With installing and integrating vCenter Server/ vCenter Orchestrator 5.1 (vCO) virtual appliances on a regular basis I came up with a standard way of doing it. This differs from the minimum / base installation and integration with adding some additional steps that I think are useful for the person who want to setup a development / test vCenter Orchestrator environment. There are many other ways of doing it and even ways to automate this but this document can definitely help you to get started.
Using the virtual appliance version of vCenter Server & vCenter Orchestrator is a convenient way to set up an Orchestration environment without requiring operating system licenses, IT compliance (i.e Anti Virus, other standard software, updates), maintenance (i.e updates, backup).
- If you prefer to run vCenter Server & vCenter Orchestrator on Windows (Server, 64 bit, check compatible versions) then this document may not be relevant since vCenter Orchestrator 5.1 comes fully installed, configured and integrated with vCenter when using the Windows based installation of vCenter 5.1.
- If you prefer to use the vCenter Server & vCenter Orchestrator Virtual Appliances then there are a minimal amount of steps to integrate these that are included in this document as well as optional steps providing further benefits.
- You can also decide on having a mixed environment (i.e vCenter Server 5.1 on windows, vCenter Orchestrator 5.1 Virtual Appliance). If you do so only some sections of this document will be relevant.
- VMware vCenter Orchestrator Appliance 5.1.0
- vCenter 5.1 Server
The vCO appliance is the core requirement to author and test workflows. It provides the orchestration platform including the orchestration engine, plug-in adapters and their library workflows, a workflow designer.
vCenter Server is required for creating workflows automating vCenter operations and also to provide the vSphere Web client that will likely be used to start these workflows. This last functionality requires using the vCenter Server Single Sign On server.
Other components such as ESXi hosts are necessary to operate a virtual infrastructure but are out of scope for this document.
For orchestrating vCloud Director, vCloud Director (1.5 or 5.1) and vCloud Director plug-in for vCO (1.5 or 5.1) are required.
The goal of this tutorial is to deploy a vCenter Orchestrator demo / test / development environment setup with your own credentials.
The demo licenses are valid for 60 days. These can be replaced by purchased licenses (Need at least Standard license level to be able to edit workflows).
Installation & configuration instructions
- Download VMware vCenter Server Appliance 5.1.0.
- Download VMware vCenter Orchestrator Appliance 5.1.0.
Import the appliances in either vCloud Director, vCenter, Workstation, Fusion.
Depending on which of these you use you may have the option to set them up with a static IP address. You should do so since this is a both ways integration and an IP changing because of an expired DHCP lease will break the integration and will require fixing it manually. If you do not have the option we will handle this later as an optional step.
If you are on an older version you may not be able to import an OVF file directly. If this is the case use the freely downloadable ovftool (Documentation & product download)
Synchronize the time on the virtual appliances
Since the integration relies on the Single Sign On feature it is really important that the VMs times are synchronized. Single sign on authentication fails when the VM authenticating time is drifting too much from the time on the SSO server.
This step is optional but recommended if the VMs time are not synched (type date in the command line).
There are different ways to accomplish this the easiest one I have found is to add this line to the vCenter Server and vCenter Orchestrator appliance .VMX file
tools.syncTime = "TRUE"
If the VMs run on different hosts that may not be time synchronized and if the VMs have access to the internet another way is to use a NTP server. To do so log in the appliances (user = root, password = vmware), edit the /etc/ntpd.conf (for example using vi) and add the following lines
server 0.pool.ntp.org server 1.pool.ntp.org server 2.pool.ntp.org server 3.pool.ntp.org
Start the vCenter VA.
If you did not setup a static IP & host name before it is recommended to do it before the first appliance configuration, otherwise go to the vCenter VA first configuration section
Set a static IP Address and a hostname
This is an optional step. Using static IP addresses is not required but recommended to avoid loosing the vCenter Server / vCenter Orchestrator both way integration.
In the VM console press <Enter> to log in.
Log in as root / vmware and start yast.
Use the cursor keys to select the network settings.
Use the tab key to edit the network configuration.
