VMware vCenter Orchestrator - 5.1 Installation Manual

Installing and Configuring VMware

vCenter Orchestrator

vCenter Orchestrator 5.1

This document supports the version of each product listed and
supports all subsequent versions until the document is replaced
by a new edition. To check for more recent editions of this
document, see http://www.vmware.com/support/pubs.

EN-000736-01

Installing and Configuring VMware vCenter Orchestrator

You can find the most up-to-date technical documentation on the VMware Web site at:

http://www.vmware.com/support/

The VMware Web site also provides the latest product updates.

If you have comments about this documentation, submit your feedback to:

docfeedback@vmware.com

Copyright © 2008 – 2012 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and
intellectual property laws. VMware products are covered by one or more patents listed at

http://www.vmware.com/go/patents.

VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks
and names mentioned herein may be trademarks of their respective companies.

VMware, Inc.

3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

2 VMware, Inc.

Contents

Installing and Configuring VMware vCenter Orchestrator 7

Updated Information 9

Introduction to VMware vCenter Orchestrator 11

1

Key Features of the Orchestrator Platform 11

Orchestrator User Types and Related Responsibilities 12

Orchestrator Architecture 13

Orchestrator System Requirements 15

2

Hardware Requirements for Orchestrator 15

Operating Systems Supported by Orchestrator 15

Supported Directory Services 15

Browsers Supported by Orchestrator 16

Orchestrator Database Requirements 16

Level of Internationalization Support 16

Orchestrator Components Setup 19

3

Orchestrator Configuration Maximums 19

vCenter Server Setup 19

Authentication Methods 20

Orchestrator Database Setup 20

Installing and Upgrading Orchestrator 23

4

Download the vCenter Server Installer 24

Install Orchestrator Standalone 24

Install the Orchestrator Client on a 32-Bit Machine 25

Upgrade Orchestrator 4.2.x Standalone 26

Upgrading Orchestrator 4.0.x Running on a 64-Bit Machine 27

Export the Orchestrator Configuration 27

Uninstall Orchestrator 28

Install Orchestrator Standalone 28

Import the Orchestrator Configuration 29

Upgrading Orchestrator 4.0.x and Migrating the Configuration Data 30

Uninstall Orchestrator 30

VMware, Inc.

Configuring the Orchestrator Server 31

5

Start the Orchestrator Configuration Service 32

Log In to the Orchestrator Configuration Interface 32

Configure the Network Connection 33

Orchestrator Network Ports 33

3

Installing and Configuring VMware vCenter Orchestrator

Import the vCenter Server SSL Certificate 35

Selecting the Authentication Type 36

Configuring vCenter Single Sign On Settings 36

Configuring LDAP Settings 39

Configuring the Orchestrator Database Connection 45

Configure SQL Server Express to Use with Orchestrator 45

Import the Database SSL Certificate 45

Configure the Database Connection 46

Server Certificate 49

Create a Self-Signed Server Certificate 49

Obtain a Server Certificate Signed by a Certificate Authority 50

Import a Server Certificate 50

Export a Server Certificate 51

Changing a Self-Signed Server Certificate 51

Configure the Default Plug-Ins 52

Define the Default SMTP Connection 53

Configure the SSH Plug-In 53

Configure the vCenter Server 5.1 Plug-In 54

Installing a New Plug-In 55

Importing the vCenter Server License 56

Import the vCenter Server License 56

Add the vCenter Server License Key Manually 57

Access Rights to Orchestrator Server 57

Start the Orchestrator Server 58

Additional Configuration Options 59

6

Change the Password of the Orchestrator Configuration Interface 59

Change the Default Configuration Ports on the Orchestrator Client Side 60

Uninstall a Plug-In 60

Activate the Service Watchdog Utility 61

Export the Orchestrator Configuration 62

Orchestrator Configuration Files 62

Import the Orchestrator Configuration 63

Configure the Maximum Number of Events and Runs 64

Import the Plug-In Licenses 65

Orchestrator Log Files 65

Logging Persistence 66

Define the Server Log Level 67

Change the Size of Server Logs 68

Export Orchestrator Log Files 68

Loss of Server Logs 69

Filter the Orchestrator Log Files 69

Configuration Use Cases and Troubleshooting 71

7

Registering Orchestrator with vCenter Single Sign On in the vCenter Server Appliance 71

Setting Up Orchestrator to Work with the vSphere Web Client 72

Check Whether Orchestrator Is Successfully Registered as an Extension 73

Unregister Orchestrator from vCenter Single Sign On 73

4 VMware, Inc.

Enable Orchestrator for Remote Workflow Execution 74

Changing SSL Certificates 75

Generate a New Certificate 75

Install a Certificate from a Certificate Authority 75

Change the Web Views SSL Certificate 76

Change the SSL Certificate of the Orchestrator Configuration Interface 77

Change the SSL Certificate for the Orchestrator Client 77

Back Up the Orchestrator Configuration and Elements 78

Unwanted Server Restarts 80

Orchestrator Server Fails to Start 80

Revert to the Default Password for Orchestrator Configuration 81

Contents

Setting System Properties 83

8

Disable Access to the Orchestrator Client By Nonadministrators 83

Disable Access to Workflows from Web Service Clients 84

Setting Server File System Access for Workflows and JavaScript 84

Rules in the js-io-rights.conf File Permitting Write Access to the Orchestrator System 85

Set Server File System Access for Workflows and JavaScript 86

Manually Create the js-io-rights.conf File 86

Set JavaScript Access to Operating System Commands 87

Set JavaScript Access to Java Classes 88

Set Custom Timeout Property 89

Modify the Number of Objects a Plug-In Search Obtains 89

Modify the Number of Concurrent and Pending Workflows 90

Where to Go From Here 91

9

Index 93

VMware, Inc. 5

Installing and Configuring VMware vCenter Orchestrator

6 VMware, Inc.

Installing and Configuring VMware vCenter Orchestrator

Installing and Configuring VMware vCenter Orchestrator provides information and instructions about installing,
upgrading and configuring VMware® vCenter Orchestrator.

Intended Audience

This information is intended for advanced vSphere administrators and experienced system administrators
who are familiar with virtual machine technology and datacenter operations.

VMware, Inc. 7

Installing and Configuring VMware vCenter Orchestrator

8 VMware, Inc.

Updated Information

Installing and Configuring VMware vCenter Orchestrator is updated with each release of the product or when
necessary.

This table provides the update history of Installing and Configuring VMware vCenter Orchestrator.

Revision Description

EN-000736-01 Updated “Setting Up Orchestrator to Work with the vSphere Web Client,” on page 72 with information

about additional verification steps.

EN-000736-00 Initial release.

VMware, Inc. 9

Installing and Configuring VMware vCenter Orchestrator

10 VMware, Inc.

Introduction to VMware vCenter

Orchestrator 1

VMware vCenter Orchestrator is a development- and process-automation platform that provides a library of
extensible workflows to allow you to create and run automated, configurable processes to manage the VMware
vSphere infrastructure as well as other VMware and third-party technologies.

Orchestrator exposes every operation in the vCenter Server API, allowing you to integrate all of these
operations into your automated processes. Orchestrator also allows you to integrate with other management
and administration solutions through its open plug-in architecture.

This chapter includes the following topics:

n

“Key Features of the Orchestrator Platform,” on page 11

n

“Orchestrator User Types and Related Responsibilities,” on page 12

n

“Orchestrator Architecture,” on page 13

Key Features of the Orchestrator Platform

Orchestrator is composed of three distinct layers: an orchestration platform that provides the common features
required for an orchestration tool, a plug-in architecture to integrate control of subsystems, and a library of
workflows. Orchestrator is an open platform that can be extended with new plug-ins and libraries, and can be
integrated into larger architectures through a SOAP or REST API.

The following list presents the key Orchestrator features.

Persistence

Central management

Check-pointing

Versioning

VMware, Inc. 11

Production grade external databases are used to store relevant information,
such as processes, workflow states, and configuration information.

Orchestrator provides a central way to manage your processes. The application
server-based platform, with full version history, allows you to have scripts and
process-related primitives in one place. This way, you can avoid scripts without
versioning and proper change control spread on your servers.

Every step of a workflow is saved in the database, which allows you to restart
the server without losing state and context. This feature is especially useful for
long-running processes.

All Orchestrator Platform objects have an associated version history. This
feature allows basic change management when distributing processes to
different project stages or locations.

Installing and Configuring VMware vCenter Orchestrator

Scripting engine

Workflow engine

Policy engine

Web 2.0 front end

The Mozilla Rhino JavaScript engine provides a way to create new building
blocks for Orchestrator Platform. The scripting engine is enhanced with basic
version control, variable type checking, name space management and
exception handling. It can be used in the following building blocks:

n

Actions

n

Workflows

n

Policies

The workflow engine allows you to capture business processes. It uses the
following objects to create a step-by-step process automation in workflows:

n

Workflows and actions that Orchestrator provides.

n

Custom building blocks created by the customer

n

Objects that plug-ins add to Orchestrator

Users, other workflows, a schedule, or a policy can start workflows.

The policy engine allows monitoring and event generation to react to changing
conditions in the Orchestrator server or plugged-in technology. Policies can
aggregate events from the platform or any of the plug-ins, which allows you
to handle changing conditions on any of the integrated technologies.

The Web 2.0 front end allows you to integrate Orchestrator functions into Web­based interfaces, using Web views. For example, you can create Web views that
add buttons to start workflows from a page in your company's Intranet. It
provides a library of user customizable components to access vCO orchestrated
objects and uses Ajax technology to dynamically update content without
reloading complete pages.

Security

Orchestrator provides the following advanced security functions:

n

Public Key Infrastructure (PKI) to sign and encrypt content imported and
exported between servers

n

Digital Rights Management (DRM) to control how exported content might
be viewed, edited and redistributed

n

Secure Sockets Layer (SSL) encrypted communications between the
desktop client and the server and HTTPS access to the Web front end.

n

Advanced access rights management to provide control over access to
processes and the objects manipulated by these processes.

Orchestrator User Types and Related Responsibilities

Orchestrator provides different tools and interfaces based on the specific responsibilities of the two global user
roles: Administrators and End Users. Orchestrator developers also have administrative rights and are
responsible for creating workflows and additional applications.

Users with Full Rights

Administrators

This role has full access to all of the Orchestrator platform capabilities. Basic
administrative responsibilities include the following items:

n

Installing and configuring Orchestrator

n

Managing access rights for Orchestrator and applications

12 VMware, Inc.

Chapter 1 Introduction to VMware vCenter Orchestrator

n

Importing and exporting packages

n

Enabling and disabling Web views

n

Running workflows and scheduling tasks

n

Managing version control of imported elements

n

Creating new workflows and plug-ins

Developers

This user type has full access to all of the Orchestrator platform capabilities.
Developers are granted access to the Orchestrator client interface and have the
following responsibilities:

n

n

n

Users with Limited Rights

End Users

This role has access to only the Web front end. End users can run and schedule
workflows and policies that the administrators or developers make available
in a browser by using Web views.

Orchestrator Architecture

Orchestrator contains a workflow library and a workflow engine to allow you to create and run workflows
that automate orchestration processes. You run workflows on the objects of different technologies that
Orchestrator accesses through a series of plug-ins.

Orchestrator provides a standard set of plug-ins, including a plug-in for vCenter Server, to allow you to
orchestrate tasks in the different environments that the plug-ins expose.

Creating applications to extend the Orchestrator platform functionality

Automating processes by customizing existing workflows and creating
new workflows and plug-ins

Customizing Web front ends for automated processes, using Web 2.0 tools.

Orchestrator also presents an open architecture to allow you to plug in external third-party applications to the
orchestration platform. You can run workflows on the objects of the plugged-in technologies that you define
yourself. Orchestrator connects to a directory services server to manage user accounts, and to a database to
store information from the workflows that it runs. You can access Orchestrator, the Orchestrator workflows,
and the objects it exposes through the Orchestrator client interface, through a Web browser, or through Web
services.

VMware, Inc. 13

Orchestrator

database

workflow library

vCenter

Server

XML SSH SQL SMTP

3rd-party

plug-in

workflow engine

browser

access

vCenter

Orchestrator

Client application

vCenter

Server

Directory services

or vCenter

Single Sign On

Web services

REST/SOAP

Installing and Configuring VMware vCenter Orchestrator

Figure 1-1. VMware vCenter Orchestrator Architecture

14 VMware, Inc.

Orchestrator System Requirements 2

Your system must meet the technical requirements that are necessary to install and configure Orchestrator.

For a list of the supported versions of vCenter Server, see VMware Product Interoperability Matrix.

This chapter includes the following topics:

n

“Hardware Requirements for Orchestrator,” on page 15

n

“Operating Systems Supported by Orchestrator,” on page 15

n

“Supported Directory Services,” on page 15

n

“Browsers Supported by Orchestrator,” on page 16

n

“Orchestrator Database Requirements,” on page 16

n

“Level of Internationalization Support,” on page 16

Hardware Requirements for Orchestrator

Verify that your system meets the minimum hardware requirements before you install Orchestrator.

n

2.0GHz or faster Intel or AMD x86 processor. At least two CPUs are recommended. Processor requirements
might differ if your database runs on the same hardware.

n

4GB RAM. You might need more RAM if your database runs on the same hardware.

n

2GB disk space. You might need more storage if your database runs on the same hardware.

n

A free static IP address.

Operating Systems Supported by Orchestrator

You can install the Orchestrator 5.1 server only on 64-bit operating systems.

For a list of the operating systems supported by Orchestrator, see the VMware Compatibility Guide.

Supported Directory Services

Orchestrator requires a working LDAP server.

Orchestrator supports these directory service types.

n

Windows Server 2003 Active Directory

n

Windows Server 2008 Active Directory

n

Novell eDirectory Server 8.8.3

VMware, Inc.

15

Installing and Configuring VMware vCenter Orchestrator

n

Sun Java System Directory Server 6.3

IMPORTANT Multiple domains that have a two-way trust, but are not in the same tree, are not supported and
do not work with Orchestrator. The only configuration supported for multi-domain Active Directory is domain
tree. Forest and external trusts are unsupported.

Browsers Supported by Orchestrator

The Orchestrator configuration interface and Web views require a Web browser.

You must have one of the following browsers to connect to the Orchestrator configuration interface and Web
views.

n

Microsoft Internet Explorer 7 and 8

n

Mozilla Firefox 3.0 and later

Orchestrator Database Requirements

Orchestrator requires a database. It is recommended that the Orchestrator database is separate from the
standard vCenter Server database. For small-scale deployments, you can use the SQL Server Express database
that is bundled with vCenter Server.

NOTE To ensure efficient CPU and memory usage, you should consider hosting the Orchestrator database
and the Orchestrator server on different machines. Verify that at least 1GB of free disk space is available on
each machine.

Orchestrator supports Oracle, SQL Server 2003, SQL Server 2008, SQL Server Express, PostgreSQL, as well as
the vCenter Server datasource.

Level of Internationalization Support

Orchestrator is compliant with i18n level 1.

Non-ASCII Character Support in Orchestrator

Although Orchestrator is not localized, it can run on a non-English operating system and handle non-English
text.

Table 2-1. Non-ASCII Character Support in Orchestrator GUI

Support for Non-ASCII Characters

Item

Action Yes No No No

Folder Yes Yes - -

Configuration element Yes Yes - No

Package Yes Yes - -

Policy Yes Yes - -

Policy template Yes Yes - -

Resource element Yes Yes - -

Web view Yes Yes - No

Description Field Name Field

Input and Output
Parameters Attributes

16 VMware, Inc.

Chapter 2 Orchestrator System Requirements

Table 2-1. Non-ASCII Character Support in Orchestrator GUI (Continued)

Support for Non-ASCII Characters

Input and Output

Item

Workflow Yes Yes No No

Workflow
presentation display
group and input step

Description Field Name Field

Yes Yes - -

Parameters Attributes

Non-ASCII Character Support for Oracle Databases

To store characters in the correct format in an Oracle database, set the NLS_CHARACTER_SET parameter to

AL32UTF8 before configuring the database connection and building the table structure for Orchestrator. This

setting is crucial for an internationalized environment.

VMware, Inc. 17

Installing and Configuring VMware vCenter Orchestrator

18 VMware, Inc.

Orchestrator Components Setup 3

To enhance the availability and scalability of your Orchestrator setup, install Orchestrator on a computer
different from the computer on which vCenter Server runs. With such separation, you can adjust the operating
system to meet the specific recommendations for each service.

This chapter includes the following topics:

n

“Orchestrator Configuration Maximums,” on page 19

n

“vCenter Server Setup,” on page 19

n

“Authentication Methods,” on page 20

n

“Orchestrator Database Setup,” on page 20

Orchestrator Configuration Maximums

When you configure Orchestrator, verify that you stay at or below the supported maximums.

Table 3-1. Orchestrator Configuration Maximums

Item Maximum

Connected vCenter Server systems 20

Connected ESX/ESXi servers 1280

Connected virtual machines spread over vCenter Server systems 35000

Concurrent running workflows 300

vCenter Server Setup

Increasing the number of vCenter Server instances in your Orchestrator setup causes Orchestrator to manage
more sessions. Each active session results in activity on the corresponding vCenter Server, and too many active
sessions can cause Orchestrator to experience timeouts when more than 10 vCenter Server connections occur.

For a list of the supported versions of vCenter Server, see VMware Product Interoperability Matrix.

NOTE You can run multiple vCenter Server instances on different virtual machines in your Orchestrator setup
if your network has sufficient bandwidth and latency. If you are using LAN to improve the communication
between Orchestrator and vCenter Server, a 100Mb line is mandatory.

VMware, Inc.

19

Installing and Configuring VMware vCenter Orchestrator

Authentication Methods

To authenticate and manage user permissions, Orchestrator requires a connection to an LDAP server or a
connection to a vCenter Single Sign On server.

Orchestrator supports the following directory service types: Active Directory, eDirectory, and Sun Java System
Directory Server.

Connect your system to the LDAP server that is physically closest to your Orchestrator server, and avoid
connections to remote LDAP servers. Long response times for LDAP queries can lead to slower performance
of the whole system.

To improve the performance of the LDAP queries, keep the user and group lookup base as narrow as possible.
Limit the users to targeted groups that need access, rather than to whole organizations with many users who
do not need access. Depending on the combination of database and directory service you choose, the resources
you need can vary. For recommendations, see the documentation for your LDAP server.

To use the vCenter Single Sign On authentication method, you must first install vCenter Single Sign On. If you
install Orchestrator together with vCenter Server, the Orchestrator server is preconfigured to use vCenter
Single Sign On as an authentication method. If you install Orchestrator separately from vCenter Server, and
you want to use vCenter Single Sign On, you must configure the Orchestrator server to use the vCenter Single
Sign On server that you installed and configured.

Orchestrator Database Setup

Orchestrator requires a database to store workflows and actions.

If you install Orchestrator together with vCenter Server, the Orchestrator server is preconfigured to use the
vCenter Server datasource and no additional configuration of the database is required. However, if you need
to use a separate database, you can configure Orchestrator to use a dedicated database by using the
Orchestrator configuration interface.

If you install Orchestrator separately from vCenter Server, you must set up the Orchestrator database. You can
configure the Orchestrator server to use either the vCenter Server datasource, or another database, that you
have created for the Orchestrator server.

Orchestrator server supports Oracle and Microsoft SQL Server databases. Orchestrator can work with
Microsoft SQL Server Express in small-scale environments consisting of up to 5 hosts and 50 virtual machines.

For details about using SQL Server Express with Orchestrator, see “Configure SQL Server Express to Use with

Orchestrator,” on page 45.

The common workflow for setting up the Orchestrator database is the following:

1 Create a new database. For more information about creating a new database, refer to the documentation

of your database provider (Microsoft or Oracle).

2 Enable the database for remote connection. For an example of how to do that, see “Configure SQL Server

Express to Use with Orchestrator,” on page 45.

3 Configure the database connection parameters. For more information, see “Configure the Database

Connection,” on page 46.

The way in which your database is set up can affect Orchestrator performance. Install the database on a machine
other than the one on which the Orchestrator server is installed. This approach avoids the JVM and DB server
having to share CPU, RAM, and I/O.

