Could you look if your vCenter appears in Inventory tab in Orchestrator client? Also if the orchestrator extension is registered in vCenter mob - https://vcenter_ip/mob - go to content -> extension manager - there you should have vco extension. If both are yes - there is no reason to not see your orchestrator in the vsphere web client. Also please attach the vco logs located \var\log\vco\app-server\server.log and \var\log\vco\configuration\catalina.out
Thanks for your reply.
I can indeed see the vCenter in the inventory tab, and the vCenter extension looks to be correctly registered (com.vmware.vco). I've attached the logs requested. Does it matter which user I log into the webclient with? I have an AD group, vCenterAdmins, which has Administrator rights on the vCenter server, and that group was used in the Orchestrator configuration when choosing a group (after SSO setup). I'm logging into the web client with a user who's also in that group. I must admit I'm unclear on how Orchestrator uses permissions.
Another question - do I have any options in regard to versions? i.e. can I deploy vCO 5.5 to vCenter6? I'm hoping I can get something up and running without trashing the vCenter6 environment. Checking the compatibility matrix for the webclient it looks as if each release is 'paired' to its respective vCenter/webclient version.
If you see the whole vRO plug-in UI in the Web Client (without content like workflows, etc.) instead of just 'getting started' page, this means the connection between Web Client and vRO has been established correctly and the vRO plug-in has been downloaded/deployed properly.
Yes, it matters which user you use to connect to Web Client. This user or group(s) it belongs to should have sufficient permissions both on WebClient/vCenter side and on vRO side.
There are a few things to check:
- Web Client and vRO should be configured to use the same SSO server - this way, the SAML tokens issued for the user logged into Web Client can be used to authenticate vRO REST API calls.
- Verify that you are able to login to vRO Java Client with the same user you use to login to Web Client and that you can navigate vRO Java client inventory and start workflows.
- There is a 'test connection' button in vRO UI in Web Client - go to 'vRO Servers' -> 'Manage' -> 'Servers' -> 'Edit configuration'. Check if you are able to successfully verify connection to your vRO server.
- Check Web Client and SSO logs for errors/exceptions around the same time you do 'test connection' step above.
Thanks for the suggestions and help Ilian.
I don't think I see the full vRO UI in the vCenter client - all I see is the getting started page, and if I close that a blank page. The 'Orchestrator' icon doesn't show a (1) for a listed server - it doesn't even show a (0). I can't therefore test the connection etc. When I registered vRO with SSO I initially used an AD group (which was in turn in the SSO Administrators group) but just in case the permissions don't propagate correctly I've since reregistered it using the SSO Administrator (email@example.com). This registration appears to succeed - I get a 'Solution User' for VCO, the client plug-in shows as enabled, and the GUI states 'registration succesful'. I've tried using an AD administrators group as the vRO group (after initial SSO registration) and the vsphere.local Administrator user, but it doesn't seem to make a difference. The AD administrators group has the 'Administrator' role at both a Global level and at the top level in vCenter, both set to propagate. I've tried logging into the web client with both an AD admin group user and firstname.lastname@example.org - I get a blank Orchestrator icon each time. I've also tried multiple browsers but that doesn't seem to make a difference either.
I had trouble starting the Java vRO client (either Java not present or wrong version, I forget now) but I can login to the installable client using the same users I've been trying above and all seems well. I can view the vCenter server under 'Administration' and I've successfully run both the vCenter registration workflows and a test workflow (to create a new cluster) and they all succeeded.
I can confirm both servers are using the same SSO server - this is a clean build lab, with only a VCSA (v6), vROps, and now a vRO server.
From what I can tell everything is working fine and registered correctly - I can't see anything in the web client.
OK, if you see only the 'getting started page', this means the vRO plug-in hasn't been downloaded and deployed in vSphere Web Client.
In 6.x, the plug-in binaries are hosted in vRO server, and vSphere Web Client downloads and deploys it. The way the plug-in location is discovered is via the URL registered in VC extension.
The first thing to check is whether the URL is valid and the plug-in can be downloaded from it. Open managed object browser, then go to ExtensionManager -> 'com.vmware.vco' extension -> client -> url. Its value should be something like https://vcoip:8281/vco/vsphere-web-client/vco-plugin.zip. Open this URL in a browser and verify that the ZIP file is downloaded.
If the ZIP file can be downloaded without problems, check vSphere Web Client log file (vsphere_client_virgo.log) for traces related to failed plug-in download (you may search for the name of the file vco-plugin).
If there is nothing related to vco-plugin in the logs then maybe vSphere Web Client hasn't attempted to download it. I think it does search for plug-ins on startup so you can try to restart vSphere Web Client service (in appliance, it is named vsphere-client so you can restart it using the command 'service vsphere-client restart').
Also, you can try to login to vSphere Web Client with admin user, then go to Administration -> Client plug-ins, and click Check for new plug-ins link.
You were spot on that the vRO plug-in hadn't been deployed within the web client. Using the MOB I checked the URL and oddly there were two entries present (shown in the attachment). The first looks to be an IPv6 address and putting that into my web browser I got a 'page not found' error. The second URL looked correct to me and using that in my browser downloaded the plugin .ZIP file as expected. I wasn't sure how to just remove the first entry (is that possible?) so I just unregistered the 'com.vmware.vco' extension. I then reran the 'Add a vCenter Server instance' workflow within the GUI client and once complete I restarted my VCSA server (it was the lazy option over just restarting the web client service as suggested). After logging back in I was greeted with the integrated Orchestrator options.
Many thanks for sorting that out.
I have a couple of minor questions which this process has raised. I appreciate some are probably RTFM in which case feel free to point me in that direction!
- Any idea how/why the original URL registered for the extension was incorrect? Is it related to the vRO binding configured in the Network tab of the web configuration? I recall that by default it binds to 0.0.0.0 (which presumably means any interface) whereas I may have configured it to the IPv4 address while trying to get things working.
- I'm still confused about vRO permissions. I'm fine with SSO but what's the vRO Admin group for? In the GUI client under the Permissions tab there are no entries, whereas I was expecting to see the AD group I configured.
- It's confusing to me that within the WebClient, under Administration, there are entries for Client Plugins, and vCenter extensions. Even when it wasn't working the Client plugin for vCO showed up as 'enabled' and nothing shows in the vCenter Extensions section regardless of whether it's working or not. Is that expected? Given that the MOB shows lots of vCenter extensions why aren't any listed here? What's the difference between a client plugin and a vCenter extension?
- There is a new configuration wizard in the web configuration portal, named 'vSphere6 infrastructure' (under the General tab) which looks like it automates the initial configuration of the SSO authentication, SSL certs, and licencing. I tried running that initially but wasn't sure if it did something subtly different - is this the best way to configure the appliance, or should each step still be done manually?
- I'm not quite sure why the IPv6 address doesn't work. I haven't looked in detail at the code which registers extensions, but I suppose that if the binding is set to 0.0.0.0 then all network interfaces are enumerated and an entry is created for each one of them. As for why plug-in deployment has failed when there were 2 extensions, I suppose that during startup Web Client found the com.vmware.vco extension, tried to download the plug-in for the first URL (IPv6 one), failed, and gave up. There is no easy way to edit extensions once they are created. In MOB, there is a link UpdateExtension (on the main page of ExtensionManager) but it requires providing the extension data as XML, which is quite error-prone if done manually.
- vRO admin group is the default group whose members have implicit admin permissions. On permissions tab, only the permissions manually configured by the user are listed. Sorry for the confusion.
- That is a question that can be answered by the vSphere Web Client guys.
- I personally haven't used this new configuration wizard, but I suppose it doesn't do anything that cannot be done without it. It is provided just for convenience.
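The URL check described in this thread (open each client URL registered for 'com.vmware.vco' and confirm a ZIP comes back) can be scripted so that every registered entry is tested, including a second entry like the IPv6 one found above. This is an added example, not code from the posters or from VMware; `host_kind`, `fetch` and `check_plugin_urls` are hypothetical names, the URLs are whatever you copy from the MOB, and it assumes you pass the vRO server's CA certificate via `cafile` so TLS verification stays on.

```python
import io
import ipaddress
import ssl
import sys
import urllib.request
import zipfile
from urllib.parse import urlsplit


def host_kind(url):
    """Classify the URL host as 'ipv4', 'ipv6' or 'hostname'."""
    host = urlsplit(url).hostname or ""
    try:
        return "ipv%d" % ipaddress.ip_address(host).version
    except ValueError:
        return "hostname"


def fetch(url, cafile=None, timeout=10):
    """Download the URL body with certificate verification enabled."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read()


def check_plugin_urls(urls, fetcher=fetch):
    """Return one result dict per registered client URL, in the order given."""
    results = []
    for url in urls:
        entry = {"url": url, "host": host_kind(url), "ok": False, "detail": ""}
        try:
            body = fetcher(url)
            if not zipfile.is_zipfile(io.BytesIO(body)):
                entry["detail"] = "response is not a ZIP archive"
            else:
                with zipfile.ZipFile(io.BytesIO(body)) as zf:
                    bad = zf.testzip()  # name of first corrupt member, or None
                    entry["ok"] = bad is None
                    entry["detail"] = ("valid ZIP, %d entries" % len(zf.namelist())
                                       if bad is None else "corrupt member: %s" % bad)
        except Exception as exc:  # connection refused, HTTP 404, TLS failure, ...
            entry["detail"] = "%s: %s" % (type(exc).__name__, exc)
        results.append(entry)
    return results


if __name__ == "__main__":
    # Usage: python check_vco_plugin.py <url-from-MOB> [<url-from-MOB> ...]
    for result in check_plugin_urls(sys.argv[1:]):
        print(result)
```

Any entry reported with `ok: False` is a registration the Web Client may also fail to download from, which matches the symptom seen with the first (IPv6) URL.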
Great stuff Ilian, many thanks for all your help and quick responses. I guess I'll actually have to automate stuff now!
Hi Ed & Ilian
Thanks for your input into this topic. I am experiencing the same issue in my corporate lab environment - vRO 6.02 virtual appliance installed and working, but not showing in the vSphere Web Client (vCenter 5.5 U1a).
What I've tried:
- I can confirm the extension is successfully registered in the MOB (with a single URL)
- I confirm I can access the vco-plugin.zip URL via the browser
- I followed your suggestion to unregister, and re-add com.vmware.vco instance via workflows in the vRO Client - still no joy.
- I have confirmed user permissions in the Web Client, as email@example.com, that vRO Administrator group, and any relevant users have permissions - still no joy
- I restart the vSphere Web Client service each time I make a change. Also restarted the vRO appliance - still no joy
- I have set vRO plugins to reload at restart - still no joy
- I cannot find that vsphere_client_virgo.log file unfortunately to assist with troubleshooting - any guidance as to where I can find this.
- I can successfully run workflows in the vRO client, just I cannot see vRO extension in vSphere Web Client.
- Also, I do not have the "Check for new plug-ins" link in Web Client, with any admin user?
- vCenter is present in the vRO client under Inventory
Any other suggestions from your experiences would be appreciated, as am hitting a brick wall at the moment
With some more digging I have found out that vRealize Orchestrator 6.0.2 plugin/extension will never work in vSphere Web Client, because the versions are not supported together as per VMware Compatibility Matrix.... I know right, can you believe it!? (See attached) It's supported with our vCenter 5.5 U1a, but it's the Web Client where it falls short. Wonderful!
Not really a resolution, but can at least move on from here now.