Use the tab key to get to "Statically assigned IP Address". Use the space bar to select. Enter your IP Address, subnet mask and hostname. Use the tab key to get to [Next]
Use tab and the cursor key to get to Hostname / DNS and set these. Once done use tab to get to [OK]. yast will save the configuration changes. You can now use tab to get to [Quit].
vCenter VA first configuration
This step is mandatory. It can be automated following this tutorial.
Open a browser on https://IP_ADDRESS:5480. Authenticate with root / vmware
The EULA will show up. Accept it and click next.
On the next screen come an interesting note:
I tried that but did not find out how to relaunch the wizard as it seems that as soon as you accept the EULA a variable is set in the server for not restarting the wizard. There is definitely a way to reset this variable but since we have already managed the IP & hostname change we can move on anyway.
Use the "Configure with default settings"
Keep embedded for Database & SSO settings.
Click Next and then Start
Wait it completes or better have a small break.
Create vCO user, group, role and permissions
This step is optional since the vCenter Server Appliance is coming with default root & admin users but recommended so you can authenticate with your own username to create and operate the workflows.
Since vCO will be using vCenter SSO we have the option to create a specific vCO user and group with administrator role and permissions on the vCenter server objects. For this we will use the default System Domain identity. It is possible to add other entities such as Active Directory Domains but is out of scope in this document.
Log in the vSphere web client: https://IP_ADDRESS:9443
Browse to Administration / Access / SSO Users and Groups
In the Users tab click on the + icon to add an user.
Fill the fields and select Administrator user. Click OK.
In the Groups tab click on the + icon to add a vcoadmins group. Click OK.
Select vCO Admins click add principal (the icon with a + and a character).
Add your user and root (Search for your user in System-Domain and root user in localos identity source).
In home / venter / vCenter Servers / your venter Server name select Manage tab and then permission tab
click + to add a permission
Select vcoadmins and click add and OK.
To assigned role select administrator. click OK
vCenter Orchestrator Configuration
This step is mandatory. This is the one that provides the vCenter Server to vCenter Orchestrator bidirectional integration.
Start the vCO VA.
Once started follow the "Set a static IP Address and a hostname" section.
Open a browser on https://IP_ADDRESS. This will get you to the vCO greeting page.
Click on the "Orchestrator Configuration" link.
Authenticate with vmware / vmware
Once you click on Login you will have to enter & verify a new password.
Click "Apply changes"
On the left section click on the Startup Options Tab. Click on Stop Service.
The vCenter Orchestrator Appliance is configured to run stand alone. We are going to change its settings so it can use vCenter SSO for authentication and configure the vCenter Server plug-in.
First in the network tab Change the default IP (0.0.0.0) to the one you set for vCO. If you did set a host name it will show up in the DNS name field.
Click on "Apply changes"
Now we need to import the vCenter Server and vCenter SSO certificates. Click on the SSL Trust Manager tab.
In the URL from which to import a certificate enter the IP_of_the_vCenter_Server:443
Click import. This will display the certificate. Click on the import link.
Repeat the operation on IP_of_the_vCenter_Server:7444
Your SSL certificates should look like this:
On the left section click on the Authentication tab. You will see that as default the vCO VA is configured for the local LDAP server. Change Authentication mode to SSO Authentication. Enter the IP of the vCenter VA and the root / vmware credential. Click on "Register Orchestrator"
You will be greeted by a
The Orchestrator solution user is registered. You must complete the SSO configuration.
To do so in the "vCO Admin - domain and group" select "SYSTEM-DOMAIN vcoadmins"
As you can see clock tolerance is set to 300 seconds. This should be fine since we synched the two VMs time previously.
Click on Accept Orchestrator Configuration.
On the left section click on the Plug-ins tab. We need to provide a vCO admin user to install the plug-ins when the vCO server will be restarted. Use the user previously created in vCenter SSO. Then we need to enable the vCenter Server plug-in. Check it. Click on Apply changes.
On the left section click on the vCenter Server (5.1.0) tab. Click on the New vCenter Server Host.
Enter the IP of the vCenter host. You can use "Share a unique session" if you want all the operations on vCenter to be performed as the user you provide or use a Session per user if you want to authenticate in vCenter as the user that will authenticate in vCO. In this case you still have to provide an admin credential for the configuration session. Click on "Apply Changes"
In order to make all the configuration changes active and in order to install the vCenter plug-in it is necessary to restart the vCO service.