Storing your database plug-ins in a database separate from the one that Orchestrator uses results in more
modularity when upgrading the system. A dedicated database instance allows you to perform upgrades and
maintenance without impacting other products.

20 VMware, Inc.

Chapter 3 Orchestrator Components Setup

The location of the database is important because almost every activity on the Orchestrator server triggers
operations on the database. To avoid latency in the database connection, connect to the database server that is
geographically closest to your Orchestrator server and that is on the network with the highest bandwidth.

The size of the Orchestrator database varies depending on the setup and how workflow tokens are handled.
Allow for approximately 50KB per vCenter Server object and 4KB per workflow run.

CAUTION Verify that at least 1GB of free disk space is available on the machine where the Orchestrator database
is installed and on the machine where the Orchestrator server is installed.

Insufficient disk storage space might result in unwanted behavior of the Orchestrator server and client.

VMware, Inc. 21

Installing and Configuring VMware vCenter Orchestrator

22 VMware, Inc.

Installing and Upgrading Orchestrator 4

Orchestrator consists of a server component and a client component. You can install the Orchestrator
components on the machine on which vCenter Server is installed or on a separate machine. To improve
performance, install the Orchestrator server component on a separate machine.

After you install or upgrade Orchestrator standalone, you must start the Orchestrator Configuration service,
and configure Orchestrator by using the Orchestrator configuration interface.

You can install the Orchestrator configuration server on 64-bit Windows machines only. The Orchestrator client
can run on both 32-bit and 64-bit Windows machines.

To install Orchestrator, you must be either a local Administrator or a domain user that is a member of the
Administrators group.

You can install and upgrade Orchestrator together during the vCenter Server installation or upgrade. When
you install vCenter Server 5.1, Orchestrator 5.1 is silently installed on your system as an additional component
and requires no further configuration. To use Orchestrator, you must start the Orchestrator Server service and
then start the Orchestrator client. Any user from the vCenter Server administrator group that you have
provided during the vCenter Server installation, is an Orchestrator administrator. If you need to change the
default configuration settings, you must first start the Orchestrator Configuration service, and change the
settings by using the Orchestrator configuration interface.

For information about the vCenter Server software and hardware requirements, prerequisites, and installation
steps, see vSphere Installation and Setup.

VMware, Inc.

For information about upgrading vCenter Server, see vSphere Upgrade.

After you upgrade vCenter Server and Orchestrator, you must reimport the SSL certificate for the licensed
vCenter Server and start the Orchestrator server. For more information about importing the vCenter Server
SSL certificate, see “Import the vCenter Server SSL Certificate,” on page 35.

IMPORTANT Each installation of the Orchestrator server has a unique certificate. To run remote workflows from
one Orchestrator server over another Orchestrator server, ensure that you either replace the SSL keystore, or
maintain separate SSL keypairs and use the trust manager. See “Enable Orchestrator for Remote Workflow

Execution,” on page 74.

This chapter includes the following topics:

n

“Download the vCenter Server Installer,” on page 24

n

“Install Orchestrator Standalone,” on page 24

n

“Install the Orchestrator Client on a 32-Bit Machine,” on page 25

n

“Upgrade Orchestrator 4.2.x Standalone,” on page 26

n

“Upgrading Orchestrator 4.0.x Running on a 64-Bit Machine,” on page 27

23

Installing and Configuring VMware vCenter Orchestrator

n

“Upgrading Orchestrator 4.0.x and Migrating the Configuration Data,” on page 30

n

“Uninstall Orchestrator,” on page 30

Download the vCenter Server Installer

You must download the installer for vCenter Server, the vSphere Client, and associated vCenter components
and support tools.

Procedure

1 Download the zip file for vCenter Server from the VMware downloads page at

http://www.vmware.com/support/.

2 Extract the files from the zip archive.

Install Orchestrator Standalone

For production environments and to enhance the scalability of your Orchestrator setup, install Orchestrator
on a dedicated Windows machine.

You can install the Orchestrator server only on a 64-bit operating system platform.

The Orchestrator client can run on both 32-bit and 64-bit Windows machines.

You can install the Orchestrator client on a 32-bit machine. For more information, see “Install the Orchestrator

Client on a 32-Bit Machine,” on page 25.

NOTE If you try to install Orchestrator 5.1 on a 64-bit machine on which an instance of Orchestrator 4.0.x is
running, the 64-bit installer does not detect the earlier version of Orchestrator. As a result, two versions of
Orchestrator are installed and coexist.

Prerequisites

n

Verify that your hardware meets the Orchestrator system requirements. See “Hardware Requirements for

Orchestrator,” on page 15.

n

Download the vCenter Server 5.1 installer from the VMware Web site.

Procedure

1 Start the Orchestrator installer.

In the software installer directory, browse to the C:\
double-click vCenterOrchestrator.exe.

The file contains installers for the client and the server components.

2 Click Next.

3 Accept the terms in the license agreement and click Next.

4 Either accept the default destination folders or click Change to select another location, and click Next.

install_directory

\vCenter-Server\vCO\ folder and

CAUTION You cannot install Orchestrator in a directory whose name contains non-ASCII characters. If
you are operating in a locale that features non-ASCII characters, you must install Orchestrator in the
default location.

24 VMware, Inc.

Chapter 4 Installing and Upgrading Orchestrator

5 Select the type of installation and click Next.

Option Description

Client

Server

Client-Server

Installs the Orchestrator client application, which allows you to create and
edit workflows.

Installs the Orchestrator server platform.

Installs the Orchestrator client and server.

6 Specify the location for the Orchestrator shortcuts and click Next.

CAUTION The name of the shortcuts directory must contain only ASCII characters.

7 Click Install to complete the installation process.

8 Click Done to close the installer.

What to do next

To start configuring Orchestrator, verify that the VMware vCenter Orchestrator Configuration service is
running and log in to the Orchestrator configuration interface at:
https://orchestrator_server_DNS_name_or_IP_address:8283 or https://localhost:8283.

Install the Orchestrator Client on a 32-Bit Machine

The Orchestrator client is a desktop application that allows you to import packages, run and schedule
workflows, and manage user permissions. If you install vCenter Server, the Orchestrator client is installed
silently on your system. You can install the Orchestrator client on a 32-bit machine.

You can use the standalone Orchestrator client installer on a 32-bit machine only.

Prerequisites

Download the Orchestrator client 32-bit installer from the VMware Web site.

Procedure

1 Log in to the 32-bit machine as an administrator.

2 Double-click the vCenter Orchestrator client distribution file and click Next.

The filename is vCenterOrchestratorClient-5.
and yyy is the build number.

3 Accept the terms in the license agreement and click Next.

4 Either accept the default destination folders or click Change to select another location, and click Next.

CAUTION You cannot install Orchestrator in a directory whose name contains non-ASCII characters. If
you are operating in a locale that features non-ASCII characters, you must install Orchestrator in the
default location.

a.b.-yyy

.exe, where a and b are major and minor version,

5 Specify the location for the Orchestrator shortcuts and click Next.

CAUTION The name of the shortcuts directory must contain only ASCII characters.

6 Review the summary and click Next.

7 Click Install to complete the installation process.

8 Click Done to close the installer.

VMware, Inc. 25

Installing and Configuring VMware vCenter Orchestrator

The Orchestrator client component is installed on your system.

What to do next

You can log in to the Orchestrator client interface and perform general administration tasks and create
workflows.

Upgrade Orchestrator 4.2.x Standalone

To upgrade Orchestrator 4.2.x on a 64-bit Microsoft Windows machine that is different from the machine on
which vCenter Server runs, start the latest version of the Orchestrator standalone installer.

Prerequisites

n

Create a backup of the Orchestrator database.

n

Back up your Orchestrator configuration, as well as custom workflows and packages. See “Back Up the

Orchestrator Configuration and Elements,” on page 78.

n

Log in as Administrator to the Windows machine on which you are performing the upgrade.

n

Download the vCenter Server 5.1 installer from the VMware Web site.

Procedure

1 Stop the Orchestrator server service.

a Select Start > Programs > Administrative Tools > Services.

b In the right pane, right-click VMware vCenter Orchestrator Server and select Stop.

c In the right pane, right-click VMware vCenter Orchestrator Configuration and select Stop.

2 Start the Orchestrator installer.

In the software installer directory, browse to the C:\

install_directory

\vCenter-Server\vCO\ folder and

double-click vCenterOrchestrator.exe.

The file contains installers for the client and the server components.

3 Click Next.

4 Accept the terms in the license agreement and click Next.

5 Select Continue with update to upgrade Orchestrator.

6 When the installer detects the installation directory, click Next.

You cannot change the installation directory when you are upgrading Orchestrator. To change this
parameter, you must perform a fresh installation.

7 Select the type of upgrade that matches your existing installation type and click Next.

Option Description

Client

Server

Client-Server

Upgrades the Orchestrator client application, which allows you to create and
edit workflows.

Upgrades the Orchestrator server platform.

Upgrades the Orchestrator client and server.

For example, if you installed only the Orchestrator client, select Client and then upgrade your Orchestrator
server separately.

IMPORTANT The versions of the Orchestrator client and server must be the same.

26 VMware, Inc.

Chapter 4 Installing and Upgrading Orchestrator

8 Specify the location for the Orchestrator shortcuts and click Next.

CAUTION The name of the shortcuts directory must contain only ASCII characters.

9 Click Install to complete the installation process.

10 Click Done to close the installer.

11 Start the Orchestrator configuration service and log in to the Orchestrator configuration interface.

12 On the Database tab, update the database by clicking Update database.

13 Reimport the SSL certificate for the licensed vCenter Server and start the Orchestrator server.

For more information about importing the vCenter Server SSL certificate, see “Import the vCenter Server

SSL Certificate,” on page 35.

You upgraded to the latest version of Orchestrator. The existing Orchestrator configuration is preserved.

Upgrading Orchestrator 4.0.x Running on a 64-Bit Machine

If vCenter Orchestrator 4.0.x is installed on the same 64-bit machine as vCenter Server 4.0 and the later update
releases, you cannot upgrade Orchestrator by upgrading to vCenter Server 5.1. VMware does not support the
in-place upgrade of a standalone Orchestrator instance running on a 64-bit machine.

To upgrade to Orchestrator 5.1, you must export the Orchestrator configuration settings, uninstall the existing
Orchestrator instance, run the Orchestrator installer, and import the configuration settings.

1 Export the Orchestrator Configuration on page 27

The Orchestrator configuration interface provides a mechanism to export the Orchestrator configuration
settings to a local file. This mechanism allows you to take a snapshot of your system configuration at any
moment and import this configuration into a new Orchestrator instance.

2 Uninstall Orchestrator on page 28

You can remove the Orchestrator client and server components from your system by using Add or
Remove Programs.

3 Install Orchestrator Standalone on page 28

For production environments and to enhance the scalability of your Orchestrator setup, install
Orchestrator on a dedicated Windows machine.

4 Import the Orchestrator Configuration on page 29

You can restore the previously exported system configuration when you reinstall Orchestrator or if a
system failure occurs.

Export the Orchestrator Configuration

The Orchestrator configuration interface provides a mechanism to export the Orchestrator configuration
settings to a local file. This mechanism allows you to take a snapshot of your system configuration at any
moment and import this configuration into a new Orchestrator instance.

You should export and save your configuration settings on a regular basis, especially when making
modifications, performing maintenance tasks, or upgrading the system.

For a list of exported configuration settings, see “Orchestrator Configuration Files,” on page 62.

IMPORTANT Keep the file with the exported configuration safe and secure, because it contains sensitive
administrative information.

VMware, Inc. 27

Installing and Configuring VMware vCenter Orchestrator

Procedure

1 Log in to the Orchestrator configuration interface as vmware.

2 On the General tab, click Export Configuration.

3 (Optional) Type a password to protect the configuration file.

Use the same password when you import the configuration.

4 Click Export.

Orchestrator creates a vmo_config_

dateReference

.vmoconfig file on the machine on which the Orchestrator

server is installed. You can use this file to clone or to restore the system.

Uninstall Orchestrator

You can remove the Orchestrator client and server components from your system by using Add or Remove
Programs.

Prerequisites

n

Save the Orchestrator configuration settings to a local file. For more details, see “Export the Orchestrator

Configuration,” on page 27.

n

Back up custom workflows and plug-ins.

Procedure

1 From the Windows Start menu, select Settings > Control Panel > Add or Remove Programs.

2 Select vCenter Orchestrator and click Remove.

3 Click Uninstall in the Uninstall vCenter Orchestrator window.

A message confirms that all items have been successfully removed.

4 Click Done.

Orchestrator is uninstalled from your system.

Install Orchestrator Standalone

For production environments and to enhance the scalability of your Orchestrator setup, install Orchestrator
on a dedicated Windows machine.

You can install the Orchestrator server only on a 64-bit operating system platform.

The Orchestrator client can run on both 32-bit and 64-bit Windows machines.

You can install the Orchestrator client on a 32-bit machine. For more information, see “Install the Orchestrator

Client on a 32-Bit Machine,” on page 25.

NOTE If you try to install Orchestrator 5.1 on a 64-bit machine on which an instance of Orchestrator 4.0.x is
running, the 64-bit installer does not detect the earlier version of Orchestrator. As a result, two versions of
Orchestrator are installed and coexist.

Prerequisites

n

Verify that your hardware meets the Orchestrator system requirements. See “Hardware Requirements for

Orchestrator,” on page 15.

n

Download the vCenter Server 5.1 installer from the VMware Web site.

28 VMware, Inc.

Procedure

1 Start the Orchestrator installer.

Chapter 4 Installing and Upgrading Orchestrator

In the software installer directory, browse to the C:\

install_directory

\vCenter-Server\vCO\ folder and

double-click vCenterOrchestrator.exe.

The file contains installers for the client and the server components.

2 Click Next.

3 Accept the terms in the license agreement and click Next.

4 Either accept the default destination folders or click Change to select another location, and click Next.

CAUTION You cannot install Orchestrator in a directory whose name contains non-ASCII characters. If
you are operating in a locale that features non-ASCII characters, you must install Orchestrator in the
default location.

5 Select the type of installation and click Next.

Option Description

Client

Server

Client-Server

Installs the Orchestrator client application, which allows you to create and
edit workflows.

Installs the Orchestrator server platform.

Installs the Orchestrator client and server.

6 Specify the location for the Orchestrator shortcuts and click Next.

CAUTION The name of the shortcuts directory must contain only ASCII characters.

7 Click Install to complete the installation process.

8 Click Done to close the installer.

What to do next

To start configuring Orchestrator, verify that the VMware vCenter Orchestrator Configuration service is
running and log in to the Orchestrator configuration interface at:
https://orchestrator_server_DNS_name_or_IP_address:8283 or https://localhost:8283.

Import the Orchestrator Configuration

You can restore the previously exported system configuration when you reinstall Orchestrator or if a system
failure occurs.

If you use the import procedure for cloning the Orchestrator configuration, the vCenter Server plug-in
configuration becomes invalid and non-working, because a new ID of the vCenter Server plug-in is generated.
After you import the Orchestrator configuration, you must provide a valid password for each registered
vCenter Server instance. For more information about configuring the vCenter Server plug-in, see “Configure

the vCenter Server 5.1 Plug-In,” on page 54.

Procedure

1 Log in to the Orchestrator configuration interface as vmware.

2 On the General tab, click Import Configuration.

3 Type the password you used when exporting the configuration.

This step is not necessary if you have not specified a password.

VMware, Inc. 29

Installing and Configuring VMware vCenter Orchestrator

4 Browse to select the .vmoconfig file you exported from your previous installation.

5 Select whether to override the Orchestrator internal certificate and network settings.

Select the check box only if you want to restore your Orchestrator configuration and the .vmoconfig file
is the backup file of the same Orchestrator configuration.

If you import the configuration to duplicate the Orchestrator environment, for example for scaling
purposes, leave the check box unselected. Otherwise you might have problems with the certificates when
Orchestrator tries to identify against vCenter Server, vCenter Single Sign On or the vSphere Web Client.

6 Click Import.

A message states that the configuration is successfully imported. The new system replicates the old
configuration completely.

Upgrading Orchestrator 4.0.x and Migrating the Configuration Data

Instead of performing an in-place upgrade of Orchestrator, you might want to use a different machine for your
upgrade.

The vCenter Server 5.0 installation media includes a data migration tool that you can use to migrate
Orchestrator and vCenter Server configuration data from your existing installation on a 32-bit
vCenter Server machine to a new installation on the 64-bit machine. This data migration tool is not supported
for vCenter Server 5.1 and Orchestrator 5.1. You cannot directly migrate an existing Orchestrator installation
to a different machine during an upgrade to version 5.1. You can migrate an existing Orchestrator installation
to a different machine during the upgrade to version 4.2, and then perform an in-place upgrade from version

4.2 to version 5.1. See the version 4.2 of Installing and Configuring VMware vCenter Orchestrator documentation.

Uninstall Orchestrator

You can remove the Orchestrator client and server components from your system by using Add or Remove
Programs.

Prerequisites

n

Save the Orchestrator configuration settings to a local file. For more details, see “Export the Orchestrator

Configuration,” on page 27.

n

Back up custom workflows and plug-ins.

Procedure

1 From the Windows Start menu, select Settings > Control Panel > Add or Remove Programs.

2 Select vCenter Orchestrator and click Remove.

3 Click Uninstall in the Uninstall vCenter Orchestrator window.

A message confirms that all items have been successfully removed.

4 Click Done.

Orchestrator is uninstalled from your system.

30 VMware, Inc.

Configuring the Orchestrator Server 5

The Orchestrator Web Configuration tool is installed silently with vCenter Server or when you install
Orchestrator standalone. To use the tool, you must first start the Orchestrator Configuration Service.

You can use the Orchestrator Web Configuration tool to configure the components that are related to the
Orchestrator engine, such as network, database, server certificate, and so on. The correct configuration of these
components ensures the proper functioning of the applications running on the Orchestrator platform.

When you install Orchestrator 5.1 together with vCenter Server 5.1, Orchestrator is automatically configured
to work. However, you must start the Orchestrator server service and then start the Orchestrator client. Any
user from the vCenter Server administrator group that you have provided during the vCenter Server
installation, is an Orchestrator administrator. You can modify the configuration settings if your organization
requires that. For instructions about how to start the Orchestrator Server service, see “Start the Orchestrator

Configuration Service,” on page 32 and “Start the Orchestrator Server,” on page 58. For more information

about starting the Orchestrator client and using it, see Using the VMware vCenter Orchestrator Client.

When you install Orchestrator 5.1 standalone, Orchestrator is not configured, and you must configure the
Orchestrator settings manually. Perform all of the configuration steps to have the Orchestrator server
configured correctly.

IMPORTANT When you configure Orchestrator, you must make sure that the clocks of the Orchestrator server
machine and the Orchestrator client machine are synchronized.

VMware, Inc.

This chapter includes the following topics:

n

“Start the Orchestrator Configuration Service,” on page 32

n

“Log In to the Orchestrator Configuration Interface,” on page 32

n

“Configure the Network Connection,” on page 33

n

“Orchestrator Network Ports,” on page 33

n

“Import the vCenter Server SSL Certificate,” on page 35

n

“Selecting the Authentication Type,” on page 36

n

“Configuring the Orchestrator Database Connection,” on page 45

n

“Server Certificate,” on page 49

n

“Configure the Default Plug-Ins,” on page 52

n

“Importing the vCenter Server License,” on page 56

n

“Start the Orchestrator Server,” on page 58

31

Installing and Configuring VMware vCenter Orchestrator

Start the Orchestrator Configuration Service

If you have installed Orchestrator as a part of the vCenter Server installation, the Orchestrator Configuration
service does not start by default. You must start it manually before you try to access the Orchestrator
configuration interface.

If you installed Orchestrator standalone, the Orchestrator Configuration service is already started.

Procedure

1 On the machine on which Orchestrator is installed, select Start > Programs > Administrative Tools >

Services.

2 In the Services window, right-click VMware vCenter Orchestrator Configuration and select Start.

3 (Optional) Set up the service to start automatically on the next reboot.

a Right-click VMware vCenter Orchestrator Configuration and select Properties.

b In the VMware vCenter Orchestrator Configuration Properties (Local Computer) window, from the

Startup type drop-down menu select Automatic.

