vRA & SovLabs: Installing the plugin modules

As mentioned in my initial blog post on SovLabs, you would have to create custom code in vRO to support the automation of many of the additional steps like custom naming, IPAM, DNS, AD, Load Balancer, but with SovLabs software modules this is really easy. Below are my notes for the prerequisites and the initial installation of the SovLabs modules.

Some prerequisites needs to be completed before installing the plugin:

  1. Configure the vRO service accounting in vRA
    1. Login to the root vRA tenant
    2. Click Administration -> Users & Groups > Custom Groups
    3. Create a Custom Group
    4. Enter a group name and description.
      1. DO NOT put spaces in the group name.
    5. Select the following roles listed in the Add Roles to this Group box
      1.  Tenant Administrator
      2. XaaS Architect
      3. Screen Shot 2017-04-13 at 2.00.41 PM.png
    6. Click Next
    7. Type in the vRO service account or vRO service account group
      1. If this account does not appear make sure it is sync’d.
    8. Click Add
  2. Configure vRO endpoint in vRA
    1. I have an enterprise install with external vRO so I am assuming you already setup the external vRO server in vRA.
    2. Login to vRA tenant
    3. Click Infrastructure tab > Endpoints > Endpoints
    4. Click on New > Orchestration > vRealize Orchestrator
    5. Screen Shot 2017-04-13 at 2.11.58 PM.png
    6. Enter the information
    7. Click on New Custom Property.
    8. Name: VMware.VCenterOrchestrator.Priority
    9. Value: (number, 1 being highest priority)
    10. Click OK
  3. Configure extensibility message timeout in vRA
    1. Login to vRA tenant
    2. Click Infrastructure tab -> administration -> Global Settings
    3. Click the Extensibility lifecycle message timeout row
    4. Click the Edit button
    5. Screen Shot 2017-04-13 at 2.44.44 PM.png
    6. Input a value that will be greater than the longest event workflow subscription timeout (e.g. 04:00:00)
  4.  Execution permission in vRO
    1. This is necessary for vRO to execute external applications and perform actions like ping. 
    2. These steps also need to be performed on all vRO nodes.
    3. SSH/Putty vRO server as root
    4. Modify the vmo.properties file:
      1. vi /etc/vco/app-server/vmo.properties
      2. Press the i key on the keyboard
      3. Copy & paste the following line to the end file:
      4. com.vmware.js.allow-local-process=true
      5. Press the esc key on the keyboard
      6. Type in :wq! and press the Enter key
    5. Modify the js-io-rights.conf file:
      1. vi /etc/vco/app-server/js-io-rights.conf
      2. Press the i key on the keyboard
      3. Copy & paste the following line to the end file:
      4. +rwx /tmp
      5. Press the esc key on the keyboard
      6. Type in :wq! and press the Enter key
    6. Ensure that the file has the appropriate permissions:
      1. cd /etc/vco/app-server
      2. chown vco:vco js-io-rights.conf
      3. chmod 640 js-io-rights.conf
    7. Restart the vRO server(s)
      1. service vco-server restart
  5. EMC and Kerberos configuration in vRO
    1. There are some additional steps that you need perform if you are using EMC FEHC 3 and 4, as well as Kerberos.
    2. I am not using these so will skip but documentation provides all the information needed.
    3. http://docs.sovlabs.com/vRA7x/current.html#4.2-first-install
  6. Configure vRA Endpoints in vRO  (use vRO to create workflows in order to interact with vRA)
    1. Perform the following once in vRO for each vRA tenant
    2. Login to vRO Client
    3. Select Design mode
    4. Click workflow tab
    5. Run workflow:  /Library/vRelease Automation/Configuration/Add a vRA host
      1. Screen Shot 2017-04-13 at 2.56.29 PM.png
      2. Enter vRA host name
      3. Host URL
      4. Automatically install Certs = yes
      5. Session mode = shared session
      6. Tenant name
      7. Username and password
        • username@domain.com
      8. Rest of fields not mentioned just leave default
    6. Click Submit
    7. If this fails make sure the service account is searchable in vRA directory users and groups.
  7. Add an IaaS host in vRO
    1. Perform the following once in vRO for each vRA tenant
    2. Login to vRO Client
    3. Select the Design mode
    4. Click Workflow tab
    5. Run workflow:  /Library/vRealize Automation/Infrastructure Administration/Configuration/Add an IaaS host
      1. Screen Shot 2017-04-13 at 3.41.47 PM.png
      2. Enter Host Name (IaaS Host FQDN)
      3. Enter Host URL (https://IaaS Host FQDN)
      4. Automatically install Certs = yes
      5. Use proxy = no
      6. Click Next
      7. Default connection settings = yes
      8. Click Next
      9. Host authentication type = NTLM
        • For the NTLM, is it a local user or an LDAP/AD user?
        • If it’s local, you use user@tenant
        • You can also use SSO
      10. Enter Username and password
        • for Username only specify the username and do not add the domain
      11. Workstation leave blank
      12. Enter domain name for NTLM authentication
    6. Click Submit
  8. Environment setup
    1. Review the documentation for additional setup configurations.
    2. http://docs.sovlabs.com/vRA7x/current.html#4.2-first-install
      1. Firewall configurations provided in documentation
      2. WinRM setup for SovLabs modules utilizing any Windows servers in the environment (for AD, DNS, IPAM, Puppet and etc.)
      3. Configuration of Windows member server when direct access to AD server is not permitted in the environment.

