in the title bar of the Packages list and select Add package.
3 Name the new package and click OK.
The syntax for package names is domain.your_company.folder.package_name. For example, com.vmware.myfolder.mypackage.
4 Right-click the package and select Edit.
The package editor opens.
5 Add a description for the package in the General tab.
6 Click the Workflows tab to add workflows to the package.
• Click Insert Workflows (list search) to search for and select workflows in a selection dialog box.
• Click Insert Workflows (tree browsing) to browse and select workflows in a hierarchical list.
7 (Optional) Click the Policies, Actions, Web View, Configurations, Resources, and Used Plug-Ins tabs to add policy templates, actions, Web views, configuration elements, resource elements, and plug-ins to the package.
You created a package and added elements to it.
What to do next
You must set the user permissions for this package.

Set User Permissions on a Package

You set different levels of permission on a package to limit the access that different users or user groups can have to the contents of that package.
You select the different users and user groups for which to set permissions from the users and user groups in the Orchestrator LDAP server. Orchestrator defines levels of permissions that you can apply to users or groups.
View
The user can view the elements in the package, but cannot view the schemas or scripting.
Inspect
The user can view the elements in the package, including the schemas and scripting.
Execute
Not used.
Edit
The user can edit the elements in the package.
Admin
The user can set permissions on the elements in the package.
Prerequisites
You must have created a package, opened it for editing in the package editor, and added to it the necessary elements.
Procedure
1 Click the Permissions tab in the package editor.
2 Click the Add access rights link to define permissions for a new user or user group.
3 Search for a user or user group.
The search results show all of the users and user groups from the Orchestrator LDAP server that match the search.
4 Select a user or user group and click OK.
5 Right-click the user and select Add access rights.
6 Check the appropriate check boxes to set the level of permissions for this user and click OK.
To allow a user to view the elements, inspect the schema and scripting, run and edit the elements, and change the permissions, you must check all check boxes.
7 Click Save and Close to exit the package editor.
You created a package and set the appropriate user permissions.

Export a Package

You can export a package and reuse its content on another Orchestrator server. The system adds the certificates for all of the elements that the exported package contains. When the package is imported into another server, these certificates are also imported.
Prerequisites
You must have created a package and added to it the necessary elements.
Procedure
1 In the Orchestrator client, click the Packages view.
2 Right-click the package to export and select Export package.
3 Browse to select a location in which to save the package and click Open.
4 (Optional) Click Add target certificate to sign the package.
a In the list of certificates, select the certificate to use for the exported package.
b Click Select.
5 (Optional) To impose restrictions on the exported package, deselect any of the following options.
Option Description
View contents
When selected, the importer of the package is allowed to view the JavaScript of the elements contained in the package.
Add to package
When selected, the importer of the package is allowed to redistribute the elements contained in the package.
Edit contents
When selected, the importer of the package is allowed to modify the elements contained in the package.
6 (Optional) Deselect the Export version history check box if you do not want to export the version history of the package.
7 Click Save.
You exported the package.
What to do next
You can use all of the workflows, actions, policies, and Web views from the exported package on the new Orchestrator server.

Import a Package

To reuse workflows, actions, policies, Web views, and configuration elements from one Orchestrator server on another server, you can import them as a package.
IMPORTANT Packages that Orchestrator 3.2 generates are upwardly compatible with Orchestrator 4.x. You can import a package from an Orchestrator 3.2 server to an Orchestrator 4.x server. Packages from Orchestrator 4.x are not backwards compatible with Orchestrator 3.2. You cannot import to an Orchestrator 3.2 server a package that an Orchestrator 4.x server generates.
Prerequisites
• Back up any standard Orchestrator elements that you modified. If the imported package contains elements whose version number is later than the version number of the elements stored in the Orchestrator database, your changes might be lost.
• On the remote server, you created a package and added to it the necessary elements.
Procedure
1 In the Orchestrator client, click the Packages view.
2 From the drop-down menu, select Import package.
3 Browse to select the package to import and click Open.
Certificate information about the exporter appears.
4 Review the package import details and select Import or Import and trust provider.
The Import package view appears. If the version of the imported package element is later than the server version, the system selects the element for import.
5 (Optional) Deselect the elements that you do not want to import.
For example, deselect custom elements for which later versions exist.
6 Click Import checked elements.
The imported package appears in the list of packages.
What to do next
You can use all of the workflows, actions, policies, Web views, and configuration elements from the imported package as new building blocks on your Orchestrator server.

Get and Synchronize a Remote Package

The Packages view provides a way to synchronize a package on one Orchestrator server with a package on another server.
If a package already exists on the local server, use the Synchronize option. If you want to retrieve a package from a remote server, use the Get remote package option.
Synchronizing packages is the only way to be sure to obtain all the elements from the remote server. If you synchronize individual elements, Orchestrator only synchronizes elements that already exist on the local server. To obtain any new elements from the remote server, you must synchronize the package that contains those elements.
Procedure
1 In the Orchestrator client, click the Packages view.
2 Right-click the package to synchronize and select Synchronize.
3 Log in to the remote server.
The Orchestrator Synchronization dialog box opens. It displays the differences between the package elements. To view only elements that are different on the local and remote server, select Hide identical from the drop-down menu.
4 View the comparison between the local and remote package elements, click Synchronize and select an option.
Option Description
none
Local and remote elements have the same version number. No synchronization is required.
commit
The version of the local element is later. The remote element is overwritten.
update
The version of the remote element is later. The local element is updated. If an element does not exist locally, it is imported from the remote server to the local server.
merge
The local and remote packages are overwritten with a merged list of references. The referenced elements remain unchanged.
NOTE If the remote server does not recognize your certificate, you cannot commit elements.
The synchronized package is reloaded.
What to do next
You can use the updated package content in workflows, actions, policies, and Web views.

Remove a Package

Workflows and actions, as well as other resources, can be reused in many packages. This is why, before you remove a package, you must decide whether to delete the workflows, actions, policies and other resources contained in the package.
Procedure
1 In the Orchestrator client, click the Packages view.
2 Right-click the package to delete and select one of the deletion options.
Option Description
Delete
Removes the package only from the Packages view.
Delete element with content
Removes all workflows, actions, policies, Web views, configurations, plug-in settings or resources that the package contains. Does not remove read-only elements and the plug-in .dar archive.
CAUTION This action might delete elements that are referenced by other packages too. To avoid deleting an element that another package needs, remove any dependencies that you added to the package. To view a list of all the packages, workflows and policies that reference an element, use the Find Elements that Use this Element function.

Setting System Properties 6

You can set system properties to change the default Orchestrator behavior.
This chapter includes the following topics:
• “Disable Access to the Orchestrator Client By Nonadministrators”
• “Disable Access to Workflows from Web Service Clients”
• “Setting Server File System Access from Workflows and JavaScript”
• “Set JavaScript Access to Operating System Commands”
• “Set JavaScript Access to Java Classes”
• “Set Custom Timeout Property”
• “Modify the Number of Objects a Plug-In Search Obtains”
• “Modify the Number of Concurrent and Pending Workflows”

Disable Access to the Orchestrator Client By Nonadministrators

You can configure the Orchestrator server to deny access to the Orchestrator client to all users who are not members of the Orchestrator administrator LDAP group.
By default, all users who are granted execute permissions can connect to the Orchestrator client. However, you can limit access to the Orchestrator client to Orchestrator administrators by setting a system property in the vmo.properties Orchestrator configuration file.
IMPORTANT If the vmo.properties configuration file does not contain this property, or if the property is set to false, Orchestrator permits access to the Orchestrator client by all users.
Procedure
1 Navigate to the following folder on the Orchestrator server system.
Option Action
If you installed Orchestrator with the vCenter Server installer
Go to install_directory\VMware\Infrastructure\Orchestrator\app-server\server\vmo\conf.
If you installed the standalone version of Orchestrator
Go to install_directory\VMware\Orchestrator\app-server\server\vmo\conf.
2 Open the vmo.properties configuration file in a text editor.
3 Add the following line to the vmo.properties configuration file.
#Disable Orchestrator client connection
com.vmware.o11n.smart-client-disabled = true
4 Save the vmo.properties file.
5 Restart the Orchestrator server.
You disabled access to the Orchestrator client to all users other than members of the Orchestrator administrator LDAP group.

Disable Access to Workflows from Web Service Clients

You can configure the Orchestrator server to deny access to Web service requests, to prevent malicious attempts from Web service clients to access sensitive servers.
By default, Orchestrator permits access to workflows from Web service clients. You disable access to workflows from Web service clients by setting a system property in the Orchestrator configuration file, vmo.properties.
IMPORTANT If the vmo.properties configuration file does not contain this property, or if the property is set to false, Orchestrator permits access to workflows from Web services.
Procedure
1 Navigate to the following folder on the Orchestrator server system.
Option Action
If you installed Orchestrator with the vCenter Server installer
Go to install_directory\VMware\Infrastructure\Orchestrator\app-server\server\vmo\conf.
If you installed the standalone version of Orchestrator
Go to install_directory\VMware\Orchestrator\app-server\server\vmo\conf.
2 Open the vmo.properties configuration file in a text editor.
3 Add the following line to the vmo.properties configuration file.
#Disable Web service access
com.vmware.o11n.web-service-disabled = true
4 Save the vmo.properties file.
5 Restart the Orchestrator server.
You disabled access to workflows from Web service clients. The Orchestrator server only answers Web service client calls from the echo() or echoWorkflow() methods, for testing purposes.

Setting Server File System Access from Workflows and JavaScript

Orchestrator limits access to the server file system from workflows and JavaScript to specific directories. You can extend access to other parts of the server file system by modifying the js-io-rights.conf Orchestrator configuration file.
The js-io-rights.conf file is created when a workflow tries to access the Orchestrator server file system. If the js-io-rights.conf file does not exist on your system, you can create it manually with the default content. For more information, see “Manually Create the js-io-rights.conf File.”
The js-io-rights.conf file contains rules that permit write access to defined directories in the server file system.
Each line of the js-io-rights.conf file must contain the following information.
• A plus (+) or minus (-) sign to indicate whether rights are permitted or denied
• The read (r), write (w), and execute (x) levels of rights
• The path on which to apply the rights
Orchestrator resolves access rights in the order they appear in the js-io-rights.conf file. Each line can override the previous lines. The following code extract shows the default content of the js-io-rights.conf configuration file:
-rwx c:/
+rwx c:/orchestrator
+rx ../../configuration/jetty/logs/
+rx ../server/vmo/log/
+rx ../bin/
+rx ./boot.properties
+rx ../server/vmo/conf/
+rx ../server/vmo/conf/plugins/
+rx ../server/vmo/deploy/vmo-server/vmo-ds.xml
+rx ../../apps/
+r ../../version.txt
The first two entries in the default js-io-rights.conf configuration file allow the following access rights:
-rxw c:/
All access to the file system is denied.
+rxw c:/orchestrator
Read, write, and execute access is permitted in the c:/orchestrator directory.
In the default js-io-rights.conf configuration file, the second line partially overrides the first line because c:/orchestrator is after c:/, which allows read, write, and execute access to c:/orchestrator but denies access to the rest of the file system under c:/. The default configuration allows workflows and the Orchestrator API to write to the c:/orchestrator directory, but nowhere else.
IMPORTANT You can permit access to all parts of the file system by setting +rxw / in the js-io-rights.conf file. However, doing so represents a high security risk.

Set Server File System Access for Workflows and JavaScript

To change the parts of the server file system that workflows and the Orchestrator API can access, modify the js-io-rights.conf configuration file. The js-io-rights.conf file is created when a workflow tries to access the Orchestrator server file system.
If the js-io-rights.conf file does not exist on your system, you can create it manually with the default content. For more information, see “Manually Create the js-io-rights.conf File.”
Orchestrator has read, write, and execute rights to a folder named orchestrator, at the root of the server system. Although workflows have permission to read, write, and execute in this folder, you must create the folder on the server system.
Procedure
1 Create the c:/orchestrator folder at the root of the Orchestrator server system.
2 Navigate to the following folder on the Orchestrator server system.
Option Action
If you installed Orchestrator with the vCenter Server installer
Go to install_directory\VMware\Infrastructure\Orchestrator\app-server\server\vmo\conf.
If you installed the standalone version of Orchestrator
Go to install_directory\VMware\Orchestrator\app-server\server\vmo\conf.
3 Open the js-io-rights.conf configuration file in a text editor.
4 Add the necessary lines to the js-io-rights.conf file to allow or deny access to parts of the file system.
For example, the following line denies the execution rights in the c:/orchestrator/noexec directory:
-x c:/orchestrator/noexec
By adding the preceding line, c:/orchestrator/exec retains execution rights, but c:/orchestrator/noexec/bar does not. Both directories remain readable and writable.
You modified the access rights to the file system from workflows and from the Orchestrator API.
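The ordered rule resolution described in the two sections above, modelled in Python so that a proposed js-io-rights.conf can be checked before it is deployed. This is an added example, not Orchestrator's own code; it assumes whole-component prefix matching, case-insensitive Windows paths, no rights when no rule matches, and relative entries resolved against a hypothetical BASE_DIR, none of which the guide specifies.

```python
"""Model of js-io-rights.conf rule resolution (added example, not VMware code)."""
import ntpath

# Constructed sample: the default content shown in this guide plus the guide's
# "-x c:/orchestrator/noexec" example line.
SAMPLE_CONF = """\
-rwx c:/
+rwx c:/orchestrator
+rx ../../configuration/jetty/logs/
+rx ../server/vmo/log/
+rx ../bin/
+rx ./boot.properties
+rx ../server/vmo/conf/
+rx ../server/vmo/conf/plugins/
+rx ../server/vmo/deploy/vmo-server/vmo-ds.xml
+rx ../../apps/
+r ../../version.txt
-x c:/orchestrator/noexec
"""

# Assumption: relative entries are resolved against this hypothetical directory.
BASE_DIR = "c:/vco/app-server/bin"


def _norm(path, base_dir=BASE_DIR):
    """Absolute, lower-cased, backslash-separated path with no trailing separator."""
    full = ntpath.normpath(ntpath.join(base_dir, path))
    return ntpath.normcase(full).rstrip("\\")


def parse_rules(text, base_dir=BASE_DIR):
    """Return [(allow, rights, path)] in file order; raise ValueError on a bad line."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        spec, _, path = line.partition(" ")
        sign, letters = spec[:1], set(spec[1:])
        valid_rights = bool(letters) and letters <= set("rwx")  # any order of r, w, x
        if sign not in ("+", "-") or not valid_rights or not path.strip():
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        rules.append((sign == "+", frozenset(letters), _norm(path.strip(), base_dir)))
    return rules


def effective_rights(rules, target, base_dir=BASE_DIR):
    """Apply every matching rule in order, so later lines override earlier ones."""
    wanted = _norm(target, base_dir)
    rights = set()  # assumption: nothing is permitted until a rule grants it
    for allow, letters, path in rules:
        # Match the rule's own path or anything below it, on a component boundary.
        if wanted == path or wanted.startswith(path + "\\"):
            rights = rights | letters if allow else rights - letters
    return "".join(c for c in "rwx" if c in rights)


def broad_grants(rules):
    """Drive roots that still carry write or execute rights after all rules."""
    roots = {p for allow, _, p in rules if allow and not ntpath.splitdrive(p)[1]}
    return sorted(
        p for p in roots if set(effective_rights(rules, p + "\\")) & {"w", "x"}
    )


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONF)
    for probe in ("c:/orchestrator/exec/run.bat",
                  "c:/orchestrator/noexec/bar",
                  "c:/windows/system32/cmd.exe"):
        print(f"{probe:35} {effective_rights(rules, probe) or '(none)'}")
    print("broad grants:", broad_grants(rules))
```

Because resolution is ordered, a `+rxw /` line appended to the end of the file restores execute rights even under c:/orchestrator/noexec; `broad_grants` reports that case so it can be caught in review.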

Manually Create the js-io-rights.conf File

You can extend access to other parts of the Orchestrator server file system by modifying the js-io-rights.conf Orchestrator configuration file. If the js-io-rights.conf file does not exist on your system, you can create it manually with the default content.
IMPORTANT Manually creating the js-io-rights.conf file is applicable only for Windows systems. The recommended way to generate the js-io-rights.conf file is to run a workflow attempting to access the Orchestrator server file system, for example, the workflow Export logs and application settings from the Troubleshooting folder in the Orchestrator workflow library.
Procedure
1 Log in as an administrator to the machine on which the Orchestrator server is installed.
2 Navigate to the Orchestrator configuration directory.
Option Action
If you installed Orchestrator with the vCenter Server installer
Go to install_directory\VMware\Infrastructure\Orchestrator\app-server\server\vmo\conf.
If you installed Orchestrator standalone
Go to install_directory\VMware\Orchestrator\app-server\server\vmo\conf.
3 Create the js-io-rights.conf file and open it in a text editor.
4 Type the default js-io-rights.conf file content.
-rwx C:/
+rwx C:/orchestrator
+rx ../../configuration/jetty/logs/
+rx ../server/vmo/log/
+rx ../bin/
+rx ./boot.properties
+rx ../server/vmo/conf/
+rx ../server/vmo/conf/plugins
+rx ../server/vmo/deploy/vmo-server/vmo-ds.xml
+rx ../../apps/
+r ../../version.txt
5 Save and close the file.
You can now set the server file system access from workflows and JavaScript.

Set JavaScript Access to Operating System Commands

The Orchestrator API provides a scripting class, Command, that runs commands in the Orchestrator server host operating system. To prevent unauthorized access to the Orchestrator server host, by default, Orchestrator applications do not have permission to run the Command class. If Orchestrator applications require permission to run commands on the host operating system, you can activate the Command scripting class.
You grant permission to use the Command class by setting a system property in the vmo.properties properties file.
Procedure
1 Navigate to the following folder on the Orchestrator server system.
Option Action
If you installed Orchestrator with the vCenter Server installer
Go to install_directory\VMware\Infrastructure\Orchestrator\app-server\server\vmo\conf.
If you installed the standalone version of Orchestrator
Go to install_directory\VMware\Orchestrator\app-server\server\vmo\conf.
2 Open the vmo.properties configuration file in a text editor.
3 Set the com.vmware.js.allow-local-process system property by adding the following line to the vmo.properties file.
com.vmware.js.allow-local-process=true
4 Save the vmo.properties file.
5 Restart the Orchestrator server.
You granted permissions to Orchestrator applications to run local commands in the Orchestrator server host operating system.
NOTE By setting the com.vmware.js.allow-local-process system property to true, you allow the Command scripting class to write anywhere in the file system. This property overrides any file system access permissions that you set in the js-io-rights.conf file for the Command scripting class only. The file system access permissions that you set in the js-io-rights.conf file still apply to all scripting classes other than Command.

Set JavaScript Access to Java Classes

By default, Orchestrator restricts JavaScript access to a limited set of Java classes. If you require JavaScript access to a wider range of Java classes, you must set an Orchestrator system property to allow this access.
Allowing the JavaScript engine full access to the Java virtual machine (JVM) presents potential security issues. Malformed or malicious scripts might have access to all of the system components to which the user who runs the Orchestrator server has access. Consequently, by default the Orchestrator JavaScript engine can access only the classes in the java.util.* package.
If you require JavaScript access to classes outside of the java.util.* package, you can list in a configuration file the Java packages to which to allow JavaScript access. You then set the com.vmware.scripting.rhino-class-shutter-file system property to point to this file.
Procedure
1 Create a text configuration file to store the list of Java packages to which to allow JavaScript access.
For example, to allow JavaScript access to all the classes in the java.net package and to the java.lang.Object class, you add the following content to the file.
java.net.*
java.lang.Object
2 Save the configuration file with an appropriate name and in an appropriate place.
3 Navigate to the following folder on the Orchestrator server system.
Option Action
If you installed Orchestrator with the vCenter Server installer
Go to install_directory\VMware\Infrastructure\Orchestrator\app-server\server\vmo\conf.
If you installed the standalone version of Orchestrator
Go to install_directory\VMware\Orchestrator\app-server\server\vmo\conf.
4 Open the vmo.properties configuration file in a text editor.
5 Set the com.vmware.scripting.rhino-class-shutter-file system property by adding the following line to the vmo.properties file.
com.vmware.scripting.rhino-class-shutter-file=path_to_your_configuration_file
6 Save the vmo.properties file.
7 Restart the Orchestrator server.
The JavaScript engine has access to the Java classes that you specified.
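The four access-related properties covered so far in this chapter can be reviewed together. The following added example (not VMware code) parses a vmo.properties file and reports the settings that widen access; the sample file, the class-list path in it, and the finding names are constructed for illustration, and the case-insensitive comparison with "true" is an assumption.

```python
"""Review vmo.properties for the access-control properties this guide documents
(added example, not VMware code)."""

CLIENT = "com.vmware.o11n.smart-client-disabled"
WEBSVC = "com.vmware.o11n.web-service-disabled"
COMMAND = "com.vmware.js.allow-local-process"
SHUTTER = "com.vmware.scripting.rhino-class-shutter-file"

# Constructed sample, not taken from a real server. The class-list path is hypothetical.
SAMPLE_PROPS = """\
#Disable Orchestrator client connection
com.vmware.o11n.smart-client-disabled = true
com.vmware.js.allow-local-process=true
com.vmware.scripting.rhino-class-shutter-file=c:/orchestrator/allowed-classes.txt
"""
# Constructed content of that class-list file, using the guide's own example entries.
SAMPLE_CLASS_LIST = "java.net.*\njava.lang.Object\n"


def parse_properties(text):
    """Parse the 'key = value' subset of the Java properties format used in this guide."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()  # a repeated key: the last one wins
    return props


def _is_true(props, key):
    # Assumption: the server compares the value with "true" ignoring case.
    return props.get(key, "").lower() == "true"


def audit(props, class_list_text=None):
    """Return [(finding_id, detail)] for every setting that widens access."""
    findings = []
    if not _is_true(props, CLIENT):
        # Absent or false: the guide states that all users are permitted.
        findings.append(("client-open",
                         "all users with execute permission can connect to the client"))
    if not _is_true(props, WEBSVC):
        findings.append(("web-service-open",
                         "workflows are reachable from Web service clients"))
    if _is_true(props, COMMAND):
        findings.append(("command-enabled",
                         "Command class runs host commands, not bound by js-io-rights.conf"))
    if SHUTTER in props:
        if class_list_text is None:
            # The class list was not supplied, so it still needs a manual look.
            findings.append(("class-list-unreviewed", props[SHUTTER]))
        else:
            # java.util.* is the default; anything else widens JavaScript's reach.
            extra = [e for e in class_list_text.split() if not e.startswith("java.util.")]
            if extra:
                findings.append(("java-classes-widened", ", ".join(extra)))
    return findings


if __name__ == "__main__":
    for finding_id, detail in audit(parse_properties(SAMPLE_PROPS), SAMPLE_CLASS_LIST):
        print(f"{finding_id:22} {detail}")
```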

Set Custom Timeout Property

When vCenter is overloaded, it takes more time to return the response to the Orchestrator server than the 20000 milliseconds set by default. To prevent this situation, you must modify the Orchestrator configuration file to increase the default timeout period.
If the default timeout period expires before the completion of certain operations, the Orchestrator server log contains errors.
Operation 'getPropertyContent' total time : '5742228' for 1823 calls, mean time : '3149.0', min time : '0', max time : '32313'
Timeout, unable to get property 'info' com.vmware.vmo.plugin.vi4.model.TimeoutException
Procedure
1 Navigate to the following folder on the Orchestrator server system.
Option Action
If you installed Orchestrator with the vCenter Server installer
Go to install_directory\VMware\Infrastructure\Orchestrator\app-server\server\vmo\conf.
If you installed the standalone version of Orchestrator
Go to install_directory\VMware\Orchestrator\app-server\server\vmo\conf.
2 Open the vmo.properties configuration file in a text editor.
3 Set the com.vmware.vmo.plugin.vi4.waitUpdatesTimeout system property by adding the following line to the vmo.properties file.
com.vmware.vmo.plugin.vi4.waitUpdatesTimeout=<milliseconds>
4 Save the vmo.properties file.
5 Restart the Orchestrator server.
The value you set overrides the default timeout setting of 20000 milliseconds.

Modify the Number of Objects a Plug-In Search Obtains

By default, using the Orchestrator client to search for objects through a plug-in returns 20 objects at a time. You can modify the plug-in configuration file to increase the number of objects that are returned.
Prerequisites
You must have installed a plug-in in the Orchestrator server.
Procedure
1 Navigate to the plug-in configuration folder on the Orchestrator server system.
This folder contains an XML configuration file for each plug-in you have installed in the Orchestrator server.
Option Action
If you installed Orchestrator with the vCenter Server installer
Go to install_directory\VMware\Infrastructure\Orchestrator\app-server\server\vmo\conf\plugins.
If you installed the standalone version of Orchestrator
Go to install_directory\VMware\Orchestrator\app-server\server\vmo\conf\plugins.
2 Open the XML configuration file of the plug-in for which you want to change the number of search results.
3 Add the following line to the XML configuration file for the plug-in.
<entry key="ch.dunes.database.fetch-limit">50</entry>
This line sets the number of search results to return to 50.
4 Save the XML configuration file.
5 (Optional) Repeat Step 2 through Step 4 for each plug-in to modify.
6 Restart the Orchestrator server.
You increased the number of search results Orchestrator displays for a particular plug-in.

Modify the Number of Concurrent and Pending Workflows

By default, Orchestrator permits 300 workflows to run at the same time. When the Orchestrator server has to run more than 300 concurrent workflows, the pending workflow runs are queued. When an active workflow run completes, the next workflow in the queue starts to run. If the maximum number of queued workflows is reached, the next workflow runs fail until one of the pending workflows starts to run.
By setting system properties in the Orchestrator vmo.properties configuration file, you can control the number of workflows that are running at the same time and the number of pending workflows that are waiting in a queue.
IMPORTANT If your system is configured with one CPU, the recommended maximum value of the com.vmware.vco.workflow-engine.executors-count property is 100. If the number of concurrent workflows is higher than 100, you might reach the maximum number of threads per processor.
Procedure
1 Navigate to the following folder on the Orchestrator server system.
Option Action
If you installed Orchestrator with the vCenter Server installer
Go to install_directory\VMware\Infrastructure\Orchestrator\app-server\server\vmo\conf.
If you installed the standalone version of Orchestrator
Go to install_directory\VMware\Orchestrator\app-server\server\vmo\conf.
2 Open the vmo.properties configuration file in a text editor.
3 Set the com.vmware.vco.workflow-engine.executors-count and com.vmware.vco.workflow-engine.executors-max-queue-size properties by adding the following lines to the vmo.properties file.
com.vmware.vco.workflow-engine.executors-count=200
com.vmware.vco.workflow-engine.executors-max-queue-size=5000
4 Save the vmo.properties file.
5 Restart the Orchestrator server.
You set the maximum values for concurrent and pending workflows. You can run up to 200 workflows at the same time, and up to 5000 workflows can be queued when that limit is reached.

Maintenance and Recovery 7

The Troubleshooting tab in the Orchestrator configuration interface allows you to perform several bulk operations related to workflows and tasks. You can use the Troubleshooting tab to globally reset the server and remove all traces of previous runs.
NOTE Before you click a troubleshooting option, make sure that the Orchestrator server is stopped.
Table 7-1. Troubleshooting Options
Action Description
Cancel all running workflows
Marks all running workflows as cancelled in the database, which prevents the server from restarting the workflows on the next reboot. Allows Orchestrator to exit infinite loops.
Delete all workflow runs
Deletes all completed workflow tokens from the Orchestrator database.
Suspend all scheduled tasks
Cancels all scheduled tasks, but does not stop or remove their associated workflow runs.
Clean all server temporary files
Cleans all temporary files that the JBoss server uses to ensure the server persistency. The JBoss server is the application server that underlies the Orchestrator server.
Force plug-in reinstallation when server starts
Used so that a changed plug-in is correctly updated on the next server start.
NOTE If you change the Orchestrator database after you configure and install the default plug-ins, you must force plug-in reinstallation. Forcing plug-in reinstallation deletes the install_directory\app-server\server\vmo\plugins\_VSOPluginInstallationVersion.xml file, which holds the version of the plug-ins already installed and forces plug-in reinstallation. The plug-in is reinstalled with its original content, and any changes are lost.
This chapter includes the following topics:
• “Orchestrator Server Fails to Start”
• “Revert to the Default Password for Orchestrator Configuration”
• “Change the Web View SSL Certificate”
• “Orchestrator Log Files”
• “Maintaining the Orchestrator Database”

Orchestrator Server Fails to Start

The VMware vCenter Orchestrator Server service might fail to start when not enough RAM is available for the JVM to start the server.
Problem
The server status appears as Starting in the configuration interface and it is not updated when you refresh the page. When you select My Computer > Services and Applications > Services, the server fails to start and you receive a timeout error.
Cause
The Orchestrator server might not start in the following circumstances:
- Orchestrator runs on a host with less than 2GB of RAM.
- Orchestrator and vCenter Server run on a shared host with less than 4GB of RAM.
- The Orchestrator database runs on the same host as Orchestrator.
- Orchestrator is installed in a directory whose name contains non-ASCII characters.
Solution
If you installed Orchestrator standalone, verify that your system has at least 2GB of RAM.
If you installed Orchestrator silently with vCenter Server, verify that your system has at least 4GB of RAM.
Verify that the Orchestrator database is running on a dedicated server.
Verify that the Orchestrator components are configured properly and that all of the status indicators in the configuration interface display a green circle.

Revert to the Default Password for Orchestrator Configuration

If the default password for the Orchestrator configuration interface is changed, you cannot retrieve it because Orchestrator uses encryption to encode passwords. You can revert to the default password vmware if the current password is not known.
Procedure
1 Navigate to the following folder on the Orchestrator server system.
Option | Action
If you installed Orchestrator with the vCenter Server installer | Go to install_directory\VMware\Infrastructure\Orchestrator\configuration\jetty\etc.
If you installed the standalone version of Orchestrator | Go to install_directory\VMware\Orchestrator\configuration\jetty\etc.
2 Open the password.properties file in a text editor.
3 Delete the content of the file.
4 Add the following line to the password.properties file.
vmware=92963abd36c896b93a36b8e296ff3387
5 Save the password.properties file.
6 Restart the Orchestrator Configuration service.
You can log in to the Orchestrator configuration interface with the default credentials.
- User name: vmware
- Password: vmware

Change the Web View SSL Certificate

Orchestrator provides an SSL certificate that controls user access to Web views. You can configure Orchestrator to use a different SSL certificate to control access to Web views, for example, if your company security policy requires you to use its SSL certificates.
Procedure
1 Create an SSL certificate by running the keytool Java utility at the command prompt.
keytool -genkey -alias mySslCertificate -keyalg RSA
The keytool utility generates a file called .keystore by using the information and password that you provide when you run the command.
2 Open the following Orchestrator application server configuration file in an editor.
Option | Action
If you installed the standalone version of Orchestrator | Go to install_directory\VMware\Orchestrator\app-server\server\vmo\deploy\jboss-deploy-tomcat\jbossweb-tomcat55.sar\server.xml.
If the vCenter Server installed Orchestrator | Go to install_directory\VMware\Infrastructure\Orchestrator\app-server\server\vmo\deploy\jboss-deploy-tomcat\jbossweb-tomcat55.sar\server.xml.
3 Find the following entry at line 44 in the server.xml file.
<!-- Define a SSL HTTP/1.1 Connector on port ${ch.dunes.https-server.port} -->
<Connector address="${jboss.bind.address}" protocol="HTTP/1.1" SSLEnabled="true"
    clientAuth="false" emptySessionPath="true"
    keystoreFile="${java.home}/lib/security/jssecacerts"
    keystorePass="dunesdunes" maxHttpHeaderSize="8192"
    maxThreads="100" port="${ch.dunes.https-server.port}" scheme="https"
    secure="true" sslProtocol="TLS" strategy="ms" />
4 Change the keystoreFile and keystorePass attributes to refer to the .keystore file and the password you created when you ran the keytool utility.
keystoreFile="/PathToKeystore/.keystore" keystorePass="NewKeystorePassword"
5 Save the server.xml file and restart the Orchestrator server.
You changed the SSL certificate that the Orchestrator server uses to control access to Web views.
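A check for the two default secrets this chapter prints, the vmware line in password.properties and the keystoreFile and keystorePass values in server.xml, so that an installation still running on them is easy to spot. This is an added example, not VMware code; the function names, the <Server>/<Service> wrapper and the sample inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Default values as printed in this guide.
DEFAULT_USER = "vmware"
DEFAULT_HASH = "92963abd36c896b93a36b8e296ff3387"
DEFAULT_KEYSTORE_PASS = "dunesdunes"
DEFAULT_KEYSTORE_FILE = "${java.home}/lib/security/jssecacerts"


def audit_password_properties(text):
    """Flag the default configuration-interface credential line."""
    findings = []
    for line in text.splitlines():
        # key=value or key:value; lines starting with '#' never match.
        m = re.match(r"\s*([^#=:\s][^=:\s]*)\s*[=:]\s*([0-9A-Fa-f]+)", line)
        if m and m.group(1) == DEFAULT_USER and m.group(2).lower() == DEFAULT_HASH:
            findings.append("password.properties: default vmware/vmware login is set")
    return findings


def audit_server_xml(text):
    """Flag SSL connectors that still use the default keystore or password."""
    findings = []
    for conn in ET.fromstring(text).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true":
            continue
        if conn.get("keystorePass") == DEFAULT_KEYSTORE_PASS:
            findings.append("server.xml: keystorePass is the default value")
        if conn.get("keystoreFile") == DEFAULT_KEYSTORE_FILE:
            findings.append("server.xml: keystoreFile is the default keystore")
    return findings


# Constructed sample inputs. The Connector is the entry printed in this guide;
# the <Server>/<Service> wrapper is assumed so that the fragment parses alone.
SHIPPED_PROPS = "vmware=92963abd36c896b93a36b8e296ff3387\n"
CHANGED_PROPS = "vmware=" + "0" * 32 + "\n"  # placeholder hash, constructed
SHIPPED_XML = """<Server><Service name="constructed">
<!-- Define a SSL HTTP/1.1 Connector on port ${ch.dunes.https-server.port} -->
<Connector address="${jboss.bind.address}" protocol="HTTP/1.1" SSLEnabled="true"
  clientAuth="false" emptySessionPath="true"
  keystoreFile="${java.home}/lib/security/jssecacerts" keystorePass="dunesdunes"
  maxHttpHeaderSize="8192" maxThreads="100" port="${ch.dunes.https-server.port}"
  scheme="https" secure="true" sslProtocol="TLS" strategy="ms" />
</Service></Server>"""
CHANGED_XML = (SHIPPED_XML
               .replace(DEFAULT_KEYSTORE_FILE, "/PathToKeystore/.keystore")
               .replace(DEFAULT_KEYSTORE_PASS, "NewKeystorePassword"))

if __name__ == "__main__":
    for name, props, xml in (("default", SHIPPED_PROPS, SHIPPED_XML),
                             ("changed", CHANGED_PROPS, CHANGED_XML)):
        print(name, audit_password_properties(props) + audit_server_xml(xml))
```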

Orchestrator Log Files

VMware Technical Support routinely requests diagnostic information from you when a support request is handled. This diagnostic information contains product-specific logs and configuration files from the host on which the product is run. The information is gathered by using a specific script tool for each product.
Table 7-2. Orchestrator Log Files
Filename | Location | Description
boot.log | install_directory\app-server\server\vmo\log | Provides details about the boot state of the JBoss server. Check the boot.log file when a file from JBoss is missing or the installation is corrupted.
boot-state.log | install_directory\app-server\server\vmo\log | Provides details about the boot state of the vCO server. If the server boots properly, an entry about the vCO server version is written. By default, this information is also included in the server.log file.
script-logs.log | install_directory\app-server\server\vmo\log | Provides a list of the completed workflows and actions. The script-logs.log file lets you isolate workflow runs and action runs from normal vCO operations. This information is also included in the server.log file.
server.log | install_directory\app-server\server\vmo\log | Provides information about everything that happens on the vCO server. It contains the entries from the boot-state.log file and script-logs.log file, as well as other information. Check the server.log file when you debug vCO or any application that runs on vCO.
vco-configuration.log | install_directory\configuration\jetty\logs | Provides information about the configuration and validation of each component of vCO. This is the jetty service running on the vCO server. The request.log file in the same folder might be more useful to view the history of actions taken during the configuration of vCO.
vso.log | install_directory\apps | This is the vCO client log. Use this log to detect connection issues with the server and events on the client side.
yyyy-mm-dd.request.log | install_directory\configuration\jetty\logs | This log lists the elements that are needed to load and display the pages of the vCO configuration interface. It keeps a history of the actions that were taken during the configuration of vCO and the time when they were completed. Use this log to identify changes in the behavior of the vCO server after a restart. However, the log does not display the value of the changed parameters.
wrapper.log | install_directory\app-server\bin | Provides information from the server.log file. Use this log to check whether the VMware vCenter Orchestrator Server service was started by the wrapper or by a user.
vCenter_Orchestrator_InstallLog.log | Check file location in the message. | This log is created when you cancel the vCO installation or when the installation fails.

Logging Persistence

You can log information in any Orchestrator script (workflow, policy, or action). This information has types and levels. The type can be either persistent or non-persistent. The level can be DEBUG, INFO, WARNING, and ERROR.
Table 7-3. Creating Persistent and Non-Persistent Logs
Log Level | Persistent Type | Non-Persistent Type
DEBUG | Server.debug("short text", "long text"); | N/A
INFO | Server.log("short text", "long text"); | System.log("text");
WARNING | Server.warn("short text", "long text"); | System.warn("text");
ERROR | Server.error("short text", "long text"); | System.error("text");
Persistent Logs
Persistent logs (server logs) track past workflow run logs and are stored in the Orchestrator database. To avoid increasing the database infinitely, specify the number of logs stored per element (workflows and policies) in the Orchestrator configuration interface. If you increase the default value of 50MB, the query requires more space and time. To view server logs, you must select a workflow, a completed workflow run, or policy and click the Events tab in the Orchestrator client.
Non-Persistent Logs
When you use a non-persistent log (system log) in your scripting, the Orchestrator server notifies all running Orchestrator applications about this log, but this information is not stored. When the application is restarted, the log information is lost. Non-persistent logs are used for debugging purposes or for live information. To view system logs, you must select a completed workflow run in the Orchestrator client and click Logs on the Schema tab.

Define the Server Log Level

In the Orchestrator configuration interface, you can set the level of server log that you require. The default server log level is INFO. Changing the log level affects any new messages that the server writes to the server log and the number of active connections to the database.
CAUTION Only set the log level to DEBUG or ALL to debug a problem. Do not use this setting in a production environment because it can seriously impair performance.
Procedure
1 Log in to the Orchestrator configuration interface as vmware.
2 Click Log.
3 Select an option from the Log level drop-down menu.
Option | Description
FATAL | Only fatal errors are written to the log file.
ERROR | Errors and fatal errors are written to the log file.
WARN | Warnings, errors, and fatal errors are written to the log file.
INFO | Information, warnings, errors, and fatal errors are written to the log file.
DEBUG | Debug information, information messages, warnings, errors, and fatal errors are written to the log file.
ALL | Events are not filtered. All events are written to the log file.
OFF | No entries are written to the log file and no log updates are made.
NOTE The log contains messages of the selected level and all higher levels. If you select the INFO level, all INFO messages and higher-level messages (INFO, WARN, ERROR, and FATAL) are written to the log file.
4 Click Apply changes.
5 (Optional) Click the Generate log report link to export the log files.
This operation creates a ZIP archive of all log files.
The new log level is applied to any new messages that the server generates, without restarting the server. The logs are stored in install_directory\app-server\server\vmo\log\.
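To triage an exported server.log at a chosen level, the following added example (not part of the VMware guide) parses lines written in the default ConversionPattern from log4j.xml, `%d{yyyy-MM-dd HH:mm:ss.SSSZ} %-5p [%c{1}] %m%n`, and keeps the events at or above a threshold, following the level ordering in the NOTE above. The sample lines, category names and function names are constructed.

```python
import re
from datetime import datetime

# Severity order from the Log level table; ALL and OFF are thresholds only.
LEVELS = {"DEBUG": 10, "INFO": 20, "WARN": 30, "ERROR": 40, "FATAL": 50}
THRESHOLDS = dict(LEVELS, ALL=0, OFF=100)

# Matches: %d{yyyy-MM-dd HH:mm:ss.SSSZ} %-5p [%c{1}] %m%n
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{4}) "
    r"([A-Z]+) +\[([^\]]*)\] (.*)$"
)


def parse_server_log(text):
    """Split log text into events; unmatched lines continue the previous event."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f%z"),
                "level": m.group(2),
                "category": m.group(3),
                "message": m.group(4),
            })
        elif events:
            events[-1]["message"] += "\n" + line  # stack trace or wrapped text
    return events


def at_or_above(events, threshold):
    """Keep events whose level is the threshold or higher (ALL keeps all, OFF none)."""
    floor = THRESHOLDS[threshold]
    return [e for e in events if LEVELS.get(e["level"], 0) >= floor]


# Constructed sample; categories and messages are invented for illustration.
SAMPLE_LOG = """\
2012-03-01 10:15:02.123+0100 INFO  [VcoServer] Server started
2012-03-01 10:15:07.480+0100 DEBUG [Execution] Loading workflow token
2012-03-01 10:16:11.004+0100 WARN  [Scheduler] Task delayed
2012-03-01 10:16:12.950+0100 ERROR [Execution] Workflow run failed
java.lang.IllegalStateException: constructed stack trace line
\tat example.Constructed.run(Constructed.java:1)
2012-03-01 10:17:00.000+0100 FATAL [Database] Connection lost
"""

if __name__ == "__main__":
    for event in at_or_above(parse_server_log(SAMPLE_LOG), "WARN"):
        first_line = event["message"].splitlines()[0]
        print(event["time"].isoformat(), event["level"], event["category"], first_line)
```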

Change the Size of Server Logs

If a server log regenerates multiple times a day, it becomes difficult to determine what causes problems. To prevent this, you can change the default size of the server log. The default size of the server log is 5MB.
Procedure
1 Navigate to the following folder on the Orchestrator server system.
Option | Action
If you installed Orchestrator with the vCenter Server installer | Go to install_directory\VMware\Infrastructure\Orchestrator\app-server\server\vmo\conf.
If you installed the standalone version of Orchestrator | Go to install_directory\VMware\Orchestrator\app-server\server\vmo\conf.
2 Open the log4j.xml file in a text editor and locate the following code block:
<appender class="org.jboss.logging.appender.RollingFileAppender" name="FILE">
  <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
  <param name="File" value="${jboss.server.home.dir}/log/server.log"/>
  <param name="Append" value="true"/>
  <!-- Rollover at 5MB and allow 4 rollover files -->
  <param name="MaxFileSize" value="5120KB"/>
  <param name="MaxBackupIndex" value="4"/>
  <layout class="org.apache.log4j.PatternLayout">
    <!-- The default pattern: Date Priority [Category] Message\n -->
    <param name="ConversionPattern" value="%d{yyyy-MM-dd HH:mm:ss.SSSZ} %-5p [%c{1}] %m%n"/>
  </layout>
</appender>
3 Change the following lines:
<param name="MaxFileSize" value="5120KB"/>
<param name="MaxBackupIndex" value="4"/>
The MaxFileSize parameter controls the size of the log file, and the MaxBackupIndex parameter controls the number of files for the rollover.
NOTE Before you save the file, make sure it does not contain typos. If the file contains typos, the logs will be lost.
The system reads this file dynamically. You do not need to reboot the server.
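Because a typo in log4j.xml costs you the logs, the edited FILE appender can be checked before the file is saved. The following is an added example, not VMware code: it verifies that the XML is well-formed and that MaxFileSize and MaxBackupIndex hold usable values, and returns the disk space the rollover set can occupy. The accepted size suffixes (KB, MB, GB) and the function name are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: a size is digits with an optional KB, MB or GB suffix, no spaces inside.
SIZE_RE = re.compile(r"^(\d+)(KB|MB|GB)?$", re.IGNORECASE)
UNITS = {"": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def check_file_appender(xml_text):
    """Return (problems, max_bytes); max_bytes is None when problems exist."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"], None
    appender = next((a for a in root.iter("appender") if a.get("name") == "FILE"), None)
    if appender is None:
        return ["no appender named FILE"], None
    # A misspelled param name shows up here as a missing parameter.
    params = {p.get("name"): (p.get("value") or "").strip()
              for p in appender.findall("param")}
    problems = []
    size = SIZE_RE.match(params.get("MaxFileSize", ""))
    if size is None:
        problems.append(f"MaxFileSize missing or invalid: {params.get('MaxFileSize')!r}")
    backups = params.get("MaxBackupIndex", "")
    if not backups.isdigit():
        problems.append(f"MaxBackupIndex missing or invalid: {backups!r}")
    if problems:
        return problems, None
    size_bytes = int(size.group(1)) * UNITS[(size.group(2) or "").upper()]
    # server.log itself plus MaxBackupIndex rolled-over files.
    return [], size_bytes * (int(backups) + 1)


# The appender block from this guide, used as sample input.
PAGE_APPENDER = r"""<appender class="org.jboss.logging.appender.RollingFileAppender" name="FILE">
  <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
  <param name="File" value="${jboss.server.home.dir}/log/server.log"/>
  <param name="Append" value="true"/>
  <param name="MaxFileSize" value="5120KB"/>
  <param name="MaxBackupIndex" value="4"/>
  <layout class="org.apache.log4j.PatternLayout">
    <param name="ConversionPattern" value="%d{yyyy-MM-dd HH:mm:ss.SSSZ} %-5p [%c{1}] %m%n"/>
  </layout>
</appender>"""

# Constructed edits: a valid change, a unit typo, and a lost closing tag.
EDIT_OK = PAGE_APPENDER.replace("5120KB", "10MB").replace('value="4"', 'value="9"')
EDIT_BAD_UNIT = PAGE_APPENDER.replace("5120KB", "5120K")
EDIT_BROKEN = PAGE_APPENDER.replace("</appender>", "")

if __name__ == "__main__":
    for name in ("PAGE_APPENDER", "EDIT_OK", "EDIT_BAD_UNIT", "EDIT_BROKEN"):
        print(name, check_file_appender(globals()[name]))
```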

Export Orchestrator Log Files

Orchestrator provides a workflow that generates a ZIP archive of troubleshooting information containing configuration, server, wrapper, and installation log files.
Prerequisites
Verify that you created the c:/orchestrator folder at the root of the Orchestrator server system or set write access rights to another folder in which to store the generated ZIP archive. See “Set Server File System Access for Workflows and JavaScript,” on page 49.
You must be logged in to the Orchestrator client as a member of the vCO admin group.
Procedure
1 Click the Workflows view in the Orchestrator client.
2 In the workflows hierarchical list, open Library > Troubleshooting and navigate to the Export logs and application settings workflow.
3 Right-click the Export logs and application settings workflow and select Start workflow.
4 (Optional) Type the path to the folder on the vCO server in which to store the output ZIP archive.
If you do not type a path, the generated ZIP archive is stored in the c:/orchestrator folder.
5 Click Submit to run the workflow.
The troubleshooting information is stored in a ZIP archive named vCO_troubleshooting_dateReference_xxxxxx.zip.

Loss of Server Logs

You might experience loss of logs if you use the vmo.bat file to restart the Orchestrator server.
Problem
If you start the Orchestrator server as a service and you then restart the Orchestrator server by running the vmo.bat file directly, you can experience a potential loss of logs.
Cause
Logs can be lost if you start the Orchestrator server as a service and restart it by using the vmo.bat file. This behavior can cause the server to run with different permissions.
Solution
1 Right-click My Computer on your desktop and select Manage.
2 In the Computer Management dialog box, expand Services and Applications and select Services.
3 In the right pane, right-click and select VMware vCenter Orchestrator Server > Restart.

Maintaining the Orchestrator Database

After your Orchestrator database instance and Orchestrator server are installed and operational, perform standard database maintenance processes.
Maintaining your Orchestrator database involves several tasks:
- Monitoring the growth of the log file and compacting the database log file, as needed. See the documentation for the database type that you are using.
- Scheduling regular backups of the database.
- Backing up the database before you upgrade Orchestrator. See your database documentation for information about backing up your database.