The Orchestrator Configuration service is now running and Orchestrator configuration interface is available
for use.

What to do next

You can log in to the Orchestrator configuration interface and start the process of configuring Orchestrator.

Log In to the Orchestrator Configuration Interface

To start the configuration process, you must access the Orchestrator configuration interface.

Prerequisites

Verify that the VMware vCenter Orchestrator Configuration service is running.

Procedure

1 Start the Orchestrator configuration interface.

n

If you are logged in to the Orchestrator server machine as the user who installed Orchestrator, select

Start > Programs > VMware > vCenter Orchestrator Configuration, and click Orchestrator
Configuration.

n

Go to http://localhost:8282 in a Web browser and click Orchestrator Configuration.

n

If you want to connect to the Orchestrator configuration from a remote computer, navigate to
https://your_orchestrator_server_IP_or_DNS_name:8283.

You can log in to the Orchestrator configuration interface remotely only over HTTPS.

2 Log in with the default credentials.

n

User name: vmware.

You cannot change the default user name.

n

Password: vmware.

When you log in to the Orchestrator configuration interface with the default password, you see the
Welcome page prompting you to change the default password of the Orchestrator configuration interface.

32 VMware, Inc.

3 Change the default password, and click Apply changes.

The next time you log in to the Orchestrator configuration interface, you can use your new password.

You successfully logged in to the Orchestrator configuration interface.

Configure the Network Connection

When you install Orchestrator, the IP address that the Orchestrator client interface uses to communicate to the
server is not set automatically. To change this, you must configure the network settings used by Orchestrator.

Prerequisites

Make sure that the network provides a fixed IP, which is obtained by using a properly configured DHCP server
(using reservations) or by setting a static IP. The Orchestrator server requires that the IP address remains
constant while it is running.

Procedure

1 Log in to the Orchestrator configuration interface as vmware.

2 Click Network.

3 From the IP address drop-down menu, select the IP address to which you want to bind the Orchestrator

server.

Chapter 5 Configuring the Orchestrator Server

Orchestrator discovers the IP address of the machine on which the server is installed.

The corresponding DNS name appears. If no network name is found, the IP address appears in the DNS
name text box. Use this IP address to log in to the Orchestrator client interface.

4 Set up the communication ports.

For more information about default ports, see “Orchestrator Network Ports,” on page 33.

5 Click Apply changes.

What to do next

Click SSL Trust Manager to load the vCenter Server SSL certificate in Orchestrator.

Orchestrator Network Ports

Orchestrator uses specific ports that allow communication with the other systems. Some of the communication
ports you must set are a subset of the standard ports that the Orchestrator JBoss application server uses. The
ports are set with a default value, but you can change these values at any time. When you make the changes,
verify that all ports are free on your host, and if necessary, open these ports on firewalls as required.

Default Configuration Ports

To provide the Orchestrator service, you must set the default ports and configure your firewall to allow
incoming TCP connections.

NOTE Other ports might be required if you are using custom plug-ins.

VMware, Inc. 33

Installing and Configuring VMware vCenter Orchestrator

Table 5-1. VMware vCenter Orchestrator Default Configuration Ports

Port Number Protocol Source Target Description

Lookup port 8230 TCP Orchestrator

Command port 8240 TCP Orchestrator

Messaging port 8250 TCP Orchestrator

Data port 8244 TCP Orchestrator

HTTP server
port

HTTPS server
port

Orchestrator
home page
access port

Web
configuration
HTTPS access
port

8280 TCP End-user

8281 TCP End-user

8282 TCP End-user

8283 TCP End-user

client

client

client

client

Web browser

Web browser

Web browser

Web browser

Orchestrator
server

Orchestrator
server

Orchestrator
server

Orchestrator
server

Orchestrator
server

Orchestrator
server

Orchestrator
home page

Orchestrator
configuration

The main port to communicate with the Orchestrator
server (JNDI port). All other ports communicate with
the Orchestrator client through this port. It is part of
the JBoss application server infrastructure.

The application communication port (RMI container
port) used for loading the Orchestrator client
remotely. It is part of the JBoss application server
infrastructure.

The Java messaging port used for dispatching events.
It is part of the JBoss application server infrastructure.

The port used for accessing all Orchestrator data
models, such as workflows and policies. It is part of
the JBoss application server infrastructure.

The port used by the Orchestrator server to connect to
the Web view front end through HTTP.

The requests sent to Orchestrator default HTTP Web
port 8280 are redirected to the default HTTPS Web
port 8281.

The SSL secured HTTP protocol used to connect to the
Web view front end and to communicate with the
vCenter Server API.

The access port for the Web Orchestrator home page.

The SSL access port for the Web UI of Orchestrator
configuration.

External Communication Ports

You must configure your firewall to allow outgoing connections so that Orchestrator can communicate with
external services.

Table 5-2. VMware vCenter Orchestrator External Communication Ports

Port Number Protocol Source Target Description

LDAP 389 TCP Orchestrator

server

LDAP using
SSL

LDAP using
Global Catalog

vCenter Single
Sign On server

SQL Server 1433 TCP Orchestrator

PostgreSQL 5432 TCP Orchestrator

636 TCP Orchestrator

server

3268 TCP Orchestrator

server

7444 TCP Orchestrator

server

server

server

LDAP server The lookup port of your LDAP Authentication server.

LDAP server The lookup port of your secure LDAP Authentication

server.

Global Catalog
server

vCenter Single
Sign On server

Microsoft SQL
Server

PostgreSQL
Server

The port to which Microsoft Global Catalog server
queries are directed.

The port used to communicate with the vCenter Single
Sign On server.

The port used to communicate with the Microsoft SQL
Server or SQL Server Express instances that are
configured as the Orchestrator database.

The port used to communicate with the PostgreSQL
Server that is configured as the Orchestrator database.

34 VMware, Inc.

Chapter 5 Configuring the Orchestrator Server

Table 5-2. VMware vCenter Orchestrator External Communication Ports (Continued)

Port Number Protocol Source Target Description

Oracle 1521 TCP Orchestrator

SMTP Server
port

vCenter Server
API port

25 TCP Orchestrator

443 TCP Orchestrator

server

server

server

Oracle DB
Server

SMTP Server The port used for email notifications.

vCenter Server The vCenter Server API communication port used by

Import the vCenter Server SSL Certificate

The Orchestrator configuration interface uses a secure connection to communicate with vCenter Server,
relational database management system (RDBMS), LDAP, vCenter Single Sign On, or other servers. You can
import the required SSL certificate from a URL or file.

You can import the vCenter Server SSL certificate from the SSL Trust Manager tab in the Orchestrator
configuration interface.

Procedure

1 Log in to the Orchestrator configuration interface as vmware.

2 Click Network.

3 In the right pane, click the SSL Trust Manager tab.

The port used to communicate with the Oracle
Database Server that is configured as the Orchestrator
database.

Orchestrator to obtain virtual infrastructure and
virtual machine information from the orchestrated
vCenter Server instances.

4 Load the vCenter Server SSL certificate in Orchestrator from a URL address or file.

Option Action

Import from URL

Specify the URL of the vCenter Server:

https://

your_vcenter_server_IP_address

or

your_vcenter_server_IP_address:port

Import from file

Obtain the vCenter Server certificate file. The file is usually available at the
following locations:

n

C:\Documents and
Settings\AllUsers\ApplicationData\VMware\VMware
VirtualCenter\SSL\rui.crt

n

/etc/vmware/ssl/rui.crt

5 Click Import.

A message confirming that the import is successful appears.

6 Repeat the steps for each vCenter Server instance that you want to add to the Orchestrator server.

The imported certificate appears in the Imported SSL certificates list. On the Network tab, the red triangle
changes to a green circle to indicate that the component is now configured correctly.

What to do next

Each time you want to specify the use of an SSL connection to a vCenter Server instance, you must return to
SSL Trust Manager on the Network tab and import the corresponding vCenter Server SSL certificate.

VMware, Inc. 35

Installing and Configuring VMware vCenter Orchestrator

Selecting the Authentication Type

Orchestrator requires an authentication method to work properly and manage user permissions. You must
select an authentication method so that you can work with Orchestrator.

Orchestrator 5.1 supports two types of authentications:

LDAP authentication

vCenter Single Sign On
authentication

IMPORTANT If you want to use vCenter Orchestrator through the vSphere Web Client for managing vSphere
inventory objects, you must configure Orchestrator to authenticate through vCenter Single Sign On.

Orchestrator connects to a working LDAP server.

Orchestrator authenticates through vCenter Single Sign On.

Configuring vCenter Single Sign On Settings

VMware vCenter Single Sign On is an authentication service that implements the brokered authentication
architectural pattern. You can configure Orchestrator to connect to a vCenter Single Sign On server.

The vCenter Single Sign On server provides an authentication interface called Security Token Service (STS).
Clients send authentication messages to the STS, which checks the user's credentials against one of the identity
sources. Upon successful authentication, STS generates a token.

In vCenter Server versions earlier than vCenter Server 5.1, when a user connects to vCenter Server,
vCenter Server authenticates the user by validating the user against an Active Directory domain or the list of
local operating system users. In vCenter Server 5.1, users authenticate through vCenter Single Sign On.

The vCenter Single Sign On administrative interface is part of the vSphere Web Client. To configure vCenter
Single Sign On and manage vCenter Single Sign On users and groups, you log in to the vSphere Web Client
as a user with vCenter Single Sign On administrator privileges. This might not be the same user as the
vCenter Server administrator. Enter the credentials on the vSphere Web Client login page and upon
authentication, you can access the vCenter Single Sign On administration tool to create users and assign
administrative permissions to other users.

Using the vSphere Web Client, you authenticate to vCenter Single Sign On by entering your credentials on the
vSphere Web Client login page. You can then view all of the vCenter Server instances for which you have
permissions. After you connect to vCenter Server, no further authentication is required. The actions that you
can perform on objects depend on the user's vCenter Server permissions on those objects.

For more information about vCenter Single Sign On, see vSphere Security.

After you configure Orchestrator to authenticate through vCenter Single Sign On, make sure that you configure
it to work with the vCenter Server instances registered with the vSphere Web Client using the same vCenter
Single Sign On instance.

When you log in to the vSphere Web Client, the Orchestrator Web plug-in communicates with the Orchestrator
server on behalf of the user profile you used to log in.

Import the vCenter Single Sign On SSL Certificate

To register Orchestrator as a vCenter Single Sign On solution and configure it to work with vCenter Single
Sign On, first import the vCenter Single Sign On SSL certificate.

You can import the vCenter Single Sign On SSL certificate from the SSL Trust Manager tab in the Orchestrator
configuration interface.

Prerequisites

Install and configure vCenter Single Sign On.

36 VMware, Inc.

Chapter 5 Configuring the Orchestrator Server

Procedure

1 Log in to the Orchestrator configuration interface as vmware.

2 Click Network.

3 In the right pane, click the SSL Trust Manager tab.

4 Load the vCenter Single Sign On SSL certificate from a URL or a file.

Option Action

Import from URL

Import from file

Type the URL of the vCenter Single Sign On server:

https://

or

Obtain the vCenter Single Sign On SSL certificate file and browse to import
it.

your_vcenter_single_sign_on_server_IP_address:7444

your_vcenter_single_sign_on_server_IP_address:7444

5 Click Import.

A message confirming that the import is successful appears.

6 Click Startup Options.

7 Click Restart the vCO configuration server to restart the Orchestrator Configuration service after adding

a new SSL certificate.

You successfully imported the vCenter Single Sign On certificate.

What to do next

Register Orchestrator as an vCenter Single Sign On extension and configure additional vCenter Single Sign
On settings.

Register Orchestrator as a vCenter Single Sign On Solution in Basic Mode

You can register the Orchestrator server with a vCenter Single Sign On server by using the simple mode
registration form in the Orchestrator configuration interface. The simple mode registration is easier and initially
you should only provide the URL of your vCenter Single Sign On server and the credentials of the vCenter
Single Sign On admin.

Prerequisites

Install and configure VMware vCenter Single Sign On and verify that your vCenter Single Sign On server is
running.

Procedure

1 Log in to the Orchestrator configuration interface as vmware.

2 Click Authentication.

3 Select SSO Authentication from the Authentication mode drop-down menu.

4 In the Host text box, type the URL for the machine on which you have installed the vCenter Single Sign

On server.

https://

your_vcenter_single_sign_on_server

:7444

5 In the Admin user name and Admin password text boxes, type the credentials of the vCenter Single Sign

On admin.

The account is temporarily used only for registering or removing Orchestrator as a solution.

6 Click Register Orchestrator.

VMware, Inc. 37

Installing and Configuring VMware vCenter Orchestrator

7 Complete the vCenter Single Sign On configuration.

a (Optional) Filter the list of available groups by typing search criteria in the Groups filter text box and

pressing Enter.

b Select a vCO Admin domain and group from the drop-down menu.

c (Optional) Modify the value for the time difference between a client clock and a domain controller

clock.

The default clock tolerance value is 300 seconds.

8 Click Accept Orchestrator Configuration.

You successfully registered Orchestrator with vCenter Single Sign On.

Register Orchestrator as a vCenter Single Sign On Solution in Advanced Mode

You can register the Orchestrator server with a vCenter Single Sign On server by using the advanced mode
registration form in the Orchestrator configuration interface. In the advanced mode you manually type the
token service URL, the administration service URL, and they are not automatically generated for you.

Prerequisites

Install and configure vCenter Single Sign On and verify that your vCenter Single Sign On server is running.

Procedure

1 Log in to the Orchestrator configuration interface as vmware.

2 Click Authentication.

3 Select SSO Authentication from the Authentication mode drop-down menu.

4 Click the Advanced settings link.

5 In the Token service URL text box, type the URL for the vCenter Single Sign On token service interface.

https://

your_vcenter_single_sign_on_server

:7444/ims/STSService

6 In the Admin service URL text box, type the URL for the vCenter Single Sign On administration service

interface.

https://

your_vcenter_single_sign_on_server

:7444/sso-adminserver/sdk

7 In the Admin user name and Admin password text boxes, type the credentials of the vCenter Single Sign

On admin.

The account is temporarily used only for registering or removing Orchestrator as a solution.

8 Click Register Orchestrator.

9 Complete the vCenter Single Sign On configuration.

a (Optional) Filter the list of available groups by typing search criteria in the Groups filter text box and

pressing Enter.

b Select a vCO Admin domain and group from the drop-down menu.

c (Optional) Modify the value for the time difference between a client clock and a domain controller

clock.

The default clock tolerance value is 300 seconds.

10 Click Accept Orchestrator Configuration.

You successfully registered Orchestrator with vCenter Single Sign On.

38 VMware, Inc.

Chapter 5 Configuring the Orchestrator Server

Configuring LDAP Settings

You can configure Orchestrator to connect to a working LDAP server on your infrastructure to manage user
permissions.

If you are using secure LDAP over SSL, Windows Server 2003 or 2008, and AD, verify that the LDAP Server
Signing Requirements group policy is disabled on the LDAP server.

If you configure Orchestrator to work with LDAP, you will not be able to use the Orchestrator Web Client for
managing vSphere inventory objects.

IMPORTANT Multiple domains that are not in the same tree, but have a two-way trust, are not supported and
do not work with Orchestrator. The only configuration supported for multi-domain Active Directory is domain
tree. Forest and external trusts are not supported.

1 Import the LDAP Server SSL Certificate on page 39

If your LDAP server uses SSL, you can import the SSL certificate file to the Orchestrator configuration
interface and activate secure connection between Orchestrator and LDAP.

2 Generate the LDAP Connection URL on page 40

The LDAP service provider uses a URL to configure the connection to the directory server. To generate
the LDAP connection URL, you must specify the LDAP host, port, and root.

3 Specify the Browsing Credentials on page 42

Orchestrator must read your LDAP structure to inherit its properties. You can specify the credentials
that Orchestrator uses to connect to an LDAP server.

4 Define the LDAP User and Group Lookup Paths on page 42

You can define the users and groups lookup information.

5 Define the LDAP Search Options on page 43

You can customize the LDAP search queries and make searching in LDAP more effective.

6 Common Active Directory LDAP Errors on page 44

When you encounter the LDAP:error code 49 error message and experience problems connecting to your
LDAP authentication server, you can check which LDAP function is causing the problem.

Import the LDAP Server SSL Certificate

If your LDAP server uses SSL, you can import the SSL certificate file to the Orchestrator configuration interface
and activate secure connection between Orchestrator and LDAP.

You can import the LDAP SSL certificate from the SSL Trust Manager tab in the Orchestrator configuration
interface.

Prerequisites

n

If you are using LDAP servers, Windows 2003 or 2008, and AD, verify that the LDAP Server Signing
Requirements group policy is disabled on the LDAP server.

n

Obtain a self-signed server certificate or a certificate that is signed by a Certificate Authority.

n

Configure your LDAP server for SSL access. See the documentation of your LDAP server for instructions.

n

Explicitly specify the trusted certificate to perform the SSL authorization correctly.

Procedure

1 Log in to the Orchestrator configuration interface as vmware.

2 Click Network.

VMware, Inc. 39

Installing and Configuring VMware vCenter Orchestrator

3 In the right pane, click the SSL Trust Manager tab.

4 Browse to select a certificate file to import.

5 Load the LDAP SSL certificate from a URL or a file.

Option Action

Import from URL

Import from file

6 Click Import.

A message confirming that the import is successful appears.

7 Click Startup Options.

8 Click Restart the vCO configuration server to restart the Orchestrator Configuration service after adding

a new SSL certificate.

The imported certificate appears in the Imported SSL certificates list. The secure connection between
Orchestrator and your LDAP server is activated.

Type the URL of the LDAP server:

https://

your_LDAP_server_IP_address:port

Obtain the LDAP SSL certificate file and browse to import it.

your_LDAP_server_IP_address

or

What to do next

When you generate the LDAP connection URL you should enable SSL on the Authentication tab in the
Orchestrator configuration interface.

Generate the LDAP Connection URL

The LDAP service provider uses a URL to configure the connection to the directory server. To generate the
LDAP connection URL, you must specify the LDAP host, port, and root.

The supported directory service types are Active Directory, eDirectory, and Sun Java System Directory Server.

Procedure

1 Log in to the Orchestrator configuration interface as vmware.

2 Click Authentication.

3 Select LDAP Authentication from the Authentication mode drop-down menu.

4 From the LDAP client drop-down menu, select the directory server type that you are using as the LDAP

server.

NOTE If you change the LDAP server or type after you set permissions on Orchestrator objects (such as
access rights on workflows or actions), you must reset these permissions.

If you change the LDAP settings after configuring custom applications that capture and store user
information, the LDAP authentication records created in the database become invalid when used against
the new LDAP database.

5 In the Primary LDAP host text box, type the IP address or the DNS name of the host on which your primary

LDAP service runs.

This is the first host on which the Orchestrator configuration interface verifies user credentials.

40 VMware, Inc.

Chapter 5 Configuring the Orchestrator Server

6 (Optional) In the Secondary LDAP host text box, type the IP address or the DNS name of the host on

which your secondary LDAP service runs.

If the primary LDAP host becomes unavailable, Orchestrator verifies user credentials on the secondary
host.

7 In the Port text box, type the value for the lookup port of your LDAP server.

NOTE Orchestrator supports the Active Directory hierarchical domains structure. If your domain
controller is configured to use Global Catalog, you must use port 3268. You cannot use the default port
389 to connect to the Global Catalog server.

8 In the Root text box, type the root element of your LDAP service.

If your domain name is company.org, your root LDAP is dc=company,dc=org.

This is the node used for browsing your service directory after typing the appropriate credentials. For
large service directories, specifying a node in the tree narrows the search and improves performance. For
example, rather than searching in the entire directory, you can specify ou=employees,dc=company,dc=org.
This displays all the users in the Employees group.

9 (Optional) Select Use SSL to activate encrypted certification for the connection between Orchestrator and

LDAP.

If your LDAP uses SSL, you must first import the SSL certificate and restart the Orchestrator Configuration
service. See “Import the LDAP Server SSL Certificate,” on page 39.