Continue reading

vRealize Log Insight – vRealize Orchestrator content pack v2 released

VMware recently release the new vRealize Orchestrato content pack for vRealize Log Insight.   This content pack fixes some issues with the first version and now supports agent groups as well as the native Log Insight Agent.

The agent group can be used with either VRA 7.0.1 virtual appliance with embedded vRO, or the standalone VRO virtual appliance.  It is mentioned that results may be unpredictable if agent groups are used on an earlier version of vRO.

  • Select Administration
  • Under management select Agents.
  • Verify the agent group for “vRealize Orchestrator 7.0.1” is available from drop down box after installation.
  • Highlight the agent group and select copy template.(double square icon on far right)
  • Provide new name.
  • A prompt will appearing saying no collection agents have sent data to this log insight server .  A link will appear to download the Log Insight Agent version 3.6.0. This is new and a nice touch!
  • Download the agent.
  • Install on either the vRA server with embedded vRO or standalone vRO appliance.
    • This can be accomplished by upload the file using tool like WinSCP.
    • Copy file to /tmp folder.
    • Run “sudo rpm -i VMware-Log-Insight-Agent-3.6.0-4148343.noarch_10.10.40.55.rpm”.  You will probably get a conflict error for existing 3.3.0-3516686 version of agent that pre-installed.
    • Run “sudo rpm -Uhv VMware-Log-Insight-Agent-3.6.0-4148343.noarch_10.10.40.55.rpm” to update the package.
  • Update the log insight file /var/lib/loginsight-agent/liagent.ini
    • Update hostname=<vrealizeLogInsightserver.domain.com>
    • Some additional parameters are available for configuration like protocol, port, ssl and reconnect.
  • Back on Agent configuration with vRealize log insight..
  • Create filter that limits your specific vCD Cells by either selecting the hostname or IP address to filter by.
    • Verify that you see the agent listed for the vRealize orchestrator server where agent was just installed/update on.
  • Save New Group

Lots of nice dashboards to drool over.

Screen Shot 2016-10-05 at 3.37.56 PM.png


vRealize Orchestrator control center : HTTP Status 500 Failed to edit Log insight configuration file

With latest vRealize Orchestrator 7.0.1 I was configuring syslog logging integration in control center, to send logs to vRealize Log insight, but ran into error “HTTP Status 500 Failed to edit Log insight configuration file”.


Testing on a fresh install and did no run into the problem so came to the conclusion that this error only appears when you upgrade from 7.0 to 7.0.1

SSH into Orchestrator appliance and reviewed the logs.

2016-04-27T17:19:32.013813+00:00 ldvro01 sudo:      vco : a password is required ; TTY=unknown ; PWD=/var/lib/vco/configuration/bin ; USER=root ; COMMAND=/var/lib/vco/app-server                          /../configuration/bin/config_liagent.sh /var/lib/vco/configuration/temp/liagent.tmp /var/lib/loginsight-agent/liagent.ini
2016-04-27T17:20:10.075308+00:00 ldvro01 sshd[20887]: rexec line 79: Unsupported option KerberosAuthentication
2016-04-27T17:20:10.075376+00:00 ldvro01 sshd[20887]: rexec line 85: Unsupported option GSSAPIAuthentication
Found the script that gets executed to be /var/lib/vco/configuration/bin/config_liagent.sh which actually resides on /usr/lib/vco/configuration/bin/config_liagent.sh
Listing the folder shows that vco:vco has rwx permission.
:/usr/lib/vco/configuration/bin # ls -ll
-rwx—— 1 vco vco  218 Feb 19 15:09 config_liagent.sh
-rwx—— 1 vco vco  230 Feb 19 15:09 controlcenter.sh
-rw-r–r– 1 vco vco 6718 Feb 19 15:09 log4j.dtd
-rw-r–r– 1 vco vco 3315 Feb 19 15:09 propagate.sh
-rwx—— 1 vco vco 1321 Feb 19 15:09 setenv.sh
A password is required is throw in the error message which leads me to think the vco user does not have the necessary permissions when trying to execute the command.
Looking in /etc/sudoers file and found the vco missing the path to the config_liagent.sh file.
Add the path to config_liagent.sh for vco user.
# visudo
scroll to bottom of file.
you will see the following:
vco     ALL=(root) NOPASSWD: /etc/init.d/vco-server, /etc/init.d/vco-configurator
update the line as follows:
vco     ALL=(root) NOPASSWD: /etc/init.d/vco-server, /etc/init.d/vco-configurator, /var/lib/vco/configuration/bin/config_liagent.sh

Java problems with vCenter Orchestrator

All applets and web start java applications has defaulted to high security since Update 11.
The security context that is used by vCO Client is set to high so some changes are needed within the Java control panel.


  • Open the Java Control Panel
  • Go to the Security tab. 
  • At the bottom of the dialog you will see the current Exception Site List. 
  • Click the Edit Site List button.
  • In the exception entry dialog, enter the URL for your vCO Server