On the left section click on the Startup Options Tab. Click on "Start Service".
Testing the integration
This section is completely optional. It is a walk through the different components to check everything work as expected.
Open the vCO appliance in a browser and click on the "Start Orchestrator Client" link. This will download a Java web start link (works on Linux, MacOS, Windows). Open the file. Alternatively you can download the client for your platform and install it locally. Enter your vCO IP and your credentials.
Install / Ignore the certificate. If you manage to log in it means SSO authentication worked. The next step is to create a workflow. This will prove you are part of the vCO Admins group and that you have the right type of license to author workflows. On the workflow tab Right Click on the workflow tree root and select "Add folder". Name the folder as you want.
Now right click on the folder and slect "new workflow". Name it "Create Datacenter".
Our workflow will call a library workflow with changing the workflow presentation to allow this workflow to be used contextually on the vCO inventory. This is called "wrapping" a workflow and is a good alternative to change the original workflow as it permits to have several different versions based on the same one. Also most Library workflows are read only so wrapping them is a good choice and a better one than duplicating the library workflows because you will not benefit from Library workflow updates.
Go on the Schema tab, drag and drop the "Workflow Element from the "Generic" Palette on the left to the blue arrow on the schema.
Now choose the Create Datacenter workflow version 0.2.0 with typing "create datacenter" in the filter field.
vCO 5.1 will ask you if you want to propagate the create datacenter input and outputs to your workflow. Click on Setup.
Just let the default and click promote.
At this point our workflow is doing the same thing as the library "Create Datacenter" workflow. One difference is the presentation properties. To propagate these to our workflow richt click on the Create Datacenter workflow, select synchronize, synchronize presentation.
Now if you go to the Presentation tab of the main workflow and click on the folder input and on the Properties tab you will see that it is set as a "Mandatory input". If you click on the left icon with the + sign you can add the "Show in inventory" property. This is the one needed to have this input contextual to inventory objects.
Click ok, save the workflow. vCO 5.1 will ask you to add to version history. You can click increase version.
Now switch to the inventory tab. Unfold the inventory. if it works vCO has access to vCenter. Right Click on the Datacenters Folder and select the Create Datacenter workflow. This will start the workflow you have just created.
The parent folder is already selected. Just enter a name.
Once submited you can reload the inventory by right clicking / refresh on the Datacenters folder. If the workflow completed successfully (meaning you have the right level of permissions to create a datacenter in vCenter) you will see your datacenter and the subfolders.
Now let's check What we have in vCenter. Log in the vSphere web client: https://vCenter_IP_ADDRESS:9443. This time you will log with the user you have created and not with the root account.
Now Click on the vCO home. You will be getting to this page. You can see:
- that you have 1 vCO server registered.
- the recent Create Datacenter task in the right.
This mean that the vSphere server talks to vCO. Now let's start te workflow we have created.
Click on workflows. Then in the search field type datacenter. Right click / Run a workflow on the "Create Datacenter" workflow that has no description (it is usually good practice to put your own description)
If this is the first time you run a workflow you may be prompted for approving permission for token delegation. Approve & remember decision.
The workflow will prompt you for Patent Datacenter folder and for a datacenter folder name. vCenter use container folders for each object and hide these in the user interface. vCO display these in the inventory. Click + to set the folder.
Instead of spending time browsing you can use the filter tab that will list all the datacenter folders. We have a single one. Select it.
Set a name and finish.
Once the workflow is finished you can go to vCenter home and check for the datacenters. You will find the two datacenter created by vCO workflow: one started from the vCO client and one from the vSphere web client.
Since you have been reading all of this here is a bonus : If you create a cluster you can right click on it to see all possible actions. At the end you will see "All vCenter Orchestrator actions". There are some vCO workflows that have been set to be contextual to vCenter objects.
If you want to make your own workflow contextual to the vCenter objects you can do so with going in the "Manage" tab of vCenter Orchestrator home.
A workflow can be contextual to a single object or a list of objects of the same type.
So now you have everything you need to extend vSphere Web client with any functionality you can build in a vCO workflow so basically anything you can imagine.