vRO VMware Update Manager (VUM) plug-in - Technical preview

vRO VMware Update Manager (VUM) plug-in - Technical preview

Update Manager Plug-In Version 7.0.

Official documentation

vRO support matrix

  • VUM plug-in is updated to support vRealize Orchestrator version 7.6 Java client and UI, up to vRO version 8.6.2, except versions 8.4.0 and 8.4.1.  
    vRO

    7.6

    7.6 (Java client)

    8.0.1

    8.1.0 

    8.2.0

    8.3.0

    8.4.0

    8.4.1

    8.4.2 

    8.5.0

    8.5.1

    8.6.0

    8.6.1

    8.6.2

    VUM 7.0

    Note: In versions 8.4.0/8.4.1 you will not be able to create a patch baseline. 
  • VUM plug-in is updated to support vSphere API versions - 6.7, 7.0, 7.0 U1, 7.0 U2.
  • VUM plug-in is updated to support Update Manager API version 6.0 to 8.0. API version 8.0 is the latest vCenter 7.0 and API version 6.0 is vCenter 6.7

Release notes:

7.0.0-19431982

  • upgrade log4j to 2.17.1

7.0.0-19093190

What's new?

  • Export compliance report workflow - the "Save as at" field now has an updated file location: "/var/run/vco/filename.xxx". The compliance report will be exported at location "/data/vco/var/run/vco/" for vRO version 8.x and at "/var/run/vco/filename.xxx" for vRO version 7.x. 
  • VUM's EULA was changed to be the same as vRO's.
  • In order to use VUM plug-in in vRO 7.6, a mandatory prerequisite is to update the vSphere plug-in to version 7.x.
  • The Export compliance report workflow is only supported in vRO versions 7.6 (UI and Java client), 8.6.0 and 8.6.1. It will not work for all other versions.
  • Deprecated method getVirutalApplicaneBaselines/getVirutalApplianceBaselines in VumObjectManager
  • Deprecated method removeAllVcenterWithVum in VumObjectManager
  • Deprecated method registerVcenterInctencesWithVum in VumObjectManager
  • Deprecated method removeVcenterWithVum in VumObjectManager
  • Deprecated method removeVcenterInstancesWithVum in VumObjectManager
  • Substituted method getVirutalApplicaneBaselines/getVirutalApplianceBaselines for getVirtualApplianceBaselines in VumObjectManager
  • Deprecated workflow "Add and Set default vCenter with Update Manager"
  • Deprecated workflow "Remove All configured servers"
  • New "Set a default vCenter with Update Manager" workflow
  • Bug fixing in workflows.

New plug-in use case

The main configuration workflows "Add and Set default vCenter with Update Manager" and "Remove All configured servers" have been deprecated. In the previous plug-in version, you'd first have to first run the vSphere workflow Add a vCenter server instance, then run the VUM Add and Set default vCenter with Update Manager workflow to register a host with Update Manager. In this version, the second step is not necessary. By default, all vCenter hosts added through the vSphere plug-in can also be used with Update Manager and will appear in the drop down menu in all VUM workflows. And vice versa, if you remove a vCenter host through the vSphere plug-in, it will also be removed from Update Manager.

There is also a mandatory step that needs to be done if you have vCenter servers, prior to version 7, attached to vCenter plugin and that is to import a VUM server certificate for each one of them with vRO's "Import a certificate from URL" workflow. As input parameter you need to set vCenter's URL and append port 8084 (ex. https://<vcenter_ip>:8084)

The new Set a default vCenter with Update Manager workflow is optional if you work with the orchestrator through the application (mandatory if you use the REST API directly). If you only have a single host registered through the vSphere plug-in, it will automatically be set as default in Update Manager. If you choose to set a default host, it will be pre-selected in all workflows.  If you don't set a default host, you will have to select one every time.

Security

  • Patched for CVE-2021-45046
Attachments
Comments

Will there ever be a version of the plugin that is compatible with VUM 6.7?

Remediation doesn't work with 6.7 VUM. Tried the sample "Remediation" workflow and I always get this error -

com.vmware.vim.vmomi.client.exception.VmomiProtocolException: com.vmware.vim.vmomi.core.exception.UnmarshallException: Type 'HostRemediationScheduleOption' contains unrecognized property 'enableLoadEsx' (Workflow:Remediate / Remediate (item0)#12758)

Hi guys,

we have updated the plugin and you can see all the details in the description above.