10 (Optional) Select Use Global Catalog to allow LDAP referrals when the LDAP client is Active Directory.

The LDAP server lookup port number changes to 3268. Orchestrator follows the LDAP referrals to find
users and groups in a subdomain that is part of the Active Directory tree to which Orchestrator is
connected. You can add permissions on any groups that can be accessed from your Global Catalog.

Example: Values and Resulting LDAP Connection URL Addresses

Examples of the values that you enter in the required fields and the resulting LDAP connection URL.

n

LDAP host: DomainController

n

Port: 389

n

Root: ou=employees,dc=company,dc=org

Connection URL: ldap://DomainController:389/ou=employees,dc=company,dc=org

n

LDAP host using Global Catalog: 10.23.90.130

n

Port: 3268

n

Root: dc=company,dc=org

Connection URL: ldap://10.23.90.130:3268/dc=company,dc=org

What to do next

Assign credentials to Orchestrator to ensure its access to the LDAP server. See “Specify the Browsing

Credentials,” on page 42.

VMware, Inc. 41

Installing and Configuring VMware vCenter Orchestrator

Specify the Browsing Credentials

Orchestrator must read your LDAP structure to inherit its properties. You can specify the credentials that
Orchestrator uses to connect to an LDAP server.

Prerequisites

Ensure that you have a working LDAP service in your infrastructure and have generated the LDAP connection
URL.

Procedure

1 Log in to the Orchestrator configuration interface as vmware.

2 Click Authentication.

3 Select LDAP Authentication from the Authentication mode drop-down menu.

4 Specify the primary and secondary LDAP hosts, the lookup port of the LDAP server, and the root element.

5 Type a valid user name (LDAP string) in the User name text box for a user who has browsing permissions

on your LDAP server.

The possible formats in which you can specify the user name in Active Directory are as follows:

n

Bare user name format, for example user.

n

Distinguished name format: cn=user,ou=employees,dc=company,dc=org.

Use this format with Sun and eDirectory. Do not use spaces between the comma and the next
identifier.

n

Principal name format: user@company.org.

n

NetBEUI format: COMPANY\user.

6 In the Password text box, type the password for the user name you entered in Step 5.

Orchestrator uses the credentials to connect to the LDAP server.

What to do next

Define the LDAP containers for Orchestrator to look up users and groups.

Define the LDAP User and Group Lookup Paths

You can define the users and groups lookup information.

Two global roles are identified in Orchestrator: Developers and Administrators. The users in the Developers
role have editing privileges on all elements. The users in the Administrators role have unrestricted privileges.
Administrators can manage permissions, or discharge administration duties on a selected set of elements to
any other group or user. These two groups must be contained in the Group lookup base.

Prerequisites

You must have a working LDAP service on your infrastructure.

Procedure

1 Log in to the Orchestrator configuration interface as vmware.

2 Click Authentication.

3 Select LDAP Authentication from the Authentication mode drop-down menu.

42 VMware, Inc.

Chapter 5 Configuring the Orchestrator Server

4 Specify the primary and secondary LDAP hosts, the lookup port of the LDAP server, the root element,

and the browsing credentials.

5 Define the User lookup base.

This is the LDAP container (the top-level domain name or organizational unit) where Orchestrator
searches for potential users.

a Click Search and type the top-level domain name or organizational unit.

Searching for company returns dc=company,dc=org and other common names containing the search
term. If you type dc=company,dc=org as a search term, no results are found.

b Click the LDAP connection string for the discovered branch to insert it in the User lookup base text

box.

If no matches are found, check your LDAP connection string in the main LDAP page.

NOTE You can connect to the Global Catalog Server through port 3268. It issues LDAP referrals that
Orchestrator follows to find the account or group in a subdomain.

6 Define the Group lookup base.

This is the LDAP container where Orchestrator looks up groups.

a Click Search and type the top-level domain name or organizational unit.

b Click the LDAP string for the discovered branch to insert it in the Group lookup base text box.

7 Define the vCO Admin group.

This must be an LDAP group (like Domain Users) to which you grant administrative privileges for
Orchestrator.

a Click Search and type the top-level group name.

b Click the LDAP string for the discovered branch to insert it in the vCO Admin group text box.

IMPORTANT In eDirectory installations, only the eDirectory administrator can see users or user groups that
have administration rights. If you are using an eDirectory LDAP server, and you log in to Orchestrator as
a member of the vCO Admin group but you are not the eDirectory administrator, you can create users or
user groups with administration rights, but you cannot see those users. This problem does not apply to
other LDAP servers.

8 Click the Test Login tab and type credentials for a user to test whether they can access the Orchestrator

smart client.

After a successful login, the system checks if the user is part of the Orchestrator Administrator group.

What to do next

Define the LDAP search options and apply your changes.

Define the LDAP Search Options

You can customize the LDAP search queries and make searching in LDAP more effective.

Procedure

1 Log in to the Orchestrator configuration interface as vmware.

2 Click Authentication.

3 Select LDAP Authentication from the Authentication mode drop-down menu.

VMware, Inc. 43

Installing and Configuring VMware vCenter Orchestrator

4 In the Request timeout text box, type a value in milliseconds.

This value determines the period during which the Orchestrator server sends a query to the service
directory, the directory searches, and sends a reply. If the timeout period elapses, modify this value to
check whether the timeout occurs in the Orchestrator server.

5 (Optional) For all links to be followed before the search operation is performed, select the Dereference

links check box.

Sun Java System Directory Server does not support reference links. If you are using it, you must select the
Dereference links check box.

6 (Optional) To filter the attributes that the search returns, select the Filter attributes check box.

Selecting this check box makes searching in LDAP faster. However, you might need to use some extra
LDAP attributes for automation later.

7 (Optional) Select the Ignore referrals check box to disable referral handling.

When you select the check box, the system does not display any referrals.

8 In the Host reachable timeout text box, type a value in milliseconds.

This value determines the timeout period for the test checking the status of the destination host.

9 Click Apply changes.

On the Authentication tab, the red triangle changes to a green circle to indicate that the component is now
configured correctly.

What to do next

Configure the database. For more information, see “Configuring the Orchestrator Database Connection,” on
page 45.

Common Active Directory LDAP Errors

When you encounter the LDAP:error code 49 error message and experience problems connecting to your LDAP
authentication server, you can check which LDAP function is causing the problem.

Table 5-3. Common Active Directory Authentication Errors

Error Description

525 The user is not found.

52e The user credentials are not valid.

530 The user is not allowed to log in at this time.

531 The user is not allowed to log in to this workstation.

532 The password has expired.

533 This user account has been disabled.

701 This user account has expired.

773 The user must reset their password.

775 The user account has been locked.

44 VMware, Inc.

Chapter 5 Configuring the Orchestrator Server

Configuring the Orchestrator Database Connection

The Orchestrator server requires a database in which to store data. To establish a connection with the database,
you must configure the connection parameters.

Install a relational database management system (RDBMS) and create a new database for Orchestrator. You
can also use the vCenter Server datasource. For more information about creating a new database for
Orchestrator, see “Orchestrator Database Setup,” on page 20. If you decide to use a separate database, configure
the database for remote connection. For an example of configuring SQL Server Express for remote connection,
see “Configure SQL Server Express to Use with Orchestrator,” on page 45.

Configure SQL Server Express to Use with Orchestrator

You can use Microsoft SQL Server Express in small-scale environments.

Orchestrator can work with SQL Server Express when the deployment does not exceed 5 hosts and 50 virtual
machines.

To use SQL Server Express with Orchestrator, you must configure the database to enable TCP/IP.

Procedure

1 Log in as an administrator to the machine on which SQL Server Express is installed.

2 Click Start > All Programs > Microsoft SQL Server 2008 R2 > Configuration Tools > SQL Server

Configuration Manager.

3 Expand in the list on the left.

4 Click Protocols for SQLEXPRESS.

5 Right-click TCP/IP and select Enable.

6 Right-click TCP/IP and select Properties.

7 Click the IP Addresses tab.

8 Under IP1, IP2, and IPAll, set the TCP Port value to 1433.

9 Click OK.

10 Click on the left.

11 Restart the SQL Server.

What to do next

Configure the Orchestrator database connection parameters.

Import the Database SSL Certificate

If your database uses SSL, you must import the SSL certificate to the Orchestrator configuration interface and
activate secure connection between Orchestrator and the database.

You can import the database SSL certificate from the SSL Trust Manager tab in the Orchestrator configuration
interface.

Prerequisites

n

Configure your database for SSL access. See your database documentation for instructions.

n

Obtain a self-signed server certificate or a certificate that is signed by a Certificate Authority.

n

Explicitly specify the trusted certificate to perform the SSL authorization correctly.

VMware, Inc. 45

Installing and Configuring VMware vCenter Orchestrator

Procedure

1 Log in to the Orchestrator configuration interface as vmware.

2 Click Network.

3 In the right pane, click the SSL Trust Manager tab.

4 Load the database SSL certificate from a URL or a file.

Option Action

Import from URL

Import from file

5 Click Import.

A message confirming that the import is successful appears.

6 Click Startup Options.

7 Click Restart the vCO configuration server to restart the Orchestrator Configuration service after adding

a new SSL certificate.

Type the URL of the database server:

https://

your_database_server_IP_address:port

Obtain the database SSL certificate file and browse to import it.

your_database_server_IP_address

or

The imported certificate appears in the Imported Certificates list. The secure connection between Orchestrator
and your database is activated.

What to do next

When you configure the database connection you should enable SSL on the Database tab in the Orchestrator
configuration interface.

Configure the Database Connection

To establish a connection to the Orchestrator database, you must configure the database connection parameters.

Prerequisites

n

Set up a new database to use with the Orchestrator server. See “Orchestrator Database Setup,” on
page 20.

n

If you are using an SQL Server database, verify that the SQL Server Browser service is running.

n

To store characters in the correct format in an Oracle database, set the NLS_CHARACTER_SET parameter to

AL32UTF8 before configuring the database connection and building the table structure for Orchestrator.

This setting is crucial for an internationalized environment.

n

To configure Orchestrator to communicate with the database over a secure connection, make sure that
you import the database SSL certificate. For more information, see “Import the Database SSL

Certificate,” on page 45.

Procedure

1 Log in to the Orchestrator configuration interface as vmware.

2 Click Database.

46 VMware, Inc.

Chapter 5 Configuring the Orchestrator Server

3 From the Select the database type drop-down menu, select the type of database that you want

Orchestrator server to use.

Option Description

Oracle

SQL Server

MySQL

PostgreSQL

Configures Orchestrator to work with an Oracle database instance.

Configures Orchestrator to work with a Microsoft SQL Server or Microsoft
SQL Server Express database instance.

Configures Orchestrator to work with a MySQL database instance.

Configures Orchestrator to work with a PostgreSQL database instance.

4 Define the database connection parameters and click Apply changes.

Option Description

User name

Password (if any)

Use SSL

Database server IP address or DNS
name

Port

Database name

Instance name (if any)

Domain

Use Windows authentication mode
(NTLMv2)

The user name that Orchestrator uses to connect and operate the selected
database. The name you select must be a valid user on the target database
with db_owner rights.

This option is applicable for all databases.

The password for the user name.

This option is applicable for all databases.

Specifies whether you want to use SSL connection to the database. To use
this option you must make sure that you import the database SSL certificate
into Orchestrator.

This option is applicable for all databases.

The database server IP address or DNS name.

This option is applicable for all databases.

The database server port that allows communication to your database.

This option is applicable for all databases.

The full unique name of your database. The database name is specified by
the SERVICE_NAMES parameter in the initialization parameter file.

This option is valid only for SQL Server, MySQL, and PostgreSQL databases.

The name of the database instance that can be identified by the
INSTANCE_NAME parameter in the database initialization parameter file.

This option is valid only for SQL Server and Oracle databases.

To use Windows authentication, type the domain name of the SQL Server
machine, for example company.org.

To use SQL authentication, leave this text box blank.

This option is valid only for SQL server and specifies whether you want to
use Windows or SQL Server authentication.

Select to send NTLMv2 responses when using Windows authentication.

This option is valid only for SQL Server.

If the specified parameters are correct, a message states that the connection to the database is successful.

NOTE Although Orchestrator has established a connection to the database, the database configuration is
not yet complete. You must build or update the database table structure.

VMware, Inc. 47

Installing and Configuring VMware vCenter Orchestrator

5 (Optional) Build or update the table structure for Orchestrator.

Option Description

Create the database tables

Update the database

After the database is populated, you can reset the database access rights to db_dataread and
db_datawrite.

6 Click Apply changes.

The database connection is successfully configured. On the Database tab, the red triangle changes to a green
circle to indicate that the component is now configured correctly.

Example: Configure Orchestrator to Work with SQL Server Express by Using
Windows Authentication Mode

If you want to use Orchestrator in small scale deployments for testing purposes, you might want to use SQL
Server Express 2008 which you can install together with vCenter Server. After you create a new database for
example vco, and enable it for remote connection, to configure the database connection perform the following
steps:

Builds a new table structure for the Orchestrator database.

Uses the database from your previous Orchestrator installation and updates
the table structure.

1 Log in to the Orchestrator configuration interface as vmware.

2 Click the Database tab.

3 From the Select the database type drop-down menu, select SQLServer.

4 In the User name and Password (if any) text boxes, type your Windows credentials.

5 In the Database server IP address or DNS name text box, type the IP address of the machine on which

Orchestrator and the database are installed.

6 In the Port text box, type the TCP/IP port of SQL Server, which usually is 1433.

7 In the Database name text box, type the name of the SQL Server Express database you created, for example

vco.

8 In the Instance name (if any) text box, type the name of the database instance.

You can leave this field blank, if you have only one instance of SQL Server installed on the machine.

9 In the Domain text box either type the domain name of the machine on which Orchestrator and the

database are installed, or type localhost.

10 Select Use Windows authentication mode (NTLMv2).

11 Click Apply.

12 Build or update the database as necessary and click Apply changes.

You successfully configured Orchestrator to work with SQL Server Express by using Windows authentication
mode.

48 VMware, Inc.

Server Certificate

The server certificate is a form of digital identification that is used to authenticate Web applications. Issued for
a particular server and containing information about the server’s public key, the certificate allows you to sign
all elements created in Orchestrator and guarantee authenticity. When the client receives an element from your
server, typically this is a package, the client verifies your identity and decides whether to trust your signature.

n

Create a Self-Signed Server Certificate on page 49

Installing Orchestrator or deploying the Orchestrator requires that you create a certificate. You can create
a self-signed certificate to guarantee encrypted communication and a signature for your packages.
However, the recipient cannot be sure that the self-signed package that you are sending is in fact a
package issued by your server and not a third party claiming to be you.

n

Obtain a Server Certificate Signed by a Certificate Authority on page 50

To provide recipients with an acceptable level of trust that the package was created by your server,
certificates are typically signed by a certificate authority (CA). Certificate authorities guarantee that you
are who you claim to be, and as a token of their verification, they sign your certificate with their own.

n

Import a Server Certificate on page 50

You can import a server certificate and use it with Orchestrator.

n

Export a Server Certificate on page 51

The server certificate private key is stored in the vmo_keystore table of the Orchestrator database. In case
you lose or delete this key, or if you bind the Orchestrator server to a different database, the contents of
the exported packages signed with this certificate become unavailable. To ensure that packages are
decrypted on import, you must save this key to a local file.

Chapter 5 Configuring the Orchestrator Server

n

Changing a Self-Signed Server Certificate on page 51

If you want to sign your packages with a server certificate different from the one you used for the initial
Orchestrator configuration, you must export all your packages and change the Orchestrator database.

Create a Self-Signed Server Certificate

Installing Orchestrator or deploying the Orchestrator requires that you create a certificate. You can create a
self-signed certificate to guarantee encrypted communication and a signature for your packages. However,
the recipient cannot be sure that the self-signed package that you are sending is in fact a package issued by
your server and not a third party claiming to be you.

Procedure

1 Log in to the Orchestrator configuration interface as vmware.

2 Click Server Certificate.

3 Click Create certificate database and self-signed server certificate.

4 Type the relevant information.

5 From the drop-down menu, select a country.

6 Click Create.

Orchestrator generates a server certificate that is unique to your environment. The details about the certificate's
public key appear in the Server Certificate window. The certificate's private key is stored in the vmo_keystore
table of the Orchestrator database.

What to do next

For disaster recovery purposes, you can save the certificate private key to a local file.

VMware, Inc. 49

Installing and Configuring VMware vCenter Orchestrator

Obtain a Server Certificate Signed by a Certificate Authority

To provide recipients with an acceptable level of trust that the package was created by your server, certificates
are typically signed by a certificate authority (CA). Certificate authorities guarantee that you are who you claim
to be, and as a token of their verification, they sign your certificate with their own.

Procedure

1 Log in to the Orchestrator configuration interface as vmware.

2 Click Server Certificate.

3 Generate a Certificate Signing Request (CSR).

a Click Export certificate signing request.

b Save the VSOcertificate.csr file in your file system when prompted.

4 Send the CSR file to a Certificate Authority, such as VeriSign or Thawte.

Procedures might vary from one CA to another, but they all require a valid proof of your identity.

The CA returns a certificate that you must import.

5 Click Import certificate signing request signed by CA and select the file sent by your CA.

Orchestrator uses the server certificate to perform the following tasks:

n

Signs all packages before they are exported by attaching your certificate’s public key to each one.

n

Displays a user prompt after users import a package that contains elements signed by untrusted
certificates.

What to do next

You can import this certificate on other servers.

Import a Server Certificate

You can import a server certificate and use it with Orchestrator.

IMPORTANT You can import a certificate only if you have not created a self-signed certificate. If you have already
created a certificate in the database, the option to import a certificate is not available.

Procedure

1 Log in to the Orchestrator configuration interface as vmware.

2 Click Server Certificate.

3 Click Import certificate database.

4 Browse to select the certificate file to import.

5 Type the password used to decrypt the content of the imported keystore database.

The details about the imported server certificate appear in the Server Certificate panel.

50 VMware, Inc.

Chapter 5 Configuring the Orchestrator Server

Export a Server Certificate

The server certificate private key is stored in the vmo_keystore table of the Orchestrator database. In case you
lose or delete this key, or if you bind the Orchestrator server to a different database, the contents of the exported
packages signed with this certificate become unavailable. To ensure that packages are decrypted on import,
you must save this key to a local file.

Prerequisites

You must have created or imported a server certificate.

Procedure

1 Log in to the Orchestrator configuration interface as vmware.

2 Click Server Certificate.

3 Click Export certificate database.

4 Type a password to encrypt the content of the exported keystore database.

You must enter this password again when importing the file.

5 Click Export.

6 Save the vmo-server.vmokeystore file when prompted.

Changing a Self-Signed Server Certificate

If you want to sign your packages with a server certificate different from the one you used for the initial
Orchestrator configuration, you must export all your packages and change the Orchestrator database.

This workflow describes the process to change the Orchestrator self-signed certificate.

1 Export all your packages by using the Orchestrator client.

a Select Administer from the drop-down menu in the left upper corner of the Orchestrator client.

b Click the Packages view.

c Right-click the package to export and select Export package.

d Browse to select a location to save the package to and click Save.

e Leave the View content, Add to package, and Edit contents options selected.

CAUTION Do not sign the package with your current certificate. You must not encrypt the package.
When you delete the certificate database, the private key is lost and the contents of the exported
package become unavailable.

f (Optional) Deselect the Export version history check box if you do not want to export the version

history.

g Click Save.

2 Create a new database and configure Orchestrator to work with it.

You configure the Orchestrator database connection by using the Orchestrator configuration interface. For
more information about setting up the Orchestrator database, see “Configure the Database

Connection,” on page 46.

3 (Optional) Export the Orchestrator configuration to back up your configuration data in case you want to

use the old database and the old SSL certificate.

VMware, Inc. 51

Installing and Configuring VMware vCenter Orchestrator

You can export the Orchestrator configuration by using the Orchestrator configuration interface. For more
information, see “Export the Orchestrator Configuration,” on page 27.

4 (Optional) Back up your database if you want to retain the old data.

