vCloud Director 8: Configure logging to vRealize Log insight

With the recent release of the vCloud Director content pack (v8.4) for vRealize log insight I thought I would put the steps here for how to get this configured.

There are 2 methods to get the logs forwarded to your vRLI server.

  1. log4j. Setting an additional logger in VCD file.
  2. Loginsight Agent installed on

Steps to configure Log4j:

  • Logging is normally handled by log4j with configuration file /$VCLOUD_HOME/etc/
  • Login to Cell with SSH.
  • Change to directory /$VCLOUD_HOME/etc/
  • Make backup copy of
    • cp
  • Open the file in a text editor and add the following lines, where syslog-host-fqdn is the FQDN of your syslog host and port is an optional port number. If no port number specified then will default to 514.
    • log4j.appender.vcloud.system.syslog.syslogHost=syslog-host-fqdn:port
  • Modify this line to add the vCloud Director syslog appenders:

    • log4j.appender.vcloud.system.syslog.facility=LOCAL1, log4j.rootLogger=ERROR, vcloud.system.debug,, vcloud.system.syslog
  • Specify the logger pattern
    • #log4j.appender.vcloud.system.syslog.layout=com.vmware.vcloud.logging.layout.CustomPatternLayout
    • log4j.appender.vcloud.system.syslog.layout.ConversionPattern=%d{ISO8601} | %-8.8p | %-25.50t | %-30.50c{1} | %m | %x%n
    • log4j.appender.vcloud.system.syslog.threshold=INFO
  • Save file
  • Restart Cell  (yes not ideal, so therefore my reason to recommended log inisght agent)
    • service vmware-vcd restart
  • Repeat on each cell

Steps to configured Log Insight agent: (recommended)

  • Install the content pack which is pretty straight forward through the marketplace.
  • Verify the agent group for vCloud Director is available after installation.
  • Select the agent group and select copy template.
  • Provide new name.
  • Create filter that limits your specific vCD Cells by either selecting the hostname or IP address to filter by.
  • Save
  • Install the LI agent on each vCD cell
    • Download the agent
      • Administration -> Management -> Agents
      • At bottom on page you can download the agent
    • Copy the Linux RPM file to tmp folder on vCD cell. Good tool to use is WinSCP.
    • Install agent
      • rpm – U VMware-Log-Insight-Agent-3.3.1-3636434.noarch_10.10.30.74.rpm
    • Since we downloaded the agent directly from our log insight server the liagent.ini should already be populated with your server IP Address.  This can be verified by reviewing the ini file and looking for hostname entry. cat /etc/liagent.ini
  • You will now see the agent in log insight server. Verify that the agent is filtered correctly for you vCD Active group.



vCloud Director 8: vCenter Server status error

Had issue this week come up where vCloud Director is unable to communicate with vCenter server.  I had this many years ago but seems to be still relevant in vCD-SP8 so thought just write up about it with reference to good information:

In my environment this caused template deployments to fail with “Cannot retrieve list of the supported Operating Systems from Provider VDC “PVDC”. Please ensure vCenter is connected and available.”


After reviewing vCenter Server vSphere resource under Manage and Monitor I found that vCenter is not connected.
KB 1035506 from VMware documents this issue but request that you call support to get this resolved.

The issue seems to be related to quart table and I am not going to get into much details here since Jason Boche wrote a nice detailed article how the problem comes about and how to resolve it.

vCloud Director 8: Wildcard certificate

I have a wildcard.pfx certificate which I need to use in my vCD instance.  Here are the steps to convert the certificate and import into vCD:

  1. Convert the pfx to pem:
    1. openssl pkcs12 -in certificate.pfx -out certificate.cer –nodes
  2. Extract the private key from the certificate.cer.
    1. copy from —–BEGIN PRIVATE CERTIFICATE—–
    2. to end of —–END PRIVATE CERTIFICATE—–
    3. Create new file called certificate.key and paste
  3. Recreate pfx and set alias for http
    1. openssl pkcs12 -export -in certificate.cer -inkey certificate.key -name http -passout pass:yourpassword -out http.pfx
  4. Recreate pfx and set alias for consoleproxy
    1. openssl pkcs12 -export -in certificate.cer -inkey certificate.key -name consoleproxy -passout pass:yourpassword -out consoleproxy.pfx
  5. Import the 2 PKCS12 keystores into Java keystore using keystore
    1. ./keytool -importkeystore -srckeystore http.pfx -srcstoretype PKCS12 -destkeystore certificate.ks -deststoretype JCEKS -deststorepass yourpassword -srcalias http -destalias http -srcstorepass yourpassword
    2. ./keytool -importkeystore -srckeystore consoleproxy.pfx -srcstoretype PKCS12 -destkeystore certificate.ks -deststoretype JCEKS -deststorepass yourpassword -srcalias consoleproxy -destalias consoleproxy -srcstorepass yourpassword
  6. Now import the root and intermediate certificates (if any) to the same keystore
    1. ./keytool -importcert -alias root -file GeoTrust_Global_CA.cer -storetype JCEKS -keystore certificate.ks -storepass yourpassword
    2. keytool -importcert -alias intermediate -file RapidSSL.cer -storetype JCEKS -keystore certificate.ks -storepass yourpassword
To replace it your can read my previous blog post

vCloud Director 8: Replace certificates

I currently have some self signed certificates on my vCloud Director 8 installation and want to update them with new certificates.  Here are the simplified steps to get this accomplished:

Firstly you need to create 2 certificates for each member of the group (cell) and import the certificates into host keystores.  Each vCD has 2 IP address which allows support for 2 different SSL endpoints(http and consoleproxy).  Each endpoint requires its own SSL certificate.

Requirements for cert include an X.500 distinguished name, while Subject Alternative Name is not necessary.

Replace certificate using vCD configuration script:
this process will also validate the db connection and prompt for SSL certificate and skips all other.

  1. SSH to vCD cell
  2. Stop the vCD services
    1. service vmware-vcd stop
  3. Run the configuration
    1. /opt/vmware/vcloud-director/bin/configure
    2. Specify full path to java keystore that holds the new certificates
    3. Provide keystore and certificate password
This will replace the certificates and restart the vCD services.
Certificates command of the cell management tool automates process replace certificates in JCEKS keystore.
  1. # cd /opt/vmware/vcloud-director/bin
  2. # ./cell-management-tool certificates -j -p -k /tmp/.ks -w kspw
  3. Restart the cell for changes to take affect.
    1. # service vmware-vcd restart

vCloud Director 8 – what’s new

I finally got around to installing vCD-SP 8 and here are my finding on what’s new and upcoming.

  • Support for vCenter 6.0
    • ESXi and vCSA 6.0 U1 is a big advantage to 5.5 and allow SP’s to take advantage of new features and optimization provided with 6.
  • Support for NSX 6.2 and 6.2.1!
    • This allows connection to a NSX manager instead of a vShield Manager appliance in backward compatibility mode.
    • When using NSX manager the VSE is deployed with version 5.5.4-2673026
  • vDC template
    • Create Organization specific virtual datacenter templates with pre-set resources delegation rule-set.  Have not tested this but provide some feedback later. 
  • vApp enhancements
    • Reconfigure of VMs within a vApp.
    • Reconfigure of networking connectivity and capabilities during creation.
    • I have not seen anything from a UI perspective on this but seems to be more under the cover work through API.  
  • oAuth for identify source
    • tokens now supported.
  • Tenant throttling
    • This prevents noisy tenants from consuming all the resources of a single instance.
    • Helps ensure fairness of execution and scheduling of among tenants

As mentioned in previous blog VMware did post about new UI changes coming to vCD-SP in 2016 and the following advanced networking selections seems to indicate this.  I did again not find anything in documentation on these menu selections but hopefully seem some of vCloud Air features soon:


vCloud Director 8 – Failed to create external network as port group dvportgroup-XXX or its VLAN ID XXX is in use

I just received the following error in my lab when i tried to create a new external network.  This seems to be a known issue in vCD 5.1 & 5.5 but has not been resolved in v8.

I did not delete any port groups or VSE’s directly from vCenter server so assume the database was not successfully delete when i removed external networks.

VMware provides a comprehensive KB article on this so not going to get into to much details but solution is to remove the stale entries from Resource_Assignment table in the database.

KB: 2042474


vCloud Director 8: UI, then and what now?

Just more than a month ago we were given very exciting news from the vCloud team regarding further limited enhancements to the UI of vCD-SP for 2016.

// How things can change within a month:

 Lets hope that none of these recent activities has any impact on the vCD-SP UI announcements but only time will tell…