 

Thanks,

VUM plugin team

Hi, am running vRealize Orchestrator 8.6.0 (18693716) (vCenter 6.7) and installed the plugin o11nplugin-vum-7.0.0-19081041.vmoapp.zip.

Running the wflow  "Set a default vCenter with Update Manager" runs fine, but all of the other flows or inventory throws the error:

at com.vmware.o11n.web.SameTenantContextFilter.doFilterWithTenancyContext(SameTenantContextFilter.java:72) [o11n-security-sso-provider-8.6.0.j ar:?]
at com.vmware.vcac.authentication.http.tenancy.TenancyContextFilter.doFilter(TenancyContextFilter.java:54) [cafe-sdk-8.6.0.jar:?]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.13.RELEAS E.jar:5.1.13.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215) [spring-security-web-5.1.13.RELEASE.jar:5.1.1 3.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) [spring-security-web-5.1.13.RELEASE.jar:5.1.13.RELEAS E]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) [spring-web-5.1.19.RELEASE.jar:5.1.19.R ELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) [spring-web-5.1.19.RELEASE.jar:5.1.19.RELEASE ]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.60]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.60]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:200) [catalina.jar:8.5.60]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) [catalina.jar:8.5.60]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544) [catalina.jar:8.5.60]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143) [catalina.jar:8.5.60]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) [catalina.jar:8.5.60]
at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:747) [catalina.jar:8.5.60]
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690) [catalina.jar:8.5.60]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) [catalina.jar:8.5.60]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [catalina.jar:8.5.60]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:624) [tomcat-coyote.jar:8.5.60]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) [tomcat-coyote.jar:8.5.60]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:831) [tomcat-coyote.jar:8.5.60]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1634) [tomcat-coyote.jar:8.5.60]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote.jar:8.5.60]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.5.60]
at java.lang.Thread.run(Thread.java:829) [?:?]
Caused by: java.security.NoSuchProviderException: no such provider: BC
at sun.security.jca.GetInstance.getService(GetInstance.java:83) ~[?:?]
at sun.security.jca.GetInstance.getInstance(GetInstance.java:206) ~[?:?]
at java.security.Security.getImpl(Security.java:742) ~[?:?]
at java.security.KeyStore.getInstance(KeyStore.java:926) ~[?:?]
at com.vmware.o11n.security.SSOKeystoreCache.loadKeyStore(SSOKeystoreCache.java:178) ~[o11n-security-7.6.0.jar:?]
... 158 more
'-'] {} ch.dunes.vso.sdk.SDKFinder - Unable to execute 'fetchRelation' for type : VumObjects : com.vmware.o11n.vmo.plugin.vmware_update_manager.except ion.VumClientException: Cannot create a VUM client.
java.lang.reflect.InvocationTargetException: null
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
at ch.dunes.vso.sdk.DirectInvoker.invoke(DirectInvoker.java:79) ~[o11n-sdkcenter-8.6.0.jar:?]
at ch.dunes.vso.sdk.SDKPluginFactoryInvoker.fetchRelation(SDKPluginFactoryInvoker.java:81) ~[o11n-sdkcenter-8.6.0.jar:?]
at ch.dunes.vso.sdk.SDKFinder.fetchRelation(SDKFinder.java:1128) ~[o11n-sdkcenter-8.6.0.jar:?]
at ch.dunes.vso.sdk.SDKFinder._findRelation(SDKFinder.java:1103) ~[o11n-sdkcenter-8.6.0.jar:?]
at ch.dunes.vso.sdk.SDKFinder.findRelation(SDKFinder.java:1022) ~[o11n-sdkcenter-8.6.0.jar:?]
at ch.dunes.vso.sdk.ModulesFactory.findRelation(ModulesFactory.java:1685) ~[o11n-sdkcenter-8.6.0.jar:?]

 

 

 

Hi VitorJorge,

how many vCenters do you have attached in your vCenter plugin?

Did you import the certificate for your vCenter as stated in the description above?

Hi VitorJorge

Did you find a solution for this issue ?

I have the same.

Thank you

Hi,

No I did not find a solution :(.

I tried the plugin in a 6.7 environment and in a new fresh 7.X environment with only 1 vcenter and 1 host, same error.

Yes I did import the vCenter certificate.

I even opened a vmware support request, the support guy was a bust  as always, we said it was a permissions error, the logged user did not had permissions, lol, closed the ticket immediately, have no time todo debug and teach the support.

