Home Cloud & Networking VMware vRealize Orchestrator Cookbook - Second Edition

VMware vRealize Orchestrator Cookbook - Second Edition

By Daniel Langenhan
books-svg-icon Book
eBook $51.99 $35.99
Print $65.99
Subscription $15.99 $10 p/m for three months
$10 p/m for first 3 months. $15.99 p/m after that. Cancel Anytime!
What do you get with a Packt Subscription?
This book & 7000+ ebooks & video courses on 1000+ technologies
60+ curated reading lists for various learning paths
50+ new titles added every month on new and emerging tech
Early Access to eBooks as they are being written
Personalised content suggestions
Customised display settings for better reading experience
50+ new titles added every month on new and emerging tech
Playlists, Notes and Bookmarks to easily manage your learning
Mobile App with offline access
What do you get with a Packt Subscription?
This book & 6500+ ebooks & video courses on 1000+ technologies
60+ curated reading lists for various learning paths
50+ new titles added every month on new and emerging tech
Early Access to eBooks as they are being written
Personalised content suggestions
Customised display settings for better reading experience
50+ new titles added every month on new and emerging tech
Playlists, Notes and Bookmarks to easily manage your learning
Mobile App with offline access
What do you get with eBook + Subscription?
Download this book in EPUB and PDF formats, plus a monthly download credit
This book & 6500+ ebooks & video courses on 1000+ technologies
60+ curated reading lists for various learning paths
50+ new titles added every month on new and emerging tech
Early Access to eBooks as they are being written
Personalised content suggestions
Customised display settings for better reading experience
50+ new titles added every month on new and emerging tech
Playlists, Notes and Bookmarks to easily manage your learning
Mobile App with offline access
What do you get with a Packt Subscription?
This book & 6500+ ebooks & video courses on 1000+ technologies
60+ curated reading lists for various learning paths
50+ new titles added every month on new and emerging tech
Early Access to eBooks as they are being written
Personalised content suggestions
Customised display settings for better reading experience
50+ new titles added every month on new and emerging tech
Playlists, Notes and Bookmarks to easily manage your learning
Mobile App with offline access
What do you get with eBook?
Download this book in EPUB and PDF formats
Access this title in our online reader
DRM FREE - Read whenever, wherever and however you want
Online reader with customised display settings for better reading experience
What do you get with video?
Download this video in MP4 format
Access this title in our online reader
DRM FREE - Watch whenever, wherever and however you want
Online reader with customised display settings for better learning experience
What do you get with video?
Stream this video
Access this title in our online reader
DRM FREE - Watch whenever, wherever and however you want
Online reader with customised display settings for better learning experience
What do you get with Audiobook?
Download a zip folder consisting of audio files (in MP3 Format) along with supplementary PDF
What do you get with Exam Trainer?
Flashcards, Mock exams, Exam Tips, Practice Questions
Access these resources with our interactive certification platform
Mobile compatible-Practice whenever, wherever, however you want
BUY NOW $10 p/m for first 3 months. $15.99 p/m after that. Cancel Anytime!
eBook $51.99 $35.99
Print $65.99
Subscription $15.99 $10 p/m for three months
What do you get with a Packt Subscription?
This book & 7000+ ebooks & video courses on 1000+ technologies
60+ curated reading lists for various learning paths
50+ new titles added every month on new and emerging tech
Early Access to eBooks as they are being written
Personalised content suggestions
Customised display settings for better reading experience
50+ new titles added every month on new and emerging tech
Playlists, Notes and Bookmarks to easily manage your learning
Mobile App with offline access
What do you get with a Packt Subscription?
This book & 6500+ ebooks & video courses on 1000+ technologies
60+ curated reading lists for various learning paths
50+ new titles added every month on new and emerging tech
Early Access to eBooks as they are being written
Personalised content suggestions
Customised display settings for better reading experience
50+ new titles added every month on new and emerging tech
Playlists, Notes and Bookmarks to easily manage your learning
Mobile App with offline access
What do you get with eBook + Subscription?
Download this book in EPUB and PDF formats, plus a monthly download credit
This book & 6500+ ebooks & video courses on 1000+ technologies
60+ curated reading lists for various learning paths
50+ new titles added every month on new and emerging tech
Early Access to eBooks as they are being written
Personalised content suggestions
Customised display settings for better reading experience
50+ new titles added every month on new and emerging tech
Playlists, Notes and Bookmarks to easily manage your learning
Mobile App with offline access
What do you get with a Packt Subscription?
This book & 6500+ ebooks & video courses on 1000+ technologies
60+ curated reading lists for various learning paths
50+ new titles added every month on new and emerging tech
Early Access to eBooks as they are being written
Personalised content suggestions
Customised display settings for better reading experience
50+ new titles added every month on new and emerging tech
Playlists, Notes and Bookmarks to easily manage your learning
Mobile App with offline access
What do you get with eBook?
Download this book in EPUB and PDF formats
Access this title in our online reader
DRM FREE - Read whenever, wherever and however you want
Online reader with customised display settings for better reading experience
What do you get with video?
Download this video in MP4 format
Access this title in our online reader
DRM FREE - Watch whenever, wherever and however you want
Online reader with customised display settings for better learning experience
What do you get with video?
Stream this video
Access this title in our online reader
DRM FREE - Watch whenever, wherever and however you want
Online reader with customised display settings for better learning experience
What do you get with Audiobook?
Download a zip folder consisting of audio files (in MP3 Format) along with supplementary PDF
What do you get with Exam Trainer?
Flashcards, Mock exams, Exam Tips, Practice Questions
Access these resources with our interactive certification platform
Mobile compatible-Practice whenever, wherever, however you want
  1. Free Chapter
    Installing and Configuring Orchestrator
About this book
VMware vRealize Orchestrator is a powerful automation tool designed for system administrators and IT operations staff who are planning to streamline their tasks and are waiting to integrate the functions with third-party operations software. This book is an update to VMware vRealize Orchestrator Cookbook and is blend of numerous recipes on vRealize Orchestrator 7. This book starts with installing and configuring vRealize Orchestrator. We will demonstrate how to upgrade from previous versions to vRealize Orchestrator 7. You will be taught all about orchestrator plugins and how to use and develop various plugins that have been enhanced in Orchestrator 7. Throughout this book, you will explore the new features of Orchestrator 7, such as the introduction of the control center, along with its uses. You will also come to understand visual programming, how to integrate base plugins into workflows, and how to automate VMware. You will also get to know how to troubleshoot vRealize Orchestrator. By the end of this book, you will be able to get the most out of your Orchestrator installation, and will be able to develop complex workflows and create your own highly integrated automations of vRealize environments.
Publication date:
November 2016
Publisher
Packt
Pages
556
ISBN
9781786462787

