Channel: VMware Communities : All Content - vRealize Automation Tools

vRA 7.x internal IPAM IP Reservations


I recently ran into an issue where I could not use an external IPAM provider and needed to use the native one in vRA. The only problem was that I could not do IP reservations in the ranges declared in the network profiles. With the blessing of VMware support I have written a tool to reserve IP addresses in the native IPAM. It is still a beta and I am not done with it yet, but if it helps anyone it is here for you:

 

GitHub - steskalja/vRAIPReservation: This tool allows for IP reservations in vRealize Automations native IPAM database 


vRA logs for Audit


Looking for some help with the questions below:

 

We are going through an audit of the vRA applications and there are several questions around logging of operations and where the actions are captured. Is there any detailed information on what data is contained in the different logs? I found a link that calls out all the log files that are used, but there is limited information around what is captured (https://kb.vmware.com/s/article/2141175).

 

I’m looking for detailed level information that would be able to assist in a potential malicious attack or researching nefarious events that might have been the result of compromised security. This would include login attempts, base application level configuration changes, tenant level changes, etc. With any of these we would want to know if the user attempting the operation was logged, the event was time stamped and what log file would contain the information. Also, are there best practices defined around off-loading log files outside of vRealize Log Insight (i.e. Rsyslog, etc.)?

 

Lastly, would there be any logs that would document the initial configuration or setup of the application that might be valuable to assist in the recovery or rebuild of the application in the case of a catastrophic failure? Also, what are best practices for exporting configuration of the application setup or the internal tenant and blueprint structure in the application?

invoke an external script to create Djoin file


Hi All,

 

I am trying to provision a computer using Djoin. I created a workflow in vRO to invoke an external script which is located on the PowerShell host, so it works without errors but no blob file was created on the PowerShell host.

When I run the script locally on the PowerShell host it works and the file is created. I already checked the script and I think that the problem is that when I am invoking 'djoin.exe' from vRealize Orchestrator through the PowerShell host, it is not responding. But it responds when I run the script locally on the PowerShell host.

I am also not receiving any errors regarding the credentials. So how could I resolve this issue?

The code:

 

[CmdletBinding()]
param(
  [parameter(Mandatory = $true)]
  [string]$ADUsername,
  [parameter(Mandatory = $true)]
  [string]$ADPassword,
  [parameter(Mandatory = $true)]
  [string]$ComputerOU,
  [parameter(Mandatory = $true)]
  [string]$ComputerName,
  [parameter(Mandatory = $true)]
  [string]$OutputFolder,
  [switch]$reuse
)

try {
  $SecurePassword = ConvertTo-SecureString $ADPassword -AsPlainText -Force
  $cred = [PSCredential]::New($ADUsername, $SecurePassword)

  $ProvisioningFilePath = "$($OutputFolder)\$($ComputerName).txt"

  $excluded = ('aa', 'bb', 'cc')             #domains
  $location = $ComputerOU.Split(',') | Where-Object { $_ -like 'DC=*' } | ForEach-Object { $_.Split('=')[1] } | Where-Object { $_ -notin $excluded }
  $DomainName = "$location.domainname"
  $ComputerOU = '"' + $ComputerOU + '"'

  if ($reuse) {
    $Cmd = @{
      FilePath     = (Join-Path -Path ([System.Environment]::SystemDirectory) -ChildPath 'djoin.exe')
      ArgumentList = "/PROVISION /DOMAIN $DomainName /MACHINE $ComputerName /MACHINEOU $ComputerOU /SAVEFILE $ProvisioningFilePath /reuse"
    }
    Write-Output('Provisioning successfull with reuse')
  }
  else {
    $Cmd = @{
      FilePath     = (Join-Path -Path ([System.Environment]::SystemDirectory) -ChildPath 'djoin.exe')
      ArgumentList = "/PROVISION /DOMAIN $DomainName /MACHINE $ComputerName /MACHINEOU $ComputerOU /SAVEFILE $ProvisioningFilePath"
    }
    Write-Output('Provisioning successfull')
  }

  try {
    Start-Process @Cmd -Wait -PassThru -Credential $cred | Out-Null
  }
  catch {
    #skip
  }

  $ProvisioningFilePath
}
catch {
  Write-Host 'Script, '$MyInvocation.MyCommand.Name' caught exception: '$_.Exception.Message
  exit 255
}

Get count of running workflows on VRO server


Hi all,

 

Is there a way to read the number of running workflows on a VRO server?