Thanks

Hi all,

can you both send the versions (with build numbers) of vRO and vCenter that you use so that we can try too reproduce the same environment as close as possible to what you have thus double checking those issues that you face. And may be some logs as attachments.

The known reasons for that error:

com.vmware.o11n.vmo.plugin.vmware_update_manager.except ion.VumClientException: Cannot create a VUM client

are:

  • you have not imported a certificate of VUM service if vCenter is lower than version 7 as stated in the notes above, but you have done that
  • you have changed the credentials of you vCenter user that you have used to add a vCenter instance with "Add a vCenter Server instance" workflow and after that you have not run "Update a vCenter Server instance" workflow to update the credentials at vRo side.

One thing that I note from the logs that you pasted above is this:

Caused by: java.security.NoSuchProviderException: no such provider: BC
at sun.security.jca.GetInstance.getService(GetInstance.java:83) ~[?:?]
at sun.security.jca.GetInstance.getInstance(GetInstance.java:206) ~[?:?]
at java.security.Security.getImpl(Security.java:742) ~[?:?]
at java.security.KeyStore.getInstance(KeyStore.java:926) ~[?:?]

Can you double check further on that one. Is vRO running in FIPS mode?

It seems that you have no BouncyCastle in your classpath and that is odd! Look up for that BouncyCastle jar file in your vRO installation:

find /data/vco/usr/lib/vco/ -iname "bc-fips-*.jar"

 

KR,

Stefan G.

Hello

Thank you for help.

Please find below the version of VRO and vCenter

VRO 

Version: 8.4.1
Build number: 18036498
 
vcenter
Version 6.7.0
Build 18831049
 
VRO plugin VUM 6.5.0.5043263

 

# find /data/vco/usr/lib/vco/ -iname "bc-fips-*.jar"
/data/vco/usr/lib/vco/app-server/fips/bc-fips-1.0.2.jar
/data/vco/usr/lib/vco/app-server/temp/dars/o11nplugin-configurator.dar/lib/bc-fips-1.0.2.jar
/data/vco/usr/lib/vco/app-server/temp/dars/o11nplugin-multi-node.dar/lib/bc-fips-1.0.2.jar
/data/vco/usr/lib/vco/configuration/fips/bc-fips-1.0.2.jar

Hi salemchtoui,

I see that you use VRO plugin VUM 6.5.0.5043263, which is an old version of the plugin. Can you update and use the version that is attached in this page (o11nplugin-vum-7.0.0-19093190.vmoapp.zip) and let us know how it went.

KR,

Stefan G.

Hi VitorJorge,

Can you give us the SR ticket number or some other info to double check this issue?

KR,

Stefan G.

Does the current version of this plugin work at all with 7.0U3? I've recently installed it into our 8.3.0 instance of orchestrator. When trying to run say the Get-Compliance workflow, when clicking the + to add objects to the filter it returns an error 

There was a problem invoking action com.vmware.o11n.forms/evalOGNL;
[1][array__of__reference.valueList][com.vmware.o11n.forms/evalOGNL] Cannot create a VUM client. (com.vmware.library.vmware_update_manager/getEntities#1)

 

I have ran the import certificate workflow to add the VUM cert even though that looks like it's for older versions of vcenter. I've also ran the update vcenter workflow just to make sure there's no problem there. 

Another thing I've noticed is that the plugin does not show up in the API explorer and in the inventory when I click VMware Update Manager it just spins forever. 

Hi kujeter,

can you attach the log so we can double check? It can be found here:

/services-logs/prelude/vco-app/file-logs/vco-server-app.log

You can also set VUM plug-in log level to debug in Control Center then re-run the logic that failed and then collect the logs.

Otherwise we have seen the error is thrown in one of those cases:

  • The version of the attached vCenter that we try to connect is lower than version 7
  • There is no connection to the attached vCenter/VUM service
  • The certificates for VUM service may be corrupt/incorrect
  • You have more than one vCenter's attached and you do not run "Set a default vCenter with Update Manager" workflow.

KR,

Stefan G.

Hi kujeter,

one more thing that you can check is how you attach the vCenter instance with "Add a vCenter Server instance" workflow. When you add it you have to use "shared session" so un-check the box and enter only username and password.

 

Thanks,

Stefan G.

Version history
Revision #:
24 of 24
Last update:
‎05-17-2022 01:05 AM
Updated by: