How it Works
VMware
Loading...
V
Loading...
Loading...
vRealize Orchestrator - 7.0
Installation Manual
88 pgs1.33 Mb0
User’s Manual
214 pgs3.04 Mb0
User’s Manual
138 pgs1.83 Mb0
User’s Manual
38 pgs692.1 Kb0
User’s Manual
100 pgs1.3 Mb0
Table of contents
Loading...

VMware vRealize Orchestrator - 7.0 Installation Manual

Download
Page 1
Installing and Configuring VMware
vRealize Orchestrator
vRealize Orchestrator 7.0
This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
EN-001859-00
Page 2
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com
Copyright © 2008–2015 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc.
3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com
2 VMware, Inc.
Page 3

Contents

Installing and Configuring VMware vRealize Orchestrator 7
Introduction to VMware vRealize Orchestrator 9
1
Key Features of the Orchestrator Platform 9
Orchestrator User Types and Related Responsibilities 11
Orchestrator Architecture 11
Orchestrator Plug-Ins 12
Orchestrator System Requirements 13
2
Hardware Requirements for the Orchestrator Appliance 13
Operating Systems Supported by Orchestrator 13
Supported Directory Services 14
Browsers Supported by Orchestrator 14
Orchestrator Database Requirements 14
Software Included in the Orchestrator Appliance 14
Level of Internationalization Support 15
Setting Up Orchestrator Components 17
3
vCenter Server Setup 17
Authentication Methods 17
Setting Up the Orchestrator Database 18
Installing and Upgrading Orchestrator 21
4
Install the Client Integration Plug-In 21
Download and Deploy the Orchestrator Appliance 22
Power On the Orchestrator Appliance and Open the Home Page 23
Change the Root Password 23
Enable or Disable SSH Administrator Login on the vRealize Orchestrator Appliance 24
Configure Network Settings for the Orchestrator Appliance 24
Upgrade Orchestrator Appliance 5.5.x and Later to 7.0 25
Upgrade an Orchestrator Cluster 26
VMware, Inc.
Configuring vRealize Orchestrator in the Orchestrator Appliance 27
5
Log In to Control Center 28
Orchestrator Network Ports 28
Selecting the Authentication Type 29
Configuring LDAP Settings 30
Configuring vRealize Automation Authentication 35
Configuring vCenter Single Sign-On Settings 35
Configuring the Orchestrator Database Connection 37
Import the Database SSL Certificate 38
3
Page 4
Configure the Database Connection 38
Export the Orchestrator Database 40
Import an Orchestrator Database 40
Manage Certificates 40
Import a Self-Signed Certificate to the Orchestrator Trust Store 41
Generate a Self-Signed Server Certificate 42
Import an Orchestrator Server SSL Certificate 42
Package Signing Certificate 43
Configure the Orchestrator Plug-Ins 43
Enable Debug Logging for the Orchestrator Plug-Ins 43
Installing a New Plug-In 44
Reinstall Plug-Ins 44
Start the Orchestrator Server 44
Orchestrator Availability and Scalability 45
Configure an Orchestrator Cluster 45
Configuring a Load Balancer 46
Configuring the Customer Experience Improvement Program 50
Categories of Information That VMware Receives 50
Join the Customer Experience Improvement Program 50
Using the API services 51
6
Managing SSL Certificates and Keystores by Using the REST API 51
Delete an SSL Certificate by Using the REST API 51
Import SSL Certificates by Using the REST API 52
Create a Keystore by Using the REST API 53
Delete a Keystore by Using the REST API 53
Add a Key by Using the REST API 53
Automating the Orchestrator Configuration by Using the Control Center REST API 54
Additional Configuration Options 55
7
Create New Users in Control Center 55
Uninstall a Plug-In 55
Export the Orchestrator Configuration 56
Orchestrator Server Configuration Files 57
Import the Orchestrator Configuration 57
Migrating the Orchestrator Configuration 58
Migrate the Orchestrator Configuration 58
Configure the Workflow Run Properties 59
Orchestrator Log Files 60
Logging Persistence 61
Configure Logs 61
Export Orchestrator Log Files 62
Inspect the Workflow Logs 62
Filter the Orchestrator Logs 63
Configuration Use Cases and Troubleshooting 65
8
Register Orchestrator as a vCenter Server Extension 65
Unregister Orchestrator Authentication 66
4 VMware, Inc.
Page 5
Changing SSL Certificates 66
Adding a Certificate to the Local Store 66
Change the Certificate of the Orchestrator Appliance Management Site 67
Cancel Running Workflows 67
Enable Orchestrator Server Debugging 68
Back Up the Orchestrator Configuration and Elements 68
Backing Up and Restoring vRealize Orchestrator 70
Back Up vRealize Orchestrator 71
Restore a vRealize Orchestrator Instance 72
Disaster Recovery of Orchestrator by Using Site Recovery Manager 73
Configure Virtual Machines for vSphere Replication 73
Create Protection Groups 73
Create a Recovery Plan 74
Organize Recovery Plans in Folders 75
Edit a Recovery Plan 75
Contents
Setting System Properties 77
9
Disable Access to the Orchestrator Client By Nonadministrators 77
Setting Server File System Access for Workflows and JavaScript 78
Rules in the js-io-rights.conf File Permitting Write Access to the Orchestrator System 78
Set Server File System Access for Workflows and JavaScript 78
Set JavaScript Access to Operating System Commands 79
Set JavaScript Access to Java Classes 80
Set Custom Timeout Property 80
Where to Go From Here 83
10
Log In to the Orchestrator Client from the Orchestrator Appliance Web Console 83
Index 85
VMware, Inc. 5
Page 6
6 VMware, Inc.
Page 7

Installing and Configuring VMware vRealize Orchestrator

Installing and Configuring VMware vRealize Orchestrator provides information and instructions about installing, upgrading and configuring VMware® vRealize Orchestrator.
Intended Audience
This information is intended for advanced vSphere administrators and experienced system administrators who are familiar with virtual machine technology and datacenter operations.
VMware, Inc. 7
Page 8
8 VMware, Inc.
Page 9
Introduction to
VMware vRealize Orchestrator 1
VMware vRealize Orchestrator is a development- and process-automation platform that provides a library of extensible workflows to allow you to create and run automated, configurable processes to manage VMware products as well as other third-party technologies.
vRealize Orchestrator automates management and operational tasks of both VMware and third-party applications such as service desks, change management systems, and IT asset management systems.
This chapter includes the following topics:
“Key Features of the Orchestrator Platform,” on page 9
n
“Orchestrator User Types and Related Responsibilities,” on page 11
n
“Orchestrator Architecture,” on page 11
n
“Orchestrator Plug-Ins,” on page 12
n

Key Features of the Orchestrator Platform

Orchestrator is composed of three distinct layers: an orchestration platform that provides the common features required for an orchestration tool, a plug-in architecture to integrate control of subsystems, and a library of workflows. Orchestrator is an open platform that can be extended with new plug-ins and libraries, and can be integrated into larger architectures through a REST API.
The following list presents the key Orchestrator features.
Persistence
Central management
VMware, Inc. 9
Production grade databases are used to store relevant information, such as processes, workflow states, and configuration information.
Orchestrator provides a central way to manage your processes. The application server-based platform, with full version history, allows you to have scripts and process-related primitives in one place. This way, you can avoid scripts without versioning and proper change control spread on your servers.
Page 10
Check-pointing
Control Center
Versioning
Scripting engine
Every step of a workflow is saved in the database, which allows you to restart the server without losing state and context. This feature is especially useful for long-running processes.
The Control Center interface increases the administrative efficiency of vRealize Orchestrator instances by providing a centralized administrative interface for runtime operations, workflow monitoring, unified log access and configurations, and correlation between the workflow runs and system resources. The vRealize Orchestrator logging mechanism has been optimized with an additional log file that gathers various performance metrics for vRealize Orchestrator engine throughput.
All Orchestrator Platform objects have an associated version history. This feature allows basic change management when distributing processes to different project stages or locations.
The Mozilla Rhino JavaScript engine provides a way to create new building blocks for Orchestrator Platform. The scripting engine is enhanced with basic version control, variable type checking, name space management and exception handling. It can be used in the following building blocks:
Actions
n
Workflows
n
Policies
n
Workflow engine
Policy engine
Security
The workflow engine allows you to capture business processes. It uses the following objects to create a step-by-step process automation in workflows:
Workflows and actions that Orchestrator provides.
n
Custom building blocks created by the customer
n
Objects that plug-ins add to Orchestrator
n
Users, other workflows, a schedule, or a policy can start workflows.
The policy engine allows monitoring and event generation to react to changing conditions in the Orchestrator server or plugged-in technology. Policies can aggregate events from the platform or any of the plug-ins, which allows you to handle changing conditions on any of the integrated technologies.
Orchestrator provides the following advanced security functions:
Public Key Infrastructure (PKI) to sign and encrypt content imported
n
and exported between servers
Digital Rights Management (DRM) to control how exported content
n
might be viewed, edited and redistributed
Secure Sockets Layer (SSL) encrypted communications between the
n
desktop client and the server and HTTPS access to the Web front end.
Advanced access rights management to provide control over access to
n
processes and the objects manipulated by these processes.
10 VMware, Inc.
Page 11
Chapter 1 Introduction to VMware vRealize Orchestrator

Orchestrator User Types and Related Responsibilities

Orchestrator provides different tools and interfaces based on the specific responsibilities of the global user roles. In Orchestrator, you can have users with full rights, that are a part of the administrator group (Administrators) and users with limited rights, that are not part of the administrator group (End Users).
Users with Full Rights
Orchestrator administrators and developers have equal administrative rights, but are divided in terms of responsibilities.
Administrators
Developers
Users with Limited Rights
End Users
This role has full access to all of the Orchestrator platform capabilities. Basic administrative responsibilities include the following items:
Installing and configuring Orchestrator
n
Managing access rights for Orchestrator and applications
n
Importing and exporting packages
n
Running workflows and scheduling tasks
n
Managing version control of imported elements
n
Creating new workflows and plug-ins
n
This user type has full access to all of the Orchestrator platform capabilities. Developers are granted access to the Orchestrator client interface and have the following responsibilities:
Creating applications to extend the Orchestrator platform functionality
n
Automating processes by customizing existing workflows and creating
n
new workflows and plug-ins
End users can run and schedule workflows and policies that the administrators or developers make available in the Orchestrator client.

Orchestrator Architecture

Orchestrator contains a workflow library and a workflow engine to allow you to create and run workflows that automate orchestration processes. You run workflows on the objects of different technologies that Orchestrator accesses through a series of plug-ins.
Orchestrator provides a standard set of plug-ins, including a plug-in for vCenter Server, to allow you to orchestrate tasks in the different environments that the plug-ins expose.
Orchestrator also presents an open architecture to allow you to plug in external third-party applications to the orchestration platform. You can run workflows on the objects of the plugged-in technologies that you define yourself. Orchestrator connects to an authentication provider to manage user accounts, and to a database to store information from the workflows that it runs. You can access Orchestrator, the Orchestrator workflows, and the objects it exposes through the Orchestrator client interface, or through Web services.
VMware, Inc. 11
Page 12
Authentication
Providers
vCenter
Server
Orchestrator
database
vRealize Orchestrator
Client application
Web services REST
workflow libraryworkflow engine
vCenter
Server
XML SSH SQL SMTP 3rd-party
plug-in
Figure 11. VMware vRealize Orchestrator Architecture

Orchestrator Plug-Ins

Plug-ins allow you to use Orchestrator to access and control external technologies and applications. Exposing an external technology in an Orchestrator plug-in allows you to incorporate objects and functions in workflows that access the objects and functions of that external technology.
The external technologies that you can access by using plug-ins can include virtualization management tools, email systems, databases, directory services, and remote control interfaces.
Orchestrator provides a set of standard plug-ins that you can use to incorporate into workflows such technologies as the VMware vCenter Server API and email capabilities. By using the plug-ins, you can automate the delivery of new IT services or adapt the capabilities of existing vRealize Automation infrastructure and application services. In addition, you can use the Orchestrator open plug-in architecture to develop plug-ins to access other applications.
The Orchestrator plug-ins that VMware develops are distributed as .vmoapp files. For more information about the Orchestrator plug-ins that VMware develops and distributes, see
http://www.vmware.com/support/pubs/vco_plugins_pubs.html. For more information about third-party
Orchestrator plug-ins, see https://solutionexchange.vmware.com/store/vco.
12 VMware, Inc.
Page 13

Orchestrator System Requirements 2

Your system must meet the technical requirements that are necessary for Orchestrator to work properly.
For a list of the supported versions of vCenter Server, the vSphere Web Client, vRealize Automation, and other VMware solutions, as well as compatible database versions, see VMware Product Interoperability
Matrix.
This chapter includes the following topics:
“Hardware Requirements for the Orchestrator Appliance,” on page 13
n
“Operating Systems Supported by Orchestrator,” on page 13
n
“Supported Directory Services,” on page 14
n
“Browsers Supported by Orchestrator,” on page 14
n
“Orchestrator Database Requirements,” on page 14
n
“Software Included in the Orchestrator Appliance,” on page 14
n
“Level of Internationalization Support,” on page 15
n

Hardware Requirements for the Orchestrator Appliance

The Orchestrator Appliance is a preconfigured Linux-based virtual machine. Before you deploy the appliance, verify that your system meets the minimum hardware requirements.
The Orchestrator Appliance has the following hardware configuration:
2 CPUs
n
4 GB of memory
n
12 GB hard disk
n
Do not reduce the default memory size, because the Orchestrator server requires at least 2 GB of free memory.

Operating Systems Supported by Orchestrator

You can install the Orchestrator server only on 64-bit operating systems.
Orchestrator is also available as a virtual appliance running on a SUSE Linux Enterprise Server.
VMware, Inc.
13
Page 14

Supported Directory Services

If you plan to use an LDAP server for authentication, ensure that you set up and configure a working LDAP server.
NOTE LDAP authentication is deprecated.
Orchestrator supports these directory service types.
Windows Server Active Directory
n
OpenLDAP
n
IMPORTANT Multiple domains that have a two-way trust, but are not in the same tree, are not supported and do not work with Orchestrator. The only configuration supported for multi-domain Active Directory is domain tree. Forest and external trusts are not supported.

Browsers Supported by Orchestrator

Control Center requires a Web browser.
You must use one of the following browsers to connect to Control Center.
Microsoft Internet Explorer 10 or later
n
Mozilla Firefox
n
Google Chrome
n

Orchestrator Database Requirements

The Orchestrator server requires a database. The preconfigured in Orchestrator PostgreSQL database is production ready and suitable for small-scale and medium-scale environments. You can also use an external database, depending on your needs.
For a list of the supported database versions, see VMware Product Interoperability Matrix.

Software Included in the Orchestrator Appliance

The Orchestrator Appliance is a preconfigured virtual machine optimized for running Orchestrator. The appliance is distributed with preinstalled software.
The Orchestrator Appliance package contains the following software:
SUSE Linux Enterprise Server 11 Update 3 for VMware, 64-bit edition
n
Embedded PostgreSQL
n
In-Process ApacheDS LDAP
n
Orchestrator
n
The default Orchestrator Appliance database configuration is suitable for small- or medium-scale environment. The default in-process LDAP configuration is suitable for experimental and testing purposes only. To use the Orchestrator Appliance in a production environment, you must set up a new directory service, and configure the Orchestrator server to work with it. You can also configure the Orchestrator
14 VMware, Inc.
Page 15
server to work with VMware vCenter Single Sign-On. For more information about configuring external LDAP or Single Sign-On, see “Selecting the Authentication Type,” on page 29. For information about configuring a database for production environments, see “Setting Up the Orchestrator Database,” on page 18.
NOTE LDAP authentication is deprecated.

Level of Internationalization Support

Orchestrator supports internationalization level 1.
Non-ASCII Character Support in Orchestrator
Although Orchestrator is not localized, it can run on a non-English operating system and support non­ASCII text.
Table 21. Non-ASCII Character Support in Orchestrator GUI
Support for Non-ASCII Characters
Orchestrator Item Description Field Name Field
Action Yes No No No
Folder Yes Yes - -
Configuration element Yes Yes - No
Package Yes Yes - -
Policy Yes Yes - -
Policy template Yes Yes - -
Resource element Yes Yes - -
Workflow Yes Yes No No
Workflow presentation display group and input step
Yes Yes - -
Chapter 2 Orchestrator System Requirements
Input and Output Parameters Attributes
Non-ASCII Character Support for Oracle Databases
To store characters in the correct format in an Oracle database, set the NLS_CHARACTER_SET parameter to
AL32UTF8 before configuring the database connection and building the table structure for Orchestrator. This
setting is crucial for an internationalized environment.
VMware, Inc. 15
Page 16
16 VMware, Inc.
Page 17

Setting Up Orchestrator Components 3

When you download and deploy the Orchestrator Appliance, the Orchestrator server is preconfigured. After deployment, the service starts automatically.
To enhance the availability and scalability of your Orchestrator setup, follow these guidelines :
Install and configure a database and configure Orchestrator to connect to it.
n
Install and configure an authentication provider and configure Orchestrator to work with it.
n
This chapter includes the following topics:
“vCenter Server Setup,” on page 17
n
“Authentication Methods,” on page 17
n
“Setting Up the Orchestrator Database,” on page 18
n

vCenter Server Setup

Increasing the number of vCenter Server instances in your Orchestrator setup causes Orchestrator to manage more sessions. Each active session results in activity on the corresponding vCenter Server, and too many active sessions can cause Orchestrator to experience timeouts when more than 10 vCenter Server connections occur.
For a list of the supported versions of vCenter Server, see VMware Product Interoperability Matrix.
NOTE You can run multiple vCenter Server instances on different virtual machines in your Orchestrator setup if your network has sufficient bandwidth and latency. If you are using LAN to improve the communication between Orchestrator and vCenter Server, a 100 Mb line is mandatory.

Authentication Methods

To authenticate and manage user permissions, Orchestrator requires a connection to an LDAP server, a connection to a Single Sign-On server, or a connection to vRealize Automation.
NOTE LDAP authentication is deprecated.
When you download and deploy the Orchestrator Appliance, the Orchestrator server is preconfigured to work with the in-process ApacheDS LDAP server distributed with the appliance. The default in-process LDAP configuration is suitable testing purposes only. To use Orchestrator in a production environment, you must set up either an LDAP server, a vCenter Single Sign-On server, or set up a connection with vRealize Automation and configure Orchestrator to work with it.
VMware, Inc.
17
Page 18
Connect to the LDAP server that is physically closest to your Orchestrator server to avoid long response times for LDAP queries that slow down system performance. Orchestrator supports the Active Directory and OpenLDAP service types.
To improve the performance of the LDAP queries, keep the user and group lookup base as narrow as possible. Limit the users to targeted groups that need access, rather than including whole organizations with many users who do not need access. The resources that you need depend on the combination of database and directory service you choose. For recommendations, see the documentation for your LDAP server.
To use the vCenter Single Sign-On authentication method, you must first install vCenter Single Sign-On. You must configure the Orchestrator server to use the vCenter Single Sign-On server that you installed and configured.
You can use Single Sign-On authentication through vRealize Automation and vSphere from the authentication settings in Control Center.

Setting Up the Orchestrator Database

Orchestrator requires a database to store workflows and actions.
The Orchestrator server is preconfigured to use an embedded database, which is suitable for small-scale production purposes only. If you want to use Orchestrator in a full-scale environment, you must configure Orchestrator to use a separate database by using Control Center. When the database is In-process (DerbyDB), you cannot set up Orchestrator to work in a cluster, or change the license and the server certificate from Control Center.
To use Orchestrator in a production environment, you must configure the Orchestrator server to use a dedicated separate Orchestrator database.
When you download and deploy the Orchestrator Appliance, the Orchestrator server is preconfigured to work with the embedded PostgreSQL database distributed with the appliance. The default Orchestrator Appliance database configuration is production ready, but suitable for a small-scale environment. To use Orchestrator in a full-scale production environment, you must set up a separate database and configure Orchestrator to work with it.
Orchestrator server supports Oracle, Microsoft SQL Server, and PostgreSQL databases.
The common workflow for setting up the Orchestrator database consists of the following steps:
1 Create a new database. For more information about creating a new database, see the documentation of
your database provider.
2 Enable the database for remote connection.
3 Configure the database connection parameters. For more information, see “Configuring the
Orchestrator Database Connection,” on page 37.
If you plan to set up an Orchestrator cluster, you must configure the database to accept multiple connections so that it can accept connections from the different Orchestrator server instances in the cluster.
The database setup can affect Orchestrator performance. Install the database on a machine other than the one on which the Orchestrator server is installed. This approach ensures that the JVM and database server do not share CPU, RAM, and I/O.
The location of the database is important because almost every activity on the Orchestrator server triggers operations on the database. To avoid latency in the database connection, connect to the database server that is geographically closest to your Orchestrator server and that is on the network with the highest available bandwidth.
18 VMware, Inc.
Page 19
Chapter 3 Setting Up Orchestrator Components
The size of the Orchestrator database varies depending on the setup and how workflow tokens are handled. Allow for approximately 50 KB for each vCenter Server object and 4 KB for each workflow run.
CAUTION Verify that at least 1 GB of disk space is available on the machine where the Orchestrator database is installed and on the machine where the Orchestrator server is installed.
Insufficient disk storage space might cause the Orchestrator server and client to not function correctly.
VMware, Inc. 19
Page 20
20 VMware, Inc.
Page 21
Installing and Upgrading
Orchestrator 4
Orchestrator consists of a server component and a client component.
The Orchestrator installable client can run on 64-bit Windows, Linux, and Mac machines.
To use Orchestrator, you must start the Orchestrator Server service and then start the Orchestrator client.
You can change the default Orchestrator configuration settings by using the Orchestrator Control Center.
This chapter includes the following topics:
“Install the Client Integration Plug-In,” on page 21
n
“Download and Deploy the Orchestrator Appliance,” on page 22
n
“Upgrade Orchestrator Appliance 5.5.x and Later to 7.0,” on page 25
n
“Upgrade an Orchestrator Cluster,” on page 26
n

Install the Client Integration Plug-In

The Client Integration Plug-in provides access to a virtual machine's console in the vSphere Web Client, and provides access to other vSphere infrastructure features. The Client Integration Plug-in also lets you log in to the vSphere Web Client by using Windows session credentials.
VMware, Inc.
You use the Client Integration Plug-in to deploy OVF or OVA templates and transfer files with the datastore browser. You can also use the Client Integration Plug-in to connect virtual devices that reside on a client computer to a virtual machine.
Install the Client Integration Plug-in only once to enable all the functionality the plug-in delivers. You must close the Web browser before installing the plug-in.
If you install the Client Integration Plug-in from an Internet Explorer browser, you must first disable Protected Mode and enable pop-up windows on your Web browser. Internet Explorer identifies the Client Integration Plug-in as being on the Internet instead of on the local intranet. In such cases, the plug-in is not installed correctly because Protected Mode is enabled for the Internet.
For information about supported browsers and operating systems, see the vSphere Installation and Setup documentation.
Watch the video "Installing the Client Integration Plug-In" for information about the Client Integration Plug­In:
Installing the Client Integration Plug-In (http://link.brightcove.com/services/player/bcpid2296383276001?bctid=ref:video_client_plug_in)
Prerequisites
If you use Microsoft Internet Explorer, disable Protected Mode.
21
Page 22
Procedure
1 In the vSphere Web Client, navigate to a link to download the Client Integration Plug-in.
Option Description
vSphere Web Client login page
OVF deployment wizard
a Open a Web browser and type the URL for the vSphere Web Client.
b At the bottom of the vSphere Web Client login page, click Download
Client Integration Plug-in.
NOTE If the Client Integration Plug-In is already installed on your
system, you will not see the link to download the plug-in. If you uninstall the Client Integration Plug-In, the link to download it will display on the vSphere Web Client login page.
a Select a host in the inventory and select Actions > All vCenter Actions
> Deploy OVF Template.
b Click Download Client Integration Plug-in.
2 If the browser blocks the installation either by issuing certificate errors or by running a pop-up blocker,
follow the Help instructions for your browser to resolve the problem.

Download and Deploy the Orchestrator Appliance

Download and deploy the Orchestrator Appliance.
Prerequisites
Verify that your computing environment meets the following conditions:
vCenter Server is installed and running.
n
The host on which you are deploying the appliance has enough free disk space.
n
The Client Integration plug-in is installed before you deploy an OVF template. This plug-in enables
n
OVF deployment on your local file system.
If your system is isolated and without Internet access, you must download either the .vmdk and .ovf files, or the .ova file for the appliance from the VMware Web site, and save the files in the same folder.
Procedure
1 Log in to the vSphere Web Client as an administrator.
2 In the vSphere Web Client, select an inventory object that is a valid parent object of a virtual machine,
such as a datacenter, folder, cluster, resource pool, or host.
3 Select Actions > Deploy OVF Template.
4 Type the path or the URL to the .ovf or .ova file and click Next.
5 Review the OVF details and click Next.
6 Accept the terms in the license agreement and click Next.
7 Type a name and location for the deployed appliance, and click Next.
8 Select a host, cluster, resource pool, or vApp as a destination on which you want the appliance to run,
and click Next.
22 VMware, Inc.
Page 23
Chapter 4 Installing and Upgrading Orchestrator
9 Select a format in which you want to save the appliance's virtual disk and the storage.
Format Description
Thick provisioned Lazy Zeroed
Thick Provisioned Eager Zeroed
Thin provisioned format
Creates a virtual disk in a default thick format. The space required for the virtual disk is allocated when the virtual disk is created. If any data remains on the physical device, it is not erased during creation, but is zeroed out on demand later on first write from the virtual machine.
Supports clustering features such as Fault Tolerance. The space required for the virtual disk is allocated when the virtual disk is created. If any data remains on the physical device, it is zeroed out when the virtual disk is created. It might take much longer to create disks in this format than to create disks in other formats.
Saves storage space. For the thin disk, you provision as much datastore space as the disk requires based on the value that you select for the disk size. The thin disk starts small and at first, uses only as much datastore space as the disk needs for its initial operations.
10 (Optional) Configure the network settings, and click Next.
By default the Orchestrator Appliance uses DHCP. You can also change this setting manually and assign a fixed IP address from the appliance Web console.
11 Review the properties of the appliance and set initial passwords for the root user account.
Your initial passwords must be at least eight characters long, and must contain at least one digit, special character, and uppercase letter.
IMPORTANT The password for the root account of the Orchestrator Appliance expires after 365 days. You can increase the expiry time for an account by logging in to the Orchestrator Appliance as root, and running passwd -x number_of_days name_of_account. If you want to increase the Orchestrator Appliance root password to infinity, run passwd -x 99999 root.
12 Review the Ready to Complete page and click Finish.
The Orchestrator Appliance is successfully deployed.

Power On the Orchestrator Appliance and Open the Home Page

To use the Orchestrator Appliance, you must first power it on and get an IP address for the virtual appliance.
Procedure
1 Log in to the vSphere Web Client as an administrator.
2 Right-click the Orchestrator Appliance and select Power > Power On.
3 On the Summary tab, view the Orchestrator Appliance IP address.
4 In a Web browser, go to the IP address of your Orchestrator Appliance virtual machine.
http://orchestrator_appliance_ip

Change the Root Password

For security reasons, you can change the root password of the Orchestrator Appliance.
IMPORTANT The password for the root account of the Orchestrator Appliance expires after 365 days. You can increase the expiry time for an account by logging in to the Orchestrator Appliance as root, and running
passwd -x number_of_days name_of_account. If you want to increase the Orchestrator Appliance root
password to infinity, run the passwd -x 99999 root command.
VMware, Inc. 23
Page 24
Prerequisites
Download and deploy the Orchestrator Appliance.
n
Verify that the appliance is up and running.
n
Procedure
1 In a Web browser, go to https://orchestrator_appliance_ip:5480.
2 Type the appliance user name and password.
3 Click the Admin tab.
4 In the Current administrator password text box, type the current root password.
5 Type the new password in the New administrator password and Retype new administrator password
text boxes.
6 Click Change password.
You successfully changed the password of the root Linux user of the Orchestrator Appliance.

Enable or Disable SSH Administrator Login on the vRealize Orchestrator Appliance

You can enable or disable the ability to log in as root to the Orchestrator Appliance using SSH.
Prerequisites
Download and deploy the Orchestrator Appliance.
n
Verify that the appliance is up and running.
n
Procedure
1 In a Web browser, go to https://orchestrator_appliance_ip:5480.
2 Log in as root.
3 On the Admin tab, select SSH service enabled to enable the Orchestrator SSH service.
4 (Optional) Click Administrator SSH login enabled to allow log in as root to the Orchestrator Appliance
using SSH.
5 Click Save Settings.
SSH Status appears as Running.

Configure Network Settings for the Orchestrator Appliance

Configure network settings for the Orchestrator Appliance to assign a static IP address and define the proxy settings.
Prerequisites
Download and deploy the Orchestrator Appliance.
n
Verify that the appliance is up and running.
n
Procedure
1 In a Web browser, go to https://orchestrator_appliance_ip:5480.
2 Log in as root.
3 On the Network tab, click Address.
24 VMware, Inc.
Page 25
Chapter 4 Installing and Upgrading Orchestrator
4 Select the method by which the appliance obtains IP address settings.
Option Description
DHCP
Static
Obtains IP settings from a DHCP server. This is the default setting.
Uses static IP settings. Type the IP address, netmask, and gateway.
Depending on your network settings, you might have to select IPv4 and IPv6 address types.
5 (Optional) Type the necessary network configuration information.
6 Click Save Settings.
7 (Optional) Set the proxy settings and click Save Settings.

Upgrade Orchestrator Appliance 5.5.x and Later to 7.0

You can upgrade Orchestrator Appliance 5.5.x and later to 7.0 with packages that VMware publishes. You must perform the upgrade through the Orchestrator Appliance configuration portal.
You can upgrade your existing Orchestrator Appliance 5.5.x and later to 7.0 by using the Orchestrator Appliance configuration portal on port 5480. After you upgrade the Orchestrator Appliance, your plug-in settings are preserved.
Prerequisites
Unmount all network file systems.
Procedure
1 Access the VMware vRealize Orchestrator Appliance configuration portal at https://orchestrator_server:
5480/ and log in as an administrator.
2 On the Update tab, click Check Updates.
The system checks for available updates.
3 If any updates are available, click Install Updates.
To proceed with the upgrade, you must accept the VMware End User License Agreement.
4 To complete the update, restart the Orchestrator Appliance.
5 (Optional) On the Update tab, verify that the latest version of the Orchestrator Appliance is successfully
installed.
6 Restart the Orchestrator Appliance.
You have successfully upgraded the Orchestrator Appliance to 7.0.
What to do next
Verify that Orchestrator is configured properly at the Validate Configuration page in Control Center.
Verify that the Orchestrator Appliance vco user account has sufficient permissions for all custom files and folders.
Import the SSL certificates for each vCenter Server instance that you defined. See “Import a Self-Signed
Certificate to the Orchestrator Trust Store,” on page 41.
VMware, Inc. 25
Page 26

Upgrade an Orchestrator Cluster

In the cluster, multiple Orchestrator server instances work together. If you have already set up a cluster of Orchestrator server instances, you can upgrade the cluster to the latest Orchestrator version by upgrading its nodes.
Procedure
1 Power off all Orchestrator servers in the cluster.
2 Upgrade one of the Orchestrator server instances in the cluster.
3 Start the configuration service of the Orchestrator server you upgraded and log in to Control Center as
root.
4 Click Orchestrator Node Settings.
5 Enter values for the settings and click Save.
Option Description
Number of active nodes
Heartbeat interval (in seconds)
Number of failover heartbeats
6 Upgrade all other Orchestrator server instances in the cluster.
The maximum number of active Orchestrator server instances in the cluster.
Active nodes are the Orchestrator server instances that run workflows and respond to client requests. If an active Orchestrator node stops responding, it is replaced by one of the inactive Orchestrator server instances.
The default number of active Orchestrator nodes in a cluster is one.
The time interval, in seconds, between two network heartbeats that an Orchestrator node sends to show that it is running.
The default value is 30 seconds.
The number of heartbeats that can be missed before an Orchestrator node is considered failed.
The default value is 5 heartbeats.
7 Start all the Orchestrator nodes in the cluster.
26 VMware, Inc.
Page 27
Configuring vRealize Orchestrator in
the Orchestrator Appliance 5
Although the Orchestrator Appliance is a preconfigured Linux-based virtual machine, you must configure the default vCenter Server plug-in as well as the other default Orchestrator plug-ins. In addition, you might also want to change the Orchestrator settings.
If you want to use the Orchestrator Appliance in a medium or large-scale environment, change the authentication provider to ensure optimal performance.
NOTE LDAP authentication is deprecated.
The Orchestrator Appliance contains a preconfigured PostgreSQL database and an in-process ApacheDS LDAP server. The PostgreSQL database and ApacheDS LDAP server are accessible only locally from the virtual appliance Linux console.
Preconfigured Software Default User Group, if any, and User Password
Embedded PostgreSQL User: vmware vmware
In-Process ApacheDS LDAP User group: admins
User: vcoadmin
By default the admin user is set up as an Orchestrator administrator.
In-Process ApacheDS LDAP User group: users
User: vcouser
vcoadmin
vcouser
VMware, Inc.
Embedded PostgreSQL is suitable for small-scale and medium-scale production environments. In-Process ApacheDS LDAP is suitable for testing purposes only. To use the Orchestrator appliance in a large-scale production environment, replace the embedded PostgreSQL with an external database instance and in­process ApacheDS LDAP with a directory service with external support or with vRealize Automation authentication. For more information about setting up an external database, see “Configuring the
Orchestrator Database Connection,” on page 37. For information about setting up an external directory
service or vRealize Automation authentication, see “Selecting the Authentication Type,” on page 29.
Additionally, you can configure the Orchestrator server to work with vCenter Single Sign-On that is integrated in the vCenter Server Appliance.
This chapter includes the following topics:
“Log In to Control Center,” on page 28
n
“Orchestrator Network Ports,” on page 28
n
“Selecting the Authentication Type,” on page 29
n
“Configuring the Orchestrator Database Connection,” on page 37
n
“Manage Certificates,” on page 40
n
27
Page 28
“Configure the Orchestrator Plug-Ins,” on page 43
n
“Start the Orchestrator Server,” on page 44
n
“Orchestrator Availability and Scalability,” on page 45
n
“Configuring the Customer Experience Improvement Program,” on page 50
n

Log In to Control Center

To start the configuration process, you must access the Control Center.
Procedure
1 Access Control Center by going to https://your_orchestrator_server_IP_or_DNS_name:8281 in a Web
browser and clicking Orchestrator Control Center or navigating directly to https://your_orchestrator_server_IP_or_DNS_name:8283/vco-controlcenter.
2 Log in with the default user name and the password that you initially set up.
User name: root
n
You cannot change the default user name.
Password: your_password
n
IMPORTANT The password for the root account of the Orchestrator Appliance expires after 365 days. You can increase the expiry time for an account by logging in to the Orchestrator Appliance as root, and running passwd -x number_of_days name_of_account. If you want to increase the Orchestrator Appliance root password to infinity, run passwd -x 99999 root.
You successfully logged in to Control Center.

Orchestrator Network Ports

Orchestrator uses specific ports that allow communication with the other systems. The ports are set with a default value that cannot be changed.
Default Configuration Ports
To provide the Orchestrator service, you must set default ports and configure your firewall to allow incoming TCP connections.
NOTE Other ports might be required if you are using custom plug-ins.
Table 51. VMware vRealize Orchestrator Default Configuration Ports
Port Number Protocol Source Target Description
HTTP server port
HTTPS server port
Web configuration HTTPS access port
8280 TCP End-user
8281 TCP End-user
8283 TCP End-user
Web browser
Web browser
Web browser
Orchestrator server
Orchestrator server
Orchestrator configuratio n
The requests sent to Orchestrator default HTTP Web port 8280 are redirected to the default HTTPS Web port 8281.
The access port for the Web Orchestrator home page.
The SSL access port for the Web UI of Orchestrator configuration.
28 VMware, Inc.
Page 29
Chapter 5 Configuring vRealize Orchestrator in the Orchestrator Appliance
External Communication Ports
You must configure your firewall to allow outgoing connections so that Orchestrator can communicate with external services.
Table 52. VMware vRealize Orchestrator External Communication Ports
Port Number Protocol Source Target Description
LDAP 389 TCP Orchestrator
server
LDAP using SSL
LDAP using Global Catalog
vCenter Single Sign-On server
SQL Server 1433 TCP Orchestrator
PostgreSQL 5432 TCP Orchestrator
Oracle 1521 TCP Orchestrator
SMTP Server port
vCenter Server API port
636 TCP Orchestrator
server
3268 TCP Orchestrator
server
7444 TCP Orchestrator
server
server
server
server
25 TCP Orchestrator
server
443 TCP Orchestrator
server
LDAP server The lookup port of your LDAP Authentication
server.
NOTE LDAP authentication is deprecated.
LDAP server The lookup port of your secure LDAP
Authentication server.
Global Catalog server
vCenter Single Sign-On server
Microsoft SQL Server
PostgreSQL Server
Oracle DB Server
SMTP Server The port used for email notifications.
vCenter Server The vCenter Server API communication port used
The port to which Microsoft Global Catalog server queries are directed.
The port used to communicate with the vCenter Single Sign-On server.
The port used to communicate with the Microsoft SQL Server instances that are configured as the Orchestrator database.
The port used to communicate with the PostgreSQL Server that is configured as the Orchestrator database.
The port used to communicate with the Oracle Database Server that is configured as the Orchestrator database.
by Orchestrator to obtain virtual infrastructure and virtual machine information from the orchestrated vCenter Server instances.

Selecting the Authentication Type

To work properly and manage user permissions, Orchestrator requires a method of authentication.
Orchestrator supports the following types of authentication.
LDAP authentication
vRealize Automation authentication
vSphere authentication
vCenter Single Sign-On authentication (legacy)
VMware, Inc. 29
Orchestrator connects to a working LDAP server.
NOTE LDAP authentication is deprecated.
Orchestrator is authenticated through the vRealize Automation component registry.
Orchestrator is authenticated through Platform Services Controller.
Orchestrator is authenticated through vCenter Single Sign-On.
Page 30
When you download and deploy the Orchestrator Appliance, the Orchestrator server is preconfigured to work with the in-process ApacheDS LDAP directory service that is embedded in the appliance.
IMPORTANT If you want to use Orchestrator through the vSphere Web Client for managing vSphere inventory objects, you must configure Orchestrator to work with the same vCenter Single Sign-On instance to which both vCenter Server and vSphere Web Client are pointing.

Configuring LDAP Settings

You can configure Orchestrator to connect to a working LDAP server on your infrastructure to manage user permissions.
NOTE LDAP authentication is deprecated.
If you are using secure LDAP over SSL, Windows Server 2008 or 2012, and AD, verify that the LDAP Server
Signing Requirements group policy is disabled on the LDAP server.
IMPORTANT Multiple domains that are not in the same tree, but have a two-way trust, are not supported and
do not work with Orchestrator. The only configuration supported for multi-domain Active Directory is domain tree. Forest and external trusts are not supported.
1 Import the LDAP Server SSL Certificate on page 30
If your LDAP server uses SSL, you can import the SSL certificate file to Control Center and enable secure connection between Orchestrator and LDAP.
2 Generate the LDAP Connection URL on page 31
The LDAP service provider uses a URL to configure the connection to the directory server. To generate the LDAP connection URL, you must specify the LDAP host, port, and root.
3 Specify the Browsing Credentials on page 32
Orchestrator must read your LDAP structure to inherit its properties. You can specify the credentials that Orchestrator uses to connect to an LDAP server.
4 Define the LDAP User and Group Lookup Paths on page 33
You can define the users and groups lookup information.
5 Define the LDAP Search Options on page 34
You can customize the LDAP search queries and make searching in LDAP more effective.
6 Common Active Directory LDAP Errors on page 34
When you encounter the LDAP:error code 49 error message and experience problems connecting to your LDAP authentication server, you can check which LDAP function is causing the problem.
Import the LDAP Server SSL Certificate
If your LDAP server uses SSL, you can import the SSL certificate file to Control Center and enable secure connection between Orchestrator and LDAP.
You can import the LDAP SSL certificate from the Certificates page in Control Center.
Prerequisites
If you are using LDAP servers, Windows Server 2008, Windows Server 2012, and Active Directory,
n
verify that the LDAP Server Signing Requirements group policy is disabled on the LDAP server.
Obtain a self-signed server certificate or a certificate that is signed by a Certificate Authority.
n
Configure your LDAP server for SSL access. See the documentation of your LDAP server for
n
instructions.
30 VMware, Inc.
Page 31
Chapter 5 Configuring vRealize Orchestrator in the Orchestrator Appliance
Explicitly specify the trusted certificate to perform the SSL authorization correctly.
n
Procedure
1 Log in to Control Center as root.
2 Click Certificates.
3 On the Trusted Certificates tab, click Import.
4 Load the LDAP SSL certificate from a URL or a file.
Option Action
Import from URL or proxy URL
Import from file
Type the URL of the LDAP server:
https://your_LDAP_server_IP_address or your_LDAP_server_IP_address:port
Obtain the LDAP SSL certificate file and browse to import it.
5 Click Import.
A message confirming that the import is successful appears.
The imported certificate appears in the Trusted SSL certificates list. The secure connection between Orchestrator and your LDAP server is activated.
What to do next
When you generate the LDAP connection URL, you should enable SSL on the Configure Authentication Provider page in Control Center.
Generate the LDAP Connection URL
The LDAP service provider uses a URL to configure the connection to the directory server. To generate the LDAP connection URL, you must specify the LDAP host, port, and root.
The supported directory service types are Active Directory, OpenLDAP, eDirectory, and Sun Java System Directory Server.
Procedure
1 Log in to Control Center as root.
2 Click Configure Authentication Provider.
3 Select LDAP Authentication from the Authentication mode drop-down menu.
4 From the LDAP client drop-down menu, select the type of directory server that you are using as the
LDAP server.
NOTE If you change the LDAP server or type after you assign permissions to Orchestrator objects, such as access rights on workflows or actions, you must reset these permissions.
If you change the LDAP settings after you configure custom applications that capture and store user information, the LDAP authentication records in the database become invalid when used on the new LDAP database.
5 In the Primary LDAP host text box, enter the IP address or the DNS name of the host on which your
primary LDAP service runs.
This is the first host on which the Control Center verifies user credentials.
VMware, Inc. 31
Page 32
6 (Optional) In the Secondary LDAP host text box, type the IP address or the DNS name of the host on
which your secondary LDAP service runs.
If the primary LDAP host becomes unavailable, Orchestrator verifies user credentials on the secondary host.
7 In the Port text box, enter the value of the lookup port of your LDAP server.
NOTE Orchestrator supports the Active Directory hierarchical domain structure. If your domain controller is configured to use Global Catalog, you must use port 3268. You cannot use the default port 389 to connect to the Global Catalog server .
8 In the Root text box, enter the root element of your LDAP service.
If your domain name is company.org, your root LDAP is dc=company,dc=org.
This is the node used for browsing your service directory after typing the appropriate credentials. For large service directories, specifying a node in the tree narrows the search and improves performance. For example, rather than searching in the entire directory, you can specify
ou=employees,dc=company,dc=org. This displays all the users in the Employees group.
9 (Optional) Select Use SSL to activate encrypted certification for the connection between Orchestrator
and LDAP.
If your LDAP uses SSL, you must first import the SSL certificate and restart the Orchestrator Configuration service. See “Import the LDAP Server SSL Certificate,” on page 30.
Example: Values and Resulting LDAP Connection URL Addresses
Examples of the values that you enter in the required fields and the resulting LDAP connection URL.
LDAP host: DomainController
n
Port: 389
n
Root: ou=employees,dc=company,dc=org
n
Connection URL: ldap://DomainController:389/ou=employees,dc=company,dc=org
What to do next
Assign credentials to Orchestrator to ensure its access to the LDAP server. See “Specify the Browsing
Credentials,” on page 32.
Specify the Browsing Credentials
Orchestrator must read your LDAP structure to inherit its properties. You can specify the credentials that Orchestrator uses to connect to an LDAP server.
Prerequisites
Ensure that you have a working LDAP service in your infrastructure and that you have generated the LDAP connection URL.
Procedure
1 Log in to Control Center as root.
2 Click Configure Authentication Provider.
3 Select LDAP Authentication from the Authentication mode drop-down menu.
4 Specify the primary and secondary LDAP hosts, the lookup port of the LDAP server, and the root
element.
32 VMware, Inc.
Page 33
Chapter 5 Configuring vRealize Orchestrator in the Orchestrator Appliance
5 Enter a valid user name (LDAP string) with browsing permissions on your LDAP server in the User
name text box.
The possible formats in which you can specify the user name in Active Directory are the following:
Bare user name format, for example user.
n
Distinguished name format: cn=user,ou=employees,dc=company,dc=org.
n
Use this format with Sun and eDirectory. Do not use spaces between the comma and the next identifier.
Principal name format: user@company.org.
n
6 In the Password text box, type the password for the user name you entered in Step 5.
Orchestrator successfully connects to the LDAP server using valid credentials.
What to do next
Define the LDAP containers for Orchestrator to look up users and groups.
Define the LDAP User and Group Lookup Paths
You can define the users and groups lookup information.
Two global roles are identified in Orchestrator: Developers and Administrators. The users in the Developers role have editing privileges on all elements. The users in the Administrators role have unrestricted privileges. Administrators can manage permissions, or discharge administration duties on a selected set of elements to any other group or user. These two groups must be contained in the Group lookup base.
Prerequisites
You must have a working LDAP service on your infrastructure.
Procedure
1 Log in to Control Center as root.
2 Click Configure Authentication Provider.
3 Select LDAP Authentication from the Authentication mode drop-down menu.
4 Specify the primary and secondary LDAP hosts, the lookup port of the LDAP server, the root element,
and the browsing credentials.
5 Define the User lookup base.
This is the LDAP container (the top-level domain name or organizational unit) where Orchestrator searches for potential users.
6 Define the Group lookup base.
This is the LDAP container where Orchestrator looks up groups.
7 Define the Admin group.
This must be an LDAP group (like Domain Users) to which you grant administrative privileges for Orchestrator.
IMPORTANT In eDirectory installations, only the eDirectory administrator can see users or user groups that have administration rights. If you are using an eDirectory LDAP server, and you log in to Orchestrator as a member of the vRO Admin group but you are not the eDirectory administrator, you can create users or user groups with administration rights, but you cannot see those users. This problem does not apply to other LDAP servers.
VMware, Inc. 33
Page 34
8 Click the Test Login tab and type credentials for a user to test whether they can access the Orchestrator
smart client.
After a successful login, the system checks if the user is part of the Orchestrator Administrator group.
What to do next
Define the LDAP search options and apply your changes.
Define the LDAP Search Options
You can customize the LDAP search queries and make searching in LDAP more effective.
Procedure
1 Log in to Control Center as root.
2 Click Configure Authentication Provider.
3 Select LDAP Authentication from the Authentication mode drop-down menu.
4 In the Request timeout text box, type a value in milliseconds.
This value determines the period during which the Orchestrator server sends a query to the service directory, the directory searches, and sends a reply. If the timeout period elapses, modify this value to check whether the timeout occurs in the Orchestrator server.
5 (Optional) For all links to be followed before the search operation is performed, select the Dereference
links check box.
Sun Java System Directory Server does not support reference links. If you are using it, you must select the Dereference links check box.
6 (Optional) To filter the attributes that the search returns, select the Filter attributes check box.
Selecting this check box makes searching in LDAP faster. However, you might need to use some extra LDAP attributes for automation later.
7 In the Host reachable timeout text box, type a value in milliseconds.
This value determines the timeout period for the test checking the status of the destination host.
8 Click Save Changes.
What to do next
Configure the database. For more information, see “Configuring the Orchestrator Database Connection,” on page 37.
Common Active Directory LDAP Errors
When you encounter the LDAP:error code 49 error message and experience problems connecting to your LDAP authentication server, you can check which LDAP function is causing the problem.
Table 53. Common Active Directory Authentication Errors
Error Description
525 The user is not found.
52e The user credentials are not valid.
530 The user is not allowed to log in at this time.
531 The user is not allowed to log in to this workstation.
532 The password has expired.
533 This user account has been disabled.
34 VMware, Inc.
Page 35
Chapter 5 Configuring vRealize Orchestrator in the Orchestrator Appliance
Table 53. Common Active Directory Authentication Errors (Continued)
Error Description
701 This user account has expired.
773 The user must reset their password.
775 The user account has been locked.

Configuring vRealize Automation Authentication

You can configure Orchestrator to authenticate through the vRealize Automation component registry.
Prerequisites
Install and configure vRealize Automation and verify that your vRealize Automation server is running.
Procedure
1 Log in to Control Center as root.
2 Click Configure Authentication Provider.
3 Select vRealize Automation from the Authentication mode drop-down menu.
4 In the Host address text box, enter your vRealize Automation host address and click Connect.
5 Click Accept Certificate.
6 In the User name and Password text boxes, type the credentials of the vRealize automation
administrator account.
The account is temporarily used only for registering or removing Orchestrator as a solution.
7 (Optional) Select the Configure licenses check box.
8 Click Register.
9 Click Save Changes.
A message indicates that you saved successfully.
What to do next
Restart the Orchestrator server for the changes to take effect from the Startup Options page in Control Center.

Configuring vCenter Single Sign-On Settings

VMware vCenter Single Sign-On is an authentication service that implements the brokered authentication architectural pattern. You can configure Orchestrator to connect to a vCenter Single Sign-On server.
The vCenter Single Sign-On server provides an authentication interface called Security Token Service (STS). Clients send authentication messages to the STS, which checks the user's credentials against one of the identity sources. Upon successful authentication, STS generates a token.
The vCenter Single Sign-On administrative interface is part of the vSphere Web Client. To configure vCenter Single Sign-On and manage vCenter Single Sign-On users and groups, you log in to the vSphere Web Client as a user with vCenter Single Sign-On administrator privileges. This might not be the same user as the vCenter Server administrator. You must provide the credentials on the vSphere Web Client login page, and upon authentication, you can access the vCenter Single Sign-On administration tool to create users and assign administrative permissions to other users.
VMware, Inc. 35
Page 36
Using the vSphere Web Client, you authenticate to vCenter Single Sign-On by providing your credentials on the vSphere Web Client login page. You can then view all of the vCenter Server instances for which you have permissions. After you connect to vCenter Server, no further authentication is required. The actions that you can perform on objects depend on the user's vCenter Server permissions on those objects.
For more information about vCenter Single Sign-On, see vSphere Security.
After you configure Orchestrator to authenticate through vCenter Single Sign-On, make sure that you configure it to work with the vCenter Server instances registered with the vSphere Web Client using the same vCenter Single Sign-On instance.
When you log in to the vSphere Web Client, the Orchestrator Web plug-in communicates with the Orchestrator server on behalf of the user profile you used to log in.
Configure Authentication Through vSphere Platform Services Controller
You register the Orchestrator server with a vCenter Single Sign-On server by using the vSphere authentication mode in Control Center. Use vCenter Single Sign-On authentication with vCenter Server 6.0 and later.
Prerequisites
Install and configure VMware vCenter Single Sign-On and verify that your vCenter Single Sign-On server is running.
IMPORTANT Ensure that the clocks of the Orchestrator server and the vCenter Server Appliance are synchronized. Otherwise you might receive cryptic vCenter Single Sign-On errors.
Procedure
1 Log in to Control Center as root.
2 Click Configure Authentication Provider.
3 Select vSphere from the Authentication mode drop-down menu.
4 In the Host address text box, enter your Platform Services Controller host address and click Connect.
5 Click Accept Certificate.
6 In the User name and Password text boxes, type the credentials of the vCenter Single Sign-On
administrator account.
The account is temporarily used only for registering or removing Orchestrator as a solution.
7 (Optional) Select the Configure licenses check box.
8 Click Register.
9 Click Save Changes.
A message indicates that you saved successfully.
You successfully registered Orchestrator with vCenter Single Sign-On.
36 VMware, Inc.
Page 37
Chapter 5 Configuring vRealize Orchestrator in the Orchestrator Appliance
Register Orchestrator as a vCenter Single Sign-On (Legacy) Solution
You register the Orchestrator server with a vCenter Single Sign-On server by using the Single Sign-On legacy authentication mode in Control Center. Use Single Sign-On legacy authentication only with versions of vCenter Server between 5.5 U2 and 6.0.
Prerequisites
Install and configure VMware vCenter Single Sign-On and verify that your vCenter Single Sign-On server is running.
IMPORTANT Ensure that the clocks of the Orchestrator server and the vCenter Server Appliance are synchronized. Otherwise you might receive cryptic vCenter Single Sign-On errors.
Procedure
1 Log in to Control Center as root.
2 Click Configure Authentication Provider.
3 Select SSO (legacy) from the Authentication mode drop-down menu.
4 In the Admin URL text box, type the URL for the vCenter Single Sign-On administration service
interface.
https://your_vcenter_single_sign_on_server:443/sso-adminserver/sdk/vsphere.local
5 In the STS URL text box, type the URL for the vCenter Single Sign-On token service interface.
https://your_vcenter_single_sign_on_server:443/ims/STSService/vsphere.local
6 Click Connect.
7 Click Accept Certificate.
8 In the User name and Password text boxes, type the credentials of the vCenter Single Sign-On admin.
The account is temporarily used only for registering or removing Orchestrator as a solution.
9 (Optional) Select the Configure licenses check box.
10 Click Register.
You successfully registered Orchestrator with vCenter Single Sign-On.

Configuring the Orchestrator Database Connection

The Orchestrator server requires a database for storing data.
When you download and deploy the Orchestrator Appliance, the Orchestrator server is preconfigured to work with the PostgreSQL database embedded in the appliance.
The embedded in Orchestrator PostgreSQL database is suitable only for small-scale, medium-scale, and testing environments.
For better performance in a production environment, install a relational database management system (RDBMS) and create a new database for Orchestrator. For more information about creating a new database for Orchestrator, see “Setting Up the Orchestrator Database,” on page 18. If you decide to use a separate database, configure the database for remote connection.
VMware, Inc. 37
Page 38

Import the Database SSL Certificate

If your database uses SSL, you must import the SSL certificate to Control Center and establish a secure connection between Orchestrator and the database.
Prerequisites
Configure your database for SSL access. See your database documentation for instructions.
n
Obtain a self-signed server certificate or a certificate that is signed by a Certificate Authority.
n
Explicitly specify the trusted certificate to perform the SSL authorization correctly.
n
Procedure
1 Log in to Control Center as root.
2 Click Certificates.
3 On the Trusted Certificates tab, click Import.
4 Load the database SSL certificate from a URL or a file.
Option Action
Import from URL or proxy URL
Import from file
Enter the URL of the database server:
https://your_database_server_IP_address or your_database_server_IP_address:port
Obtain the database SSL certificate file and browse to import it.
The imported certificate appears in the Trusted SSL certificates list. The secure connection between Orchestrator and your database is activated.
What to do next
When you configure the database connection, you must enable SSL on the Configure Database page in Control Center.

Configure the Database Connection

To establish a connection to the Orchestrator database, you must set the database connection parameters.
Prerequisites
Set up a new database to use with the Orchestrator server. See “Setting Up the Orchestrator Database,”
n
on page 18.
If you are using an SQL Server database configured to use dynamic ports, verify that the SQL Server
n
Browser service is running.
To prevent transactional deadlocks when using Microsoft SQL Server database, you must enable the
n
ALLOW_SNAPSHOT_ISOLATION and READ_COMMITTED_SNAPSHOT database options.
To avoid an ORA-01450 error when using the Oracle database, verify that you have configured the size of
n
the database block properly. The minimum allowed size depends on the size of the block your Oracle database index is using.
To store characters in the correct format in an Oracle database, set the NLS_CHARACTER_SET parameter to
n
AL32UTF8 before configuring the database connection and building the table structure for Orchestrator.
This setting is crucial for an internationalized environment.
38 VMware, Inc.
Page 39
Chapter 5 Configuring vRealize Orchestrator in the Orchestrator Appliance
To configure Orchestrator to communicate with the database over a secure connection, make sure that
n
you import the database SSL certificate. For more information, see “Import the Database SSL
Certificate,” on page 38.
Procedure
1 Log in to Control Center as root.
2 Click Configure Database.
3 From the Database type drop-down menu, select the type of database that you want Orchestrator
server to use.
Option Description
Oracle
SQL Server
PostgreSQL
In-Process DerbyDB
Configures Orchestrator to work with an Oracle database instance.
Configures Orchestrator to work with a Microsoft SQL Server database instance.
Configures Orchestrator to work with a PostgreSQL database instance.
Configures Orchestrator to work with the in-process DerbyDB database.
4 Enter the database connection parameters and click Save changes.
Option Description
Server address
Port
Use SSL
Database name
User name
Password
Instance name (if any)
Domain
Use Windows authentication mode (NTLMv2)
The database server IP address or DNS name.
This option is applicable for all databases.
The database server port is used for communication with your database.
This option is applicable for all databases.
Select Use SSL to use an SSL connection to the database. To use this option, you must make sure that you import the database SSL certificate into Orchestrator.
This option is applicable for all databases.
The full unique name of your database. The database name is specified in the SERVICE_NAMES parameter in the initialization parameter file.
This option is valid only for SQL Server, and PostgreSQL databases.
The user name that Orchestrator uses to connect to and operate the selected database. The name you select must be a valid user on the target database with db_owner rights.
This option is applicable for all databases.
The password for the user name.
This option is applicable for all databases.
The name of the database instance that can be identified by the INSTANCE_NAME parameter in the database initialization parameter file.
This option is valid only for SQL Server and Oracle databases.
To use Windows authentication, enter the domain name of the SQL Server machine, for example company.org.
To use SQL authentication, leave this text box blank.
This option is valid only for SQL Server and specifies whether you want to use Windows or SQL Server authentication.
Select to send NTLMv2 responses when using Windows authentication.
This option is valid only for SQL Server.
If the specified parameters are correct, a message states that the connection to the database is successful.
NOTE Although Orchestrator has established a connection to the database, the database configuration is not complete. You must build or update the database table structure.
VMware, Inc. 39
Page 40
5 (Optional) Build or update the table structure for Orchestrator.
Option Description
Create the database tables
Update the database
After the database is populated, you can reset the database access rights to db_dataread and db_datawrite.
6 Click Save changes.
The database connection is successfully configured.

Export the Orchestrator Database

Create an archive with a full backup of the server database. The database can only be exported if it is PostgreSQL and running on Linux.
Procedure
1 Log in to Control Center as root.
2 Click Export Database.
Builds a new table structure for the Orchestrator database.
Uses the database from your previous Orchestrator installation and updates the table structure.
3 Select whether to export workflow tokens and log events with the database.
4 Click Export Database
Control Center creates a vco-db-dump-databaseName@hostname.gz file on the machine that you installed the Orchestrator server on. You can use this file to clone and to restore the system.

Import an Orchestrator Database

You can import a previously exported database after you reinstall Orchestrator or if a system failure occurs.
Procedure
1 Log in to Control Center as root.
2 Click Import Database.
3 Browse to and select the .gz file you exported from your previous installation.
4 Click Import Database
A message states that the database is successfully imported. The new system acquires the database of the old system.

Manage Certificates

Certificates are a form of digital identification that is used to guarantee encrypted communication and a signature for your Orchestrator packages.
Issued for a particular server and containing information about the server’s public key, the certificate allows you to sign all elements created in Orchestrator and guarantee authenticity. When the client receives an element from your server, typically a package, the client verifies your identity and decides whether to trust your signature.
IMPORTANT You cannot change the server certificate if Orchestrator uses the in-process Apache Derby database.
40 VMware, Inc.
Page 41
Chapter 5 Configuring vRealize Orchestrator in the Orchestrator Appliance
Import a Self-Signed Certificate to the Orchestrator Trust Store on page 41
n
Control Center uses a secure connection to communicate with vCenter Server, relational database management system (RDBMS), LDAP, Single Sign-On, and other servers. You can import the required SSL certificate from a URL or a file.
Generate a Self-Signed Server Certificate on page 42
n
Deploying the Orchestrator Appliance requires that you create a certificate. You can create a self­signed certificate to guarantee encrypted communication and a signature for your packages. However, the recipient cannot be sure that the self-signed package that you are sending is in fact a package issued by your server and not a third party claiming to be you.
Import an Orchestrator Server SSL Certificate on page 42
n
You can import a certificate from a Certificate Authority.
Package Signing Certificate on page 43
n
Packages exported from an Orchestrator server are digitally signed. Import, export, or generate a new certificate to be used for signing packages.

Import a Self-Signed Certificate to the Orchestrator Trust Store

Control Center uses a secure connection to communicate with vCenter Server, relational database management system (RDBMS), LDAP, Single Sign-On, and other servers. You can import the required SSL certificate from a URL or a file.
NOTE LDAP authentication is deprecated.
You can import SSL certificates to the trust store from the Certificates page in Control Center.
Procedure
1 Log in to Control Center as root.
2 Click Certificates.
3 On the Trusted Certificates tab, click Import....
4 Load the SSL certificate in Orchestrator from a URL address or a file.
Option Action
Import from URL or proxy URL
Import from file
Specify the URL of the server: https://your_server_IP_address or your_server_IP_address:port
Browse to import the certificate file. The file is usually available at /etc/vmware/ssl/rui.crt
5 Click Import.
A message confirming that the import is successful appears.
6 Repeat the steps for each server SSL certificate that you want to add to the Orchestrator server.
The imported certificate appears in the Trusted SSL certificates list.
What to do next
Each time you want to use an SSL connection to a server instance, you must import the corresponding certificate from the Trusted Certificates tab on the Certificates page and import the corresponding SSL certificate.
VMware, Inc. 41
Page 42

Generate a Self-Signed Server Certificate

Deploying the Orchestrator Appliance requires that you create a certificate. You can create a self-signed certificate to guarantee encrypted communication and a signature for your packages. However, the recipient cannot be sure that the self-signed package that you are sending is in fact a package issued by your server and not a third party claiming to be you.
Procedure
1 Log in to Control Center as root.
2 Click Certificates.
3 On the Orchestrator Server SSL Certificate tab, click Generate....
4 Type the relevant information.
5 Click Generate.
6 Restart the Orchestrator Appliance for the changes to take effect.
Orchestrator generates a server certificate that is unique to your environment. The details about the certificate's public key appear in the Orchestrator Server SSL Certificate tab. The certificate's private key is stored in the vmo_keystore table of the Orchestrator database.
What to do next
For disaster recovery purposes, you can save the certificate private key to a local file.
n
Verify that the Orchestrator server certificate is configured properly at the Validate Configuration page
n
in Control Center.

Import an Orchestrator Server SSL Certificate

You can import a certificate from a Certificate Authority.
Procedure
1 Log in to Control Center as root.
2 Click Certificates.
3 On the Orchestrator Server SSL Certificate tab, click Import.
4 Choose an import method:
Option Description
Import from a Java KeyStore
Import from a PEM-encoded file
5 Click Import.
a Select Import from a Java KeyStore.
b Browse to and select a KeyStore.
c Enter the SSL certificate alias.
d (Optional) Enter your KeyStore and key passwords.
a Select Import from a PEM-encoded file.
b Browse to and select a file to import.
c (Optional) Enter your key password.
6 Restart the Orchestrator Appliance for the changes to take effect.
42 VMware, Inc.
Page 43
Chapter 5 Configuring vRealize Orchestrator in the Orchestrator Appliance
What to do next
Verify that the Orchestrator server certificate is configured properly at the Validate Configuration page in Control Center.

Package Signing Certificate

Packages exported from an Orchestrator server are digitally signed. Import, export, or generate a new certificate to be used for signing packages.
Procedure
1 Log in to Control Center as root.
2 Click Certificates and access the Package Signing Certificate tab.
3 Generate, import, or export a package signing certificate:
Option Action
Generate
Import
Export
a Click Generate.
b Enter the certificate name.
c (Optional) Enter the organization, organizational unit, and country
code.
d Click Generate.
Import a certificate from a Java KeyStore.
a Click Import....
b Browse to and select a KeyStore.
c Select a password for the KeyStore.
d Click Import.
Export a certificate KeyStore.
a Click Export....
b Enter a password for the exported KeyStore.
c Click Export.
What to do next
Verify that the package signing certificate is configured properly at the Validate Configuration page in Control Center.
NOTE To sign your packages with a server certificate different from the one you used for the initial Orchestrator configuration, change the package signing certificate, after which all future exported packages are signed with the new certificate.

Configure the Orchestrator Plug-Ins

The default Orchestrator plug-ins are configured only through workflows.
If you want to configure any of the default Orchestrator plug-ins, you need to use the specific workflow from the Orchestrator client.

Enable Debug Logging for the Orchestrator Plug-Ins

View a list of all plug-ins installed in Orchestrator and perform basic management actions.
Instead of enabling debug logging for Orchestrator, you can enable it only for specific plug-ins.
Procedure
1 Log in to Control Center as root.
VMware, Inc. 43
Page 44
2 Click Manage Plug-Ins.
3 (Optional) To disable a plug-in, deselect the Enable check box.
This action does not remove the plug-in file.
4 Select the Enable Debug Logging check box of the specific plug-in.

Installing a New Plug-In

After you configure the default Orchestrator plug-ins, you might want to install a new plug-in.
All Orchestrator plug-ins are installed from Control Center. The allowed file extensions are .vmoapp and .dar. A .vmoapp file can contain a collection of several .dar files and can be installed as an application, while a .dar file contains all the resources associated with one plug-in.
You install the plug-in files from the Manage Plug-Ins page of the Control Center.

Reinstall Plug-Ins

You can force the reinstallation of all Orchestrator plug-ins.
Prerequisites
Stop the Orchestrator server from the Startup Options page in Control Center.
Procedure
1 Log in to Control Center as root.
2 Click Troubleshooting.
3 Click Force Plug-ins Reinstall.
The installed plug-ins are forced to reinstall on the next server start.

Start the Orchestrator Server

To work with Orchestrator, ensure that the Orchestrator server service has started.
Prerequisites
Verify that Orchestrator is configured properly by opening the Validate Configuration page in Control
n
Center.
Procedure
1 Log in to Control Center as root.
2 Click Startup Options.
3 If the Orchestrator server has stopped, click Start.
The Orchestrator server status appears as RUNNING. The first boot can take 5-10 minutes because the server is installing the Orchestrator plug-ins content in the database tables. The Orchestrator server status can be Running, Undefined, and Stopped.
A message states that the service has started successfully.
What to do next
Log in to the Orchestrator client and run or schedule workflows on the vCenter Server inventory objects or other objects that Orchestrator accesses through its plug-ins.
44 VMware, Inc.
Page 45
Chapter 5 Configuring vRealize Orchestrator in the Orchestrator Appliance

Orchestrator Availability and Scalability

To increase the availability of the Orchestrator services, start multiple Orchestrator server instances in a cluster with a shared database. Unlike previous versions of Orchestrator where standalone mode and cluster mode are present as options, in vRealize Orchestrator 7.0 there is no difference between the two options and they do not exist. Orchestrator works as a single instance until it is configured to work as a part of a cluster.
Orchestrator Cluster
Multiple Orchestrator server instances with identical server and plug-ins configurations work together in a cluster and share one database. Only the active Orchestrator server instances respond to client requests and run workflows.
All Orchestrator server instances communicate with each other by exchanging heartbeats. Each heartbeat is a timestamp that the node writes to the shared database of the cluster at a certain time interval. Network problems, an unresponsive database server, or overloading might cause an Orchestrator cluster node to stop responding. If an active Orchestrator server instance fails to send heartbeats within the failover timeout period, it is considered non-responsive. The failover timeout is equal to the value of the heartbeat interval multiplied by the number of the failover heartbeats. It serves as a definition for an unreliable node and must be customized according to the available resources and the production load.
The non-responsive node is automatically shut down and one of the inactive Orchestrator instances takes control and resumes all interrupted workflows from their last uncompleted items, such as scriptable tasks, workflow invocations, and so on. You can restart the node that was shut down by using an external script based on the Control Center REST API or manually.
Orchestrator does not provide a built-in tool for monitoring the cluster status and sending notifications in case of a failover. You can monitor the cluster state by using an external component such as a load balancer. To check whether a node is running, you can use the health status REST API service located at https://your_orchestrator_server_IP_or_DNS_name:8281/vco/api/healthstatus and check the status of the node.
IMPORTANT When more than one Orchestrator server is active in a cluster, use of the Orchestrator client is not supported. If you have more than one active Orchestrator node in a cluster, when different users use the different Orchestrator nodes to modify one and the same resource, concurrency problems occur. To have more than one active Orchestrator server node in a cluster, you must first develop the workflows that you need, and then set up Orchestrator to work in a cluster.

Configure an Orchestrator Cluster

To increase the availability of Orchestrator services, you can create a cluster of Orchestrator server instances.
An Orchestrator cluster consists of at least two Orchestrator server instances that share one database.
IMPORTANT After you set up the Orchestrator cluster, do not change the configurations of the nodes.
Prerequisites
Configure the database that you plan to use as a shared database, so that it can accept connections from
n
the different Orchestrator instances.
To prevent transactional deadlocks when using Microsoft SQL Server database, you must enable the ALLOW_SNAPSHOT_ISOLATION and READ_COMMITTED_SNAPSHOT database options.
Install and configure at least two Orchestrator server instances.
n
For the cluster to work properly, the Orchestrator server instances must be identical. When an Orchestrator server joins a cluster, it copies the configuration of the clustered Orchestrator.
Verify that the Orchestrator instances use the same database.
n
VMware, Inc. 45
Page 46
Synchronize the clocks of the machines that the Orchestrator server instances are installed on.
n
Procedure
1 Log in to Control Center of the first Orchestrator server as root.
2 Click Orchestrator Node Settings.
If you have configured the Orchestrator server nodes properly, Orchestrator detects the other nodes.
3 (Optional) Provide values for the Orchestrator node settings and click Save.
Option Description
Number of active nodes
Heartbeat interval (in milliseconds)
Number of failover heartbeats
The default failover timeout is 1 minute and is equal to the value of the default heartbeat interval multiplied by the number of the default failover heartbeats.
The maximum number of active Orchestrator server instances in the cluster.
Active nodes are the Orchestrator server instances that run workflows and respond to client requests. If an active Orchestrator node stops responding, it is replaced by one of the inactive Orchestrator server instances.
The default number of active Orchestrator nodes in a cluster is one.
The time interval, in milliseconds, between two network heartbeats that an Orchestrator node sends to show that it is running.
The default value is 30 seconds.
The number of absent heartbeats before an Orchestrator node is considered failed .
The default value is 5 heartbeats.
4 Log in to Control Center of the second Orchestrator server as root.
5 Click Join Cluster in the Control Center home page.
6 In the Host name text box, enter the host name or IP address of the first Orchestrator server instance.
7 In the User name and Password text boxes, enter your credentials.
8 (Optional) Select Trust SSL certificate to activate encrypted certification for the connection between the
Orchestrator servers.
9 Click Join.
You have successfully configured a cluster of Orchestrator instances.
What to do next
You can add more Orchestrator server active nodes to the cluster by changing the value of the Number of active nodes field in the Configure Cluster page.
IMPORTANT When you configure Orchestrator to work in a cluster, you must first start one of the
Orchestrator servers and wait until it starts and initializes the database. If you start more than one Orchestrator server at the same time, concurrency issues occur as all of the started Orchestrator servers try to initialize the database.

Configuring a Load Balancer

Load balancers distribute work among servers in high-availability deployments.
After you configure the Orchestrator cluster, you can set up a load balancer to distribute traffic among multiple instances of vRealize Orchestrator. For specific information on configuring the F5 and NSX load balancers, see “Configure the F5 Load Balancer to Work With an Orchestrator Cluster,” on page 48 and
“Configure the NSX Load Balancer to Work With an Orchestrator Cluster,” on page 47
46 VMware, Inc.
Page 47
Chapter 5 Configuring vRealize Orchestrator in the Orchestrator Appliance
Configure the NSX Load Balancer to Work With an Orchestrator Cluster
To increase the availability of the VMware vRealize Orchestrator services, you can put the Orchestrator behind a load balancer.
Prerequisites
Configure at least two Orchestrator nodes.
Procedure
1 Create and configure the NSX-Edge.
a Log in to the vCenter Server where NSX has been configured.
b Navigate to Home > Networking & Security > NSX Edges and create your own NSX edge.
c Navigate to Manage > Settings > Interfaces.
d Select the first vNIC and click the Edit button.
This is your load balancer virtual appliance.
e Click the Add button to assign a static IP address to the virtual interface.
2 Configure Application Profiles.
a Log in to the vCenter Server where NSX has been configured.
b Navigate to Home > Networking & Security > NSX Edges and create your own NSX edge.
c On the Load Balancer tab select the Application Profiles menu.
d Click the Add button to create a new profile and complete the form according to the table below:
Name Type Enabled SSL Pass-through Persistence Client Authentication
vROProfile HTTPS yes None Ignore
e Click OK.
3 Configure Service Monitoring.
a Log in to the vCenter Server where NSX has been configured.
b Navigate to Home > Networking & Security > NSX Edges and create your own NSX edge.
c On the Load Balancer tab select the Service Monitoring menu.
d Click the Add button to create a new monitor and complete the form according to the table below:
Max
Monitor Interval Timeout
vro­https-8281
3 9 3 HTTPS GET /vco/api/docs/index.html
Retries Type Method URL Receive
HTTP/1.1\r\nHost:\r\n\nConnection: close\r\n\r\n
200 OK
4 Configure Pools.
a Log in to vCenter Server where NSX has been set up.
b Navigate to Home > Networking & Security > NSX Edges and create your own NSX edge.
c On the Load Balancer tab select Pools.
VMware, Inc. 47
Page 48
d Click on the Add button to create a new pool and complete the form according to the table below:
Name Algorithm Monitors
vro-pool Round Robin vro-https-8281
e Click on the Add button to add members:
Enabled Member Name IP Address / VC Container Monitor Port Port
yes HA-cluster-vro1 vro-Node1-IP 8281 8281
yes HA-cluster-vro2 vro-Node2-IP 8281 8281
The green status indicates that the node is active.
f Click on Show Pool Statistics and verify that the pool is in UP state.
5 Configure Virtual Servers.
a Log in to vCenter Server where NSX has been set up.
b Navigate to Home > Networking & Security > NSX Edges and create your own NSX edge.
c On the Load Balancer tab select Virtual Servers.
d Click on the Add button to create a new virtual server and complete the form according to the table
below:
Enable VS Application Profile Name IP Address Protocol Port Default Pool
yes vROProfile vro-lb-8281 vro-lb-IP HTTPS 8281 vro-pool
NOTE The port number of the virtual server must correspond to the port number of the pool.
You have successfully configured the NSX load balancer to work with a vRealize Orchestrator cluster.
Configure the F5 Load Balancer to Work With an Orchestrator Cluster
To increase the availability of the VMware vRealize Orchestrator services, you can put the Orchestrator behind a load balancer.
Prerequisites
Configure at least two Orchestrator nodes.
Procedure
1 Configure monitors.
a Log in to the F5 load balancer and select Local Traffic > Monitors from the main menu.
b Create a monitor named vco-https-8281 and configure the settings as follows:
Recieve
Monitor Interval Timeout Retries Type Send String
vco­https-8281
3 9 3 HTTPS
(443)
GET /vco/api/docs/index.html HTTP/1.1\r\nHost:\r\n\nConnection: close\r\n\r\n
String
200 OK 8281
Alias Service Port
Leave all other fields with their default values.
c Click Finished.
48 VMware, Inc.
Page 49
Chapter 5 Configuring vRealize Orchestrator in the Orchestrator Appliance
2 Configure server pools.
a Navigate to Local Traffic > Pools from the main menu.
b Create a pool named vro-pool-8281 and configure the settings as follows:
Pool Name LB Method Health Monitors
vro-pool-8281 Round Robin vro-https-8281
Leave all other fields with their default values.
c Add two new nodes in the New Members section:
Name Address Service Port
vro-node1-hostname.domain.com vro-node1-IP 8281
vro-node2-hostname.domain.com vro-node2-IP 8281
d Click Finished.
Health
Pool Name LB Method
vro-pool-8281 Round Robin vro-https-8281 vro-node1-
vro-pool-8281 Round Robin vro-https-8281 vro-node2-
Monitors Node Name Address
vro-node1-IP 8281
hostname.domain.com
vro-node2-IP 8281
hostname.domain.com
The green status indicates that the node is active.
3 Configure virtual servers.
a Navigate to Local Traffic > Virtual Servers from the main menu.
b Create a virtual server named vro-lb-8281 and configure the settings as follows:
Name Type
vco-lb-8281 Performance
(Layer 4)
Destination Address
vro-lb-IP 8281 Automap vro-pool-8281
Service Port
Source Address Translation
Default Pool Name
Leave all other fields with their default values.
4 Verify that the high-availability environment is correctly configured.
a Navigate to Local Traffic > Network Map from the main menu.
b Verify that all entries on the network map are listed as green.
You have successfully configured the F5 load balancer to work with a vRealize Orchestrator cluster.
Service Port
VMware, Inc. 49
Page 50

Configuring the Customer Experience Improvement Program

If you choose to participate in the Customer Experience Improvement Program (CEIP), VMware receives anonymous information that helps to improve the quality, reliability, and functionality of VMware products and services.

Categories of Information That VMware Receives

The Customer Experience Improvement Program (CEIP) provides VMware with information that enables VMware to improve the VMware products and services and to fix problems. If you choose to participate in CEIP, VMware collects technical information about your use of the VMware products and services in CEIP reports on a regular basis. This information does not personally identify you.
Information that VMware receives through the CEIP contains the following categories:
Configuration Data
Feature Usage Data
Performance Data
VMware collects the CEIP reporting information in connection with a unique CEIP instance identifier that is stored on your device and which does not personally identify you. This identifier enables VMware to distinguish one report from another.
Data about how you have configured VMware products and services and related environment information. Examples of Configuration Data include version information for VMware products, product environment information, and product configuration settings. Configuration Data can include obfuscated versions of your device IDs and MAC and Internet Protocol addresses.
Data about how you use VMware products and services. Examples of Feature Usage Data include details about which product features you use and metrics of user interface activity.
Data about the performance of VMware products and services. Examples of Performance Data include metrics of the performance and scale of VMware products and services, response times for user interfaces, and details about your API calls.

Join the Customer Experience Improvement Program

Join the Customer Experience Improvement Program from Control Center.
Procedure
1 Log in to Control Center as root and open the Customer Experience Improvement Program page.
2 Select the Join the Customer Experience Improvement Program check box to enable CEIP or deselect
the check box to disable the Program and then click Save.
3 (Optional) Deselect the Automatic proxy discovery check box if you want to add a proxy host
manually.
50 VMware, Inc.
Page 51

Using the API services 6

In addition to configuring Orchestrator by using Control Center, you can modify the Orchestrator server configuration settings by using the Orchestrator REST API, the Control Center REST API, or the command line utility, stored in the appliance.
The Configuration plug-in is included by default in the Orchestrator package. You can access the Configuration plug-in workflows from either the Orchestrator workflow library or the Orchestrator REST API. With these workflows you can change the trusted certificate and keystore settings of the Orchestrator server. For information on all available Orchestrator REST API services calls, see the Orchestrator REST API Reference documentation, located at https://orchestrator_server_IP_or_DNS_name:8281/vco/api/docs.
Managing SSL Certificates and Keystores by Using the REST API on page 51
n
In addition to managing SSL certificates by using Control Center, you can also manage trusted certificates and keystores when you run workflows from the Configuration plug-in or by using the REST API.
Automating the Orchestrator Configuration by Using the Control Center REST API on page 54
n
Use the Control Center REST API to automate the Orchestrator configuration.
Managing SSL Certificates and Keystores by Using the REST API
In addition to managing SSL certificates by using Control Center, you can also manage trusted certificates and keystores when you run workflows from the Configuration plug-in or by using the REST API.
The Configuration plug-in contains workflows for importing and deleting SSL certificates and keystores. You can access these workflows by navigating to Library > Configuration > SSL Trust Manager and Library > Configuration > Keystores in the Workflows view of the Orchestrator client. You can also run these workflows by using the Orchestrator REST API.

Delete an SSL Certificate by Using the REST API

You can delete an SSL certificate by running the Delete trusted certificate workflow of the Configuration plug-in or by using the REST API.
Procedure
1 Make a GET request at the URL of the Workflow service of the Delete trusted certificate workflow.
GET https://{orchestrator_host}:{port}/vco/api/workflows?conditions=name=Delete trusted certificate
2 Retrieve the definition of the Delete trusted certificate workflow by making a GET request at the URL of
the definition.
GET https://{orchestrator_host}:{port}/vco/api/workflows/8a70a326-ffd7-4fef-97e0-2002ac49f5bd
VMware, Inc.
51
Page 52
3 Make a POST request at the URL that holds the execution objects of the Delete trusted certificate
workflow.
POST https://{orchestrator_host}:{port}/vco/api/workflows/8a70a326­ffd7-4fef-97e0-2002ac49f5bd/executions/
4 Provide the name of the certificate you want to delete as an input parameter of the Delete trusted
certificate workflow in an execution-context element in the request body.

Import SSL Certificates by Using the REST API

You can import SSL certificates by running a workflow from the Configuration plug-in or by using the REST API.
You can import a trusted certificate from a file or a URL. For information about importing the vCenter Server SSL certificate by using Control Center, see “Import a Self-Signed Certificate to the
Orchestrator Trust Store,” on page 41.
Procedure
1 Make a GET request at the URL of the Workflow service.
Option Description
Import trusted certificate from a file
Import trusted certificate from URL
Import trusted certificate from URL using proxy server
Import trusted certificate from URL with certificate alias
To import a trusted certificate from a file, make the following GET request:
Imports a trusted certificate from a file.
Imports a trusted certificate from a URL address.
Imports a trusted certificate from a URL address by using a proxy server.
Imports a trusted certificate with a certificate alias, from a URL address.
GET https://{orchestrator_host}:{port}/vco/api/workflows?conditions=name=Import trusted certificate from a file
2 Retrieve the definition of the workflow by making a GET request at the URL of the definition.
To retrieve the definition of the Import trusted certificate from a file workflow, make the following GET request:
GET https://{orchestrator_host}:{port}/vco/api/workflows/93a7bb21-0255-4750-9293-2437abe9d2e5
3 Make a POST request at the URL that holds the execution objects of the workflow.
For the Import trusted certificate from a file workflow, make the following POST request:
POST https://{orchestrator_host}: {port}/vco/api/workflows/93a7bb21-0255-4750-9293-2437abe9d2e5/executions
4 Provide values for the input parameters of the workflow in an execution-context element of the request
body.
Parameter Description
cer
url
The CER file from which you want to import the SSL certificate.
This parameter is applicable for the Import trusted certificate from a file workflow.
The URL from which you want to import the SSL certificate. For non-HTPS services, the supported format is IP_address_or_DNS_name:port.
This parameter is applicable for the Import trusted certificate from URL workflow.
52 VMware, Inc.
Page 53
Chapter 6 Using the API services

Create a Keystore by Using the REST API

You can create a keystore by running the Create a keystore workflow of the Configuration plug-in or by using the REST API.
Procedure
1 Make a GET request at the URL of the Workflow service of the Create a keystore workflow.
GET https://{orchestrator_host}:{port}/vco/api/workflows?conditions=name=Create a keystore
2 Retrieve the definition of the Create a keystore workflow by making a GET request at the URL of the
definition.
GET https://{orchestrator_host}:{port}/vco/api/workflows/6c301bff-e8fe-4ae0­ad08-5318178594b3/
3 Make a POST request at the URL that holds the execution objects of the Create a keystore workflow.
POST https://{orchestrator_host}:{port}/vco/api/workflows/6c301bff-e8fe-4ae0­ad08-5318178594b3/executions/
4 Provide the name of the keystore you want to create as an input parameter of the Create a keystore
workflow in an execution-context element in the request body.

Delete a Keystore by Using the REST API

You can delete a keystore by running the Delete a keystore workflow of the Configuration plug-in or by using the REST API.
Procedure
1 Make a GET request at the URL of the Workflow service of the Delete a keystore workflow.
GET https://{orchestrator_host}:{port}/vco/api/workflows?conditions=name=Delete a keystore
2 Retrieve the definition of the Delete a keystore workflow by making a GET request at the URL of the
definition.
GET https://{orchestrator_host}: {port}/vco/api/workflows/7a3389eb-1fab-4d77-860b-81b66bb45b86/
3 Make a POST request at the URL that holds the execution objects of the Delete a keystore workflow.
POST https://{orchestrator_host}: {port}/vco/api/workflows/7a3389eb-1fab-4d77-860b-81b66bb45b86/executions/
4 Provide the keystore you want to delete as an input parameter of the Delete a keystore workflow in an
execution-context element in the request body.

Add a Key by Using the REST API

You can add a key by running the Add key workflow of the Configuration plug-in or by using the REST API.
Procedure
1 Make a GET request at the URL of the Workflow service of the Add key workflow.
GET https://{orchestrator_host}:{port}/vco/api/workflows?conditions=name=Add key
VMware, Inc. 53
Page 54
2 Retrieve the definition of the Add key workflow by making a GET request at the URL of the definition.
GET https://{orchestrator_host}:{port}/vco/api/workflows/6c301bff-e8fe-4ae0­ad08-5318178594b3/
3 Make a POST request at the URL that holds the execution objects of the Add key workflow.
POST https://{orchestrator_host}:{port}/vco/api/workflows/6c301bff-e8fe-4ae0­ad08-5318178594b3/executions/
4 Provide the keystore, key alias, PEM-encoded key, certificate chain and key password as input
parameters of the Add key workflow in an execution-context element in the request body.