 

Chapter 1. Installing and Configuring Orchestrator

In this chapter, we explore how to install and configure Orchestrator. We will be looking at the following recipes:

  • Deploying the Orchestrator appliance

  • Important Orchestrator settings

  • Configuring an external database

  • Configuring external authentication

  • Connecting to vCenter

  • Installing plugins

  • Updating Orchestrator

  • Moving from Windows to appliance

  • Orchestrator Client and 4K display scaling

 

Introduction


This chapter is dedicated to the configuration of Orchestrator and discusses how to set the tone for your Orchestrator deployment.

Until vRO 7, there were three different Orchestrator versions that one could use. The Windows-based installation (that was also automatically installed along with vCenter), the appliance, and the vRealize Automation integrated one. In vRO7, only the appliance and the vRealize Automation (vRA) integrated Orchestrator versions are left. All other versions have been discontinued.

If you still have a Windows version, you need to think about moving it to the appliance. Check out the recipe Moving from Windows to appliance in this chapter. You can currently still download and use the vRO 6.0.4 appliance or Windows version, however, you should consider updating.

Before the vRO appliance came along, the configuration of Orchestrator wasn't easy; therefore, not many people really used it. Now, the initial configuration is already done out of the box and people can start using Orchestrator directly without too much fuss. However, if one plans to use Orchestrator in a production environment, it is important to know how to configure it properly.

Licensing

One of the questions that I constantly hear from customers is about licensing of Orchestrator.

Orchestrator is licensed with vCenter or with vRealize Automation, if you own one of them, you own Orchestrator.

With vSphere, you need at least a vSphere Standard license to use Orchestrator. For vRO7, this means you either need vSphere 6 or vRA 7 license numbers. Although Orchestrator is available with the Essentials or Essentials Plus licensing, it operates in Player mode only. This limits your usage to executing existing workflows and prevents you from editing or creating them.

If you want to test Orchestrator you just need to get a vSphere trial license, which you can acquire over the VMware webpage.

vRealize Orchestrator 7 changes

There are huge differences between vRO versions 5.x, 6.x, and 7.x. The first and foremost is that in vRO7 the Configurator has been fully replaced by the new Control Center. The Control Center is an easy tool to use that does all the work of the Configurator and more. Trust me you are going to love it.

The other important thing is that LDAP as an authentication source for Orchestrator is now scheduled to be removed. It's still working with vRO7, but if you are currently using LDAP you need to start thinking about a change.

Speaking of authentication, vRO7 fully supports the vSphere Platform Services Controller architecture and the new vIDM that has been introduced with vSphere 6 and vRealize Automation 7.

The other important changes are in the network section:

  • HTTP 8280 now forwards to HTTPS 8281

  • HTTPS 8283 is now used for the Orchestrator Control Center

Orchestrator appliance basics

The vRO 7.1 appliance requires the following virtual resources:

CPU

2 vCPU with at least 2.0 GHz

Memory

6 GB

Disk Space

17 GB (1.5 GB thin)

Network

1 x NIC

1 x IP (DHCP possible)

vHardware

Version 7

The only change from the previous Orchestrator versions is that the memory has increased from 3 GB to 4 GB. Please note that this is the base appliance configuration, we will see how to change and improve the performance in the recipe Tuning the appliance that is in Chapter 2, Optimizing Orchestrator Configuration.

The same is true for the following table of Orchestrator limits. These limits are not hard limits and can be changed, we will discuss this in the recipe Control Center titbits in Chapter 2, Optimizing Orchestrator Configuration.

Maximal concurrent connected vCenters

20

Maximal concurrent connected ESXi hosts

1280

Maximal concurrent connected VM

35,000

Maximal concurrent running workflows

300

Last but not least, we have to discuss network security in detail and all the ports that need to be opened for Orchestrator to function. We will expand the list of ports when we start working with plugins, but these are the ones most commonly used:

Orchestrator and vRealize Automation (vRA)

The vRealize Automation (formerly vCloud Automation Center or vCAC) appliance is shipped with a preinstalled and preconfigured vRO. Orchestrator installed on vRA is already configured and works the way the normal Orchestrator appliance does.

The vRA integrated vRO is normally only used for small environments or test environments. If you are deploying vRA for a production, large, or even worldwide role, you should consider using a vRO cluster and/or a distributed Orchestrator design. We will discuss distributed design in more detail in Chapter 3, Distributed Design. We also discuss the vRA integrated appliance in more detail in Working with the vRA integrated Orchestrator in Chapter 13, Working with vRealize Automation.

 

Deploying the Orchestrator appliance


We will now deploy the Orchestrator appliance based on Linux. If you are using the vRA integrated Orchestrator, see the introduction to Chapter 13, Working with vRealize Automation.

Getting ready

We can deploy the Orchestrator appliance on either a vSphere environment or on a VMware workstation (or Fusion if you are a MAC user).

Have a quick look at the requirements in the introduction of this chapter.

How to do it...

In this recipe, we will learn how to download and deploy Orchestrator. We will configure it in a later recipe.

Download

  1. Navigate to http://vmware.com and select Downloads.

  2. Click on Download Product next to VMware vSphere or vRealize Automation.

  3. Look for VMware vRealize Orchestrator Appliance 7.1 and click on Go to Downloads.

  4. Look for the OVA file and click on Download Now.

Deploy

  1. Log into vCenter using the vSphere Web Client.

  2. Right-click on the cluster or ESXi server and select Deploy OVF Template....

  3. The Deploy OVF Template wizard starts. Select the OVA file you have downloaded and click Next.

  4. Accept the EULA and click Next.

  5. Select a name (or accept the default) as well as the vCenter folder for the Orchestrator appliance and click Next.

  6. Select the cluster or ESXi server or a resource pool for the Orchestrator appliance and click Next.

  7. Select the datastore you would like to deploy the Orchestrator appliance on and click Next.

  8. Select a network for the Orchestrator appliance and click Next.

  9. In the Customize template section, set a password for the root user.

  10. Enable SSH if you wish. This can be done later too. See the recipe Tuning the appliance in the next chapter.

  11. If you like, tick to join the Customer Experience Improvement program.

  12. Set a Hostname for the Orchestrator appliance.

  13. If you want to use a fixed IP, expand the Network Properties section, enter all IP related entries, and then click Next. If you want to use DHCP, just click on Next.

  14. Select to power on the VM after deployment and click on Finish.

  15. Wait until the VM has finished deploying and is powered on.

  16. Open the console of the Orchestrator appliance and wait until the install process has completed and the VM console shows the following screenshot:

Log in to the Orchestrator Client

  1. Open a browser and browse to the IP of the Orchestrator appliance (for example, http://192.168.220.12).

  2. Depending on your environment, you might need to accept the SSL certificate. You are now on the Orchestrator home page with several useful links to all important Orchestrator topics:

  3. To open up the Orchestrator Client, click on Start Orchestrator Client.

  4. Enter vcoadmin as user and vcoadmin as the password.

You are now logged into the Orchestrator Client.

Log into Control Center

Some of the next recipes need us to log into Control Center, here is how to do that:

  1. On the Orchestrator Home page click on Orchestrator Control Center.

  2. Enter the user root and the password you assigned during deployment.

How it works...

The Orchestrator appliance is a preconfigured Orchestrator installation that uses the following software:

  • SUSE Linux Enterprise Server (SLES) 11 Patch level 3

  • VMware-Postgres 9.4.5.0

  • ApacheDS LDAP 2.4.42

Everything is ready to run; however, no integration with vCenter or any external service is configured. The Orchestrator appliance comes with a 90-day evaluation license installed.

There's more...

If you want to deploy the Orchestrator appliance on VMware Workstation, the process of deploying the Orchestrator appliance differs from the one described in this recipe. Follow these steps instead:

  1. Use Windows Explorer to navigate to the downloaded .ova file.

  2. Double-click on the OVA file. VMware workstation opens up.

  3. Select a name and a path for the new VM and click on Import.

  4. Accept the EULA and wait until the VM is deployed.

  5. You might need to select a different network (for example, Host-Only) depending on your lab environment.

  6. Power on the VM and wait until the install pauses at the line indicated in this screenshot:

  7. Enter and confirm a new password for the root account.

  8. The installation will now continue. Wait until it has finished.

The appliance will start with a DHCP address from the workstation. To set a static IP, you will have to access the admin interface of the appliance.

See also

See the recipe Tuning the appliance in Chapter 2, Optimizing Orchestrator Configuration.

 

Important Orchestrator settings


The following is a small collection of things that one should do or at least know how to do. It includes licensing, certificates, and virtual hardware.

Getting ready

We just need a working Orchestrator as well as access to the Control Center.

How to do it...

There are several things you should do or at least know how to do.

Starting, stopping, and restarting the Orchestrator service

These are operations that have to be done quite often, so it's best to know how to do them:

  1. Open Control Center and click on Startup Options.

  2. You can see the current status of the Orchestrator service.

  3. Click on one of the action buttons.

  4. After choosing an action, wait until the status has changed.

Licensing

You can either enter a license key manually or connect to the vCenter Server or vRealize Automation to acquire the license.

Tip

If you are planning to use vSphere or vRealize Automation as an external authentication, you can skip this step as the licensing will be configured automatically.

If you change the database, you will need to redo the licensing:

  1. Open Control Center and click on Licensing.

  2. If you have an authentication provider configured (vSphere or VRA) then you can select vSphere License.

  3. If you used SSO or LDAP, you need to use Manual License. With vRO7 you will need to enter a vSphere 6 vCenter or vRealize Automation 7 License number.

  4. Click on Save.

Package Signing Certificate

The Packaging Signing Certificate signs all packages or exports. One is automatically generated with the Orchestrator's VMs Hostname. We will now show how to create a custom one:

  1. Open Control Center and click on Certificates.

  2. Click on Packaging Signing Certificate and then on Generate.

  3. Enter either personal information or information of the VM.

  4. Click on Generate.

  5. Restart the Orchestrator service.

Trusted SSL certificates

If your database or LDAP is secured with SSL, which by the way isn't such a bad idea, you will need to import the certificate into Orchestrator first. To do this, follow these steps:

  1. Open Control Center and click on Certificates.

  2. In the Trusted Certificates section click on Import.

  3. In Import from URL, enter https://Central.mylab.local.

  4. Click on Import.

For almost all VMware infrastructure the import of their certificate is integrated into the workflows and doesn't need to be done by hand anymore.

Force plugins reinstall

If you have changed the database, you will need to do this step in order for you to use all the workflows that come with the plugins.

  1. Open Control Center and stop the Orchestrator service.

  2. Return to the main Control Center page and click on Troubleshooting.

  3. At the end of the screen click on Force plug-ins reinstall.

  4. Wait until you see the green Operation started successfully.

  5. Start the Orchestrator service again.

When Orchestrator restarts, it installs all new plugins that exist, but as the plugins haven't changed in the versions before this, updating the database leads to this little problem.

How it works...

The settings we have just applied are important and need to be done in order to make Orchestrator production-ready.

The package signing, as well as the licensing, needs to be done only once, except if you intend to change the database.

Importing an SSL certificate is an action that we will encounter more often. Every time we want to establish a secure connection (SSL) between Orchestrator and another server, we first have to import this server's SSL certificate. However, most workflows in the current version of Orchestrator include an automatic import (most of the time).

See also

Have a look at the recipe Backup and recovery in Chapter 2, Optimizing Orchestrator Configuration, to learn how to export and import the configuration.

 

Configuring an external database


In this recipe, we will attach Orchestrator to an external database. The internal Orchestrator PostgreSQL is production-ready, however for certain designs, such as Orchestrator Cluster and large deployments we still require one.

Getting ready

We will need a database; the following databases are supported with vRO7:

  • Oracle 11g all editions - 64 bit

  • Oracle 12g/c all editions - 64 bit

  • SQL Server 2008 R1/R2 all editions - 64 bit

  • SQL Server 2012 R1/R2 all editions - 64 bit

  • PostgreSQL

You will need to create an empty database for Orchestrator, and you should also create a dedicated user account for Orchestrator to access the database.

If your database requires SSL, you will need to import the SSL certificate first; for this, see the How it works... section of this recipe.

Tip

When you replace the database, you will have to reconfigure the following items: Licensing and Packaging Signing Certificate.

How to do it...

In this example, we have added an MS-SQL database to Orchestrator. The other databases are not that much different.

The following information is needed for each type of database:

Database type

Oracle

SQL Server

PostgreSQL

Login

required

required

required

SSL

optional

optional

optional

Hostname

required

required

required

Port

1521 or custom

1433 or custom

5432 or custom

Database name

-

required

required

Instance

required

optional

-

Domain

-

optional

-

Use NTLMv2

-

optional

-

To configure a database, follow these steps:

My MS-SQL database is stored on the VM called Central.mylab.local.

  1. Open Control Center.

  2. Click on Configure Database.

  3. Select SQL Server for Microsoft SQL server.

  4. Fill in the required information. You only need to fill in the domain if you are using Windows authentication.

  5. Click on Save Changes.

  6. You are now asked to Update database.

  7. After updating, the screen returns to the following one. You have configured the external database. You may need to configure the licensing and Package Signing Certificate as they were stored in an internal PostgreSQL database. Additionally, you may need to force the re-installation of plugins:

How it works...

The Orchestrator database contains the entire configuration, workflows, workflow runs, events, runtime information, actions, and a lot more.

If you want to use your existing co-operation, backup, and restore procedures of your database or a database cluster for more security, an external database is a good idea.

Orchestrator comes with an embedded PostgreSQL database, which is rated for production for small and medium deployments by VMware and can be easily backed up using the Control Center or a cron script on the Linux console of the appliance. However, we still require a shared database for clustering; see the recipe Building an Orchestrator cluster in Chapter 3, Distributed Design.

Using the vCenter Server database for Orchestrator is not really a pretty solution. IT best practices dictate the usage of dedicated resources for production environments.

Sizing

Sizing is hard to predict. Each Workflow run consumes around 4 KB, and most objects (for example, vCenter Server object) require around 50 KB each. VMware recommends 1 GB for a production database. The good thing is that Orchestrator regularly runs clean-up jobs to reduce the database content. Also have a look at the recipe User preferences in Chapter 7, Interacting with Orchestrator, where we discuss certain properties that influence how much information is kept in the database.

Database roles

For the initial setup (and for updates), you should give the dedicated Orchestrator user the db_owner rights of the Orchestrator database.

For normal usage scenarios the Orchestrator user only requires db_dataread and db_datawrite rights.

Exporting and importing a database

If you are using the internal PostgreSQL or an external PostgreSQL database, you can use the Control Center to export as well as import the database content.

The export can include information on the last workflow runs as well as the logs.

See also the recipe Backup and recovery in Chapter 2, Optimizing Orchestrator Configuration.

Purging the Database

This sounds much harsher than it is. Purging means getting rid of stuff you may not need anymore and making the database a bit smaller.

Purging the database from time to time isn't such a bad idea, however, you can't be sure whether or not you will throw away stuff you might need. For example, workflow runs and logs can take up a lot of space after some time, but they may also be important. (for example, SOX compliance).

There's more...

Here are some things you might find useful.

Microsoft SQL

Giving the database the settings, ALLOW_SNAPSHOT_ISOLATION and READ_COMMITTED_SNAPSHOT, will reduce the possibility of deadlocks and is also a prerequisite for Orchestrator clusters. This can be done by running the following script on the SQL cluster:

ALTER DATABASE [vRO DB Name] SET ALLOW_SNAPSHOT_ISOLATION ON; GO; ALTER DATABASE [vRO DB Name] SET READ_COMMITTED_SNAPSHOT ON; GO; 

Oracle

The database should have NLS_CHARACTER_SET = AL32UTF8 set before you start allowing Orchestrator to build its tables.

To avoid an ORA-01450 error, it is important that you have the database block size configured in correspondence with your database index.

Internal PostgreSQL

To access the local DB (for example, for backups), you need the following information:

Database name

vmware

User

vmware

Password

vmware

The PostgreSQL install is protected to only allow local access to it. You'll find the installation in /var/lib/pgsql.

See also

The recipe Backup and recovery in Chapter 2, Optimizing Orchestrator Configuration.

 

Configuring external authentication


To use Orchestrator to its fullest possibilities we should configure it with an external authentication.

Getting ready

We need an up and running Orchestrator and access to the Control Center (root account). Also see, the recipe Deploying the Orchestrator appliance in this chapter.

You should have an AD/LDAP group for your Orchestrator Administrators with at least one user in it. I will use the AD group vroAdmins with its member vroAdmin and my domain is called mylab.local. My PSC/SSO is on vcenter.mylab.local.

If you are using AD/LDAP, then you need only to know the LDAP path to your vroAdmin user and group.

If you are using SSO or vSphere(PSC), you should either have configured SSO to use AD or created a local SSO group and user.

How to do it...

We are splitting the recipe into multiple parts, one for each authentication method.

vSphere (PSC) and vRealize Automation (vRA)

For both vSphere 6 and vRA7, the entry forms look alike and follow the same pattern. However, there are some really important considerations to take into account for both. Please see the How it works... section of this recipe.

To set either vSphere (PSC) or vRealize Automation (vIDM), follow these steps:

  1. Open the Control Center and click on Configure Authentication Provider.

  2. Choose vSphere or vRealize Automation.

  3. Enter the host name of your vSphere PSC or vRA.

  4. After clicking on Connect, you may need to accept the SSL certificate.

  5. You are now asked to enter the User name and Password of an SSO administrator.

  6. Clicking on Configure licenses will automatically configure Orchestrator licensing with the vCenter license.

  7. Enter the default tenant of your SSO and click on Register:

  8. After the registration, you are asked for the admin group. Enter the name of your admin group (or the first letters, such as vro) and click on Search.

  9. Select your admin group from the drop-down menu, such as mylab.local\vroAdmins. In vRA, there is a preconfigured group called vsphere.local\vcoAdminis.