The database that you bind Orchestrator to must not contain records in the vmo_keystore table.

5 Create a new self-signed certificate or import a server certificate signed by a certification authority.

You can create and import self-signed certificates by using the Orchestrator configuration interface. For
more information, see “Server Certificate,” on page 49.

6 Configure your license settings.

You can configure the license settings from the Orchestrator configuration interface. For more information,
see “Import the vCenter Server License,” on page 56.

7 Reinstall the default Orchestrator plug-ins.

a On the Orchestrator configuration interface, click the Troubleshooting tab.

b Click the Reset current version link.

8 Restart the Orchestrator server.

a On the Orchestrator configuration interface, click the Startup options tab.

b Click the Restart service link.

9 Reimport your packages.

a Select Administer from the drop-down menu in the left upper corner of the Orchestrator client.

b Click the Packages view.

c Right-click under the available packages, and from the pop-up menu, select Import package.

d Browse to select the package to import and click Open.

e Click Import or Import and trust provider.

f Click Import checked elements.

The server certificate change is effective at the next package export.

Configure the Default Plug-Ins

To deploy the set of default plug-ins when the Orchestrator server starts, the Orchestrator system must
authenticate against an LDAP or vCenter Single Sign On server. You first specify the administrative credentials
that Orchestrator uses with the plug-ins, and enable or disable plug-ins.

If you change the Orchestrator database after configuring and installing the default plug-ins, you must click
the Reset current version link on the Troubleshooting tab. This operation deletes the

server\server\vmo\plugins\_VSOPluginInstallationVersion.xml file, which contains information about the

version of the plug-ins already installed, and forces plug-in reinstallation.

Prerequisites

install_directory

\app-

Set up an LDAP or vCenter Single Sign On server and configure the Orchestrator authentication settings.

Procedure

1 Log in to the Orchestrator configuration interface as vmware.

2 Click Plug-ins.

52 VMware, Inc.

Chapter 5 Configuring the Orchestrator Server

3 Type the credentials for a user who is a member of the Orchestrator administrators group that you specified

on the Authentication tab.

When the Orchestrator server starts, the system uses these credentials to set up the plug-ins. The system
checks the enabled plug-ins and performs any necessary internal installations such as package import,
policy run, script launch, and so on.

4 (Optional) To disable a plug-in, deselect the check box next to it.

This action does not remove the plug-in file.

5 Click Apply changes.

The first time the server starts, it installs the selected plug-ins.

What to do next

You can configure the settings for Mail, SSH, and vCenter Server plug-ins.

Define the Default SMTP Connection

The Mail plug-in is installed with Orchestrator Server and is used for email notifications. The only option
available for this plug-in is to use default values for new mail messages. You can set the default email account.

Avoid load balancers when configuring mail in Orchestrator. You might receive SMTP_HOST_UNREACHABLE error.

Procedure

1 Log in to the Orchestrator configuration interface as vmware.

2 Click Mail.

3 Select the Define default values check box and fill in the required text boxes.

Text box Description

SMTP host

SMTP port

User name

Password

From name and address

Enter the IP address or domain name of your SMTP server.

Enter a port number to match your SMTP configuration.

The default SMTP port is 25.

Enter a valid email account.

This is the email account Orchestrator uses to send emails.

Enter the password associated with the user name.

Enter the sender information to appear in all emails sent by Orchestrator.

4 Click Apply changes.

Configure the SSH Plug-In

You can set up the SSH plug-in to ensure encrypted connections.

Procedure

1 Log in to the Orchestrator configuration interface as vmware.

2 Click SSH.

3 Click New connection.

VMware, Inc. 53

Installing and Configuring VMware vCenter Orchestrator

4 In the Host name text box, type the host to access with SSH through Orchestrator.

NOTE No username and password are required because Orchestrator uses the credentials of the currently

logged-in user to run SSH commands. You must reproduce the accounts you want to work on SSH on
target hosts from the LDAP server.

5 Click Apply changes.

The host is added to the list of SSH connections.

6 (Optional) Configure an entry path on the server.

a Click New root folder.

b Enter the new path and click Apply changes.

The SSH host is available in the Inventory view of the Orchestrator client.

Configure the vCenter Server 5.1 Plug-In

You can configure Orchestrator to connect to your vCenter Sever instances to run workflows over the objects
in your vSphere infrastructure.

To manage the objects in your vSphere inventory by using the vSphere Web Client, make sure that you
configure the Orchestrator server to work with the vCenter Server instance registered with the
vSphere Web Client that uses the same vCenter Single Sign On instance with which you registered
Orchestrator.

Prerequisites

Import the SSL certificates for each vCenter Server instance you define.

Procedure

1 Log in to the Orchestrator configuration interface as vmware.

2 Click vCenter Server, and click the New vCenter Server Host tab.

3 From the Available drop-down menu, select Enabled.

4 In the Host text box, type the IP address or the DNS name of the machine on which the vCenter Server

instance you want to add is installed.

5 In the Port text box, retain the default value, 443.

6 (Optional) Select the Secure channel check box to establish a secure connection to your vCenter Server

machine.

7 In the Path text box, retain the default value, /sdk.

This value is the location of the SDK that you use to connect to your vCenter Server instance.

54 VMware, Inc.

Chapter 5 Configuring the Orchestrator Server

8 Select the method you want to use to manage user access on the vCenter Server system.

Option Description

Share a unique session

Session per user

Allows Orchestrator to create only one connection to vCenter Server.

In the User name and Password text boxes, type the credentials for
Orchestrator to use to establish the connection to the vCenter Server host.

The user that you select must be a valid user with privileges to manage
vCenter Server extensions and a set of custom defined privileges.
Orchestrator uses these credentials to monitor the vCenter Web service,
typically to operate Orchestrator system workflows.

Creates a new session to vCenter Server. This might rapidly use CPU,
memory, and bandwidth.

Select this option only if your vCenter Server is in an Active Directory
domain or if vCenter Server Sign On is enabled.

The user that you select must be a valid user with privileges to manage
vCenter Server extensions.

You can leave the User name and Password text boxes empty, because the
credentials are used only for connection check.

The user account that you select is also used by the policy engine to collect statistical and other data. If the
user that you select does not have enough privileges, the policy engine cannot access the necessary parts
of the vCenter Server inventory and thus cannot collect the necessary data.

9 Click Apply changes.

The URL to the newly configured vCenter Server host is added to the list of defined hosts.

10 Repeat Step 2 through Step 9 for each vCenter Server instance.

Installing a New Plug-In

After you configure the default Orchestrator plug-ins, you might want to install a new plug-in.

All Orchestrator plug-ins are installed from the Orchestrator configuration interface. The allowed file
extensions are .vmoapp and .dar. A .vmoapp file can contain a collection of several .dar files and can be installed
as an application, while a .dar file contains all the resources associated with one plug-in.

You install .vmoapp files from the General tab of the Orchestrator configuration interface, and .dar files from
the Plug-ins tab.

Install a New Plug-In as a DAR File

After you configure the default Orchestrator plug-ins you might want to install a new .dar plug-in.

Procedure

1 Log in to the Orchestrator configuration interface as vmware.

2 Click the Plug-ins tab.

3 Click the magnifying glass icon under Install new plug-in.

4 Browse to locate the .dar file, and click Open.

5 Click Upload and install.

The installed plug-in file is stored in the

VMware, Inc. 55

install_directory

\app-server\server\vmo\plugins folder.

Installing and Configuring VMware vCenter Orchestrator

Install a New Plug-In as a VMOAPP File

After you configure the default Orchestrator plug-ins, you might want to install a new .vmoapp plug-in.

Procedure

1 Log in to the Orchestrator configuration interface as vmware.

2 On the General tab, click Install Application.

3 Click the magnifying glass icon.

4 Browse to locate the .vmoapp file, and click Open.

5 Click Install.

The tab for the plug-in appears in the Orchestrator configuration interface.

6 On the Startup Options tab, click Restart service to complete the plug-in installation.

You successfully installed the plug-in. Every time you install a .vmoapp plug-in, a validation is made on the
server configuration. In most cases, you must perform additional configuration steps on a tab that the new
application adds to the Orchestrator configuration interface.

Importing the vCenter Server License

To complete the configuration process for the Orchestrator server, you must import the vCenter Server license.
The set of plug-ins delivered with Orchestrator does not require a license. If you add a plug-in that requires a
license, you must import the license.

You can install the plug-in licenses in the same manner as you add a vCenter Server license manually.

Import the vCenter Server License

If the version of your vCenter Server is later than version 4.0, you must import the vCenter Server license.

Prerequisites

Import the SSL certificate for the licensed vCenter Server host. See “Import the vCenter Server SSL

Certificate,” on page 35.

Procedure

1 Log in to the Orchestrator configuration interface as vmware.

2 Click Licenses.

3 On the vCenter Server License tab, specify the details about the vCenter Server host on which Orchestrator

must verify the license key.

a In the Host text box, type the IP address or the DNS name of the vCenter Server host.

b In the Port text box, leave the default value, 443.

c (Optional) Select the Secure channel check box to establish a secure connection to the

vCenter Server host.

56 VMware, Inc.

Chapter 5 Configuring the Orchestrator Server

d In the Path text box, use the default value, /sdk.

This is the location of the SDK that you use to connect to your vCenter Server instance.

e In the User name and Password text boxes, type the credentials that Orchestrator must use to establish

the connection to vCenter Server.

The user you select must be a valid user with administrative privileges on your vCenter Server,
preferably at the top of the vSphere tree structure.

4 (Optional) To view details of the license to import, click License details.

5 Click Apply changes.

6 (Optional) To view the license details, click the name of the imported license.

7 Start the Orchestrator server.

The Orchestrator server is now configured correctly.

Add the vCenter Server License Key Manually

If the version of your vCenter Server is earlier than version 4.0, you must add the license key manually.

Prerequisites

Import the SSL certificate for the licensed vCenter Server host. See “Import the vCenter Server SSL

Certificate,” on page 35.

Procedure

1 Log in to the Orchestrator configuration interface as vmware.

2 Click Licenses.

3 On the vCenter Server License tab, select the Add vCenter Server license manually radio button.

4 In the Serial number text box, type your vCenter Server license key.

5 In the License owner text box, type a name for the owner of the license.

6 Click Apply changes.

7 Start the Orchestrator server.

Access Rights to Orchestrator Server

The type of vCenter Server license you apply in the Orchestrator configuration interface determines whether
you get read-only or full access to the Orchestrator server capabilities.

Table 5-4. Orchestrator Server Modes

vCenter Server License Edition vCenter Orchestrator Mode Description

Standard Server You are granted full read and write

privileges to all Orchestrator elements.
You can run and edit workflows.

Foundation Player You are granted read privileges on all

Orchestrator elements. You can run
workflows but you cannot edit them.

VMware, Inc. 57

Installing and Configuring VMware vCenter Orchestrator

Table 5-4. Orchestrator Server Modes (Continued)

vCenter Server License Edition vCenter Orchestrator Mode Description

Essentials Player You are granted read privileges on all

Evaluation Server You are granted full read and write

NOTE All predefined workflows are locked as read-only by design. To edit a standard workflow, you must
duplicate the workflow and make changes to the duplicated workflow.

Start the Orchestrator Server

To work with Orchestrator, ensure that the Orchestrator server service has started.

When you install Orchestrator separately from vCenter Server, you must first install the Orchestrator server
as a service. You can install the Orchestrator server as a service from the Startup Options tab of the Orchestrator
configuration interface. When you do this, you can start, stop, and restart the service from the Orchestrator
configuration interface.

Prerequisites

n

If you installed Orchestrator standalone, verify that your system has at least 2GB of RAM. The Orchestrator
server might not start if your system does not meet this requirement.

n

All of the status indicators must display a green circle. You cannot start the Orchestrator server if any of
the components is not configured properly.

Orchestrator elements. You can run
workflows but you cannot edit them.

privileges to all Orchestrator elements.
You can run and edit workflows.

Procedure

1 Log in to the Orchestrator configuration interface as vmware.

2 Click Startup Options.

3 (Optional) Click Install vCO server as service.

The Orchestrator server is installed as a Windows service.

4 Click Start service.

The Orchestrator server status appears as Service is starting. The first boot can take 5-10 minutes
because it is installing the Orchestrator plug-ins content in the database tables.

A message states that the service is started successfully. The Orchestrator server status appears at the
bottom of each configuration tab, and is one of the following:

n

Running

n

Not available

n

Stopped

5 (Optional) To see the Orchestrator server status, update the page by clicking the Refresh link.

What to do next

Log in to the Orchestrator client, run, and schedule workflows on the vCenter Server inventory objects or other
objects that Orchestrator accesses through its plug-ins. If you installed Orchestrator together with
vCenter Server, log in as a user from the vCenter Server administrator group. Any user from the
vCenter Server administrator group that you have provided during the vCenter Server installation, is an
Orchestrator administrator.

58 VMware, Inc.

Additional Configuration Options 6

You can use the Orchestrator configuration interface to change the default Orchestrator behavior.

This chapter includes the following topics:

n

“Change the Password of the Orchestrator Configuration Interface,” on page 59

n

“Change the Default Configuration Ports on the Orchestrator Client Side,” on page 60

n

“Uninstall a Plug-In,” on page 60

n

“Activate the Service Watchdog Utility,” on page 61

n

“Export the Orchestrator Configuration,” on page 62

n

“Import the Orchestrator Configuration,” on page 63

n

“Configure the Maximum Number of Events and Runs,” on page 64

n

“Import the Plug-In Licenses,” on page 65

n

“Orchestrator Log Files,” on page 65

Change the Password of the Orchestrator Configuration Interface

VMware, Inc.

You can change the Orchestrator configuration interface password at anytime to avoid potential security issues.

Prerequisites

Verify that the VMware vCenter Orchestrator Configuration service is running.

Procedure

1 Log in to the Orchestrator configuration interface as vmware.

2 On the General tab, click Change Password.

3 In the Current password text box, enter your current password.

4 In the New password text box, enter the new password.

5 Reenter the new password to confirm it.

6 Click Apply changes.

59

Installing and Configuring VMware vCenter Orchestrator

Change the Default Configuration Ports on the Orchestrator Client Side

If you change the default network ports in the Orchestrator configuration interface, your changes are applied
only on the Orchestrator server side. To connect to the server with the client, you must change the configuration
of all Orchestrator client instances or connect to the server by using your Orchestrator server DNS name or IP
address followed by the new lookup port number.

The main port to communicate with the Orchestrator server is the lookup port. The Orchestrator client
discovers all other ports through this port. If you change the default lookup port value in the Orchestrator
configuration interface after you install the Orchestrator client instances, you can add a vmo.properties
configuration file for each Orchestrator client instance and define the new lookup port by adding the

ch.dunes.net.jboss-server.port system property.

Procedure

1 Log in as an administrator on the machine where the Orchestrator client is installed.

2 Navigate to the apps folder.

Option Action

If you installed Orchestrator with the
vCenter Server installer

If you installed the standalone
version of Orchestrator

3 In a text editor, create a file that contains the lookup port value.

Go to

install_directory

Go to

install_directory

\VMware\Infrastructure\Orchestrator\apps.

\VMware\Orchestrator\apps.

ch.dunes.net.jboss-server.port=

4 Save the file as vmo.properties.

5 Repeat the procedure for every Orchestrator client instance.

You can connect to the Orchestrator server by using the Orchestrator client without adding the lookup port
number to the Orchestrator server DNS name or IP address.

Uninstall a Plug-In

You can disable an Orchestrator plug-in from the Plug-ins tab, but this does not remove the plug-in file from
the file system. To remove the plug-in file, you must log in to the machine on which the Orchestrator server is
installed and remove the plug-in file manually.

Procedure

1 Log in as an administrator to the machine on which the Orchestrator server is installed.

2 Navigate to the Orchestrator installation folder.

Option Action

If you installed Orchestrator with the
vCenter Server installer

If you installed the standalone
version of Orchestrator

3 Delete the .dar and .war archives that contain the plug-in to remove.

new_lookup_port_number

Go to

install_directory

server\server\vmo\plugins.

Go to

install_directory

server\server\vmo\plugins.

\VMware\Infrastructure\Orchestrator\app-

\VMware\Orchestrator\app-

60 VMware, Inc.

Chapter 6 Additional Configuration Options

4 Restart the vCenter Orchestrator services.

The plug-in is removed from the Orchestrator configuration interface.

5 Delete the plug-in configuration files.

n

If the plug-in has its configuration stored in a configuration file in the default configuration directory,
delete that file from the following path:

n

If the plug-in has a configuration tab in the Orchestrator Configuration interface, you can remove the

install_directory

/app-server/server/vmo/conf/plugins/.

tab, by deleting the files it from the following path:

install_directory

/configuration/jetty/contexts/.

6 Log in to the Orchestrator client.

7 Select Administer from the drop-down menu in the left upper corner.

8 Click the Packages view.

9 Right-click the package to delete, and select Delete element with content.

NOTE Orchestrator elements that are locked in the read-only state, for example workflows in the standard
library, are not deleted.

10 Click Delete all.

11 Restart the vCenter Orchestrator services.

You removed all custom workflows and actions, policies, Web views, configurations, settings, and resources
that the plug-in contains.

Activate the Service Watchdog Utility

Orchestrator provides a watchdog utility that checks whether the Orchestrator server service is running. The
utility pings the Orchestrator server service periodically, and restarts it if a certain timeout period is exceeded.

By default, the watchdog utility is deactivated.

You can activate the service watchdog utility by setting the timeout period for the service's response to the
ping from the utility. You can set the timeout period for the response from the Orchestrator server service in
the wrapper.conf configuration file. The wrapper.conf file defines the wrapping of the Orchestrator server in
the host system.

Prerequisites

The Orchestrator server must be running as a Windows service.

Procedure

1 Log in as an administrator to the machine on which the Orchestrator server is installed.

2 Navigate to the wrapper.conf configuration file and open the file in a text editor.

The wrapper configuration file is in the following location:

install_directory

/app-server/bin/wrapper.conf

3 Locate the -wrapper.ping.timeout parameter in the wrapper.conf file, or add it to the file if it does not

exist.

VMware, Inc. 61

Installing and Configuring VMware vCenter Orchestrator

4 Set the number of seconds to allow between a ping from the watchdog utility and the response from the

service.

The default timeout is 0 seconds, which means that the utility is deactivated.

For example, you can increase the timeout period to 30 seconds by setting the parameter as follows:

-wrapper.ping.timeout=30

5 Save and close the wrapper.conf file.

6 Log in to the Orchestrator configuration interface as vmware.

7 On the Startup Options tab, click Restart Service to restart the Orchestrator server.

You activated the Orchestrator watchdog utility by setting the timeout.

Export the Orchestrator Configuration

The Orchestrator configuration interface provides a mechanism to export the Orchestrator configuration
settings to a local file. This mechanism allows you to take a snapshot of your system configuration at any
moment and import this configuration into a new Orchestrator instance.

You should export and save your configuration settings on a regular basis, especially when making
modifications, performing maintenance tasks, or upgrading the system.

For a list of exported configuration settings, see “Orchestrator Configuration Files,” on page 62.

IMPORTANT Keep the file with the exported configuration safe and secure, because it contains sensitive
administrative information.

Procedure

1 Log in to the Orchestrator configuration interface as vmware.

2 On the General tab, click Export Configuration.

3 (Optional) Type a password to protect the configuration file.

Use the same password when you import the configuration.

4 Click Export.

Orchestrator creates a vmo_config_

dateReference

.vmoconfig file on the machine on which the Orchestrator

server is installed. You can use this file to clone or to restore the system.

Orchestrator Configuration Files

When you export the system configuration, a vmo_config_

dateReference

the machine on which the Orchestrator server is installed. It contains all the Orchestrator configuration data.

NOTE Some of the configuration files that are created during the export are empty. For example, the server
configuration data is not exported because the startup options for the Orchestrator server are unique for each
machine where the Orchestrator server is installed. These empty files must be reconfigured, even when a
working configuration was previously imported.

.vmoconfig file is created locally on

62 VMware, Inc.

Table 6-1. Settings Not Saved During Configuration Export

Setting Description

Chapter 6 Additional Configuration Options

Licenses Manually imported licenses are not exported. They are

Server The server configuration is reset to Unknown. You must

stored in the Orchestrator database.

install the Orchestrator server as a Windows service again.