Automating the Orchestrator Configuration by Using the Control Center REST API

Use the Control Center REST API to automate the Orchestrator configuration.
The Control Center REST API provides access to the configuration services of the Control Center. You can use the Control Center REST API with third party systems to automate the Orchestrator configuration.
Access the Control Center REST API by opening https://orchestrator_server_IP_or_DNS_name:8283/vco­controlcenter/api. For information on all available Control Center REST API services calls that you can use to configure vRealize Orchestrator, see the Control Center REST API Reference documentation, located at https://orchestrator_server_IP_or_DNS_name:8283/vco-controlcenter/docs.
In addition to the Control Center REST API, you can use the Orchestrator command line utility to automate the Orchestrator configuration. The command line utility is located in /var/lib/vco/tools/configuration-
cli/bin. To see all of the available configuration options run ./vro-configure.sh --help
54 VMware, Inc.
Page 55

Additional Configuration Options 7

You can use Control Center to change the default Orchestrator behavior.
This chapter includes the following topics:
“Create New Users in Control Center,” on page 55
n
“Uninstall a Plug-In,” on page 55
n
“Export the Orchestrator Configuration,” on page 56
n
“Import the Orchestrator Configuration,” on page 57
n
“Migrating the Orchestrator Configuration,” on page 58
n
“Configure the Workflow Run Properties,” on page 59
n
“Orchestrator Log Files,” on page 60
n

Create New Users in Control Center

Instead of changing the root password, you can create new users and assign them passwords at anytime to avoid potential security issues.
Procedure
1 Log in to Control Center as root.
2 On the Settings page, click Change Credentials.
3 In the Old password text box, enter your current password.
4 In the New user name text box, enter the new user name.
5 In the New password text box, enter the new password.
6 Reenter the new password to confirm it.
7 Click Change Credentials.

Uninstall a Plug-In

You can use Control Center to disable a plug-in, but this does not remove the plug-in file from the file system. To remove the plug-in file, you must log in to the machine that the Orchestrator server is installed on and remove the plug-in file manually.
Procedure
1 Log in as an administrator to the machine on which the Orchestrator server is installed.
VMware, Inc.
55
Page 56
2 Navigate to install_directory/etc/vco/app-server/plugins.
3 Delete the .dar and .war archives that contain the plug-in you want to remove.
4 Restart the vRealize Orchestrator services.
The plug-in is removed from Control Center.
5 Delete the plug-in configuration files from install_directory/etc/vco/app-server/plugins .
6 Log in to the Orchestrator client.
7 Select Administer from the drop-down menu in the upper left corner.
8 Click the Packages view.
9 Right-click the package you want to delete, and select Delete element with content.
NOTE Orchestrator elements that are locked in the read-only state, for example workflows in the standard library, are not deleted.
10 Click Delete all.
11 Restart the vRealize Orchestrator services.
You removed all custom workflows, actions, policies, configurations, settings, and resources related to the plug-in.

Export the Orchestrator Configuration

Control Center provides a mechanism to export the Orchestrator configuration settings to a local file. You can use the mechanism to take a snapshot of your system configuration at any moment and import this configuration into a new Orchestrator instance.
You should export and save your configuration settings on a regular basis, especially when making modifications, performing maintenance tasks, or upgrading the system.
For a list of exported configuration settings, see “Orchestrator Server Configuration Files,” on page 57.
IMPORTANT Keep the file with the exported configuration safe and secure, because it contains sensitive administrative information.
Procedure
1 Log in to Control Center as root.
2 Click Export/Import Configuration.
3 Select the type of files you want to export.
NOTE If you select Export plug-in configurations and the plug-in configurations contain encrypted properties, you must also select Export server configuration to successfully decrypt the data when importing.
4 (Optional) Enter a password to protect the configuration file.
Use the same password when you import the configuration later.
5 Click Export.
Orchestrator creates an orchestrator-config-export-hostname-and-dateReference.zip file on the machine on which the Orchestrator server is installed. You can use this file to clone or to restore the system.
56 VMware, Inc.
Page 57
Chapter 7 Additional Configuration Options

Orchestrator Server Configuration Files

When you export the system configuration, an orchestrator-config-hostname-and-dateReference.zip file is created locally on the machine on which the Orchestrator server is installed. It contains all the Orchestrator configuration data.
NOTE Some of the configuration files that are created during the export are empty. For example, the server configuration data is not exported because the startup options for the Orchestrator server are unique for each machine where the Orchestrator server is installed. These empty files must be reconfigured, even when a working configuration was previously imported.
Table 71. Settings Saved During Configuration Export
Setting Description
passwordencryptor.key The key used to encrypt the sensitive data. If the file is not valid, the sensitive
data hashes stored in the database become unusable.
General Configuration properties settings.
License The details about the host on which Orchestrator verifies the license key.
Database The database configuration.
Certificate The certificates added as trusted authorities and the Orchestrator server SSL
certificate.
Authentication The Single Sign-On or LDAP server configuration.
Log The log settings information.
Plug-ins All the plug-ins and plug-in configurations.

Import the Orchestrator Configuration

You can restore a previously exported system configuration after you reinstall Orchestrator or if a system failure occurs .
If you use the import procedure to clone the Orchestrator configuration, the vCenter Server plug-in configuration becomes invalid and non-working, because a new vCenter Server plug-in ID is generated.
Prerequisites
Stop the Orchestrator server from the Startup Options page in Control Center.
Procedure
1 Log in to Control Center as root.
2 Click Export/Import Configuration and navigate to the Import Configuration tab.
3 Browse to and select the .zip file that you exported from your previous installation.
4 Enter the password that you used when exporting the configuration.
This step is not necessary if you have not exported the configuration with a password.
5 Click Import.
VMware, Inc. 57
Page 58
6 Select the type of files you want to import:
Section Option
Server Configuration
License
Plug-Ins
Plug-In Configurations
IMPORTANT Do not use Force import plug-ins, unless you want all of the plug-ins with new versions to be substituted with previous versions that the exported file might contain. Version incompatibility might cause the plug-ins to stop working.
7 Click Finish Import.
A message states that the configuration is successfully imported. The new system replicates the old configuration completely.
Import server configuration properties files.
n
Change the localhost in the database connection string.
n
Import custom properties (vmo-managed.properties).
n
Import trusted certificates.
n
Import server certificate.
n
Import License.
Import plug-ins.
n
Force import plug-ins.
n
Import the plug-in configurations, exported from the database.
n
Import the plug-in configurations, exported from the file system.
n
What to do next
After you import the Orchestrator configuration, you must provide a valid password for each
n
registered vCenter Server instance.
Verify that vRealize Orchestrator is configured properly by opening the Validate Configuration page
n
in Control Center.

Migrating the Orchestrator Configuration

The Orchestrator migration tool is used to migrate VMware vCenter Orchestrator 5.5.x and VMware vRealize Orchestrator 6.0.x Windows standalone configurations to VMware vRealize Orchestrator 7.0.x. The Orchestrator Migration Tool is bundling the configuration settings, plug-ins, plug-in configurations, certificates, and license information into an archive which can be imported into vRealize Orchestrator 7.0.x.
The following command line options can be used with the vro-migrate export command:
Option Description
password
vroRootPath

Migrate the Orchestrator Configuration

Migrate your 5.5.x and 6.0.x Orchestrator Windows standalone configuration to the Orchestrator Appliance
7.0.
Set a password to protect the exported archive. If no password is provided the archive will not be protected.
Specify the root path of the vRealize Orchestrator server.
Prerequisites
Stop the source and destination Orchestrator servers.
n
You must set the PATH environment variable with a proper path to a Java bin folder.
n
58 VMware, Inc.
Page 59
Chapter 7 Additional Configuration Options
Procedure
1 Log in to Control Center as root.
2 Open the Export/Import Configuration and click on the Migrate Configuration tab.
3 Download the migration tool as specified in the description, or download it directly from
https://orchestrator_server_IP_or_DNS_name:8283/vco-controlcenter/api/server/migration-tool
4 Unzip the downloaded archive and place the folder in install_directory\VMware\Orchestrator.
5 Use the Windows command prompt to navigate to
install_directory\VMware\Orchestrator\migration-cli\bin.
6 Run the following command from the command line:
install_directory\VMware\Orchestrator\migration-cli\bin\vro-migrate.bat export.
This command combines the VMware vRealize Orchestrator configuration files and plug-ins into an export archive.
The archive is created in the same folder as the migration-cli folder.
7 Open the Export/Import Configuration in Control Center and click on the Migrate Configuration tab.
8 Click Import.
9 Select the type of files you want to import.
10 Click Finish Migration.
A message indicates that the migration completed successfully.
What to do next
Restart the Orchestrator server from the Startup Options page in Control Center for the changes to take effect.
Configure the Workflow Run Properties
By default, Orchestrator permits 300 workflows to run at the same time. When the Orchestrator server has to run more than 300 concurrent workflows, the pending workflow runs are queued. When an active workflow run completes, the next workflow in the queue starts to run. If the maximum number of queued workflows is reached, the next workflow runs fail until one of the pending workflows starts to run.
Procedure
1 Log in to Control Center as root.
2 Click Advanced Options.
3 Choose the options you want to configure:
Option Description
Enable safe mode
Number of concurrent running workflows
Maximum amount of running workflows in the queue
If safe mode is enabled, all running workflows are canceled and are not resumed on the next Orchestrator server start.
The maximum number of concurrent Orchestrator server workflows that run simultaneously.
The number of workflow run requests the Orchestrator server accepts before becoming unavailable.
VMware, Inc. 59
Page 60
Option Description
Maximum number of preserved runs per workflow
Log events expiration days
The maximum number of finished workflow runs kept as history per workflow. If the number is exceeded, the oldest workflow runs are deleted.
The number of days log events are kept in the database before being purged.
4 Click Save.
A message indicates that you saved successfully.
You can run up to 300 workflows and 10000 workflows can be queued if the number of actively running workflows is reached.

Orchestrator Log Files

VMware Technical Support routinely requests diagnostic information when you submit a support request. This diagnostic information contains product-specific logs and configuration files from the host on which the product runs. The information is gathered by using a specific script tool for each product.
Table 72. Orchestrator Log Files list
File Name Location Description
scripting.log /var/log/vco/app-server
server.log /var/log/vco/app-server
catalina.out /var/log/vco/configuration/
metrics.log /var/log/vco/app-server
localhost_access_log.txt /storage/log/vmware/vco/app
-server
controlcenter.log /storage/log/vmware/vco/con
figuration
vco_database.log /storage/log/vmware/vco/con
figuration
Provides a list of the completed workflows and actions. Use the scripts-logs.log file to isolate workflow runs and action runs from normal Orchestrator operations. This information is also included in the server.log file.
Provides information about all activities on the Orchestrator server. Analyze the server.log file when you debug Orchestrator or any application that runs on Orchestrator.
Provides information about the configuration and validation of each component of Orchestrator in the Orchestrator Appliance.
Contains runtime information about the server. The information is added to this log file once every 5 minutes.
This is the HTTP request log of the server.
The log file of the Control Center service.
The vco_database.log contains logs about the database upgrade actions.
60 VMware, Inc.
Page 61
Chapter 7 Additional Configuration Options

Logging Persistence

You can log information in any kind of Orchestrator script, for example workflow, policy, or action. This information has types and levels. The type can be either persistent or non-persistent. The level can be DEBUG,
INFO, WARN, ERROR, TRACE, and FATAL.
Table 73. Creating Persistent and Non-Persistent Logs
Log Level Persistent Type Non-Persistent Type
DEBUG
INFO
WARN
ERROR
Server.debug("short text", "long text");
Server.log("short text", "long text"); System.log("text");
Server.warn("short text", "long text"); System.warn("text");
Server.error("short text", "long text"); System.error("text");
Persistent Logs
Persistent logs (server logs) track past workflow run logs and are stored in the Orchestrator database. To view server logs, you must select a workflow, a completed workflow run, or a policy and click the Events tab in the Orchestrator client.
System.debug("text")
Non-Persistent Logs
When you use a non-persistent log (system log) to create scripts, the Orchestrator server notifies all running Orchestrator applications about this log, but this information is not stored in the database. When the application is restarted, the log information is lost. Non-persistent logs are used for debugging purposes and for live information. To view system logs, you must select a completed workflow run in the Orchestrator client and click Logs on the Schema tab.

Configure Logs

In Control Center, you can set the level of server log that you require. If a server log is generated multiple times a day, it becomes difficult to determine what causes problems. To prevent this, you can also set the maximum file size and count of the server log.
The default server log level is INFO. Changing the log level affects all new messages that the server enters in the server log and the number of active connections to the database.
CAUTION Only set the log level to DEBUG or ALL to debug a problem. Do not use these settings in a production environment because it can seriously impair performance.
Procedure
1 Log in to Control Center as root.
2 Click Configure Logs.
3 Select an option from the Log level drop-down menu.
Option Description
FATAL
ERROR
WARN
INFO
VMware, Inc. 61
Only fatal errors are written to the log file.
Errors and fatal errors are written to the log file.
Warnings, errors, and fatal errors are written to the log file.
Information, warnings, errors, and fatal errors are written to the log file.
Page 62
Option Description
DEBUG
TRACE
ALL
OFF
NOTE The log contains messages of the selected level and all higher levels. If you select the INFO level, all INFO messages and higher-level messages (INFO, WARN, ERROR, and FATAL) are written to the log file.
4 Set the maximum log files count and the maximum single file size.
5 Click Save.
A message indicates that you saved successfully.
The new log level is applied to all new messages that the server generates, without restarting the server. In the Orchestrator Appliance the logs are stored in var/log/vco/app-server.

Export Orchestrator Log Files

Debug information, information messages, warnings, errors, and fatal errors are written to the log file.
More detailed debug information, information messages, warnings, errors, and fatal errors are written to the log file.
Events are not filtered. All events are written to the log file.
No entries are written to the log file and no log updates are made.
You can use Control Center to generate a ZIP archive of troubleshooting information containing configuration, server, wrapper, and installation log files.
Procedure
1 Log in to Control Center as root.
2 Click Export Logs.
3 Click Export logs.
4 Browse to and select a location where you want to save the archive.
The log information is stored in a ZIP archive named vco-logs-dateReference_xxxxxx.zip.

Inspect the Workflow Logs

You can quickly inspect and export the system logs and server logs of finished workflows by accessing the
Inspect Workflows page in Control Center.
NOTE When you are using Orchestrator as part of a cluster, the system logs are saved on only the server
node, from which the workflow is started.
IMPORTANT Log information is stored temporarily.
System logs are stored in files up to 10 MB in size. The maximum number of log files is 5 per node.
n
Server logs are stored for 15 days in the database.
n
Procedure
1 Log in to Control Center as root.
2 Click Inspect Workflows.
3 Click the Finished Workflows tab.
4 (Optional) Select the type of workflow tokens that you want to inspect, select the date range and click
Apply.
62 VMware, Inc.
Page 63
Chapter 7 Additional Configuration Options
5 (Optional) Search a workflow by name, ID, or token ID.
6 Click on the token ID you want to inspect.
The workflow execution log view appears in full screen.
7 Inspect the system logs and server logs.
8 (Optional) Click Export Token Logs to export the workflow token logs in a .zip file.

Filter the Orchestrator Logs

You can filter the Orchestrator server logs for a specific workflow run and collect diagnostic data about the workflow run.
The Orchestrator logs contain a lot of useful information which you can monitor in real time. When multiple instances of the same workflow are running at the same time, you can track the different workflow runs by filtering the diagnostic data about each run in the Orchestrator live log stream.
Procedure
1 Log in to Control Center as root.
2 Click Live Log Stream.
3 In the search bar, enter your search parameters.
For example, you can filter the logs by a user name, workflow name, workflow ID, or a token ID.
4 (Optional) Select Case sensitive and Filter (grep) to filter the search results further.
By selecting Filter (grep) the live stream only shows the lines that match your search parameters.
The Orchestrator live log stream is filtered according to your search parameters.
What to do next
You can use third-party log analyzing tools, if you want to filter old logs, that are not accessible through the Live Log Stream page in Control Center.
VMware, Inc. 63
Page 64
64 VMware, Inc.
Page 65
Configuration Use Cases and
Troubleshooting 8
You can configure the Orchestrator server to work with the vCenter Server appliance, you can also uninstall plug-ins from Orchestrator, or change the self-signed certificates.
The configuration use cases provide task flows that you can perform to meet specific configuration requirements of your Orchestrator server, as well as troubleshooting topics to understand and solve a problem, if a workaround exists.
This chapter includes the following topics:
“Register Orchestrator as a vCenter Server Extension,” on page 65
n
“Unregister Orchestrator Authentication,” on page 66
n
“Changing SSL Certificates,” on page 66
n
“Cancel Running Workflows,” on page 67
n
“Enable Orchestrator Server Debugging,” on page 68
n
“Back Up the Orchestrator Configuration and Elements,” on page 68
n
“Backing Up and Restoring vRealize Orchestrator,” on page 70
n
“Disaster Recovery of Orchestrator by Using Site Recovery Manager,” on page 73
n

Register Orchestrator as a vCenter Server Extension

After you register Orchestrator server with vCenter Single Sign-On and configure it to work with vCenter Server, you must register Orchestrator as an extension with vCenter Server.
Procedure
1 Log in to the Orchestrator client as an administrator.
2 Click the Workflows view.
3 In the workflows hierarchical list, select Library > vCenter > Configuration.
4 Right-click the Register vCenter Orchestrator as a vCenter Server extension workflow and select Start
workflow.
5 Select the vCenter Server instance to register Orchestrator with.
6 Enter the service URL of the Orchestrator server.
7 Click Submit.
VMware, Inc.
65
Page 66

Unregister Orchestrator Authentication

Unregister Orchestrator as a Single Sign-On solution from the Configure Authentication Provider page in Control Center.
If you want to reconfigure the Orchestrator vCenter Single Sign-On or vRealize Automation authentication you must first unregister the Orchestrator authentication.
Procedure
1 Log in to Control Center as root.
2 Click Configure Authentication Provider.
3 Click Unregister.
4 Enter your identity server credentials.
Enter your credentials if you want to delete registration data from the identity server.
5 Click Unregister from the Identity service section
You have successfully unregistered your Orchestrator server instance.