  10. Click on Save Changes and restart the Orchestrator service.

SSO (legacy)

If you are using vRO7 with vSphere 5.5 (minimum update 2) you need to use the SSO configuration:

  1. Open the Control Center and click on Configure Authentication Provider.

  2. Choose SSO (legacy).

  3. Enter the following for Admin URL: https://vcenter.mylab.local:7444/sso-adminserver/sdk/vsphere.local.

  4. Enter the following for STS URL: https://vcenter.mylab.local:7444/sts/STSService/vsphere.local.

  5. Click on Save Changes.

  6. You will now need to accept the SSL certificate of your SSO server (not shown in the following picture).

  7. After you have accepted the certificate you will be asked to enter an SSO admin account and its password, followed by the Default tenant, which is vsphere.local for all 5.5 systems.

  8. Click on Register.

  9. If everything is fine you will now be asked to restart the Orchestrator service. However, we can ignore that for the moment:

  10. Now you need to choose admin group. Enter the name of your admin group (or the first letters, such as vro) and click on Search.

  11. Select your admin group from the drop-down menu, such as mylab.local\vroAdmins. SSO 5.5 has a preconfigured Orchestrator group called vcoAdministrators@vsphere.local.

  12. Click on Save Changes and restart the Orchestrator service again.

LDAP

Please note LDAP will be discontinued in further Orchestrator releases and should not be used anymore. Furthermore, using LDAP won't allow Orchestrator to use all its awesome features.

If you are using LDAP, you can choose from the In-process LDAP (ApacheDS), the built-in LDAP, Active Directory, or OpenLDAP.

Please note that LDAP entries are case sensitive. To configure Orchestrator with Active Directory, follow these steps:

  1. Open the Control Center and click on Configure Authentication Provider.

  2. Choose LDAP and then Active Directory.

  3. Enter the domain name of your AD and set the port to 389.

  4. As root, enter your domain in LDAP dc=mylab,dc=local.

  5. Enter the username in LDAP and then the password. Be mindful that in AD, the folder Users is not an OU but a CN, cn=vroAdmin,cn=Users,dc=mylab,dc=local.

  6. It is easiest to set the user and group lookup base to the root of your domain, for example, dc=mylab,dc=local. However, if your AD or LDAP is large, it might be better performance-wise to choose a different root.

  7. Enter the Orchestrator admin group in LDAP, cn=vroAdmins,cn=Users,dc=mylab,dc=local.

  8. Click on Save Changes.

  9. If everything is fine you will be asked to restart the Orchestrator service.

How it works...

Configuring Orchestrator to work with an external authentication enables AD users to log in to the Orchestrator Client. The alternative would be to either have only one user using it or adding users to the embedded LDAP. However, for a production Orchestrator, the embedded LDAP solution is not viable.

PSC/vIDM/SSO is a highly integrated part of vSphere, it can proxy multiple AD and/or LDAP domains and lets you integrate Orchestrator directly into vCenter as well as other corner pieces of VMware software offerings.

If you are using vSphere or vRealize Automation authentication, you have the additional benefit of having Orchestrator automatically licensed. If you are using LDAP or SSO you have to assign a license to Orchestrator.

When using SSO or vSphere, Orchestrator will register in SSO as a Solution User with the prefix vCO.

vRealize Automation and vSphere Authentication

The entry masks look the same, however, they are not. vSphere uses SSO and vRA 7 uses vIDM and those are very different beasts indeed.

When you register Orchestrator with vRealize Automation or you use the vRA embedded Orchestrator you will not be able to use a per-user session with vCenter as the SSO token and the vIDM token are incompatible at this time. I have been informed that the ability to configure the vRA embedded Orchestrator version will not be able to use PSC configuration anymore. The best way to solve this is to use a secondary Orchestrator.

Test login

With the test login, you can test if you can log on to Orchestrator using the Control Center:

If you get a reply in yellow saying Warning: The user does not have administrative rights in vRealize Orchestrator. Login to the Orchestrator client depends on the user view permissions, it means that the user has been found by Orchestrator but he is not a member of the Orchestrator admin group. See also, the recipe User management in Chapter 7, Interacting with Orchestrator.

Internal LDAP

The internal LDAP has the following preconfigured entries:

Username

Password

Group membership

vcoadmin

vcoadmin

vcoadmins

vcouser

vcouser

vcousers

The LDAP installation is protected to only allow local access to it. Using the internal LDAP is not recommended at all.

There's more...

Changing the Authentication Provider is quite easy. If you choose LDAP and now want to change it to something else, just select the new provider.

If you chose vSphere SSO or vRealize Automation you need to first unregister the existing Authentication Provider. To do this, follow these steps:

  1. Open the Control Center and click on Configure Authentication Provider.

  2. Click on Unregister and then enter the SSO admin's password and click Unregister.

  3. Now you can select another Authentication mode.

See also

Recipes in Chapter 11, Additional Plugins, depict which authentication is the most preferable for the plugins discussed there.

 

Connecting to vCenter


In this recipe, we connect Orchestrator to vCenter. This will allow Orchestrator to access vCenter objects as well as vSphere Web Client users to access Orchestrator workflows. For an Orchestrator used with vRA, you need to use the endpoint configuration, see the How it works... section.

Getting ready

We need a running Orchestrator that needs to be registered with vSphere (SSO or vRA works as well).

Tip

If you are planning to use a customer SSL certificate for your Orchestrator, then exchange the certificate before you continue here. See the recipe Configuring the Orchestrator service SSL certificate in Chapter 2, Optimizing Orchestrator Configuration.

You should consider having a technical user that is able to log into vCenter as a vCenter administrator as well as being a member of the Orchestrator admin group. Using a dedicated user will go in the right direction for automation, see the How it works... section. I will use my dedicated user,srv_vro@mylab.local.

Tip

Check out the VMware Product Interoperability Matrixes for the interaction with your vRO version and the vSphere Web Client. For example, vRO 7 will only work with vSphere Web Client 6, it will not work with 5.5.

How to do it...

To configure the vCenter connection we need to follow these steps:

  1. Open the Orchestrator Client with an Orchestrator Administrator.

  2. Start the workflow Library | vCenter | Configuration | Add a vCenter Server instance.

  3. Enter your vCenter FQDN.

  4. Select that you would like to orchestrate this instance as well and that you would like to accept SSL certificates even if they are self-signed.

    Tip

    Orchestrating a vCenter means that the content of the vCenter will show up in the Orchestrator Inventory and you can select and use it.

  5. Click on Next.

  6. Select No, meaning that you will use a technical user for the connection between Orchestrator and vCenter. This is also the recommended setting if you are using the vRA integrated Orchestrator.

  7. Enter a vCenter server administrative user or a technical user you specified, such as srv_vro@mylab.local and the password of that user.

  8. Click on Submit.

  9. Wait until the workflow is successfully finished.

  10. Start the workflow Library | vCenter | Configuration | Register vCenter Orchestrator as a vCenter Server Extension.

  11. Select your vCenter from the Orchestrator Library.

  12. If you have a load balancer or NAT between Orchestrator and vCenter, enter the external Orchestrator address here.

  13. Click on Submit.

  14. Now log in to the vSphere Web Client as a technical user.

  15. Navigate to vRealize Orchestrator | vRO Home | Summary. Your Orchestrator should be registered there.

For more information and usage, see the recipe Using Orchestrator through the vSphere Web Client in Chapter 7, Interacting with Orchestrator.

Well, there is that...

Sometimes the vSphere Web Client - Orchestrator integration doesn't work out-of-the-box after you have set it up. Here are some things to do in that case:

  • Check the VMware Product Interoperability Matrixes for interaction with your vRO version and the vSphere Web Client.

  • Use the same versions of vRO and vCenter. For example, vRO7.0.1 (or newer) doesn't integrate into vCenter 6.0U2 (or earlier) due to an SSL problem, it works fine with vCenter 6.0U3 (and newer). This is due to a change in encryption.

  • Have some patience. It may take some 15 minutes until the Web Client gets it (in a slow lab). The Web Client will continue to show the following error message: Error occurred while processing request. Check vSphere Web Client logs for details.

  • Restart the vSphere Web Client.

  • Check your vCenter logs. When you register an extension, a plugin is downloaded. In Orchestrator's case, the URL is:https://[Orchestrator IP]:8281/vco/vsphere-web-client/vco-plugin.zip.

  • Make sure that the vCenter user has access rights on Orchestrator (see the recipes User management and Using Orchestrator through the vSphere Web Client in Chapter 7, Interacting with Orchestrator).

  • Unregister all Orchestrator extensions using the MOB and then try again. See kb.vmware.com/kb/1025360 .

  • If you use a cluster, you need to use the external address. The register workflow registers the Orchestrator extension with its IP: https://[Loadbalancer_Address]:8281. Also see the recipe Load-balancing Orchestrator in Chapter 3, Distributed Design.

How it works...

Since vCenter Server 5.1, vSphere Web Client is (or better, should be) the main method to access vCenter. Orchestrator completely integrates with vSphere Web Client, making it possible for Orchestrator workflows to be executed directly from vSphere Web Client.

Access, rights, and logging

The access from Orchestrator to vCenter works with the technical user we used to make the connection.

When a workflow is started from Orchestrator, vCenter will log the user who started the workflow but the execution of the workflow will be logged with the technical user.

For a vSphere Web Client user to be able to start a workflow they need to have access to Orchestrator. Either they need to be a member of the Orchestrator admin group or they need non-administrative access.

Technical user

The idea of a technical user is to use a dedicated user that connects between Orchestrator and vCenter. This technical user would be a full vCenter admin. The alternative is to use a per-user base, which means that each user uses his/her vCenter rights to run workflows. The difference is that we either need to set rights and roles throughout vCenter for different users/groups or we create good workflows and security in Orchestrator.

vRA, Orchestrator, and vCenter

As we already discussed in the recipe Configuring external authentication in this chapter, the difference between vSphere and vRealize Automation authentication, namely SSO or vIDM. When you configure an Orchestrator, especially for vRA, you should not configure the vCenter plugin but use the endpoints, as we show in the recipe Adding Orchestrator, as an infrastructure endpoint in the final chapter.

See also

To learn more about the Orchestrator user management, see the recipe User management in Chapter 7, Interacting with Orchestrator.

To configure the Orchestrator workflows in vSphere Web Client, see the recipe Using Orchestrator through the vSphere Web Client in Chapter 7, Interacting with Orchestrator.

 

Installing plugins


In this recipe, we will learn how to install plugins for Orchestrator. Configuration and programming-related topics are discussed in Chapter 9, Essential Plugins, Chapter 10, Built-in Plugins, and Chapter 11, Additional Plugins.

Getting ready

We need an Orchestrator server installed and running, as well as access to the Orchestrator Control Center.

Please see the introduction to Chapter 11, Additional Plugins, for information on where to obtain plugins.

Please note that when you download a plugin, your download should contain a .vmoapp or .dar file. A ZIP file needs to be unpacked/unzipped first.

How to do it...

We will now install a new plugin. I will use the Autodeploy plugin:

  1. Open the Orchestrator Control Center.

  2. Click on Manage Plug-Ins.

  3. Click on Browse and select the .vmoapp file you downloaded, then click Install:

  4. Accept EULA and click on Install.

  5. Restart the Orchestrator service.

How it works...

Orchestrator becomes more exciting with additional plugins, such as plugins from VMware and other vendors. The current version of vRO (7.1) comes with quite a few plugins already installed, such as the following:

AD 3.0.2 4209033

AMQP 1.0.4.3217705

Configurator 7.0.1.3533702

DynamicTypes 1.2.0.426821

Enums 7.0.1. .3767915

Library 7.0.1.3767915

Mail 7.0.1. 3767915

Net 7.0.1. 3767915

PowerShell 1.0.9.3895915

REST 2.0.1.4157277

SNMP 1.0.3.3767921

SOAP 2.0.0.4147531

SQL 1.1.4.4009493

SSH 7.0.1.3430925

VAPI 7.1.04262825

VC 6.5.0.4132889

VCO 7.1.0.4262825

Workflow documentation 7.1.3767915

XML 7.0.1.3767915

vCAC 7.1.0.4147052

vCACCafe 7.1.0.4176993

We will discuss how to use most of these plugins in Chapter 9, Essential Plugins and Chapter 10, Built-in Plugins.

Plugins make Orchestrator the great product that it is and create a variety of possibilities. If there isn't a plugin for a system, think outside the box. For instance, you can connect Orchestrator to Microsoft System Center Virtual Machine Manager (SCVMM) via SOAP, to Red Hat Satellite using REST, or to your Docker using SSH.

Last but not least, you can create your own plugins. There is an Orchestrator plugin SDK guide that is dedicated to the creation of plugins. See the developer documentation for Orchestrator.