The same number, that VRO client displays:

Best options would be a REST call...

Second best would be some internal VRO class that holds this information...

Worst case would be to iterate all the workflows' executions and check their state...

 

The scenario is: I want to wait for the last workflow to finish before wiping the server as a part of CI. Any other way to approach that?

 

Thanks!

vSphere virtual machine provision takes a long time


Can anyone advise what event triggers the Successful status when provisioning a virtual machine?


I'd expect that once a vm template has been cloned and customized successfully that should be it.


For example, guest customization completed on the VM that's being provisioned below completed at 1:54PM yet the status didn't go successful until 2:02PM.
It was the only deployment running, and no event subscriptions or external workflows were executing during this time.

 

This is a consistent and frequent occurrence.

 

Thanks,

vRealize Automation 8.0 is now available!


vRealize Automation 8.0 is now available

 

What’s New

The many benefits of vRA 8.0 include:

  • Modern Platform using Kubernetes based micro-services architecture
  • Easy to set up and consume multi-cloud infrastructure surface
  • Embedded vRO 8.0 Web Client and Orchestrator's new release features
  • Deliver Infrastructure-as-Code using a declarative YAML syntax
  • Cloud Agnostic Blueprints
  • Iterative development of Blueprints
  • Self-service catalog coupled with agile governance
  • Collaboration across teams via sharing of objects
  • Kubernetes/container management
  • Deploy IPv6 workloads on dual-stack IP (IPv4/ IPv6) networks in vSphere
  • CI/CD pipeline and automated application release management
  • New Action based extensibility (ABX), which allows you to write lightweight scripts, using Node.js and Python.
  • Git Integration to manage all blueprints, workflows, actions and pipelines.

 

For more information, refer to the Release Notes.

 

Resources


Builds:

  • vRA Easy Installer ISO - #14878991
  • vRA product build (VA) - #14842736

Error login CloudClient


Hello
I just installed the client in version 4.7 and when I try to connect I have the following error message:

Error: Failure in adding/retrieving certificate in truststore. iaas.lab.net.intra.laposte.fr. Please login again to reset truststore and its permissions.

What should be done?

Thank you for your answers

Clone in-built vRA action


Hi Friends,

 

One of the customer requirements is: before submitting Power-On or Power-Off, we have to give a "disclaimer" msg. For the "reconfigure" action, we need to disable the storage tab.

 

Is there any way to modify the in-built action, or clone and modify the action? I think we can achieve this with a XaaS action, but it is difficult to design the request form the same as the original one.

 

 


Trying to debug guest customization timeout but VM is deleted even with debug deployment property


Has anyone used the _debug_deployment property in vRA to troubleshoot deployment failures? I have tried to set this property for a blueprint, but the VM still gets deleted. The deployment is marked as partially successful, but the VM is still deleted. According to https://docs.vmware.com/en/vRealize-Automation/7.6/vrealize-automation-76-custom-properties.pdf :

 

"by setting _debug_deployment to true, you can more easily debug customization and first-boot (for example, agent) issues because the setting ensures that machines are not destroyed after a provisioning failure."

 

I am trying to find out why guest customization is timing out and for that I need the logs inside the VM. The issue is intermittent and usually late at night (automation) so I can never catch it in the act.

 

Has anyone else used this property and had the VM not get destroyed? Is this a bug? Is there any other way to stop vRA from destroying machines in a failed deployment?

 

I tried setting doDeletes to false in VRMAgent.exe.config, but I found out that applies to all deletions not just ones on failures. This has caused the vm storage to fill up, so I will have to revert that change.

vRA 6.2.4 "No permissions to test the connection to the identity store."


Hi All

 

I need to fix some old vRA that was not in use for ages. I managed to recreate certs on both vRA and the VMware Identity appliance and log in to vRA with the default SSO acc. (administrator@vsphere.local). I can see the tenant and associated identity store but AD authentication is not working.