Table 6-2. Settings Saved During Configuration Export

Setting Description

passwordencryptor.key The key used to encrypt the sensitive data. If the file is not valid, the sensitive data

hashes stored in the database become unusable.

General The maximum number of completed events and workflows recorded, and the Web

view development and configuration.

Network The IP binding address and the TCP ports used by the different elements of the

Orchestrator server.

Database The database configuration.

Certificate The certificates added as trusted authorities.

LDAP The LDAP server configuration.

Log The log settings information.

Plug-ins The list of disabled plug-ins and the account name.

Mail plug-in The SMTP host, SMTP port, user name, password, sender's name, and sender's

email address.

vCenter Server plug-in The vCenter Server plug-in configuration.

Each vCenter Server plug-in has an ID element , for example <guid>36907986­d951-4f9a-9542-c561f4b94c3f</guid>, which is used as an identifier of the
vCenter Server instance.

In case you do not use the export for backup purposes, make sure that you change
the unique ID of the vCenter Server plug-in.

License The details about the vCenter Server host on which Orchestrator verifies the license

key.

jssecacerts The certificates added as trusted authorities.

dunes-pk The internal private key generated for each Orchestrator server instance. It is used

as an identifier. The vCenter Server plug-in uses this key to register to the
vCenter Server instances and uses it for logging in to the vCenter Server instances.
If the key changes, the vCenter Server plug-in cannot log in anymore.

Import the Orchestrator Configuration

You can restore the previously exported system configuration when you reinstall Orchestrator or if a system
failure occurs.

If you use the import procedure for cloning the Orchestrator configuration, the vCenter Server plug-in
configuration becomes invalid and non-working, because a new ID of the vCenter Server plug-in is generated.
After you import the Orchestrator configuration, you must provide a valid password for each registered
vCenter Server instance. For more information about configuring the vCenter Server plug-in, see “Configure

the vCenter Server 5.1 Plug-In,” on page 54.

Procedure

1 Log in to the Orchestrator configuration interface as vmware.

2 On the General tab, click Import Configuration.

VMware, Inc. 63

Installing and Configuring VMware vCenter Orchestrator

3 Type the password you used when exporting the configuration.

This step is not necessary if you have not specified a password.

4 Browse to select the .vmoconfig file you exported from your previous installation.

5 Select whether to override the Orchestrator internal certificate and network settings.

Select the check box only if you want to restore your Orchestrator configuration and the .vmoconfig file
is the backup file of the same Orchestrator configuration.

If you import the configuration to duplicate the Orchestrator environment, for example for scaling
purposes, leave the check box unselected. Otherwise you might have problems with the certificates when
Orchestrator tries to identify against vCenter Server, vCenter Single Sign On or the vSphere Web Client.

6 Click Import.

A message states that the configuration is successfully imported. The new system replicates the old
configuration completely.

Configure the Maximum Number of Events and Runs

You can define the maximum number of events stored in the Orchestrator database and the maximum number
of workflow runs.

Each event corresponds to a change in the state of a workflow or policy and is stored in the database. When
the maximum number of events set for a workflow or policy is reached, the database deletes the oldest event
to store the new event.

Each time you run a workflow, a workflow token is created in the database. This token contains all parameters
related to the running of the workflow. For example, if you run a workflow three times, three workflow tokens
are created. The three tokens appear in the Orchestrator client below the workflow.

Procedure

1 Log in to the Orchestrator configuration interface as vmware.

2 On the General tab, click Advanced Configuration.

3 Fill in the Maximum number of events text box.

To track every change in your infrastructure, type 0. This means that the server never rolls over, but it
might become unavailable. Database administrators must periodically clean the server and archive events.

4 Fill in the Maximum number of runs text box.

After you reach the maximum number of runs, the rollover process starts. If you do not want the rollover
process to start, type 0 in this text box. If you type 0, your database continues to extend.

5 (Optional) To set the default login credentials, fill in the User name for automatic Web login and Password

for automatic Web login text boxes.

This feature allows you to generate URLs that enable you to run, answer, schedule, or monitor a workflow
without having to specify your credentials. Use your default operator credentials for these text boxes.

6 Fill in the Web view directory text box.

This is the root folder from which development Web views are loaded. Files for each Web view must be
in a separate subfolder, and the name of this subfolder must be the same as the URL folder defined in the
client.

7 (Optional) To put the server in Web view development mode, select the Enable Web view

development check box.

8 Click Apply changes.

64 VMware, Inc.

Import the Plug-In Licenses

The set of plug-ins that Orchestrator includes does not require a license. If you add a plug-in that requires a
license, you must import it in the Orchestrator configuration interface.

Procedure

1 Log in to the Orchestrator configuration interface as vmware.

2 Click Licenses.

3 On the Licenses tab, click Plug-in Licenses.

4 In the Serial number text box, type your plug-in license key.

5 Click Apply changes.

What to do next

To view details, click the name of the imported license.

Orchestrator Log Files

VMware Technical Support routinely requests diagnostic information from you when a support request is
handled. This diagnostic information contains product-specific logs and configuration files from the host on
which the product is run. The information is gathered by using a specific script tool for each product.

Chapter 6 Additional Configuration Options

Table 6-3. Orchestrator Log Files

Filename Location Description

boot.log

boot-state.log

script-logs.log

server.log

install_directory

server\server\vmo\log

install_directory

server\server\vmo\log

install_directory

server\server\vmo\log

install_directory

server\server\vmo\log

\app-

\app-

\app-

\app-

Provides details about the boot
state of the JBoss server. Check the
boot.log file when a file from
JBoss is missing or the installation
is corrupted.

Provides details about the boot
state of the vCO server. If the
server boots properly, an entry
about the vCO server version is
written. By default, this
information is also included in the
server.log file.

Provides a list of the completed
workflows and actions. The
scripts-logs.log file lets you
isolate workflow runs and actions
runs from normal vCO operations.
This information is also included
in the server.log file.

Provides information about
everything that happens on the
vCO server. It contains the entries
from the boot-state.logfile and
script-logs.log file, as well as
other information. Check the
server.log file when you debug
vCO or any application that runs
on vCO.

VMware, Inc. 65

Installing and Configuring VMware vCenter Orchestrator

Table 6-3. Orchestrator Log Files (Continued)

Filename Location Description

vco-configuration.log

vso.log

yyyy-mm-dd.request.log

wrapper.log

vCenter_Orchestrator_InstallLog.log

install_directory

n\jetty\logs

install_directory

install_directory

n\jetty\logs

install_directory

server\bin

Check file location in the message. This log is created when you cancel

\configuratio

\apps

\configuratio

\app-

Provides information about the
configuration and validation of
each component of vCO. This is the
jetty service running on the vCO
server. The request.log file in the
same folder might be more useful
to view the history of actions taken
during the configuration of vCO.

This is the vCO client log. Use this
log to detect connection issues with
the server and events on the client
side.

This log lists the elements that are
needed to load and display the
pages of the vCO configuration
interface. It keeps a history of the
actions that were taken during the
configuration of vCO and the time
when they were completed. Use
this log to identify changes in the
behavior of the vCO server after a
restart. However, the log does not
display the value of the changed
parameters.

Provides information from the
server.log file. Use this log to
check whether the VMware
vCenter Orchestrator Server
service was started by the wrapper
or by a user.

the vCO installation or when the
installation fails.

Logging Persistence

You can log information in any Orchestrator script (workflow, policy, or action). This information has types
and levels. The type can be either persistent or non-persistent. The level can be DEBUG, INFO, WARNING, and

ERROR.

Table 6-4. Creating Persistent and Non-Persistent Logs

Log Level Persistent Type Non-Persistent Type

DEBUG

INFO

WARNING

ERROR

66 VMware, Inc.

Server.debug("short text", "long text"); N/A

Server.log("short text", "long text"); System.log("text");

Server.warn("short text", "long text"); System.warn("text");

Server.error("short text", "long text"); System.error("text");

Chapter 6 Additional Configuration Options

Persistent Logs

Persistent logs (server logs) track past workflow run logs and are stored in the Orchestrator database. To avoid
increasing the database infinitely, specify the number of logs stored per element (workflows and policies) in
the Orchestrator configuration interface. If you increase the default value of 50MB, the query requires more
space and time. To view server logs, you must select a workflow, a completed workflow run, or policy and
click the Events tab in the Orchestrator client.

Non-Persistent Logs

When you use a non-persistent log (system log) in your scripting, the Orchestrator server notifies all running
Orchestrator applications about this log, but this information is not stored. When the application is restarted,
the log information is lost. Non-persistent logs are used for debugging purposes or for live information. To
view system logs, you must select a completed workflow run in the Orchestrator client and click Logs on the
Schema tab.

Define the Server Log Level

In the Orchestrator configuration interface, you can set the level of server log that you require. The default
server log level is INFO. Changing the log level affects any new messages that the server writes to the server
log and the number of active connections to the database.

CAUTION Only set the log level to DEBUG or ALL to debug a problem. Do not use this setting in a production
environment because it can seriously impair performance.

Procedure

1 Log in to the Orchestrator configuration interface as vmware.

2 Click Log.

3 Select an option from the Log level drop-down menu.

Option Description

FATAL

ERROR

WARN

INFO

DEBUG

ALL

OFF

Only fatal errors are written to the log file.

Errors and fatal errors are written to the log file.

Warnings, errors, and fatal errors are written to the log file.

Information, warnings, errors, and fatal errors are written to the log file.

Debug information, information messages, warnings, errors, and fatal errors
are written to the log file.

Events are not filtered. All events are written to the log file.

No entries are written to the log file and no log updates are made.

NOTE The log contains messages of the selected level and all higher levels. If you select the INFO level, all

INFO messages and higher-level messages (INFO, WARN, ERROR, and FATAL) are written to the log file.

4 Click Apply changes.

5 (Optional) Click the Generate log report link to export the log files.

This operation creates a ZIP archive of all log files.

The new log level is applied to any new messages that the server generates, without restarting the server. The
logs are stored in

VMware, Inc. 67

install_directory

\app-server\server\vmo\log\.

Installing and Configuring VMware vCenter Orchestrator

Change the Size of Server Logs

If a server log regenerates multiple times a day, it becomes difficult to determine what causes problems. To
prevent this, you can change the default size of the server log. The default size of the server log is 5MB.

Procedure

1 Navigate to the following folder on the Orchestrator server system.

Option Action

If you installed Orchestrator with the
vCenter Server installer

If you installed the standalone
version of Orchestrator

2 Open the log4j.xml file in a text editor and locate the following code block:

<appender class="org.jboss.logging.appender.RollingFileAppender" name="FILE">
<errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
<param name="File" value="${jboss.server.home.dir}/log/server.log"/>
<param name="Append" value="true"/>

Go to

install_directory

server\server\vmo\conf.

Go to

install_directory

server\server\vmo\conf.

\VMware\Infrastructure\Orchestrator\app-

\VMware\Orchestrator\app-

<!-- Rollover at 5MB and allow 4 rollover files -->
<param name="MaxFileSize" value="5120KB"/>
<param name="MaxBackupIndex" value="4"/>

<layout class="org.apache.log4j.PatternLayout">
<!-- The default pattern: Date Priority [Category] Message\n -->
<param name="ConversionPattern" value="%d{yyyy-MM-dd HH:mm:ss.SSSZ} %-5p [%c{1}] %m%n"/>
</layout>
</appender>

3 Change the following lines:

<param name="MaxFileSize" value="5120KB"/>
<param name="MaxBackupIndex" value="4"/>

The MaxFileSize parameter controls the size of the log file, and the MaxBackupIndex parameter controls
the number of files for the rollover.

NOTE Before you save the file, make sure it does not contain typos. If the file contains typos, the logs will
be lost.

The system reads this file dynamically. You do not need to reboot the server.

Export Orchestrator Log Files

Orchestrator provides a workflow that generates a ZIP archive of troubleshooting information containing
configuration, server, wrapper, and installation log files.

Prerequisites

Verify that you created the c:/orchestrator folder at the root of the Orchestrator server system or set write
access rights to another folder in which to store the generated ZIP archive. See “Set Server File System Access

for Workflows and JavaScript,” on page 86.

You must be logged in to the Orchestrator client as a member of the vCO admin group.

68 VMware, Inc.

Chapter 6 Additional Configuration Options

Procedure

1 Click the Workflows view in the Orchestrator client.

2 In the workflows hierarchical list, open Library > Troubleshooting and navigate to the Export logs and

application settings workflow.

3 Right-click the Export logs and application settings workflow and select Start workflow.

4 (Optional) Type the path to the folder on the vCO server in which to store the output ZIP archive.

If you do not type a path, the generated ZIP archive is stored in the c:/orchestrator folder.

5 Click Submit to run the workflow.

The troubleshooting information is stored in a ZIP archive named

vCO_troubleshooting_

dateReference_xxxxxx

.zip.

Loss of Server Logs

You might experience loss of logs if you use the vmo.bat file to restart the Orchestrator server.

Problem

If you start the Orchestrator server as a service and you then restart the Orchestrator server by running the

vmo.bat file directly, you can experience a potential loss of logs.

Cause

Logs can be lost if you start the Orchestrator server as a service and restart it by using the vmo.bat. This behavior
can cause the server to run with different permissions.

Solution

1 Right-click My Computer on your desktop and select Manage.

2 In the Computer Management dialog box, expand Services and Applications and select Services.

3 In the right pane, right-click and select VMware vCenter Orchestrator Server > Restart.

Filter the Orchestrator Log Files

You can filter the Orchestrator server logs for a specific workflow run and collect diagnostic data about the
workflow run.

The Orchestrator logs contain a lot of useful information, but not every log entry has diagnostic context. When
multiple instances of the same workflow are running at the same time, you can track the different workflow
runs by filtering the diagnostic data about each run in the Orchestrator logs.

Procedure

1 Log in as an administrator to the machine on which the Orchestrator server is installed.

2 Navigate to the log4j.xml file and open it in a text editor.

Option Action

If you installed the standalone
version of Orchestrator

If the vCenter Server installed
Orchestrator

Go to

install_directory

server\server\vmo\conf\log4j.xml.

Go to

install_directory

server\server\vmo\conf\log4j.xml.

\VMware\Orchestrator\app-

\VMware\Infrastructure\Orchestrator\app-

VMware, Inc. 69

Installing and Configuring VMware vCenter Orchestrator

3 Find the following entry:

<layout class="org.apache.log4j.PatternLayout"> <param
name="ConversionPattern" value="%d{yyyy-MM-dd HH:mm:ss.SSSZ} %-5p
[%c{1}] %m%n"/> </layout>

4 Change the conversion pattern.

<layout class="org.apache.log4j.PatternLayout"> <param
name="ConversionPattern" value="%d{yyyy-MM-dd HH:mm:ss.SSSZ} %-5p
[%c{1}][%X{

value_name

}] %m%n"/> </layout>

Where value_name is the name of the available diagnostic values. The possible names are:

Option Description

username

workflowName

workflowId

token

process

full

5 Save and close the file.

The name of the user who started the workflow

The name of the running workflow

The ID of the running workflow

The token of the running workflow

The workflow ID and token, separated by a colon

The name of the user who started the workflow, the name of the running
workflow, the workflow ID, and the workflow token, separated by colons.

The Orchestrator logs are filtered according to the changes you made to the file.

70 VMware, Inc.

Configuration Use Cases and

Troubleshooting 7

You can configure the Orchestrator server to work with the vCenter Server appliance, you can also uninstall
plug-ins from Orchestrator, or change the self-signed certificates.

The configuration use cases provide task flows that you can perform to meet specific configuration
requirements of your Orchestrator server system, as well as troubleshooting topics to understand and solve a
problem, if a workaround exists.

This chapter includes the following topics:

n

“Registering Orchestrator with vCenter Single Sign On in the vCenter Server Appliance,” on page 71

n

“Setting Up Orchestrator to Work with the vSphere Web Client,” on page 72

n

“Check Whether Orchestrator Is Successfully Registered as an Extension,” on page 73

n

“Unregister Orchestrator from vCenter Single Sign On,” on page 73

n

“Enable Orchestrator for Remote Workflow Execution,” on page 74

n

“Changing SSL Certificates,” on page 75

n

“Back Up the Orchestrator Configuration and Elements,” on page 78

n

“Unwanted Server Restarts,” on page 80

n

“Orchestrator Server Fails to Start,” on page 80

n

“Revert to the Default Password for Orchestrator Configuration,” on page 81

Registering Orchestrator with vCenter Single Sign On in the vCenter Server Appliance

If you want to configure Orchestrator to work with the VMware vCenter Server Appliance, and want to run
workflows by using the vSphere Web Client, you must configure the Orchestrator server to work with vCenter
Single Sign On, which is prebuilt in the appliance.

IMPORTANT Ensure that the clocks of the Orchestrator server machine and the vCenter Server Appliance are
synchronized. Otherwise you might receive cryptic vCenter Single Sign On errors.

This workflow describes the process to change the self-signed certificate.

1 Download and deploy the VMware vCenter Server Appliance.

See vSphere Installation and Setup for instructions.

2 Import the SSL and vCenter Single Sign On certificates of the vCenter Server instance running in the

vCenter Server Appliance into Orchestrator.

VMware, Inc.

71

Installing and Configuring VMware vCenter Orchestrator

You import certificates from the Orchestrator configuration interface. For more information about
importing certificates, see “Import the vCenter Server SSL Certificate,” on page 35 and “Import the vCenter

Single Sign On SSL Certificate,” on page 36.

n

For importing the SSL certificate of the vCenter Server instance running in the appliance, in the Import
from URL text box, type

n

For importing the vCenter Single Sign On certificate, in the Import from URL text box, type

your_vcenter_server_appliance_ip_address:single_sign_on_port

3 In the Orchestrator configuration interface, click Authentication and select SSO Authentication.

4 Register Orchestrator to work with vCenter Single Sign On:

your_vcenter_server_appliance_ip_address:vcenter_server_api_port

.

.

a In the Host text box, type

your_vcenter_server_appliance_ip_address:single_sign_on_port

b In the Admin user name and the Admin password text boxes, type the credentials of the root user

of the vCenter Server Appliance.

c Click Register Orchestrator.

d Complete the registration by selecting the vCO Admin domain and group from the drop-down menu.

Setting Up Orchestrator to Work with the vSphere Web Client

You can set up Orchestrator to work with the vSphere Web Client and run workflows on the objects in your
vSphere inventory.

1 Install vCenter Single Sign On, vCenter Inventory Service, vCenter Server, and vCenter Orchestrator.

Orchestrator is silently installed on your system when you install vCenter Server. For more information
about installing vCenter Single Sign On, vCenter Inventory Service and vCenter Server, see vSphere
Installation and Setup.

2 Install the vSphere Web Client and configure it to work with vCenter Single Sign On, which you have

installed in the previous step.

For more information, see vSphere Installation and Setup.

3 Start the Orchestrator Configuration Service and log in to the Orchestrator configuration interface.

You installed Orchestrator as a part of the vCenter Server installation, and the Orchestrator Configuration
service does not start by default. You must start it manually before you try to access the Orchestrator
configuration interface. For instructions, see “Start the Orchestrator Configuration Service,” on page 32
and “Log In to the Orchestrator Configuration Interface,” on page 32.

4 Verify that the correct IP is selected from the IP address drop-down menu on the Network tab in the

Orchestrator configuration interface.

5 Verify that the vCenter Server 5.1 plug-in in the Orchestrator configuration interface is properly

configured, provide the correct credentials, and save the changes.

If you installed Orchestrator separately from vCenter Server, you have to add your vCenter Server instance
as a host. For more information, see “Configure the vCenter Server 5.1 Plug-In,” on page 54.

6 Start the Orchestrator server.

For more information see “Start the Orchestrator Server,” on page 58.

7 Log in to the vSphere Web Client and configure the default vCenter Orchestrator instance.

IMPORTANT Verify that you log in as a user who has at least View and Execute permissions in Orchestrator,
and permissions to manage vCenter Server objects.