Plugin log level

With vRO7.1, you are now able to define a log level for each plugin. The log level ranges from DEFAULT to OFF:

Updating plugins

To update a plugin, just download the new version and deploy it as shown in this recipe. The plugin will be updated.

Disabling and uninstalling plugins

You can switch off plugins by de-selecting the Enable plug-in check box. Uninstalling plugins isn't that straightforward and should only be done if you have no other choice, there is a KB that shows how:

kb.vmware.com/kb/2064575 .

See also

The introduction of Chapter 11, Additional Plugins gives information where you can find plugins and show how to use some of these.

 

Updating Orchestrator


Here we will describe the update process for the Orchestrator appliance as well as the best way to get from 5.x or 6.x to 7. As a Windows install isn't supported in 7 anymore, please see the recipe Moving from Windows to appliance in this chapter. If you are updating a cluster, please see the recipe Upgrading a cluster in Chapter 3, Distributed Design first.

Getting ready

We need an older version of Orchestrator as well as access to a VMWare webpage.

How to do it...

There are two methods for updating the appliance. First there is updating via an ISO file and second, directly accessing the update repository.

Tip

Before you start updating

Make sure you have a backup or at least a snapshot of the Orchestrator VM. If you are using an external database, make a backup of the DB as well.

Using an ISO file

Follow these steps if you wish to use the ISO file.

  1. Open vmware.com in your web browser and then click on Download and vSphere.

  2. Look for VMware vRealize Orchestrator Appliance and click on Go to Downloads.

  3. At the very end of the download, you should find the .iso Update Repository Archive. Click on Download now.

  4. After the download has finished, go to your vCenter and mount the image to the Orchestrator appliance.

  5. Browse to the Orchestrator backend: https://[Orchestrator]:5480

  6. Navigate to Update | Settings.

  7. Continue with Apply the Update.

Using the VMware repository

Follow these steps if you wish to use the VMware repository. Your Orchestrator needs a HTTPS connection to the VMware website ( vmware.com )

  1. Open a web browser and browse to the Orchestrator backend: https://[Orchestrator]:5480.

  2. Navigate to Update | Settings.

  3. Continue with Apply the Update.

Applying the update

After we have the update source in place, we can finally update the appliance.

  1. From where we left off, click on Check Updates.

  2. You should now see the version you'd like to upgrade to if that's not the case check the source of the update (for example, ISO file or iNET connection).

  3. Click on Install Updates:

  4. Accept the EULA and acknowledge you would like to update with OK.

  5. The update process will take some time. Wait until Orchestrator tells you: System reboot is required to complete the update.

  6. Reboot the Orchestrator appliance.

  7. After the reboot, access the Control Center and check that everything is fine.

How it works...

The update process of Orchestrator is pretty simple and straightforward. All versions have the default repository configured and with Internet access, you can use it directly.

Before you update, you should always read the release notes of the newest Orchestrator release to see if there are any problems you might encounter. The update from 5.5 or 6.x to 7 is pretty easy and just requires the newest 7 ISO.

Tip

If you are upgrading from 5.5 or 6 to 7 you might want to change the authentication to vsphere to make use of the vSphere 6 features.

In the Update | settings, there is also the ability to automatically check for updates as well as to automatically check and install updates. I personally wouldn't use the feature in any production setting; an update should always be a controlled process.

Tip

After an upgrade, you need to check your workflows. I have had several cases where a method, a standard library workflow, or a plugin wasn't working the same anymore. If you find something like that please report it to VMware so they can fix it in the next release.

There's more...

If your Orchestrator has no Internet connection but you would still like to use the repository feature and you have a web server (for example IIS), you can do the following:

  1. Download the .zip Update Repository Archive from vmware.com .

  2. Unpack the ZIP file. After unpacking, copy the contents of the following directory into the web server so that it can be accessed using http(s)\build\mts\release\bora-3571217\publish\exports\Update_Repo.

  3. The web server should now contain two folders; manifest and package-pool. Make sure that the folders are browseable and that they are accessible. In IIS you might need to add the .sig and .sha265 file type as a text/scriptlet MIME type.

  4. Open a web browser and browse to the Orchestrator backend: https://[Orchestrator]:5480.

  5. Navigate to Update | Settings.

  6. Select Use Specified Repository and enter your web server URL into Repository URL and, if needed, the subdirectory where the patch files are located.

  7. Now just follow the recipe to update from the repository.

See also

The recipe Upgrading a Cluster in Chapter 3, Distributed Design.

 

Moving from Windows to appliance


With vRO 7, the Windows install of Orchestrator doesn't exist anymore. This recipe discusses how to move an existing Windows Orchestrator installation to the appliance.

Getting ready

We need an Orchestrator installed on Windows.

Download the same version of the Orchestrator appliance as you have installed in the Windows version. If needed, upgrade the Windows version to the latest possible one.

How to do it...

There are three ways; using the migration tool, repointing to an external database, or exporting/importing the packages.

Migration tool

There is a migration tool that comes with vRO7 that allows you to pack up your vRO5.5 or 6.x install and deploy it into a vRO7. The migration tool works on Windows and Linux. It collects the configuration, the plugins, as well as their configuration certificates, and licensing into a file. Follow these steps to use the migration tool:

  1. Deploy a new vRO7 appliance.

  2. Log in to your Windows Orchestrator OS.

  3. Stop the VMware vCenter Orchestrator Service (Windows services).

  4. Open a web browser and log into your new vRO7 - Control Center and then go to Export/Import Configuration.

  5. Select Migrate Configuration and click on the here link. The link points to: https://[vRO7]:8283/vco-controlcenter/api/server/migration-tool .

  6. Stop the vRO7 Orchestrator service.

  7. Unzip the migration-tool.zip and copy the subfolder called migration-cli into the Orchestrator director, for example, C:\Program Files\VMware\Infrastructure\Orchestrator\migration-cli\bin\.

  8. Open a command prompt.

  9. If you have Java installed, make sure your path points to it. Try java -version. If that works, continue, if not, do the following:

  10. Set the PATH environment variable to the Java install that comes with Orchestrator, set PATH=%PATH%;C:\Program Files\VMware\Infrastructure\Orchestrator\Uninstall_vCenter Orchestrator\uninstall-jre\bin

  11. CD to the directory ..\Orchestrator\migration-cli\bin.

  12. Execute the command; vro-migrate.bat export. There may be errors showing about SLF4J; you can ignore those.

  13. In the main directory (..\Orchestrator) you should now find an orchestrator-config-export-VC55-[date].zip file.

  14. Go back to the web browser and upload the ZIP file into Migration Configuration by clicking on Browse and selecting the file.