Changing SSL Certificates

By default, the Orchestrator server uses a self-signed SSL certificate to communicate remotely with the Orchestrator client. You can change the SSL certificates if, for example, your company security policy requires you to use its SSL certificates.
When you attempt to use Orchestrator over a trusted SSL Internet connection, and you open Control Center in a Web browser, you receive a warning that the connection is untrusted, if you use Mozilla Firefox, or that problems have been detected with the Web site’s security certificate, if you use Internet Explorer.
After you click Continue to this website (not recommended), even if you have imported the SSL certificate in the trusted store, you continue to see the Certificate Error red notification in the address bar of the Web browser. You can work with Orchestrator in the Web browser, but a third-party system might not work properly when attempting to access the API over HTTPS.
You might also receive a certificate warning when you start the Orchestrator client and attempt to connect to the Orchestrator server over an SSL connection.
You can resolve the problem by installing a certificate signed by a commercial certificate authority (CA). To stop receiving a certificate warning from the Orchestrator client, add your root CA certificate to the Orchestrator keystore on the machine on which the Orchestrator client is installed.

Adding a Certificate to the Local Store

After you receive a certificate from a CA, you must add the certificate to your local storage to work with Control Center without receiving certificate warnings or error messages.
This workflow describes the process of adding the certificate to your local storage by using Internet Explorer.
1 Open Internet Explorer and go to https://orchestrator_server_IP_or_DNS_name:8283/.
2 When prompted, click Continue to this website (not recommended).
The certificate error appears on the right side of the address bar in Internet Explorer.
3 Click the Certificate Error and select View Certificates.
4 Click Install Certificate.
66 VMware, Inc.
Page 67
Chapter 8 Configuration Use Cases and Troubleshooting
5 On the Welcome page of the Certificate Import Wizard, click Next.
6 In the Certificate Store window, select Place all certificates in the following store.
7 Browse and select Trusted Root Certification Authorities.
8 Complete the wizard and restart Internet Explorer.
9 Navigate to the Orchestrator server over your SSL connection.
You no longer receive warnings, and you do not receive a Certificate Error in the address bar.
Other applications and systems, such as VMware Service Manager, must have access to the Orchestrator REST APIs though an SSL connection.

Change the Certificate of the Orchestrator Appliance Management Site

The Orchestrator Appliance uses Light HTTPd to run its own management site. You can change the SSL certificate of the Orchestrator Appliance management site if, for example, your company security policy requires you to use its SSL certificates.
Prerequisites
By default the Orchestrator Appliance SSL certificate and private key are stored in a PEM file, which is located at: /opt/vmware/etc/lighttpd/server.pem. To install a new certificate, ensure that you export your new SSL certificate and private key from the Java keystore to a PEM file.
Procedure
1 Log in to the Orchestrator Appliance Linux console as root.
2 Locate the /opt/vmware/etc/lighttpd/lighttpd.conf file and open it in an editor.
3 Find the following line:
#### SSL engine ssl.engine = "enable" ssl.pemfile = "/opt/vmware/etc/lighttpd/server.pem"
4 Change the ssl.pemfile attribute to point to the PEM file containing your new SSL certificate and
private key.
5 Save the lighttpd.conf file.
6 Run the following command to restart the light-httpd server.
service vami-lighttp restart
You successfully changed the certificate of the Orchestrator Appliance management site.

Cancel Running Workflows

Cancel workflows when the Orchestrator server is stopped, otherwise the operation might not be successful.
Prerequisites
Stop the Orchestrator server from the Startup Options page in Control Center.
Procedure
1 Log in to Control Center as root.
2 Click Troubleshooting.
VMware, Inc. 67
Page 68
3 Cancel running workflows.
Option Description
Cancel all workflow runs
Cancel workflow runs by ID
Cancel all tokens
Enter a workflow ID, to cancel all tokens for that workflow. If the server is not stopped, the workflow tokens might not be cancelled.
Enter all token IDs you want to cancel. Separate them with a comma. If the server is not stopped, the workflow tokens might not be cancelled.
Cancel all running workflows on the server. You must stop the server to use this option.
On the next server start, the workflows are set in a cancelled state.
What to do next
Verify that the workflows are cancelled from the Inspect Workflows page in Control Center.

Enable Orchestrator Server Debugging

You can start the Orchestrator server in debug mode to debug issues when developing a plug-in.
Procedure
1 Log in to Control Center as root.
2 Click Orchestrator Debugging.
3 Click Enable debugging.
4 (Optional) Enter a port, different from the default one.
5 (Optional) Click Suspend.
By selecting this option, you must attach a debugger before starting the Orchestrator server.
6 Click Save.
7 Open the Startup Options page in Control Center and click Restart.
The Orchestrator server is suspended upon start until you attach a remote Java debugger to the defined port.

Back Up the Orchestrator Configuration and Elements

You can take a snapshot of your Orchestrator configuration and import this configuration into a new Orchestrator instance to back up your Orchestrator configuration. You can also back up the Orchestrator elements that you modified.
If you edit any standard workflows, actions, policies, or configuration elements, and then import a package containing the same elements with a higher Orchestrator version number, your changes to the elements are lost. To make modified and custom elements available after the upgrade, you must export them in a package before you start the procedure.
Each Orchestrator server instance has unique certificates, and each vCenter Server plug-in instance has a unique ID. The certificates and the unique ID define the identity of the Orchestrator server and the vCenter Server plug-in. If you do not back up the Orchestrator elements or export the Orchestrator configuration for backup purposes, make sure that you change these identifiers.
Procedure
1 Log in to Control Center as root.
2 Click Export/Import Configuration.
68 VMware, Inc.
Page 69
Chapter 8 Configuration Use Cases and Troubleshooting
3 Select the type of files you want to export.
4 (Optional) Enter a password to protect the configuration file.
Use the same password when you import the configuration.
5 Click Export.
6 Log in to the Orchestrator client application.
7 Create a package that contains all the Orchestrator elements that you created or edited.
a Click the Packages view.
b Click the menu button in the title bar of the Packages list and select Add package.
c Enter a name for the new package and click OK.
The syntax for package names is domain.your_company.folder.package_name..
For example, com.vmware.myfolder.mypackage.
d Right-click the package and select Edit.
e On the General tab, add a description for the package.
f On the Workflows tab, add workflows to the package.
g (Optional) Add policy templates, actions, configuration elements, resource elements, and plug-ins
to the package.
8 Export the package.
a Right-click the package you want to export, and select Export package.
b Browse to and select a location where you want to save the package and click Open.
c (Optional) Use the corresponding certificate to sign the package.
d (Optional) Impose restrictions on the exported package.
e (Optional) To apply restrictions for the contents of the exported package, deselect the options as
required.
Option Description
Export version history
Export the values of the configuration settings
Export global tags
The version history of the package is not exported.
The attribute values of the configuration elements in the package are not exported.
The global tags in the package are not exported.
f Click Save.
9 Import the Orchestrator configuration to the new Orchestrator server instance.
a Log in to Control Center of the new Orchestrator instance as root.
b Click Export/Import Configuration and navigate to the Import Configuration tab.
c Browse to select the .zip file you exported from your previous installation.
d Type the password you used while exporting the configuration.
This step is not necessary if you have not specified a password.
e Click Import.
VMware, Inc. 69
Page 70
10 Import the package that you exported to the new Orchestrator instance.
a Log in to the Orchestrator client application of the new Orchestrator instance.
b From the drop-down menu in the Orchestrator client, select Administer.
c Click the Packages view.
d Right-click in the left pane and select Import package.
e Browse to and select the package that you want to import and click Open.
Certificate information about the exporter appears.
f Review the package import details and select Import or Import and trust provider.
The Import package view appears. If the version of the imported package element is later than the version on the server, the system selects the element for import.
g Deselect the elements that you do not want to import.
For example, deselect custom elements for which later versions exist.
h (Optional) Deselect the Import the values of the configuration settings check box if you do not
want to import the attribute values of the configuration elements from the package.
i From the drop-down menu, choose whether you want to import tags from the package.
Option Description
Import tags but preserve existing values
Import tags and overwrite existing values
Do not import tags
Import tags from the package without overwriting existing tag values.
Import tags from the package and overwrite their values.
Do not import tags from the package.
j Click Import selected elements.

Backing Up and Restoring vRealize Orchestrator

You can use vSphere Data Protection to back up and restore a virtual machine (VM) that contains a vRealize Orchestrator instance.
vSphere Data Protection is a VMware disk-based backup and recovery solution designed for vSphere environments. vSphere Data Protection is fully integrated with vCenter Server. With vSphere Data Protection, you can manage backup jobs and store backups in deduplicated destination storage locations. After you deploy and configure vSphere Data Protection, you can access vSphere Data Protection by using the vSphere Web Client interface to select, schedule, configure, and manage backups and recoveries of virtual machines. During a backup, vSphere Data Protection creates a quiesced snapshot of the virtual machine. Deduplication is automatically performed with every backup operation.
For information about how to deploy and configure vSphere Data Protection, see the vSphere Data Protection Administration documentation.
70 VMware, Inc.
Page 71
Chapter 8 Configuration Use Cases and Troubleshooting

Back Up vRealize Orchestrator

You can back up your vRealize Orchestrator instance as a virtual machine.
You can export your database prior to the full VM backup. For information on how to export your database, see “Export the Orchestrator Database,” on page 40. If vRealize Orchestrator and the external database are on different machines, you must back up the database separately.
NOTE To ensure that all components of a VM in a single product are backed up together, store the VMs of your vRealize Orchestrator environment in a single vCenter Server folder and create a backup policy job for that folder.
Prerequisites
Verify that the vSphere Data Protection appliance is deployed and configured. For information about
n
how to deploy and configure vSphere Data Protection, see the vSphere Data Protection Administration documentation.
Use the vSphere Web Client to log in to the vCenter Server instance that manages your environment.
n
Log in as the user with administrator privileges that was used during the vSphere Data Protection configuration.
Procedure
1 On the vSphere Web Client Home page, click vSphere Data Protection.
2 Select your vSphere Data Protection appliance from the VDP appliance drop-down menu and click
Connect.
3 On the Getting Started tab, click Create Backup Job.
4 Click Guest Images to back up your vRealize Orchestrator instance and click Next.
5 Select Full Image to back up the entire virtual machine and click Next.
6 Expand the Virtual Machines tree and select the check box of your vRealize Orchestrator VM.
7 Follow the prompts to set the backup schedule, retention policy, and name of the backup job.
For more information about how to back up and restore virtual machines, see the vSphere Data Protection Administration documentation.
Your backup job appears in the list of backup jobs on the Backup tab.
8 (Optional) Open the Backup tab, select your backup job and click Backup now to back up your
vRealize Orchestrator.
NOTE Alternatively, you can wait for the backup to start automatically according to the schedule that you set.
The backup process appears on the Recent Tasks page.
The image of your VM appears in the list of backups on the Restore tab.
What to do next
Open the Restore tab and verify that the image of your VM is in the list of backups.
VMware, Inc. 71
Page 72

Restore a vRealize Orchestrator Instance

You can restore your vRealize Orchestrator instance on its original location or on a different location on the same vCenter Server.
If your vRealize Orchestrator and external database run on different machines, you must first restore the database and then the vRealize Orchestrator VM.
Prerequisites
Verify that the vSphere Data Protection appliance is deployed and configured. For information about
n
how to deploy and configure vSphere Data Protection, see the vSphere Data Protection Administration documentation.
Back up your vRealize Orchestrator instance. See “Back Up vRealize Orchestrator,” on page 71.
n
Use the vSphere Web Client to log in to the vCenter Server instance that manages your environment.
n
Log in as the user with administrator privileges that you used during the vSphere Data Protection configuration.
Procedure
1 On the vSphere Web Client Home page, click vSphere Data Protection.
2 Select your vSphere Data Protection appliance from the VDP appliance drop-down menu and click
Connect.
3 Open the Restore tab.
4 From the list of backup jobs, select the vRealize Orchestrator backup that you want to restore.
NOTE If you have multiple VMs, you must restore them simultaneously so that they are synchronized.
5 To restore your vRealize Orchestrator instance on the same vCenter Server, click the Restore icon and
follow the prompts to set the location on your vCenter Server where to restore your vRealize Orchestrator.
Do not select Power On, as the appliance must be the last component to be powered on. For information about how to back up and restore a virtual machine, see the vSphere Data Protection Administration documentation.
A message that states that the restore is successfully initiated appears.
6 (Optional) Power on your database hosts if they are external and restore your load balancer
configuration.
7 Power on the vRealize Orchestrator Appliance.
The restored vRealize Orchestrator VM appears in the vCenter Server inventory.
What to do next
Verify that vRealize Orchestrator is configured properly by opening the Validate Configuration page in Control Center.
72 VMware, Inc.
Page 73
Chapter 8 Configuration Use Cases and Troubleshooting

Disaster Recovery of Orchestrator by Using Site Recovery Manager

You must configure Site Recovery Manager to protect your vRealize Orchestrator. Secure this protection by completing the common configuration tasks for Site Recovery Manager.
Prepare the Environment
You must ensure that you meet the following prerequisites before you start configuring Site Recovery Manager.
Verify that vSphere 5.5 is installed on the protected and recovery sites.
n
Verify that you are using Site Recovery Manager 5.8.
n
Verify that vRealize Orchestrator is configured.
n

Configure Virtual Machines for vSphere Replication

To use Site Recovery Manager, you must configure the virtual machines for replication.
Procedure
1 In the vSphere Web Client, select Actions > All vSphere Replication Actions > Configure Replication.
2 In the Replication type window, select Replicate to a vCenter Server and click Next.
3 In the Target site window, select the vCenter for the recovery site and click Next.
4 In the Replication server window, select a vSphere Replication server and click Next.
5 In the Target location window, select the target location on the recovery site and click Next.
6 In the Replication options window, keep the default setting and click Next.
7 In the Recovery settings window, enter time for Recovery Point Objective (RPO) and Point in time
instances, and click Next.
8 In the Ready to complete window, verify the settings and click Finish.
9 Repeat these steps for all virtual machines on which vSphere Replication must be enabled.

Create Protection Groups

You create protection groups to enable Site Recovery Manager to protect virtual machines.
When you create protection groups, wait to ensure that the operations finish as expected. Make sure that Site Recovery Manager creates the protection group and that the protection of the virtual machines in the group is successful.
Prerequisites
Verify that you performed one of the following tasks:
Included virtual machines in datastores for which you configured array-based replication
n
Configured vSphere Replication on virtual machines
n
Performed a combination of some or all of the above
n
Procedure
1 In the vSphere Web Client, click Site Recovery > Protection Groups.
2 On the Objects tab, click the icon to create a protection group.
VMware, Inc. 73
Page 74
3 On the Protection group type page, select the protected site, select the replication type, and click Next.
Option Action
Array-based replication groups
vSphere Replication protection group
4 Select datastore groups or virtual machines to add to the protection group.
Option Action
Array-based replication protection groups
vSphere Replication protection groups
When you create vSphere Replication protection groups, only virtual machines that you configured for vSphere Replication and that are not already in a protection group appear in the list.
5 Review your settings and click Finish.
You can monitor the progress of the creation of the protection group on the Objects tab under Protection Groups.
Select Array Based Replication (ABR) and select an array pair.
Select vSphere Replication.
Select datastore groups and click Next.
Select virtual machines from the list, and click Next.
If Site Recovery Manager successfully applied inventory mappings to the protected virtual
n
machines, the protection status of the protection group is OK.
If Site Recovery Manager successfully protected all of the virtual machines associated with the
n
storage policy, the protection status of the protection group is OK.

Create a Recovery Plan

You create a recovery plan to establish how Site Recovery Manager recovers virtual machines.
Procedure
1 In the vSphere Web Client, select Site Recovery > Recovery Plans.
2 On the Objects tab, click the icon to create a recovery plan.
3 Enter a name and description for the plan, select a folder, then click Next.
4 Select the recovery site and click Next.
5 Select the group type from the menu.
Option Description
VM protection groups
Storage policy protection groups
The default is VM protection groups.
Select this option to create a recovery plan that contains array-based replication and vSphere Replication protection groups.
Select this option to create a recovery plan that contains storage policy protection groups.
NOTE If using stretched storage, select Storage policy protection groups for the group type.
6 Select one or more protection groups for the plan to recover, and click Next.
7 Click the Test Network value, select a network to use during test recovery, and click Next.
The default option is to create an isolated network automatically.
74 VMware, Inc.
Page 75
Chapter 8 Configuration Use Cases and Troubleshooting
8 Review the summary information and click Finish to create the recovery plan.

Organize Recovery Plans in Folders

You can create folders in which to organize recovery plans.
Organizing recovery plans into folders is useful if you have many recovery plans. You can limit the access to recovery plans by placing them in folders and assigning different permissions to the folders for different users or groups.
Procedure
1 In the Home view of the vSphere Web Client, click Site Recovery.
2 Expand Inventory Trees and click Recovery Plans.
3 Select the Related Objects tab and click Folders.
4 Click the Create Folder icon, enter a name for the folder to create, and click OK.
5 Add new or existing recovery plans to the folder.
Option Description
Create a new recovery plan
Add an existing recovery plan
6 (Optional) To rename or delete a folder, right-click the folder and select Rename Folder or Delete
Folder.
Right-click the folder and select Create Recovery Plan.
Drag and drop recovery plans from the inventory tree into the folder.
You can only delete a folder if it is empty.

Edit a Recovery Plan

You can edit a recovery plan to change the properties that you specified when you created it. You can edit recovery plans from the protected site or from the recovery site.
Procedure
1 In the vSphere Web Client, select Site Recovery > Recovery Plans.
2 Right-click a recovery plan, and select Edit Plan.
You can also edit a recovery plan by clicking the Edit recovery plan icon in the Recovery Steps view in the Monitor tab.
3 (Optional) Change the name or description of the plan in the Recovery Plan Name text box, and click
Next.
4 On the Recovery site page, click Next.
You cannot change the recovery site.
5 (Optional) Select or deselect one or more protection groups to add them to or remove them from the
plan, and click Next.
6 (Optional) Click the test network to select a different test network on the recovery site, and click Next.
7 Review the summary information and click Finish to make the specified changes to the recovery plan.
You can monitor the update of the plan in the Recent Tasks view.
VMware, Inc. 75
Page 76
76 VMware, Inc.
Page 77

Setting System Properties 9

You can set system properties to change the default Orchestrator behavior.
This chapter includes the following topics:
“Disable Access to the Orchestrator Client By Nonadministrators,” on page 77
n
“Setting Server File System Access for Workflows and JavaScript,” on page 78
n
“Set JavaScript Access to Operating System Commands,” on page 79
n
“Set JavaScript Access to Java Classes,” on page 80
n
“Set Custom Timeout Property,” on page 80
n

Disable Access to the Orchestrator Client By Nonadministrators

You can configure the Orchestrator server to deny access to the Orchestrator client to all users who are not members of the Orchestrator administrator group.
By default, all users who are granted execute permissions can connect to the Orchestrator client. However, you can limit access to the Orchestrator client to Orchestrator administrators by setting an Orchestrator configuration system property.
VMware, Inc.
IMPORTANT If the property is not configured, or if the property is set to false, Orchestrator permits access to the Orchestrator client by all users.
Procedure
1 Log in to Control Center as root.
2 Click System Properties.
3
Click the Add icon ( ).
4 In the Key text box enter com.vmware.o11n.smart-client-disabled.
5 In the Value text box enter true.
6 (Optional) In the Description text box enter Disable Orchestrator client connection.
7 Click Add.
8 Click Save changes from the pop-up menu.
A message indicates that you have saved successfully.
9 Restart the Orchestrator server.
77
Page 78
You disabled access to the Orchestrator client to all users other than members of the Orchestrator administrator group.

Setting Server File System Access for Workflows and JavaScript

Orchestrator limits access to the server file system from workflows and JavaScript to specific directories. You can extend access to other parts of the server file system by modifying the js-io-rights.conf Orchestrator configuration file.

Rules in the js-io-rights.conf File Permitting Write Access to the Orchestrator System

The js-io-rights.conf file contains rules that permit write access to defined directories in the server file system.
Mandatory Content of the js-io-rights.conf File
Each line of the js-io-rights.conf file must contain the following information.
A plus (+) or minus (-) sign to indicate whether rights are permitted or denied
n
The read (r), write (w), and execute (x) levels of rights
n
The path on which to apply the rights
n
Default Content of the js-io-rights.conf File
The default content of the js-io-rights.conf configuration file in the Orchestrator Appliance is as follows:
-rwx / +rwx /var/run/vco
-rwx /etc/vco/app-server/security/ +rx /etc/vco +rx /var/log/vco/
The first two lines in the default js-io-rights.conf configuration file allow the following access rights:
-rwx /
+rwx /var/run/vco
All access to the file system is denied.
Read, write, and execute access is permitted in the /var/run/vco directory.
Rules in the js-io-rights.conf File
Orchestrator resolves access rights in the order they appear in the js-io-rights.conf file. Each line can override the previous lines.
IMPORTANT You can permit access to all parts of the file system by setting +rwx / in the js-io-rights.conf file. However, doing so represents a high security risk.

Set Server File System Access for Workflows and JavaScript

To change which parts of the server file system that workflows and the Orchestrator API can access, modify the js-io-rights.conf configuration file. The js-io-rights.conf file is created when a workflow attempts to access the Orchestrator server file system.
Procedure
1 Log in to the Orchestrator Appliance Linux console as root.
2 Navigate to /etc/vco/app-server.
78 VMware, Inc.
Page 79
Chapter 9 Setting System Properties
3 Open the js-io-rights.conf configuration file in a text editor.
4 Add the necessary lines to the js-io-rights.conf file to allow or deny access to areas of the file system.
For example, the following line denies the execution rights in the /path_to_folder/noexec directory:
-x /path_to_folder/noexec
/path_to_folder/noexec retains execution rights, but /path_to_folder/noexec/bar does not. Both
directories remain readable and writable.
You modified the access rights to the file system for workflows and for the Orchestrator API.

Set JavaScript Access to Operating System Commands

The Orchestrator API provides a scripting class, Command, that runs commands in the Orchestrator server host operating system. To prevent unauthorized access to the Orchestrator server host, by default, Orchestrator applications do not have permission to run the Command class. If Orchestrator applications require permission to run commands on the host operating system, you can activate the Command scripting class.
You grant permission to use the Command class by setting an Orchestrator configuration system property.
Procedure
1 Log in to Control Center as root.
2 Click System Properties.
3
Click the Add icon ( ).
4 In the Key text box enter com.vmware.js.allow-local-process.
5 In the Value text box enter true.
6 In the Description text box enter a description for the system property.
7 Click Add.
8 Click Save changes from the pop-up menu.
A message indicates that you have saved successfully.
9 Restart the Orchestrator server.
You granted permissions to Orchestrator applications to run local commands in the Orchestrator server host operating system.
NOTE By setting the com.vmware.js.allow-local-process system property to true, you allow the Command scripting class to write anywhere in the file system. This property overrides any file system access permissions that you set in the js-io-rights.conf file for the Command scripting class only. The file system access permissions that you set in the js-io-rights.conf file still apply to all scripting classes other than
Command.
VMware, Inc. 79
Page 80

Set JavaScript Access to Java Classes

By default, Orchestrator restricts JavaScript access to a limited set of Java classes. If you require JavaScript access to a wider range of Java classes, you must set an Orchestrator system property to allow this access.
Allowing the JavaScript engine full access to the Java virtual machine (JVM) presents potential security issues. Malformed or malicious scripts might have access to all of the system components to which the user who runs the Orchestrator server has access. Consequently, by default the Orchestrator JavaScript engine can access only the classes in the java.util.* package.
If you require JavaScript access to classes outside of the java.util.* package, you can list in a configuration file the Java packages to which to allow JavaScript access. You then set the com.vmware.scripting.rhino-
class-shutter-file system property to point to this file.
Procedure
1 Create a text configuration file to store the list of Java packages to which to allow JavaScript access.
For example, to allow JavaScript access to all the classes in the java.net package and to the
java.lang.Object class, you add the following content to the file.
java.net.* java.lang.Object
2 Save the configuration file with an appropriate name and in an appropriate place.
3 Log in to Control Center as root.
4 Click System Properties.
5
Click the Add icon ( ).
6 In the Key text box enter com.vmware.scripting.rhino-class-shutter-file.
7 In the Value text box enter the path to your configuration file.
8 In the Description text box enter a description for the system property.
9 Click Add.
10 Click Save changes from the pop-up menu.
A message indicates that you have saved successfully.
11 Restart the Orchestrator server.
The JavaScript engine has access to the Java classes that you specified.

Set Custom Timeout Property

When vCenter Server is overloaded, it takes more time to return the response to the Orchestrator server than the 20000 milliseconds set by default. To prevent this situation, you must modify the Orchestrator configuration file to increase the default timeout period.
If the default timeout period expires before the completion of certain operations, the Orchestrator server log contains errors.
Operation 'getPropertyContent' total time : '5742228' for 1823 calls, mean time : '3149.0', min time : '0', max time : '32313' Timeout, unable to get property 'info' com.vmware.vmo.plugin.vi4.model.TimeoutException
80 VMware, Inc.
Page 81
Chapter 9 Setting System Properties
Procedure
1 Log in to Control Center as root.
2 Click System Properties.
3
Click the Add icon ( ).
4 In the Key text box enter com.vmware.vmo.plugin.vi4.waitUpdatesTimeout.
5 In the Value text box enter the new timeout period in milliseconds.
6 (Optional) In the Description text box enter a description for the system property.
7 Click Add.
8 Click Save changes from the pop-up menu.
A message indicates that you have saved successfully.
9 Restart the Orchestrator server.
The value you set overrides the default timeout setting of 20000 milliseconds.
VMware, Inc. 81
Page 82
82 VMware, Inc.
Page 83

Where to Go From Here 10

When you have installed and configured vRealize Orchestrator, you can use Orchestrator to automate frequently repeated processes related to the management of the virtual environment.
Log in to the Orchestrator client, run, and schedule workflows on the vCenter Server inventory objects
n
or other objects that Orchestrator accesses through its plug-ins. See Using the VMware vRealize Orchestrator Client.
Duplicate and modify the standard Orchestrator workflows and write your own actions and workflows
n
to automate operations in vCenter Server.
Develop plug-ins and Web services to extend the Orchestrator platform.
n
Run workflows on your vSphere inventory objects by using the vSphere Web Client.
n

Log In to the Orchestrator Client from the Orchestrator Appliance Web Console

To perform general administration tasks or to edit and create workflows, you must log in to the Orchestrator client interface.
The Orchestrator client interface is designed for developers with administrative rights who want to develop workflows, actions, and other custom elements.
VMware, Inc.
IMPORTANT Ensure that the clocks of the Orchestrator Appliance and the Orchestrator client machine are synchronized.
Prerequisites
Download and deploy the Orchestrator Appliance.
n
Verify that the appliance is up and running.
n
Procedure
1 In a Web browser, go to the IP address of your Orchestrator Appliance virtual machine.
http://orchestrator_appliance_ip
2 Click Start Orchestrator Client.
3 Type the IP or the domain name of the Orchestrator Appliance in the Host name text box.
The IP address of the Orchestrator Appliance is displayed by default.
4 Log in by using the Orchestrator client user name and password.
If you are using vRealize Automation authentication, vCenter Single Sign-On, or another directory service as an authentication method, type the respective credentials to log in to the Orchestrator client.
83
Page 84
5 In the Security Warning window select an option to handle the certificate warning.
The Orchestrator client communicates with the Orchestrator server by using an SSL certificate. A trusted CA does not sign the certificate during installation. You receive a certificate warning each time you connect to the Orchestrator server.
Option Description
Ignore
Cancel
Install this certificate and do not display any security warnings for it anymore.
You can change the default SSL certificate with a certificate signed by a CA. For more information about changing SSL certificates, see Installing and Configuring VMware vRealize Orchestrator.
What to do next
You can import a package, start a workflow, or set root access rights on the system.
Continue using the current SSL certificate.
The warning message appears again when you reconnect to the same Orchestrator server, or when you try to synchronize a workflow with a remote Orchestrator server.
Close the window and stop the login process.
Select this check box and click Ignore to install the certificate and stop receiving security warnings.
84 VMware, Inc.
Page 85

Index

A
add, certificate 66 additional configuration options 55 array based recovery plan, create 74 assign static IP 24 audience 7 authentication type 29 availability 17
B
back up, configuration 68 backing up Orchestrator 70
C
cancel running workflows, cancel workflow
IDs 67 cancel workflows 67 Certificate Authority 42 change Orchestrator appliance password 23 change the management site SSL certificate 67 check-pointing 9 Client Integration Plug-in, installing 21 cluster mode 45 collected information 50 Command scripting class 79 Commandline Tool 51 configuration
config files 57 database connection 37, 38 export configuration settings 56 import configuration settings 57 LDAP settings 33
configure virtual machines for vSphere
Replication 73 configuring
network settings 24 Orchestrator server 27
proxy settings 24 Configuring vCenter Single Sign-On 36 content, js-io-rights.conf file 78 Control Center 28 Control Center REST API 54 customer experience improvement 50 customer experience improvement program 50
D
database
connection parameters 38 import SSL certificate 38 installation 18 Oracle 18 server size 18 setup 18 SQL Server 18
SQL Server Express 18 database requirements 14 debug mode 68 debug logging 43 debugging 68 default ports
command port 28
data port 28
HTTP port 28
HTTPS port 28
LDAP port 28
LDAP with Global Catalog 28
LDAP with SSL 28
lookup port 28
messaging port 28
Oracle port 28
SMTP port 28
SQL Server port 28
vCenter API port 28
Web configuration HTTP access port 28
Web configuration HTTPS access port 28 deploy the Orchestrator appliance 22 dereference links 34 disable access to Orchestrator client 77 disable SSH login 24 disabling 50 download the Orchestrator appliance 22
E
enable SSH login 24 enable vSphere Replication 73 enabling 50 export database 40 Export Package Signing Certificate 43
VMware, Inc.
85
Page 86
F
F5 48 file system
access from workflows 78
set workflow access 78 filter attributes 34 filtering, Orchestrator log files 63 Finished Workflows, Workflow Logs 62
G
Generate Package Signing Certificate 43
H
hardware requirements, Orchestrator
Appliance 13
I
i18n support 15 ignore referrals 34 import database 40 Import Certificate to Trust Store 41 Import Package Signing Certificate 43 Inspect Workflows 62 installing
Client Integration Plug-in 21
plug-in 44 installing Orchestrator 21 internationalization 15
J
JavaScript 80 js-io-rights.conf file
content 78
rules 78
L
LDAP
browsing credentials 32
connection URL 31
LDAP Server Signing Requirements 30
lookup paths 33
SSL certificate 30 LDAP errors
525 34
52e 34
530 34
531 34
532 34
533 34
701 34
773 34
775 34 levels or rights, js-io-rights.conf file 78
live stream 63 Load balancer 46–48 local store, certificate 66 log files 63 log in to
Linux console 23
Orchestrator client 83 login 28 logs
non-persistent logs 61
persistent logs 61
M
maximum concurrent workflows 59 maximum pending workflows 59 Migrate configuration 58 Migrating Orchestrator Configuration 58 Migration 58 Migration tool 58
N
non-ASCII characters 15, 38 NSX 47
O
operating system commands, accessing 79 Orchestrator, register as an extension 65 Orchestrator appliance
change password 23
deploy 22
download 22
upgrade 25 Orchestrator Certificate 42 Orchestrator cluster, upgrade 26 Orchestrator plug-ins 12 Orchestrator version 14 Orchestrator API
file system access 78
js-io-rights.conf file 78 Orchestrator Appliance
hard disk 13
memory 13
system requirements 13 Orchestrator architecture 11 Orchestrator client, disable access 77
Orchestrator elements, back up 68 Orchestrator overview 9 Orchestrator server debugging 68 Orchestrator server restoring 71 Orchestrator server backing up 71 OS 14 overview of, vCenter Single Sign-On 35
86 VMware, Inc.
Page 87
Index
P
password 55 persistence 9 plug-ins, removing a plug-in 55 policy engine 9 power on 23 prepare the environment 73 protection groups
array-based replication 73 create 73 storage policy 73 vSphere Replication 73
R
recovery plan, to change properties of 75 recovery plans
add recovery plan to folder 75 create folders 75
rename folder 75 reinstall plug-ins 44 REST API
add a key 53
create a keystore 53
delete a keystore 53
delete SSL certificate 51
manage SSL certificate 51
SSL certificate import 52 restore Orchestrator 72 restore Orchestrator Server 72 restore Orchestrator VM 72 restoring Orchestrator 70 right denial, js-io-rights.conf file 78
right permission, js-io-rights.conf file 78 rules, js-io-rights.conf file 78
S
scalability 17 scenario 65 scripting
access to Java classes 80
accessing operating system commands 79
shutter system property 80 scripting engine 9 security 9 server certificate
CA-signed 40
exporting 42
self-signed 40, 42 server log
exporting 61
log level 61 server mode 45
services
starting 44 VMware vRealize Orchestrator Server 44
setup guidelines
directory services 17 LDAP server 17 vCenter Server 17
vCenter Single Sign-On 17 SSH login 24 SSL certificate 41 SSL Certificate 42 SSL certificates 66 SSL trust manager 51 system properties 59, 77, 80 system requirements
directory services 14
operating systems 13
Orchestrator Appliance 13
supported browsers 14
supported databases 14
T
timeout 80 timeouts 34 Trust store 41
U
Unregister Orchestrator Authentication 66 upgrading Orchestrator 21 use case 65 user permissions 29 user roles 11
V
vCenter Server 65 vCenter Single Sign-On, registration 37 versioning 9 virtual machine console, installing 21
VMware vRealize Orchestrator Server, installing
as Windows service 44 vRealize Automation authentication 35 vSphere authentication 36
W
what to do next 83 workflow engine 9
VMware, Inc. 87
Page 88
88 VMware, Inc.
Loading...
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use