72 VMware, Inc.

Chapter 7 Configuration Use Cases and Troubleshooting

If you want to see more workflows displayed in the pop-up menu when you right-click a vSphere
inventory object, you can associate workflows with the different vSphere object types.

For more information, see vCenter Server and Host Management.

You can now run Orchestrator workflows on the objects in your vSphere inventory by using the vSphere Web
Client.

Check Whether Orchestrator Is Successfully Registered as an Extension

After you register Orchestrator server with vCenter Single Sign On and configure it to work with
vCenter Server, you can check whether Orchestrator is successfully registered as an extension with
vCenter Server.

Procedure

1 In a Web browser navigate to the managed object browser of your vCenter Server instance.

https://your_vcenter_server_ip/mob

2 Log in with your vCenter Server credentials.

3 Under Properties, click content.

4 On the Data Object Type: ServiceContent page, under Properties, click ExtensionManager.

5 On the Managed Object Type page, under Properties, click the Orchestrator extension string.

extensionList["com.vmware.orchestrator.universally-unique-ID"]

The universally unique ID is the ID of the Orchestrator server. The ID is stored in the vCenter Server plug­in configuration VC.xml file on the machine on which Orchestrator is installed.

6 On the Data Object Type: Extension page, under Properties, click server.

You can see information about the Orchestrator server registered as an extension, such as serverThumbprint
and url. The serverThumbprint property is the SHA-1 thumbprint of the Orchestrator server certificate, which
is a unique identifier of the Orchestrator server. The url property is the service URL of the Orchestrator server.
There is one record per IP address. If the Orchestrator server has two IP addresses, both of them are displayed
as service URLs.

Unregister Orchestrator from vCenter Single Sign On

You can unregister Orchestrator from vCenter Single Sign On, for example, when you no longer want to use
the vSphere Web Client, when you want to change vCenter Single Sign On with LDAP, or when you want to
register Orchestrator with another vCenter Single Sign On instance.

Procedure

1 Log in to the Orchestrator configuration interface as vmware.

2 Click Authentication.

3 Type the administrator password in the Admin password text box.

The Host and Admin name text boxes must contain the values you typed when you registered
Orchestrator with vCenter Single Sign On.

4 Click Unregister Orchestrator.

If for some reason the operation cannot be completed, for example if the vCenter Single Sign On server is
not running, delete the vCenter Single Sign On configuration data stored locally on your system by clicking
Delete SSO configuration.

VMware, Inc. 73

Installing and Configuring VMware vCenter Orchestrator

What to do next

You can register Orchestrator with another vCenter Single Sign On server or change the authentication type
to LDAP authentication.

Enable Orchestrator for Remote Workflow Execution

Remote workflow execution might not start.

Problem

When you try to run a remote workflow from one Orchestrator server over another Orchestrator server, the
workflow might not start.

Cause

Orchestrator does not permit the usage of the default SSL certificates. After you install or upgrade Orchestrator,
a new self-signed certificate is generated. The newly generated SSL certificate is unique for each Orchestrator
instance. To run remote workflows, the primary Orchestrator server must trust the SSL certificate of the remote
Orchestrator server.

Solution

1 Verify that the remote and the primary Orchestrator servers are up and running.

2 Log in to the Orchestrator configuration interface of the primary Orchestrator server.

3 Click Network.

4 From the IP address drop-down menu select the IP address, which corresponds to the correct subnet (do

not use multi adapter addresses such as 0.0.0.0).

5 Click Apply Changes.

6 In the right pane, click the SSL Trust Manager tab.

7 In the Import from URL text box, type the IP address and port number of the remote Orchestrator server:

remote_orchestrator_server_IP:8250

8 Click Import.

9 Click the Startup options tab.

10 Click Restart service to restart the Orchestrator server.

Solution

If your company policy permits the distribution of SSL keys to multiple servers, you can replicate the SSL
keystore. To do that, copy the contents of the

install_directory

\VMware\Infrastructure\Orchestrator\jre\security\jssecacerts folder from the

primary Orchestrator server machine and paste it to the same location on the remote Orchestrator server
machine.

74 VMware, Inc.

Changing SSL Certificates

By default, the Orchestrator server uses a self-signed SSL certificate to communicate remotely with the
Orchestrator client. Orchestrator also provides an SSL certificate that controls user access to Web views. You
can change the SSL certificates, for example if your company security policy requires you to use its SSL
certificates.

Generate a New Certificate

To change an SSL certificate, you can generate a new certificate. You can generate the new certificate on the
same computer on which Orchestrator is installed or on another computer.

Prerequisites

To generate the new certificate, you must use the Java keytool utility. You can find the utility on the system
on which Orchestrator is installed.

Procedure

1 Navigate to the keytool utility at the command prompt.

Option Action

If you installed the standalone
version of Orchestrator

If the vCenter Server installed
Orchestrator

2 Create a local certificate.

Go to

install_directory

Go to

install_directory

n\keytool.

Chapter 7 Configuration Use Cases and Troubleshooting

\VMware\Orchestrator\jre\bin\keytool.

\VMware\Infrastructure\Orchestrator\jre\bi

keytool -genkey -alias mySslCertificate -keyalg RSA -keystore <your_keystore_filename> \

-keysize 2048 -sigalg SHA512withRSA

The keytool utility generates a file called <your_keystore_filename> by using the information and
password that you provide when you run the command.

What to do next

You can create a signing request and submit the certificate to a Certificate Authority. You can then import the
signed certificate into your local keystore.

You can also change the Web views SSL certificate, the SSL certificate for the Orchestrator configuration
interface, or the SSL certificate for the Orchestrator client with the certificate you generated.

Install a Certificate from a Certificate Authority

To install a certificate signed from a Certificate Authority you must obtain an SSL certificate from a CA and
import it in your local keystore.

Prerequisites

Make sure that you have generated a new SSL certificate.

Procedure

1 (Optional) Create a certificate signing request by running the following command in the Java utility.

keytool -certreq -alias mySslCertificate -file certreq.csr \

-keystore <your_keystore_filename>

The utility generates a file called certreq.csr.

VMware, Inc. 75

Installing and Configuring VMware vCenter Orchestrator

2 (Optional) Submit the certreq.csr file to a certificate authority, such as VeriSign or Thawte.

Procedures might vary from one CA to another, but they all require a valid proof of your identity.

The CA returns a certificate that you must import.

3 (Optional) Import the SSL certificate in your local keystore.

a Download a root certificate from the CA that signed your certificate.

b Import the root certificate in your keystore by running following command in the Java utility.

keytool -import -alias root -keystore <your_keystore_filename> \

-trustcacerts -file <filename_of_the_root_certificate>

c Import the SSL certificate signed by the CA (the SSL certificate must be in X509 format).

keytool -import -alias mySslCertificate -keystore <your_keystore_filename> \

-trustcacerts -file <your_certificate_filename>

The SSL certificate is installed. You can change the Web views SSL certificate, the SSL certificate for the
Orchestrator configuration interface, or the SSL certificate for the Orchestrator client.

Change the Web Views SSL Certificate

Orchestrator provides an SSL certificate that controls user access to Web views. You can configure Orchestrator
to use a different SSL certificate to control access to Web views, for example if your company security policy
requires you to use their SSL certificates.

Prerequisites

Make sure that you have generated or installed an SSL certificate signed by a CA.

Procedure

1 Open the following Orchestrator application server configuration file in a text editor.

Option Action

If you installed the standalone
version of Orchestrator

If the vCenter Server installed
Orchestrator

Go to

install_directory

server\server\vmo\deploy\jboss-deploy-tomcat\jbossweb­tomcat55.sar\server.xml.

Go to

install_directory

server\server\vmo\deploy\jboss-deploy-tomcat\jbossweb­tomcat55.sar\server.xml.

\VMware\Orchestrator\app-

\VMware\Infrastructure\Orchestrator\app-

2 Find the following entry in the server.xml file.

<!-- Define a SSL HTTP/1.1 Connector on port ${ch.dunes.https-server.port} -->
<Connector address="${jboss.bind.address}" protocol="HTTP/1.1" SSLEnabled="true"
clientAuth="false" emptySessionPath="true"
keystoreFile="${java.home}/lib/security/jssecacerts"
keystorePass="dunesdunes"

3 Change the keystoreFile and keystorePass attributes to refer to the <your_keystore_filename> file and

the password you created when you ran the keytool utility.

keystoreFile="/PathToKeystore/<your_keystore_filename>"
keystorePass="NewKeystorePassword"

The keystoreFile attribute should contain slashes as directory separators.

4 Save the server.xml file and restart the Orchestrator server.

76 VMware, Inc.

Chapter 7 Configuration Use Cases and Troubleshooting

You changed the SSL certificate that the Orchestrator server uses to control access to Web views.

Change the SSL Certificate of the Orchestrator Configuration Interface

You can configure the Orchestrator configuration server to use a different SSL certificate, for example if your
company security policy requires you to use their SSL certificates.

Prerequisites

Make sure that you have generated or installed an SSL certificate signed by a CA.

Procedure

1 Open the following Orchestrator application server configuration file in a text editor.

Option Action

If you installed the standalone
version of Orchestrator

If the vCenter Server installed
Orchestrator

2 In the jetty.xml file, find the following entry:

Go to

install_directory

tc\jetty.xml.

Go to

install_directory

uration\jetty\etc\jetty.xml.

\VMware\Orchestrator\configuration\jetty\e

\VMware\Infrastructure\Orchestrator\config

<Call name="addConnector">
<Arg>
<New class="org.mortbay.jetty.security.SslSocketConnector">
<Set name="Port">8283</Set>
<Set name="maxIdleTime">30000</Set>
<Set name="handshakeTimeout">2000</Set>
<Set name="keystore"><SystemProperty name="jetty.home"
default="." />/etc/jssecacerts</Set>
<Set name="password">dunesdunes</Set>
<Set name="keyPassword">dunesdunes</Set>
<Set name="truststore"><SystemProperty name="jetty.home"
default="." />/etc/jssecacerts</Set>
<Set name="trustPassword">dunesdunes</Set>

3 Change the keystore, truststore, password, keyPassword and trustPassword values to refer to your

<your_keystore_filename> file and password.

4 Save the jetty.xml file.

5 Restart the Orchestrator configuration server.

You successfully changed the SSL certificate for the Orchestrator configuration interface.

Change the SSL Certificate for the Orchestrator Client

By default, the Orchestrator server uses the predefined SSL certificate while communicating remotely with the
Orchestrator client. You can change the SSL certificate for the Orchestrator client, for example if your company
security policy requires you to use its SSL certificates.

Prerequisites

Make sure that you have generated or installed an SSL certificate signed by a CA.

VMware, Inc. 77

Installing and Configuring VMware vCenter Orchestrator

Procedure

1 Open the following Orchestrator application server service file in a text editor.

Option Action

If you installed the standalone
version of Orchestrator

If the vCenter Server installed
Orchestrator

2 Find the following entry in the jboss-service.xml file.

<!-- The SSL domain setup -->
<mbean code="org.jboss.security.plugins.JaasSecurityDomain"
name="Security:name=JaasSecurityDomain,domain=dunes">
<constructor>
<arg type="java.lang.String" value="dunes"/>
</constructor>
<attribute name="KeyStoreURL">${java.home}/lib/security/jssecacerts</attribute>
<attribute name="KeyStorePass">dunesdunes</attribute>
</mbean>

Go to

install_directory

server\server\vmo\conf\jboss-service.xml.

Go to

install_directory

server\server\vmo\conf\jboss-service.xml.

\VMware\Orchestrator\app-

\VMware\Infrastructure\Orchestrator\app-

3 Change the keystoreURL and keystorePass attributes to refer to the path to the

<your_keystore_filename> file and the password you created when you ran the keytool utility.

keystoreURL="/PathToKeystore/<your_keystore_filename>"
keystorePass="NewKeystorePassword"

The keystoreURL attribute is a URL and must contain slashes as directory separators.

4 Save the jboss-service.xml file and restart the Orchestrator server.

The Orchestrator client authenticates the Orchestrator server by using the SSL certificate you changed.

Back Up the Orchestrator Configuration and Elements

You can take a snapshot of your system configuration at any moment and import this configuration into a new
Orchestrator instance to back up your Orchestrator configuration. You can also back up the Orchestrator
elements that you modified.

If you edit any standard workflows, actions, policies, Web views, or configuration elements, and then import
a package containing the same elements with a higher version number, your changes to the elements are lost.
To make modified and custom elements available after the upgrade, you must export them in a package before
you start the upgrade procedure.

Each Orchestrator server instance has unique certificates and each vCenter Server plug-in instance has a unique
ID. The certificates and the unique ID define the identity of the Orchestrator server and the vCenter Server
plug-in. If you do not export the Orchestrator configuration or back up the Orchestrator elements for backup
purposes, make sure that you change these identifiers.

Procedure

1 Log in to the Orchestrator configuration interface as vmware.

2 On the General tab, click Export Configuration.

3 (Optional) Type a password to protect the configuration file.

Use the same password when you import the configuration.

4 Click Export.

78 VMware, Inc.

Chapter 7 Configuration Use Cases and Troubleshooting

5 Log in to the Orchestrator client application.

6 Create a package that contains all the Orchestrator elements that you created or edited.

a Click the Packages view.

b Click the menu button in the title bar of the Packages list and select Add package.

c Name the new package and click OK.

The syntax for package names is

com.vmware.myfolder.mypackage.

domain.your_company.folder.package_name

. For example,

d Right-click the package and select Edit.

e On the General tab, add a description for the package.

f From the Workflows tab, add workflows to the package.

g (Optional) On the Policies, Actions, Web View, Configurations, Resources, and Used Plug-Ins tabs,

add policy templates, actions, Web views, configuration elements, resource elements, and plug-ins
to the package.

7 Export the package.

a Right-click the package to export and select Export package.

b Browse to select a location where you want to save the package and click Open.

c (Optional) Sign the package with a specific certificate.

d (Optional) Impose restrictions on the exported package.

e (Optional) Deselect the Export version history check box if you do not want to export the version

history of the package.

f Click Save.

8 Import the Orchestrator configuration to the new Orchestrator server instance.

a Log in to the Orchestrator configuration interface of the new Orchestrator instance as vmware.

b On the General tab, click Import Configuration.

c Type the password you used when exporting the configuration.

This step is not necessary if you have not specified a password.

d Browse to select the .vmoconfig file you exported from your previous installation.

e Select whether to override the Orchestrator internal certificate and network settings.

Select the check box only to restore your Orchestrator configuration and the .vmoconfig file is the
backup file of the same Orchestrator configuration.

f Click Import.

9 Import the exported package to the new Orchestrator instance.

a Log in to the Orchestrator client application of the new Orchestrator instance.

b From the drop-down menu in the Orchestrator client, select Administer.

c Click the Packages view.

d Right-click within the left pane and select Import package.

e Browse to select the package that you want to import and click Open.

Certificate information about the exporter appears.

VMware, Inc. 79

Installing and Configuring VMware vCenter Orchestrator

f Review the package import details and select Import or Import and trust provider.

The Import package view appears. If the version of the imported package element is later than the
version on the server, the system selects the element for import.

g Deselect the elements that you do not want to import. For example, deselect custom elements for

which later versions exist.

h Click Import selected elements.

Unwanted Server Restarts

You might experience unwanted server restarts if you have activated the service watchdog utility.

Problem

In certain circumstances, if the response time exceeds the watchdog timeout period, the watchdog utility can
falsely detect a JVM error, which causes a server restart.

Cause

The problem occurs when the Orchestrator server is running with a heavy load, for example if you have
connected Orchestrator to many vCenter Server instances that are running many virtual machines, or if the
server is performing swapping.

Solution

If you experience this behavior, extend the watchdog timeout period by increasing the timeout parameter in
the wrapper.conf configuration file. If the problem still persists, deactivate the watchdog utility by setting the
timeout parameter back to zero (0). See “Activate the Service Watchdog Utility,” on page 61.

Orchestrator Server Fails to Start

The VMware vCenter Orchestrator Server service might fail to start when not enough RAM is available for the
JVM to start the server.

Problem

The server status appears as Starting in the configuration interface and it is not updated when you refresh
the page. When you select My Computer > Services and Applications > Services, the server fails to start and
you receive a timeout error.

Cause

The Orchestrator server might not start in the following circumstances:

n

Orchestrator runs on a host with less than 2GB of RAM.

n

Orchestrator and vCenter Server run on a shared host with less than 4GB of RAM.

n

The Orchestrator database runs on the same host as Orchestrator.

n

Orchestrator is installed in a directory whose name contains non-ASCII characters.

Solution

If you installed Orchestrator standalone, verify that your system has at least 2GB of RAM.

If you installed Orchestrator silently with vCenter Server, verify that your system has at least 4GB of RAM.

Verify that the Orchestrator database is running on a dedicated server.

Verify that the Orchestrator components are configured properly and that all of the status indicators in the
configuration interface display a green circle.

80 VMware, Inc.

Chapter 7 Configuration Use Cases and Troubleshooting

Revert to the Default Password for Orchestrator Configuration

If the default password for the Orchestrator configuration interface is changed, you cannot retrieve it because
Orchestrator uses encryption to encode passwords. You can revert to the default password vmware if the current
password is not known.

Procedure

1 Navigate to the following folder on the Orchestrator server system.

Option Action

If you installed Orchestrator with the
vCenter Server installer

If you installed the standalone
version of Orchestrator

2 Open the password.properties file in a text editor.

3 Delete the content of the file.

Go to

install_directory

uration\jetty\etc.

Go to

install_directory

tc.

\VMware\Infrastructure\Orchestrator\config

\VMware\Orchestrator\configuration\jetty\e

4 Add the following line to the password.properties file.

vmware=92963abd36c896b93a36b8e296ff3387

5 Save the password.properties file.

6 Restart the vCenter Orchestrator Configuration service.

You can log in to the Orchestrator configuration interface with the default credentials.

n

User name: vmware

n

Password: vmware

VMware, Inc. 81

Installing and Configuring VMware vCenter Orchestrator

82 VMware, Inc.

Setting System Properties 8

You can set system properties to change the default Orchestrator behavior.

This chapter includes the following topics:

n

“Disable Access to the Orchestrator Client By Nonadministrators,” on page 83

n

“Disable Access to Workflows from Web Service Clients,” on page 84

n

“Setting Server File System Access for Workflows and JavaScript,” on page 84

n

“Set JavaScript Access to Operating System Commands,” on page 87

n

“Set JavaScript Access to Java Classes,” on page 88

n

“Set Custom Timeout Property,” on page 89

n

“Modify the Number of Objects a Plug-In Search Obtains,” on page 89

n

“Modify the Number of Concurrent and Pending Workflows,” on page 90

Disable Access to the Orchestrator Client By Nonadministrators

You can configure the Orchestrator server to deny access to the Orchestrator client to all users who are not
members of the Orchestrator administrator group.

VMware, Inc.

By default, all users who are granted execute permissions can connect to the Orchestrator client. However, you
can limit access to the Orchestrator client to Orchestrator administrators by setting a system property in the

vmo.properties Orchestrator configuration file.

IMPORTANT If the vmo.properties configuration file does not contain this property, or if the property is set to
false, Orchestrator permits access to the Orchestrator client by all users.

Procedure

1 Navigate to the following folder on the Orchestrator server system.

Option Action

If you installed Orchestrator with the
vCenter Server installer

If you installed the standalone
version of Orchestrator

Go to

install_directory

server\server\vmo\conf.

Go to

install_directory

server\server\vmo\conf.

\VMware\Infrastructure\Orchestrator\app-

\VMware\Orchestrator\app-

2 Open the vmo.properties configuration file in a text editor.

83

Installing and Configuring VMware vCenter Orchestrator

3 Add the following line to the vmo.properties configuration file.

#Disable Orchestrator client connection
com.vmware.o11n.smart-client-disabled = true

4 Save the vmo.properties file.

5 Restart the Orchestrator server.

You disabled access to the Orchestrator client to all users other than members of the Orchestrator administrator
group.

Disable Access to Workflows from Web Service Clients

You can configure the Orchestrator server to deny access to Web service requests, to prevent malicious attempts
from Web service clients to access sensitive servers.

By default, Orchestrator permits access to workflows from Web service clients. You disable access to workflows
from Web service clients by setting a system property in the Orchestrator configuration file, vmo.properties.

IMPORTANT If the vmo.properties configuration file does not contain this property, or if the property is set to
false, Orchestrator permits access to workflows from Web services.

Procedure

1 Navigate to the following folder on the Orchestrator server system.

Option Action

If you installed Orchestrator with the
vCenter Server installer

If you installed the standalone
version of Orchestrator

Go to

install_directory

server\server\vmo\conf.

Go to

install_directory

server\server\vmo\conf.

\VMware\Infrastructure\Orchestrator\app-

\VMware\Orchestrator\app-

2 Open the vmo.properties configuration file in a text editor.

3 Add the following line to the vmo.properties configuration file.

#Disable Web service access
com.vmware.o11n.web-service-disabled = true

4 Save the vmo.properties file.

5 Restart the Orchestrator server.

You disabled access to workflows Web service clients. The Orchestrator server only answers Web service client
calls from the echo() or echoWorkflow() methods, for testing purposes.

Setting Server File System Access for Workflows and JavaScript

Orchestrator limits access to the server file system from workflows and JavaScript to specific directories. You
can extend access to other parts of the server file system by modifying the js-io-rights.conf Orchestrator
configuration file.

The js-io-rights.conf file is created when a workflow tries to access the Orchestrator server file system. If
the js-io-rights.conf file does not exist on your system, you can create it manually with the default content.
For more information, see “Manually Create the js-io-rights.conf File,” on page 86.

84 VMware, Inc.

Chapter 8 Setting System Properties

Rules in the js-io-rights.conf File Permitting Write Access to the Orchestrator System

The js-io-rights.conf file contains rules that permit write access to defined directories in the server file
system.

Mandatory Content of the js-io-rights.conf File

Each line of the js-io-rights.conf file must contain the following information.

n

A plus (+) or minus (-) sign to indicate whether rights are permitted or denied

n

The read (r), write (w), and execute (x) levels of rights

n

The path on which to apply the rights

Default Content of the js-io-rights.conf File

The default content of the js-io-rights.conf configuration file is:

-rwx c:/

+rwx c:/orchestrator
+rx ../../configuration/jetty/logs/
+rx ../server/vmo/log/
+rx ../bin/
+rx ./boot.properties
+rx ../server/vmo/conf/
+rx ../server/vmo/conf/plugins/
+rx ../server/vmo/deploy/vmo-server/vmo-ds.xml
+rx ../../apps/
+r ../../version.txt

The first two entries in the default js-io-rights.conf configuration file allow the following access rights:

-rwx c:/

+rwx c:/orchestrator

All access to the file system is denied.

Read, write, and execute access is permitted in the c:/orchestrator directory.

Rules in the js-io-rights.conf File

Orchestrator resolves access rights in the order they appear in the js-io-rights.conf file. Each line can override
the previous lines.

In the default js-io-rights.conf configuration file, the second line partially overrides the first line because

c:/orchestrator is after c:/, which allows read, write, and execute access to c:/orchestrator but denies access

to the rest of the file system under c:/.

The default configuration allows workflows and the Orchestrator API to write to the c:/orchestrator
directory, but nowhere else.

IMPORTANT You can permit access to all parts of the file system by setting +rwx / in the js-io-rights.conf
file. However, doing so represents a high security risk.

VMware, Inc. 85

Installing and Configuring VMware vCenter Orchestrator

Set Server File System Access for Workflows and JavaScript

To change the parts of the server file system that workflows and the Orchestrator API can access, modify the

js-io-rights.conf configuration file. The js-io-rights.conf file is created when a workflow tries to access

the Orchestrator server file system.

If the js-io-rights.conf file does not exist on your system, you can create it manually with the default content.
For more information, see “Manually Create the js-io-rights.conf File,” on page 86.

Orchestrator has read, write, and execute rights to a folder named orchestrator, at the root of the server system.
Although workflows have permission to read, write, and execute in this folder, you must create the folder on
the server system.

Procedure

1 Create the c:/orchestrator folder at the root of the Orchestrator server system.

2 Navigate to the following folder on the Orchestrator server system.

Option Action

If you installed Orchestrator with the
vCenter Server installer

If you installed the standalone
version of Orchestrator

3 Open the js-io-rights.conf configuration file in a text editor.

Go to

install_directory

server\server\vmo\conf.

Go to

install_directory

server\server\vmo\conf.

\VMware\Infrastructure\Orchestrator\app-

\VMware\Orchestrator\app-

4 Add the necessary lines to the js-io-rights.conf file to allow or deny access to parts of the file system.

For example, the following line denies the execution rights in the c:/orchestrator/noexec directory:

-x c:/orchestrator/noexec

By adding the preceding line, c:/orchestrator/exec retains execution rights, but

c:/orchestrator/noexec/bar does not. Both directories remain readable and writable.

You modified the access rights to the file system from workflows and from the Orchestrator API.

Manually Create the js-io-rights.conf File

You can extend access to other parts of the Orchestrator server file system by modifying the js-io-

rights.conf Orchestrator configuration file. If the js-io-rights.conf file does not exist on your system, you

can create it manually with the default content.

IMPORTANT Manually creating the js-io-rights.conf file is applicable only for Windows systems. The
recommended way to generate the js-io-rights.conf file is to run a workflow attempting to access the
Orchestrator server file system, for example, the Export logs and application settings workflow from the
Troubleshooting folder in the Orchestrator workflow library.

Procedure

1 Log in as an administrator to the machine on which the Orchestrator server is installed.

86 VMware, Inc.

2 Navigate to the Orchestrator configuration directory.

Option Action

If you installed Orchestrator with the
vCenter Server installer

If you installed Orchestrator
standalone

Go to

install_directory

ver\server\vmo\conf.

Go to

install_directory

o\conf.

\VMware\Infrastructure\Orchestrator\appser

\VMware\Orchestrator\appserver\server\vm

3 Create the js-io-rights.conf file and open it in a text editor.

4 Type the default js-io-rights.conf file content.

-rwx C:/

+rwx C:/orchestrator
+rx ../../configuration/jetty/logs/
+rx ../server/vmo/log/
+rx ../bin/
+rx ./boot.properties
+rx ../server/vmo/conf/
+rx ../server/vmo/conf/plugins
+rx ../server/vmo/deploy/vmo-server/vmo-ds.xml
+rx ../../apps/
+r ../../version.txt

Chapter 8 Setting System Properties

5 Save and close the file.

You can now set the access to the server file system for workflows and JavaScript.

Set JavaScript Access to Operating System Commands

The Orchestrator API provides a scripting class, Command, that runs commands in the Orchestrator server host
operating system. To prevent unauthorized access to the Orchestrator server host, by default, Orchestrator
applications do not have permission to run the Command class. If Orchestrator applications require permission
to run commands on the host operating system, you can activate the Command scripting class.

You grant permission to use the Command class by setting a system property in the vmo.properties properties
file.

Procedure

1 Navigate to the following folder on the Orchestrator server system.

Option Action

If you installed Orchestrator with the
vCenter Server installer

If you installed the standalone
version of Orchestrator

2 Open the vmo.properties configuration file in a text editor.

Go to

install_directory

server\server\vmo\conf.

Go to

install_directory

server\server\vmo\conf.

\VMware\Infrastructure\Orchestrator\app-

\VMware\Orchestrator\app-

3 Set the com.vmware.js.allow-local-process system property by adding the following line to the

vmo.properties file.

com.vmware.js.allow-local-process=true

4 Save the vmo.properties file.

VMware, Inc. 87

Installing and Configuring VMware vCenter Orchestrator

5 Restart the Orchestrator server.

You granted permissions to Orchestrator applications to run local commands in the Orchestrator server host
operating system.

NOTE By setting the com.vmware.js.allow-local-process system property to true, you allow the Command
scripting class to write anywhere in the file system. This property overrides any file system access permissions
that you set in the js-io-rights.conf file for the Command scripting class only. The file system access permissions
that you set in the js-io-rights.conf file still apply to all scripting classes other than Command.

Set JavaScript Access to Java Classes

By default, Orchestrator restricts JavaScript access to a limited set of Java classes. If you require JavaScript
access to a wider range of Java classes, you must set an Orchestrator system property to allow this access.

Allowing the JavaScript engine full access to the Java virtual machine (JVM) presents potential security issues.
Malformed or malicious scripts might have access to all of the system components to which the user who runs
the Orchestrator server has access. Consequently, by default the Orchestrator JavaScript engine can access only
the classes in the java.util.* package.

If you require JavaScript access to classes outside of the java.util.* package, you can list in a configuration
file the Java packages to which to allow JavaScript access. You then set the com.vmware.scripting.rhino-

class-shutter-file system property to point to this file.

Procedure

1 Create a text configuration file to store the list of Java packages to which to allow JavaScript access.

For example, to allow JavaScript access to all the classes in the java.net package and to the

java.lang.Object class, you add the following content to the file.

java.net.*
java.lang.Object

2 Save the configuration file with an appropriate name and in an appropriate place.

3 Navigate to the following folder on the Orchestrator server system.

Option Action

If you installed Orchestrator with the
vCenter Server installer

If you installed the standalone
version of Orchestrator

Go to

install_directory

server\server\vmo\conf.

Go to

install_directory

server\server\vmo\conf.

\VMware\Infrastructure\Orchestrator\app-

\VMware\Orchestrator\app-

4 Open the vmo.properties configuration file in a text editor.

5 Set the com.vmware.scripting.rhino-class-shutter-file system property by adding the following line

to the vmo.properties file.

com.vmware.scripting.rhino-class-shutter-file=

path_to_your_configuration_file

6 Save the vmo.properties file.

7 Restart the Orchestrator server.

The JavaScript engine has access to the Java classes that you specified.

88 VMware, Inc.

Set Custom Timeout Property

When vCenter is overloaded, it takes more time to return the response to the Orchestrator server than the 20000
milliseconds set by default. To prevent this situation, you must modify the Orchestrator configuration file to
increase the default timeout period.

If the default timeout period expires before the completion of certain operations, the Orchestrator server log
contains errors.

Operation 'getPropertyContent' total time : '5742228' for 1823 calls, mean time : '3149.0', min
time : '0', max time : '32313'

Timeout, unable to get property 'info' com.vmware.vmo.plugin.vi4.model.TimeoutException

Procedure

1 Navigate to the following folder on the Orchestrator server system.

Option Action

If you installed Orchestrator with the
vCenter Server installer

If you installed the standalone
version of Orchestrator

2 Open the vmo.properties configuration file in a text editor.

Go to

install_directory

server\server\vmo\conf.

Go to

install_directory

server\server\vmo\conf.

\VMware\Infrastructure\Orchestrator\app-

Chapter 8 Setting System Properties

\VMware\Orchestrator\app-

3 Set the com.vmware.vmo.plugin.vi4.waitUpdatesTimeout system property by adding the following line to

the vmo.properties file.

com.vmware.vmo.plugin.vi4.waitUpdatesTimeout=

<milliseconds>

4 Save the vmo.properties file.

5 Restart the Orchestrator server.

The value you set overrides the default timeout setting of 20000 milliseconds.

Modify the Number of Objects a Plug-In Search Obtains

By default, using the Orchestrator client to search for objects through a plug-in returns 20 objects at a time.
You can modify the plug-in configuration file to increase the number of objects that are returned.

Prerequisites

You must have installed a plug-in in the Orchestrator server.

Procedure

1 Navigate to the plug-in configuration folder on the Orchestrator server system.

This folder contains an XML configuration file for each plug-in you have installed in the Orchestrator
server.

Option Action

If you installed Orchestrator with the
vCenter Server installer

If you installed the standalone
version of Orchestrator

Go to

install_directory

server\server\vmo\conf\plugins.

Go to

install_directory

server\server\vmo\conf\plugins.

\VMware\Infrastructure\Orchestrator\app-

\VMware\Orchestrator\app-

VMware, Inc. 89

Installing and Configuring VMware vCenter Orchestrator

2 Open the XML configuration file of the plug-in for which you want to change the number of search results.

3 Add the following line to the XML configuration file for the plug-in.

<entry key="ch.dunes.database.fetch-limit">50</entry>

This line sets the number of search results to return to 50.

4 Save the XML configuration file.

5 (Optional) Repeat Step 2 through Step 4 for each plug-in to modify.

6 Restart the Orchestrator server.

You increased the number of search results Orchestrator displays for a particular plug-in.

Modify the Number of Concurrent and Pending Workflows

By default, Orchestrator permits 300 workflows to run at the same time. When the Orchestrator server has to
run more than 300 concurrent workflows, the pending workflow runs are queued. When an active workflow
run completes, the next workflow in the queue starts to run. If the maximum number of queued workflows is
reached, the next workflow runs fail until one of the pending workflows starts to run.

By setting system properties in the Orchestrator vmo.properties configuration file, you can control the number
of workflows that are running at the same time and the number of pending workflows that are waiting in a
queue.

IMPORTANT If your system is configured with one CPU, the recommended maximum value of the

com.vmware.vco.workflow-engine.executors-count property is 100. If the number of concurrent workflows is

higher than 100, you might reach the maximum number of threads per processor.

Procedure

1 Navigate to the following folder on the Orchestrator server system.

Option Action

If you installed Orchestrator with the
vCenter Server installer

If you installed the standalone
version of Orchestrator

Go to

install_directory

server\server\vmo\conf.

Go to

install_directory

server\server\vmo\conf.

\VMware\Infrastructure\Orchestrator\app-

\VMware\Orchestrator\app-

2 Open the vmo.properties configuration file in a text editor.

3 Set the com.vmware.vco.workflow-engine.executors-count and com.vmware.vco.workflow-

engine.executors-max-queue-size properties by adding the following lines to the vmo.properies file.

com.vmware.vco.workflow-engine.executors-count=
com.vmware.vco.workflow-engine.executors-max-queue-size=

200

5000

4 Save the vmo.properties file.

5 Restart the Orchestrator server.

You set the maximum values for concurrent and pending workflows. You can run up to 200 workflows and
5000 workflows can be queued if the number of actively running workflows is reached.

90 VMware, Inc.

Where to Go From Here 9

When you have installed and configured vCenter Orchestrator, you can use Orchestrator to automate
frequently repeated processes related to the management of the virtual environment.

n

Log in to the Orchestrator client, run, and schedule workflows on the vCenter Server inventory objects or
other objects that Orchestrator accesses through its plug-ins.

n

Publish the weboperator Web view and provide browser access to Orchestrator workflows to users and
user groups.

n

Duplicate and modify the standard Orchestrator workflows and write your own actions and workflows
to automate operations in vCenter Server.

n

Develop plug-ins, Web services, and Web views to extend the Orchestrator platform.

n

Run workflows on your vSphere inventory objects by using the vSphere Web Client.

VMware, Inc.

91

Installing and Configuring VMware vCenter Orchestrator

92 VMware, Inc.

Index

A

additional configuration options 59
audience 7
authentication type 36
availability 19

B

back up, configuration 78

C

certificate database 51
changing the Orchestrator Lookup port 60
check-pointing 11
Command scripting class 87
configuration

config files 62
database connection 45, 46
default plug-ins 52
export configuration settings 27, 62
import configuration settings 29, 63
LDAP settings 42

network connection 33
configuration maximums 19
configuring

Orchestrator in the vSphere Web Client 72

Orchestrator with vCenter Server

appliance 71
content, js-io-rights.conf file 85
conversion pattern 69
create the js-io-rights.conf file 86

D

data migration 30
database

connection parameters 46
import SSL certificate 45
installation 20
Oracle 20
server size 20
setup 20
SQL Server 20

SQL Server Express 20
default password 81
default ports

command port 33

data port 33
HTTP port 33
HTTPS port 33
LDAP port 33
LDAP with Global Catalog 33
LDAP with SSL 33
lookup port 33
messaging port 33
Oracle port 33
SMTP port 33
SQL Server port 33
vCenter API port 33
Web configuration HTTP access port 33

Web configuration HTTPS access port 33
dereference links 43
disable access to Orchestrator client 83
disabling Web service access 84
download the vCenter Server installer 24

E

enable remote workflow 74
events 64

F

file system

access from workflows 84

set workflow access 86
filter attributes 43
filtering, Orchestrator log files 69

G

generate a certificate 75
get a certificate signed by a CA 75

I

i18n support 16
ignore referrals 43
import, SSL certificate 74

import SSL certificate, vCenter Single Sign

On 36

install

.dar plug-in 55

.vmoapp plug-in 56

SSL certificate from a CA 75
installing, plug-in 55

VMware, Inc. 93

Installing and Configuring VMware vCenter Orchestrator

installing Orchestrator

vCenter Orchestrator client installers 25
vCenter Orchestrator standalone installer 24,

28

internationalization 16

J

JavaScript 88
js-io-rights.conf file 84, 86
js-io-rights.conf file, content 85
js-io-rights.conf file, rules 85

L

LDAP

browsing credentials 42
connection URL 40
LDAP Server Signing Requirements 39
lookup paths 42
SSL certificate 39

LDAP errors

525 44
52e 44
530 44
531 44
532 44
533 44
701 44
773 44

775 44
levels or rights, js-io-rights.conf file 85
license

adding vCenter Server license manually 57

importing plug-in licenses 65

importing vCenter Server license 56

Orchestrator server access rights 57
load balancing 53
log files 69
login 32
logs

non-persistent logs 66

persistent logs 66

M

maximum concurrent workflows 90
maximum pending workflows 90

N

non-ASCII characters 16, 24, 28, 46

O

operating system commands, accessing 87
Orchestrator, register as an extension 73

Orchestrator API

file system access 84, 86

js-io-rights.conf file 84, 86
Orchestrator architecture 13
Orchestrator client

change the SSL certificate 77

disable access 83
Orchestrator configuration interface, change SSL

certificate 77

Orchestrator elements, back up 78
Orchestrator installed on a 64-bit machine 27
Orchestrator overview 11
overview of, vCenter Single Sign On 36

P

password 59
persistence 11
plug-ins

removing a plug-in 60

searching 89
plug-ins configuration

Mail plug-in 53

SSH plug-in 53

vCenter Server plug-in 54
policy engine 11

R

remote workflows 74
replicate SSL certificate 74
right denial, js-io-rights.conf file 85
right permission, js-io-rights.conf file 85
rules, js-io-rights.conf file 85
runs 64

S

scalability 19
scenario 71
scripting

access to Java classes 88

accessing operating system commands 87

shutter system property 88
scripting engine 11
security 11
server certificate

CA-signed 49, 50

exporting 49, 51

importing 50

removing 51

self-signed 49
server log

exporting 67

log level 67

94 VMware, Inc.

Index

service watchdog utility

timeout parameter 61
troubleshooting server restarts 80

services

starting 32, 58
VMware vCenter Orchestrator

Configuration 32

VMware vCenter Orchestrator Server 58

setup guidelines

directory services 20
LDAP server 20
vCenter Server 19

vCenter Single Sign On 20
SMTP connection 53
SQL Express, configuring SQL Express 45
SSL certificate 35
SSL certificate, import 36
SSL certificates 75
system properties 83, 88–90
system requirements

directory services 15

hardware 15

operating systems 15

supported browsers 16

supported databases 16

simple registration 37

unregister Orchestrator 73
versioning 11
VMware vCenter Orchestrator Server, installing

as Windows service 58

vSphere Web Client, enable Orchestrator

workflows 72

W

watchdog utility 61
Web service, disabling access 84

Web views, change SSL certificate 76
what to do next 91
workflow engine 11

T

timeout 89
timeouts 43
trust remote server SSL certificate 74

U

uninstalling 28, 30
unregister, Orchestrator from vCenter Single Sign

On 73
updated information 9
upgrading Orchestrator 23
upgrading Orchestrator 4.2 standalone 26
use case 71
user permissions 36
user roles 12

V

vCenter Server

downloading the installer 24
extension manager 73
managed object browser 73

vCenter Single Sign On

advanced registration 38
import SSL certificate 36
register Orchestrator 71
running in the vCenter Server Appliance 71

VMware, Inc. 95

Installing and Configuring VMware vCenter Orchestrator

96 VMware, Inc.