  15. Click on Import. You can now see what can be imported. You can unselect the items you don't wish to migrate. Click Finish Migration.

  16. Restart the Orchestrator service.

  17. Check the settings.

External database

If you have an external database, things are pretty easy. For using the initial internal database, please see the additional steps in the There's more... section of this recipe.

  1. Backup the external database.

  2. Connect to the Windows Orchestrator Configurator.

  3. Write down all the plugins you have installed as well as their version.

  4. Shut down the Windows version and deploy the appliance, this way you can use the same IP and Hostname if you want.

  5. Log into the appliance version's Configurator.

  6. Stop the Orchestrator service

  7. Install all plugins you had in the Windows version.

  8. Attach the external database.

  9. Make sure that all trusted SSL certificates are still there, such as vCenter and SSO.

  10. Check if the authentication is still working. Use the test login.

  11. Check your licensing.

  12. Force a plugin reinstall (Troubleshooting | Reinstall the plug-ins when the server starts).

  13. Start the Orchestrator service and try to log in.

  14. Make a complete sanity check.

Package transfer

This is the method that will only pull your packages across. This the only easy method to use when you are transitioning between different databases, such as between MS SQL and PostgreSQL:

  1. Connect to your Windows version

  2. Create a package of all the workflows, actions, and other items you need.

  3. Shut down Windows and deploy the appliance.

  4. Configure the appliance with DB, authentication, and all the plugins you previously had.

  5. Import the package.

How it works...

Moving from the Windows version of Orchestrator to the appliance version isn't such a big thing. The worst-case scenario is using the packaging transfer. The only really important thing is to use the same version of the Windows Orchestrator as the appliance version. You can download a lot of old versions, including 5.5, from www.vmware.com . If you can't find the same version, upgrade your existing vCenter Orchestrator to one you can download.

After you have transferred the data to the appliance, you need to make sure that everything works correctly, and then you can upgrade to vRO7.

There's more...

When you just run Orchestrator from your Windows vCenter installation and don't configure an external database, then Orchestrator uses the vCenter database and mixes the Orchestrator tables with the vCenter tables. In order to only export the Orchestrator ones, we will use the MS SQL Server Management Studio (free download from www.microsoft.com called Microsoft SQL Server RTM).

To transfer only the Orchestrator database tables from the vCenter MS-SQL to an external SQL, do the following:

  1. Stop the VMware vCenter Orchestrator Service (Windows Services) on your Windows Orchestrator.

  2. Start the SQL Server Management Studio on your external SQL server.

  3. Connect to the vCenter DB. For SQL Express, use [vcenter]\VIM_SQLEXP with Windows Authentication.

  4. Right-click on your vCenter Database (SQL Express: VIM_VCDB) and select Tasks | Export Data.

  5. In the wizard, select your source, which should be the correct one already, and click Next.

  6. Choose SQL Server Native Client 10.0 and enter the name of your new SQL server. Click on New to create a new database on that SQL server (or use an empty one you created already). Click Next.

  7. Select Copy data from one or more tables or views and click Next.

  8. Now select every database which starts with VMO_ and then click Next.

  9. Select Run immediately and click Finish.

Now you have the Orchestrator database extracted as an external database. You still need to configure a user and rights. Then proceed with the External database section in this recipe.

 

Orchestrator Client and 4K display scaling


This recipe shows a hack to make the Orchestrator Client scale on 4K displays.

Getting ready

We need to download the program Resource Tuner ( http://www.restuner.com/ ). The trial version will work, however, consider buying it if it works for you.

You need to know the path to your Java installation, it should be something like this:

C:\Program Files (x86)\Java\jre1.x.xx\bin\.

How to do it...

Before you start....

Tip

Please be careful as this impacts your whole Java environment. This worked very well for me with Java 1.8.0_91-b14.

  1. Download and install Resource Tuner.

  2. Run Resource Tuner as administrator.

  3. Open the file javaws.exe in your Java directory.

  4. Expand manifest and then click on the first entry (the name can change due to localization).

  5. Look for the line <dpiAware>true</dpiAware>.

  6. Exchange the true for a false

  7. Save and exit.

  8. Repeat the same for all the other java*.exe in the same directory as well as j2launcher.exe.

  9. Start the Client.jnlp (the file that downloads when you start the web application).

How it works...

In Windows 10 you can set the scaling of applications when you are using high definition monitors (4K displays).

What you are doing is telling Java that it is not DPI aware, meaning that it will use the Windows 10 default scaler, instead of an internal scaler.

There's more...

For any other application, such as Snagit or Photoshop, I found that this solution works quite well:

http://www.danantonielli.com/adobe-app-scaling-on-high-dp .

About the Author
  • Daniel Langenhan

    Daniel Langenhan is a Virtualisation expert with formidable skills in Architecture, Design and Implementation for large multi-tier systems. His experience and knowledge of process management, enterprise-level storage, Linux and Windows operation systems has made him and his business a highly sought after international consultancy in the Asia-Pacific and European regions for multinational clientele in the areas of Finance, Communication, Education and Government. Daniel has been working with VMware products since 2002 and is directly associated with VMWare since 2008. His proven track record of successful integrations of Virtualisation into different business areas while minimizing cost and maximizing reliability and effectiveness of the solution for his clients. Currently, Daniel is operating in the Europe and Asia-Pacific region with his company vLeet GmbH and Melbourne Business Boosters Pty Ltd. Daniel's expertise and practical approach to VMWare has resulted in the publication of the following books: Instant VMware vCloud Starter, Packt Publishing VMware View Security Essentials, Packt Publishing VMware vCloud Director Cookbook, Packt Publishing VMware vRealize Orchestrator Cookbook, Packt Publishing VMware vRealize Orchestrator Essentials, Packt Publishing He has also lent his expertise to many other publishing projects as a Technical Editor.

    Browse publications by this author
Latest Reviews (2 reviews total)
great book easy to read and very informative
An excellent book with detailed contents about vRealize Orchestrator.
VMware vRealize Orchestrator Cookbook - Second Edition
Unlock this book and the full library FREE for 7 days
Start now