 

vmware-sts-idmd.log log on VMware Identity appliance indicates LDAP connection issues

 

[2019-10-23 14:02:38,895 vsphere.local        1f78ba5b-6a76-4abc-bdb1-29c9aeea1fab ERROR] [IdentityManager] Failed to authenticate principal [XXX@XXXX.LOCAL]. Login failed
javax.security.auth.login.LoginException: Login failed
        at com.vmware.identity.idm.server.provider.ldap.LdapWithAdMappingsProvider.authenticate(LdapWithAdMappingsProvider.java:411)
        at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:2423)
        at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:8170)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:322)
        at sun.rmi.transport.Transport$2.run(Transport.java:202)
        at sun.rmi.transport.Transport$2.run(Transport.java:199)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.rmi.transport.Transport.serviceCall(Transport.java:198)
        at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:567)
        at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:828)
        at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.access$400(TCPTransport.java:619)
        at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler$1.run(TCPTransport.java:684)
        at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler$1.run(TCPTransport.java:681)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:681)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:745)
Caused by: com.vmware.identity.interop.ldap.ServerDownLdapException: Can't contact LDAP server
LDAP error [code: -1]

 

When I try to test Identity data store I get message "No permissions to test the connection to identity store." Looks like default SSO admin (administrator@vsphere.local) lost permissions?

vmware-sts-idmd.log

[2019-10-23 12:03:51,903 vsphere.local        4b457ae9-d688-445a-af96-d918100e8225 INFO ] [VMwareDirectoryProvider] Cannot find solution user [administrator@vsphere.local@vsphere.local] in [CN=ServicePrincipals,DC=vsphere,DC=local]

 

This is the only user that I have, so how can I fix that issue?

 

Thanks

Provides login pages per tenant ?


Hi, all

 

I have a question about the login page (branding).

 

I have several business groups and many users who belong to the business group.

But the vRA pages they connect to are one.

I want to provide them with different pages. The URLs do not have to be different, but can you set each branding separately?

 

For example, a user named A looks at a branding page with an apple on it, and a user named B looks at a branding page with a banana on it.

 

 

I'll wait for your advice!

Thanks.

vRA 8 - Issues Applying a Certificate


Hi all,

 

I understand vRA 8 is very much in its beginnings, but figured it was worth a shot asking this with some of the other brave pioneers with the arrows in their backs out there.

 

I deployed a simple vRA 8 environment in my lab and I'm trying to apply a new certificate to it. I added a wildcard certificate (with a proper public suffix) to LCM Locker, and the PEM I imported passed validations. I used this certificate to update the LCM instance itself, as well as the IDM instance with no issue. For the IDM instance I used the LCM workflow. I then tried to apply the certificate to the vRA environment via LCM but received the following error:

 

com.vmware.vrealize.lcm.common.exception.EngineException: Failed to install vRA Certificate on hostname : testvra.lab.net
        at com.vmware.vrealize.lcm.plugin.core.vra80.task.VraVaInstallCertificateTask.execute(VraVaInstallCertificateTask.java:135)
        at com.vmware.vrealize.lcm.plugin.core.vra80.task.VraVaInstallCertificateTask.retry(VraVaInstallCertificateTask.java:220)
        at com.vmware.vrealize.lcm.automata.core.TaskThread.run(TaskThread.java:43)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)

 

Did some digging and it appears the LCM workflow copies the PEM over to the /tmp directory on the vRA appliance and runs a command similar to:

 

vracli certificate ingress --set /tmp/lcm-cert.pem --sha256 {value}

 

I tried running this command while SSH'ed into the vRA appliance and got the following error:

 

Certificate with sha256 sum: {value} have errors in section 'v3_extensions'["Unable to parse certifcate's ['v3_extensions']['critical'] section. "

 

Popped open the cert and didn't see anything unusual:

 

 

I've tried a couple other things such as deleting the critical section, creating a dedicated cert instead of a wildcard, and changing the hashing algorithm but to no effect. I'm thinking that this error might be a red herring, but not sure.

 

Figured I'd ask to see if anyone else had any issues with theirs. If I stumble upon the answer, I'll update my thread.

Unable to import catalogs vRA 7.5


Hi guys

 

I have installed and configured vRA7.5, and installed the ITSM 5.0 plugin for SNOW.

After I have registered the vRA and try to import the catalogs I get the below error:

 

 

Exception caught inside VRASNRegisterVRA.updateAuthToken: ConversionError: The undefined value has no properties.

