VMware Cloud Community
future2000
Enthusiast

vRO 7 - Authentication Method when using vRA

Hi,

I've set up a new external vRO 7 appliance and configured it with a new internally signed SSL certificate.

I am now attempting to set up the authentication method. I cannot get either of the following authentication methods to work.

vSphere (Error received is 'Error! An error was received while retrieving single sign on from:hostname')

SSO Legacy (Error received is 'Error! Error configure authentication: Error communicating to the remote server:my hostname STSService URL

Both configurations are being entered exactly as detailed in the Orchestrator 7 configuration PDF.

To add to this I'm not even sure which method I should be using. This vRO instance needs to work with vRA 7 and the vSphere web client. Perhaps only simple authentication should be used!

Previously our vRA 6.0.3 instance used SSO authentication and worked perfectly with vRA 6.2.3 and vSphere 6.

6 Replies
future2000
Enthusiast

Please note I managed to get SSO (Legacy) working after noticing the documentation here on page 131 or 366 appears to list an incorrect STS URL for vSphere 6 PSC anyway!...

http://pubs.vmware.com/orchestrator-70/topic/com.vmware.ICbase/PDF/vrealize-orchestrator-70-install-...

The STS URL listed in the documentation shows the following:

https://your_vcenter_single_sign_on_server/ims/STSService/vsphere.local

Modifying this to the following

https://your_vcenter_single_sign_on_server/sts/STSService/vsphere.local

Then allowed the legacy SSO configuration to function.

ivand
VMware Employee

Thanks for spotting this error in the documentation.

To authenticate to PSC you should try to use vSphere authentication, although in the end vRO will work the same way no matter which you are using. The difference is that with vSphere authentication, vRO will auto-discover the URLs you have to add if you are using SSO (legacy). The license will also be auto-detected.

About the vSphere 6 - vRA 7 - vRO 7 configuration: you will not be able to authenticate to vRA 7 if you are using vCenter PSC 6.0. You have to use basic authentication for vRA - vRO communication.

future2000
Enthusiast

My pleasure, thanks for the helpful hints.

Attempting to use vSphere authentication fails with my vSphere 6 Update1a vCenter with embedded PSC. I get the following error...

Error! An Error occurred while retrieving Single Sign-on from: myvCenterURL/cm

I am therefore only able to use SSO (Legacy) as the authentication method.

I wish to use an external vRO 7 instance with vRA 7 and I have not had any luck at all. I logged another discussion in the vRA 7 forum but have not had any replies. There isn't exactly much in the way of clear guidance on what method I should use to configure the integration between vRA 7, vRO 7 and vSphere 6. What mechanism do you mean with regard to vSphere 6 - vRA 7 - vRO 7?

Cheers

gkostova
VMware Employee

You can use the combination vSphere 6 - vRA 7 - vRO 7 in the following way:

Go to vRO 7 control center and set vRO to use vRA authentication

Then go to vRA 7 and set to use the external orchestrator vRO 7

Then go to vRO 7 client and add vCenter as vRO endpoint (shared session) and register vRO as vSphere extension.

I'm using this combination and it is working. It should work for you as well. I think that this is the mechanism as far as I can understand your case.

Cheers

future2000
Enthusiast

Many thanks. In the end I got it working!

vRO 7 is using SSO (Legacy) authentication.

The vRO 7 endpoint has been added successfully to vRA using basic authentication (domain\service_account).

vRA 7 has an Active Directory over LDAP connection to my domain.

HariRajan
Hot Shot

Hi,

I have got the problem which you are facing here, and it is not well documented in the VRA 7 documentation. I think you have the below infrastructure in your environment.

VRA 7 or 7.0.1

VRO 7 or 7.0.1

Forget about the vSphere SSO here for now; our aim is to use VRO integration with VRA, which helps to trigger workflows bidirectionally. So I would recommend using the existing SSO of vRealize Automation regardless of anything.

In VRO 7.0, external LDAP configuration has a bug, and it has been fixed in 7.0.1. I would also like to point out that LDAP authentication is deprecated and will not be available in future releases of VRO. Please see the release notes of VRO 7.0.1:

Feature and Support Notice

The features listed below are deprecated in vRealize Orchestrator 7.0.1 and scheduled for removal in future releases. None of the deprecated features should be used as part of any vRealize Orchestrator based solution.

  • LDAP authentication

Hope this part is clear to you. Now we will go to the configuration part, where I will address the issue which you are facing while configuring the authentication provider in VRO.

Please follow the steps below.

TAKE SSH Connection to VRA (Please don't skip these steps)

STOP the existing VRO as you are going to use an external VRO

-------------------------------------------------------------------------------------

service vco-server stop

service vco-configurator stop

-------------------------------------------------------------------------------------

Edit the /etc/hosts file

add below lines in /etc/hosts file

** Change the IP address to your VRO IP and FQDN to your VRO FQDN and VRO HOSTNAME

120.78.15.131  myvro.mylab.com myvro

Save and exit

--------------------------------------------------------------------------------------------

Try to do a ping from the SSH console to VRO

#ping myvro.mylab.com

#ping myvro

It should work fine now!

-------------------------------------------------------------------------------------------------

Now you need to do the same thing in VRO as well. TAKE SSH CONNECTION TO VRO

Edit the /etc/hosts file

add below lines in /etc/hosts file

** Change the IP address to your VRA IP and FQDN to your VRA FQDN and VRA HOSTNAME

120.78.15.132  myvra.mylab.com myvra

Save and exit

Try to do a ping from the SSH console to VRA

ping myvra.mylab.com

ping myvra

It should work fine now!

---------------------------------------------------------------------------------------------------------------------------------

You are almost done; this change is really needed if the DNS name resolution works as well.

DATE AND TIME SHOULD MATCH WITH VRA

Check the date and time in VRO; it should exactly match VRA.

If not, set the time in VRO to make it correct to SSO, using the date command:    date -s "2 APR 2016 18:00:00"

(Change the fields and submit.) Reboot the VRO if you change the time.

--------------------------------------------------------------------------------------------------------------------------------------------

Ensure that all the services of VRA are up by going to the VRA:5480 port.

If things are good proceed further

Take the VRO 8283 control center interface

https://VROPIP:8283/vco-controlcenter/

Click on Validate Configuration to ensure that everything is OK, and if not, correct those.

-----------------------------------------------------------------------------------------------------------------------------------------------

Configuring Authentication Provider in VRO

--------------------------------------------------------------------------------------------------------------------------------------------

Go to Configure Authentication Provider

SELECT Authentication Mode: vRealize Automation

URL: IMPORTANT, YOU SHOULD GIVE ONLY the FQDN of VRA which is mentioned in the /etc/hosts file

example : URL  myvra.mylab.com

Click on Connect

Provide  Admin User Name : Administrator (NOT administrator@vsphere.local)

Password (your administrator@vsphere.local)

Admin group : vsphere.local\ALL USERS

Default tenant vsphere.local

---------------------------------------------------------------------------------------------------------------------------------------------------

## Now everything should be green; check the test login option. Let me know if this is not working for you.

Thanks & Regards in Plenteous . Hari Rajan
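
The name-resolution and clock checks from the steps above, as an added example that is not part of the original post or any VMware tooling: it verifies that a hosts file maps a name to exactly one expected IP and that the local clock agrees with the Date header of an HTTP response. It assumes GNU date; the function names, the 120.78.15.140 stale entry, the sample Date header and the 300-second limit are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Assumes GNU date and POSIX awk.

# Print each distinct IP a hosts file maps NAME to (comments ignored).
hosts_ips() {  # hosts_file name
  awk -v n="$2" '
    { sub(/#.*/, "") }
    NF >= 2 { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(n)) seen[$1] = 1 }
    END { for (ip in seen) print ip }' "$1" | sort
}

# Absolute difference between a local epoch and an HTTP Date header value.
clock_skew_seconds() {  # local_epoch http_date
  local remote d
  remote=$(date -u -d "$2" +%s) || return 2
  d=$(( $1 - remote ))
  echo "${d#-}"
}

# Succeed only if NAME maps to exactly EXPECTED_IP and skew <= MAX seconds.
preflight() {  # hosts_file name expected_ip local_epoch http_date max_skew
  local ips skew rc=0
  ips=$(hosts_ips "$1" "$2" | paste -sd, -)
  if [ "$ips" != "$3" ]; then
    echo "FAIL hosts: $2 -> ${ips:-no entry}, expected $3"; rc=1
  fi
  skew=$(clock_skew_seconds "$4" "$5") || { echo "FAIL clock: bad date"; return 1; }
  if [ "$skew" -gt "$6" ]; then
    echo "FAIL clock: skew ${skew}s exceeds ${6}s"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK $2"
  return "$rc"
}

# Constructed sample input: a stale duplicate entry is the failure case.
sample=$(mktemp)
printf '%s\n' '127.0.0.1 localhost' \
  '120.78.15.132  myvra.mylab.com myvra' \
  '120.78.15.140  myvra.mylab.com   # stale (constructed)' > "$sample"
hdr='Sat, 02 Apr 2016 18:00:00 GMT'   # constructed Date header value
# 300 s is an assumed limit for illustration, not a documented vRA value.
preflight "$sample" myvra 120.78.15.132 1459620090 "$hdr" 300 || true
preflight "$sample" myvra.mylab.com 120.78.15.132 1459620090 "$hdr" 300 || true
# Live use (assumption): now=$(date +%s); take http_date from the Date: line
# of `curl -sI https://myvra.mylab.com/`.
```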