 

PLEASE can anyone assist?

 

thank you

vRA 8 - Extensibility and VM Properties


Is there any in-depth documentation on how to pass properties to vRO when an Event is triggered? The very poor official documentation:

Writing Workflow and Action Code for vRealize Automation Cloud Assembly

just says to pass the payload to vRO, like you do with vRA 7. However no payload object of the Property type is passed to vRO. The only thing I get is a bunch of attributes, with _metadata* as a prefix in the name. There are no machine properties and, as there are no custom properties in vRA 8, I do not know how I could force vRA to pass those to a vRO workflow.

 

Also - in vRA 7, to test a subscription, I could just configure an event subscription that would be triggered on each event topic (Condition -> run for all events). This was really helpful when learning which parameters get passed with each topic. AFAIK there is no way to configure an "any" Event in vRA 8 - or is there?

vRealize Automation deployment has failed. Check vRSLCM UI for more details.


So I did check the UI. Here is the last part of the log file it suggested I check. I do not know what it means. vRA is installed and I was able to log in on the console to check the log file. But no idea what the errors seen in the attached screenshot mean. So not sure how to fix things.

 

Any help will be much appreciated. Any other info you need, let me know.

 

Thanks in advance,

 

Michael


VMware ESXi API Problem


Hey guys,

I am trying to communicate with my VMware ESXi using PHP; I also tried Postman using the same params and URL.

 

This is my server data:

  • Version: 6.7.0 Update 3 (Build 14320388)
  • State: Normal (not connected to any vCenter Server)
  • Uptime: 3.74 days

 

I tried to POST to https://my_ds/rest/com/vmware/cis/session using Authorization Headers, and I got just 400 Bad Request.

Has anyone used this before or something?

vRA - Redirect to tenant login page by default.


Hi there,

I am looking for the best solution to have "End-Users" hit the tenant login page by default when going to the vRA portal.

First some context:

We have a single vRA appliance, we have a single tenant, with multiple Business Groups.

Currently users have to go to https://longservername.longfqdn/vcac/org/tenant/  to hit the login page.
I have a cname being created to use as a short URL, but this by itself will still only hit the server, default vRealize Automation Appliance page, so users will have to add /vcac/org/tenant on the end...

I have googled a lot and read a lot of documentation, this is why now I'm asking...

While we could use a Load Balancer or F5 or proxy in front to do the redirect this is extra overhead which seems un-needed for a single appliance.

I have found the blogs and various other pages saying you can edit the file on the appliance itself, like this one: Will on IT: vRA Redirect To Login. While this works, I also understand it's not best practice to edit files on the appliance.

Is this what I'm after? Set the vRealize Automation Login URL to a Custom Name. It doesn't quite seem like it will do the redirect part.

 

Is there any official VMware-supported way of doing this?

 

Thanks Jonathan.

Network management pack for Cisco ACI


Hi, we are looking to integrate Cisco ACI with vROps. I was searching for a Management pack for Cisco ACI, but could not find it. There is a similar one for Cisco UCS - VMware Solution Exchange but nothing for ACI.

Please advise?

 

Thnx

invoke an external process


Hi all,

 

I am trying to invoke an external process using "invoke an external script" from vRO.

The process is to provision a computer locally on the PowerShell host and to create a blob file.

The script is as follows:

$Cmd = @{
  FilePath     = (Join-Path -Path ([System.Environment]::SystemDirectory) -ChildPath 'djoin.exe')
  ArgumentList = "/PROVISION /DOMAIN $DomainName /MACHINE $ComputerName /MACHINEOU $ComputerOU /SAVEFILE $ProvisioningFilePath "
}

try {
  Start-Process @Cmd -Credential $cred -wait -PassThru| Out-Null
}
catch {
  #skip
}

$ProvisioningFilePath

 

 

 

 

When I run the script from PowerShell it works successfully, but once I invoke it from vRO the workflow will work but without provisioning any computer.

T-shirt sizes per business group


Hi

 

Here is the scenario

I have a single blueprint with a few t-shirt sizes available and a lot of business groups that can use it.

Can I allow some of the BGs to use some additional t-shirt sizes?

 

Or, in a more general way, how can I have a resource limit per VM per business group?

 

Thanks for the help!
