
Installing and Configuring Automation Orchestrator

July 2024
VMware Aria Automation 8.18
VMware Aria Automation Orchestrator 8.18

You can find the most up-to-date technical documentation on the VMware by Broadcom website at:

https://docs.vmware.com/

VMware by Broadcom
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

© Copyright 2024 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its
subsidiaries. For more information, go to https://www.broadcom.com. All trademarks, trade names, service
marks, and logos referenced herein belong to their respective companies.

VMware by Broadcom 2
Contents

Installing and configuring Automation Orchestrator

1 Key features of the Automation Orchestrator platform

2 User roles

3 System requirements
  Default Appliance Components
  Hardware requirements
  Scalability Maximums
  Network Requirements
  Ports and Endpoints
  Supported browsers
  Internationalization Support

4 Setting Up Automation Orchestrator Components
  vCenter setup
  Authentication Methods

5 Installing Automation Orchestrator
  Download and Deploy the Automation Orchestrator Appliance
  Power on the Automation Orchestrator Appliance and Open the Home Page
  Activate or Deactivate SSH Access to the Automation Orchestrator Appliance

6 Initial Configuration
  Configuring a Standalone Automation Orchestrator Server
  Authenticating with VMware Aria Automation
  Authenticating with vSphere
  Feature enablement with licenses
  Automation Orchestrator Database Connection
  Manage Automation Orchestrator certificates
  Generate a custom TLS certificate
  Set a custom TLS certificate
  Import a Trusted Certificate with the Control Center
  Activate the certificate path validation algorithm
  Configuring the Automation Orchestrator plug-ins
  Automation Orchestrator High Availability
  Configure an Automation Orchestrator cluster
  Remove an Automation Orchestrator cluster node
  Scale out a standalone Automation Orchestrator deployment
  Monitoring a cluster
  Recovering a Cluster Node
  Configuring the Customer Experience Improvement Program
  Categories of Information That VMware Receives
  Join or Leave the Customer Experience Improvement Program
  Configuring the Automation Orchestrator Appliance authentication provider with the command line interface
  Additional command line interface configuration options

7 Using the Automation Orchestrator API Services
  Managing SSL Certificates Through the REST API
  Delete a TLS Certificate by Using the REST API
  Import TLS Certificates by Using the REST API
  Create a Keystore by Using the REST API
  Delete a Keystore by Using the REST API
  Add a Key by Using the REST API

8 Additional Configuration Options
  Reconfiguring Authentication
  Change the Authentication Provider
  Change the Authentication Parameters
  Configuring the Workflow Run Properties
  Automation Orchestrator Log Files
  Logging Persistence
  Automation Orchestrator Logs Configuration
  Configure Logging Integration with Operations for Logs
  Create or overwrite a syslog integration
  Delete a Syslog Integration in Automation Orchestrator
  Enable Kerberos Debug Logging
  Enabling the Opentracing extension
  Configure the Opentracing Extension
  Configure the Wavefront Extension
  Enable Time Synchronization for Automation Orchestrator
  Deactivate Time Synchronization for Automation Orchestrator
  Configure Automation Orchestrator Kubernetes CIDR
  Update the DNS Settings for Automation Orchestrator
  Back Up and Restore Automation Orchestrator

9 Configuration Use Cases and Troubleshooting
  Verify the Automation Orchestrator server build number
  Configure the Automation Orchestrator Plug-in for the vSphere Web Client
  Cancel Running Workflows
  Enable Automation Orchestrator Server Debugging
  Resize the Automation Orchestrator Appliance Disks
  How to Scale the Heap Memory Size of the Automation Orchestrator Server
  Disaster Recovery of Automation Orchestrator by Using Site Recovery Manager
  Configure Virtual Machines for vSphere Replication
  Create Protection Groups
  Create a Recovery Plan
  Organize Recovery Plans in Folders
  Edit a Recovery Plan

10 Setting System Properties
  Setting Server File System Access for Workflows and Actions
  Rules in the js-io-rights.conf File Permitting Write Access to the Automation Orchestrator System
  Set Server File System Access for Workflows and Actions
  Set JavaScript Access to Java Classes
  Set Custom Timeout Property
  Adding a JDBC connector for the Automation Orchestrator SQL plug-in
  Activating basic authentication

11 Where to go from here
Installing and configuring Automation Orchestrator

Installing and configuring Automation Orchestrator provides information and instructions about
installing and configuring VMware Aria Automation Orchestrator.

What is Automation Orchestrator


Automation Orchestrator is a development- and process-automation platform that provides a
library of extensible workflows to allow you to create and run automated, configurable processes
to manage VMware products as well as other third-party technologies.

Automation Orchestrator automates management and operational tasks of both VMware and
third-party applications such as service desks, change management systems, and IT asset
management systems.

Automation Orchestrator architecture


Automation Orchestrator contains a workflow library and a workflow engine to allow you to
create and run workflows that automate orchestration processes. You run workflows on the
objects of different technologies that Automation Orchestrator accesses through a series of
plug-ins.

[Figure: Automation Orchestrator architecture. The Automation Orchestrator Client, the Control
Center, and Web Services (REST) front the Automation Orchestrator server. The server stores its
data in the Automation Orchestrator database and delegates authentication to an authentication
provider (vCenter Server or VMware Aria Automation). Plug-ins connect the server to vCenter
Server, Active Directory, HTTP-REST, VMware Aria Automation, PowerShell, and third-party
plug-in targets.]

Automation Orchestrator provides a standard set of plug-ins, including plug-ins for vCenter and
VMware Aria Automation, to allow you to orchestrate tasks in the different environments that
the plug-ins expose. Automation Orchestrator also presents an open architecture for plugging
in external third-party applications to the orchestration platform. You can run workflows on the
objects of the plugged-in technologies that you define yourself.

Automation Orchestrator connects to an authentication provider to manage user accounts and to
a preconfigured PostgreSQL database to store information from the workflows that it runs.


You can access Automation Orchestrator, the objects it exposes, and the Automation
Orchestrator workflows through the Automation Orchestrator Client, or through Web services.
Monitoring and configuration of Automation Orchestrator workflows and services is done
through the Automation Orchestrator Client and Control Center.

Automation Orchestrator plug-ins


Plug-ins allow you to use Automation Orchestrator to access and control external technologies
and applications. By exposing an external technology in an Automation Orchestrator plug-in, you
can incorporate objects and functions in workflows that access the objects and functions of that
external technology.

The external technologies that you can access by using plug-ins include virtualization
management tools, email systems, databases, directory services, and remote-control interfaces.

For more information about the Automation Orchestrator plug-ins, see Using the Automation
Orchestrator Plug-Ins.

For more information about third-party Automation Orchestrator plug-ins, see VMware
Marketplace.

Intended Audience
This information is intended for advanced vSphere administrators and experienced system
administrators who are familiar with virtual machine technology and data center operations.

1 Key features of the Automation Orchestrator platform
Automation Orchestrator is composed of three distinct layers: an orchestration platform that
provides the common features required for an orchestration tool, a plug-in architecture to
integrate control of subsystems, and a library of workflows. Automation Orchestrator is an open
platform that can be extended with new plug-ins and content, and can be integrated into larger
architectures through a REST API.

Automation Orchestrator includes several key features that help with running and managing
workflows.

Persistence
A production-grade PostgreSQL database is used to store relevant information, such as
processes, workflow states, and the Automation Orchestrator configuration.

Central management
Automation Orchestrator provides a central tool to manage your processes. The application
server-based platform, with full version history, can store scripts and process-related primitives in
the same storage location. This way, you avoid unversioned scripts that lack proper change
control on your servers.

Check-pointing
Every step of a workflow is saved in the database, which prevents data-loss if you must restart
the server. This feature is especially useful for long-running processes.

Control Center
Control Center is a web-based portal that increases the administrative efficiency of Automation
Orchestrator instances by providing a centralized administrative interface for runtime operations,
workflow monitoring, and correlation between the workflow runs and system resources.

Note The Control Center service is deprecated and will be removed in a future release.


Versioning
All Automation Orchestrator platform objects have an associated version history. Version history
is useful for basic change management when distributing processes to project stages or
locations.

Git integration
With the Automation Orchestrator Client, you can integrate a Git repository to further improve
version and source control of your Automation Orchestrator content. With Git, you can manage
workflow development across multiple Automation Orchestrator instances. See Using Git with the
Automation Orchestrator Client in the Using Automation Orchestrator guide.

Scripting engine
The Mozilla Rhino JavaScript engine provides a way to create building blocks for the Automation
Orchestrator Client platform. The scripting engine is enhanced with basic version control, variable
type checking, name space management, and exception handling. The engine can be used in the
following building blocks:

n Actions

n Workflows

n Policies

In addition to JavaScript, you can also use Python, Node.js, and PowerShell/PowerCLI runtimes
as a way of creating workflows and actions. For more information, go to Core Concepts for
Python, Node.js, and PowerShell Scripts.

Workflow engine
The workflow engine is used by Automation Orchestrator for core processes such as:

n Processing the workflow schema

n Performing workflow and action runs

n Managing user interactions

n Creating checkpoints for Automation Orchestrator objects

The capabilities to manage Automation Orchestrator content are provided by the Orchestrator
platform and Automation Orchestrator Client.

Users, other workflows, schedules, or policies can start workflows.


Policy engine
You can use the policy engine to monitor and generate events to react to changing conditions
in the Automation Orchestrator Client server or a plugged-in technology. Policies can aggregate
events from the platform or the plug-ins, which helps you to handle changing conditions on any
of the integrated technologies.

Automation Orchestrator Client


Create, run, edit, and monitor workflows with the Automation Orchestrator Client. You can also
use the Automation Orchestrator Client to manage action, configuration, policy, and resource
elements. See Using Automation Orchestrator.

Development and resources


The Automation Orchestrator landing page provides quick access to resources to help you
develop your own plug-ins, for use in Automation Orchestrator. You will also find information
about using the Automation Orchestrator REST API to send requests to the Automation
Orchestrator server.

Security
Automation Orchestrator provides the following advanced security functions:

n Public Key Infrastructure (PKI) to sign and encrypt content imported and exported between
servers.

n Digital Rights Management (DRM) to control how exported content can be viewed, edited,
and redistributed.

n Transport Layer Security (TLS) to provide encrypted communications between the
Automation Orchestrator Client, Automation Orchestrator server, and HTTPS access to the
Web front end.

n Advanced access rights management to provide control over access to processes and the
objects manipulated by these processes.

Encryption
Automation Orchestrator uses a FIPS-compliant Advanced Encryption Standard (AES) with a
256-bit cipher key for encryption of strings. The cipher key is randomly generated and is unique
across appliances that are not part of a cluster. All nodes in a cluster share a cipher key.

2 Automation Orchestrator user roles
Automation Orchestrator provides different tools and interfaces based on the specific
responsibilities of the global user roles. In Automation Orchestrator you can have users with
full rights, that are a part of the administrator group (administrators), developers (workflow
designers), troubleshooting users (viewers), and users with limited access.

Automation Orchestrator user roles are managed in the Role Management menu of the
Automation Orchestrator Client. For more information on configuring user roles in the
Automation Orchestrator Client, go to Assign Roles in the Automation Orchestrator Client in the
Using Automation Orchestrator guide.

Note For Automation Orchestrator deployments authenticated with VMware Aria Automation,
or using a VMware Cloud Foundation license, user roles are assigned with the Identity
and Access Management service of the VMware Aria Automation platform. Go to Configure
Automation Orchestrator Client Roles in VMware Aria Automation in Using Automation
Orchestrator.

User Role: Administrator
This user has full access to all Automation Orchestrator platform capabilities and content,
including content created by specific groups. Primary administrator user responsibilities include:
n Installing and configuring Automation Orchestrator.
n Adding users to the Automation Orchestrator Client, assigning roles, and creating and
deleting groups. Go to Create Groups in the Automation Orchestrator Client in Using
Automation Orchestrator.
n Creating an integration with a Git repository for the developers in their Automation
Orchestrator environment. Go to Configure a Connection to a Git Repository in Using
Automation Orchestrator.
n Troubleshooting their Automation Orchestrator environment through features like workflow
validation and debugging workflow scripts.

User Role: Viewer
This user has read-only access to the entire Automation Orchestrator Client, including all groups
and group content. This user can view but cannot create, edit, or run content, or export workflow
runs, workflow run logs, or packages. Viewers are not limited by group permissions.

Note The viewer role is supported only for Automation Orchestrator instances authenticated
with VMware Aria Automation. This role is not mapped to a VMware Aria Automation role by
default, so it must be explicitly assigned to users.

User Role: Workflow Designer
This user can extend the Automation Orchestrator platform functionality by creating and editing
objects. Workflow designers do not have access to the administrative and troubleshooting
features of the Automation Orchestrator Client. Primary workflow designer responsibilities
include:
n Creating, editing, running, and deleting Automation Orchestrator objects like workflows,
actions, policies, and configuration elements.
n Scheduling workflow runs. Go to Schedule Workflows in the Automation Orchestrator Client
in Using Automation Orchestrator.
n Adding content created by the workflow developer to groups they are assigned to.
n Pushing local changes to the remote Git repository in the active branch defined by an
administrator. Go to Push Changes to a Git Repository in Using Automation Orchestrator.

User Role: Users with limited rights
Users with no assigned role can still log in to the Automation Orchestrator Client, but have limited
access to client features and content. If they are assigned to a group, these users can view and run
content included in that group. Users who are not assigned to a group can only view their own
workflow runs through the available integrations with VMware Aria Automation.

3 Automation Orchestrator system requirements
Your system must meet the technical requirements that are necessary for Automation
Orchestrator to work properly.

For a list of the supported versions of vCenter, the vSphere Web Client, VMware Aria
Automation, and other VMware solutions, see VMware Product Interoperability Matrix.

Note Automation Orchestrator does not support changing the time zone of the Automation
Orchestrator Appliance to a time zone other than UTC+0.

Read the following topics next:

n Automation Orchestrator Appliance Components

n Hardware requirements

n Scalability Maximums

n Network Requirements for Automation Orchestrator

n Ports and Endpoints

n Supported browsers

n Level of Internationalization and Localization Support

Automation Orchestrator Appliance Components


The Automation Orchestrator Appliance is a Photon OS-based virtual appliance whose services
run in containers.

The Automation Orchestrator Appliance includes the following components:

n An infrastructure level Kubernetes layer.

n A preconfigured PostgreSQL database.

n The core Automation Orchestrator services: the server service, Control Center service, and
orchestration UI service.

Note The Control Center service is deprecated and will be removed in a future release.


The default Automation Orchestrator Appliance database configuration is production ready.

Note To use the Automation Orchestrator Appliance, you must configure the Automation
Orchestrator server to authenticate through VMware Aria Automation or vSphere. See
Configuring a Standalone Automation Orchestrator Server.

Hardware requirements
The Automation Orchestrator Appliance is a preconfigured Photon OS-based virtual machine
whose services run in containers. Before you deploy the appliance, verify that your system meets
the minimum hardware requirements.

The Automation Orchestrator Appliance has the following hardware requirements:

n 4 CPUs

n 12 GB of memory

n 200 GB hard disk

Do not reduce the default memory size, because the Automation Orchestrator server requires at
least 8 GB of free memory.

Scalability Maximums
The scalability limit table outlines the recommended maximums for Automation Orchestrator
deployments.

Component                      Scale target       More information
Virtual machines               35,000
vCenter connections            10                 See vCenter setup
Active nodes in a cluster      3                  See Configure an Automation Orchestrator cluster
Concurrent running workflows   300 per node       See Configuring the Workflow Run Properties
Queued running workflows       10,000 per node
Preserved workflow runs        100 per workflow
Log event expiration days      15

Network Requirements for Automation Orchestrator


Each Automation Orchestrator node requires a network setup.

The network requirements for Automation Orchestrator are:

n Single, static IPv4 network address

n Reachable DNS server set manually

n Valid fully-qualified domain name (FQDN) set manually that can be resolved both forward
and in reverse through the DNS server

Note IP address change or hostname change after installation is not supported and results in a
broken setup that is not recoverable.

Ports and Endpoints


The Automation Orchestrator Kubernetes service includes two endpoints and several main
network ports.

Network Ports
You can access Automation Orchestrator over port 443. The 443 port is secured with a self-
signed certificate that is generated during the installation. When using an external load balancer,
it must be set up to balance on port 443.

To view all Automation Orchestrator ports, refer to the Ports and Protocols tool.

Endpoints
You can access the Automation Orchestrator Client and Control Center services at the following
endpoints.

Service                          Endpoint
Automation Orchestrator Client   https://your_orchestrator_FQDN/orchestration-ui
Control Center                   https://your_orchestrator_FQDN/vco-controlcenter

Note The Control Center service is deprecated and will be removed in a future release.

Supported browsers
Confirm that your browsers support Automation Orchestrator.

To access the Automation Orchestrator Client and Control Center, you must use one of the
following browsers:

n Microsoft Edge

n Mozilla Firefox

n Google Chrome


Level of Internationalization and Localization Support


The Automation Orchestrator Control Center and Automation Orchestrator Client support the
use of non-English operating systems, non-English input and output, and non-English
formatting of data such as dates, times, and numbers.

The user interfaces of the Control Center and the Automation Orchestrator Client are
localized to the following languages:

n Spanish

n French

n German

n Traditional Chinese

n Simplified Chinese

n Korean

n Japanese

n Italian

n Dutch

n Brazilian Portuguese

n Russian

4 Setting Up Automation Orchestrator Components
When you download and deploy the Automation Orchestrator Appliance, the Automation
Orchestrator server is preconfigured. After deployment, the services start automatically.

To enhance the availability and scalability of your Automation Orchestrator setup, follow these
guidelines:

n Install and configure an authentication provider and configure Automation Orchestrator to
work with the provider. See Configuring a Standalone Automation Orchestrator Server.

n For clustered Automation Orchestrator environments, install and configure a load balancing
server and configure it to distribute the workload between the Automation Orchestrator
servers.

Read the following topics next:

n vCenter setup

n Authentication Methods

vCenter setup
Increasing the number of vCenter instances in your Automation Orchestrator setup causes
Automation Orchestrator to manage more sessions. Too many active sessions can cause
timeouts: Automation Orchestrator can experience timeouts when more than 10 vCenter
connections are active.

For a list of the supported versions of vCenter, see the VMware Product Interoperability Matrix.

Note If your network has sufficient bandwidth and low enough latency, you can run multiple
vCenter instances on different virtual machines in your Automation Orchestrator setup. If you are
using a LAN to improve the communication between Automation Orchestrator and vCenter, a
100 Mbit/s link is the minimum.

Standalone Automation Orchestrator support for VMware Cloud on AWS
Standalone Automation Orchestrator deployments do not support VMware Cloud on AWS
authentication, so you cannot run Automation Orchestrator workflows on VMware Cloud on AWS
vCenter instances.


Authentication Methods
To authenticate and manage user permissions, Automation Orchestrator requires a connection to
either VMware Aria Automation or a vSphere server instance.

When you download and deploy the Automation Orchestrator Appliance, you must configure the
server with VMware Aria Automation or vSphere authentication. See Configuring a Standalone
Automation Orchestrator Server.

Note Automation Orchestrator 8.x authentication with VMware Aria Automation is only
supported with VMware Aria Automation 8.x.

5 Installing Automation Orchestrator
Automation Orchestrator consists of a virtual appliance that can be either standalone or an
internal appliance as a part of VMware Aria Automation.

To use Automation Orchestrator, you must deploy the Automation Orchestrator Appliance and
configure the Automation Orchestrator server.

You can change the default Automation Orchestrator configuration settings by using the
Automation Orchestrator Control Center.

Note The Control Center service is deprecated and will be removed in a future release.

Read the following topics next:

n Download and Deploy the Automation Orchestrator Appliance

n Power on the Automation Orchestrator Appliance and Open the Home Page

n Activate or Deactivate SSH Access to the Automation Orchestrator Appliance

Download and Deploy the Automation Orchestrator Appliance
Before you can access the Automation Orchestrator content and services, you must download
and deploy the Automation Orchestrator Appliance.

Prerequisites

n Verify that you have a running vCenter instance. The vCenter version must be 6.0 or later.

n Verify that the host on which you are deploying the Automation Orchestrator Appliance
meets the minimum hardware requirements. See Hardware requirements.

n If your system is isolated and without Internet access, you must download the .ova file for
the appliance from the VMware website.

Procedure

1 Log in to the vSphere Web Client as an administrator.

2 Select an inventory object that is a valid parent object of a virtual machine, such as a data
center, folder, cluster, resource pool, or host.


3 Select Actions > Deploy OVF Template.

4 Enter the file path or the URL to the .ova file and click Next.

5 Enter a name and location for the Automation Orchestrator Appliance, and click Next.

6 Select a host, cluster, resource pool, or vApp as a destination on which you want the
appliance to run, and click Next.

7 Review the deployment details, and click Next.

8 Accept the terms in the license agreement and click Next.

9 Select the storage format you want to use for the Automation Orchestrator Appliance.

Thick Provisioned Lazy Zeroed
Creates a virtual disk in a default thick format. The space required for the virtual disk is
allocated when the virtual disk is created. If any data remains on the physical device, it is not
erased during creation, but is zeroed out on demand later, on first write from the virtual
machine.

Thick Provisioned Eager Zeroed
Supports clustering features such as Fault Tolerance. The space required for the virtual disk is
allocated when the virtual disk is created. If any data remains on the physical device, it is
zeroed out when the virtual disk is created. It might take much longer to create disks in this
format than to create disks in other formats.

Thin Provisioned Format
Saves hard disk space. For the thin disk, you provision as much datastore space as the disk
requires based on the value that you select for the disk size. The thin disk starts small and, at
first, uses only as much datastore space as the disk needs for its initial operations.

10 Click Next.

11 Configure the network settings and enter the root password.

When configuring the network settings of the Automation Orchestrator Appliance, you must
use the IPv4 protocol. For both DHCP and Static network configurations, you must add a fully
qualified domain name (FQDN) for your Automation Orchestrator Appliance.

If the host name displayed in the shell of the deployed Automation Orchestrator Appliance is
photon-machine, the preceding network configuration requirements are not met.
12 (Optional) Configure additional network settings for the Automation Orchestrator Appliance,
such as enabling SSH access.

Note When configuring the Kubernetes network, the internal cluster CIDR and the internal
service CIDR must each allow for at least 1024 hosts. Because of this requirement, the network
mask length must be 22 or less; mask lengths greater than 22 are invalid. The Kubernetes
network properties have the following default values:

Kubernetes network property        Default value    Property description
Kubernetes internal cluster CIDR   10.244.0.0/22    The CIDR used for pods running inside the Kubernetes cluster.
Kubernetes internal service CIDR   10.244.4.0/22    The CIDR used for Kubernetes services inside the Kubernetes cluster.

Note You can also change the Kubernetes CIDR network properties after deployment. See
Configure Automation Orchestrator Kubernetes CIDR.

13 (Optional) To enable FIPS mode for the Automation Orchestrator Appliance, set FIPS Mode
to strict.

Note FIPS 140-2 enablement is supported only for new Automation Orchestrator
environments. If you want to enable FIPS mode on your environment, you must do so during
installation.

14 Click Next.

15 Review the Ready to complete page and click Finish.

Results

The Automation Orchestrator Appliance is successfully deployed.
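The Kubernetes CIDR rule in step 12 is easy to get wrong in the OVA wizard, and a bad value is only discovered after the appliance boots. The following POSIX shell script is an added example, not VMware code, that checks candidate cluster and service CIDRs before you type them in: the /22-or-shorter rule is the one stated above, while the overlap check (the two ranges must not share addresses) is a practitioner sanity check that the guide does not spell out. The sample addresses are the wizard defaults.

```shell
#!/bin/sh
# Added example (not VMware code): validate the Kubernetes cluster and service CIDRs before
# entering them in the OVA deployment wizard. The prefix-length rule comes from the guide
# (/22 or shorter, so each range holds at least 1024 addresses); the overlap check is a
# practitioner sanity check the guide does not state, since the two ranges must be distinct.

# ip4_to_int A.B.C.D -> the address as a 32-bit integer; fails on malformed input
ip4_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_ok ADDR/LEN -> 0 when the address parses and LEN is 22 or shorter
cidr_ok() {
    addr=${1%/*}; plen=${1#*/}
    [ "$addr" != "$1" ] || return 1                 # no "/LEN" part
    case $plen in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 22 ] || return 1                  # /23 and longer hold fewer than 1024 addresses
    ip4_to_int "$addr" > /dev/null
}

# network_of ADDR/LEN -> integer network address of the range (host bits cleared)
network_of() {
    addr=${1%/*}; plen=${1#*/}
    n=$(ip4_to_int "$addr") || return 1
    if [ "$plen" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))   # 4294967295 = 0xFFFFFFFF
    fi
    echo $(( n & mask ))
}

# cidrs_overlap A/LA B/LB -> 0 when the ranges share any address: compare both under the shorter prefix
cidrs_overlap() {
    pa=${1#*/}; pb=${2#*/}
    p=$pa
    if [ "$pb" -lt "$pa" ]; then p=$pb; fi
    na=$(network_of "${1%/*}/$p") || return 2
    nb=$(network_of "${2%/*}/$p") || return 2
    [ "$na" -eq "$nb" ]
}

# validate_k8s_cidrs CLUSTER_CIDR SERVICE_CIDR -> 0 when both pass and do not overlap
validate_k8s_cidrs() {
    cidr_ok "$1" || { echo "cluster CIDR '$1': invalid, or mask longer than /22" >&2; return 1; }
    cidr_ok "$2" || { echo "service CIDR '$2': invalid, or mask longer than /22" >&2; return 1; }
    if cidrs_overlap "$1" "$2"; then
        echo "cluster CIDR $1 and service CIDR $2 overlap" >&2
        return 1
    fi
    return 0
}

# The wizard defaults pass; a /23 cluster CIDR or two overlapping ranges would be rejected
validate_k8s_cidrs 10.244.0.0/22 10.244.4.0/22 && echo "default CIDRs OK"
```

Run it with the two values you intend to enter, for example validate_k8s_cidrs 10.244.0.0/22 10.244.4.0/22. Because the appliance's IP address and hostname cannot be changed after installation, and the pod and service ranges are also baked in at deployment, checking them here is cheaper than redeploying.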

What to do next

Log in to the Automation Orchestrator Appliance command line as root and confirm that you can
perform a forward or reverse DNS lookup.

n To perform a forward DNS lookup, run the nslookup your_orchestrator_FQDN command. The
command must return the Automation Orchestrator Appliance IP address.

n To perform a reverse DNS lookup, run the nslookup your_orchestrator_IP command. The
command must return the Automation Orchestrator Appliance FQDN.

Note If you have not enabled SSH during deployment, you can also perform DNS lookups from
the virtual machine console in the vSphere Web Client.

If you encounter problems with your Automation Orchestrator Appliance, go to KB 93142.

Power on the Automation Orchestrator Appliance and Open the Home Page

To use the standalone Automation Orchestrator Appliance, you must first power it on.

Procedure

1 Log in to the vSphere Web Client as an administrator.

2 Right-click the Automation Orchestrator Appliance and select Power > Power On.

3 In a Web browser, navigate to the host address of your Automation Orchestrator Appliance
virtual machine that you configured during the OVA deployment.

https://your_orchestrator_FQDN/vco.

Activate or Deactivate SSH Access to the Automation Orchestrator Appliance

You can activate or deactivate SSH access to the Automation Orchestrator Appliance.

Prerequisites

n Download and deploy the Automation Orchestrator Appliance.

n Verify that the Automation Orchestrator Appliance is up and running.

Procedure

1 Log in to the Automation Orchestrator Appliance command line as root.

2 To activate SSH access, run the /usr/bin/toggle-ssh enable command.

3 To deactivate SSH access, run the /usr/bin/toggle-ssh disable command.

What to do next

You can configure the SSH settings of the Automation Orchestrator Appliance by editing
the /etc/ssh/sshd_config file. By editing this file, you can remove any ciphers or MACs that
you do not consider safe.

Chapter 6 Initial Configuration

Before you begin automating tasks and managing systems and applications with Automation
Orchestrator, you must use the Automation Orchestrator Control Center to configure an external
authentication provider. You can also use the Automation Orchestrator Control Center for
additional configuration tasks such as managing license and certificate information, installing
plug-ins, and monitoring the state of your Automation Orchestrator cluster. You can also
configure your Automation Orchestrator deployment through the command line interface.

Read the following topics next:

n Configuring a Standalone Automation Orchestrator Server

n Automation Orchestrator feature enablement with licenses

n Automation Orchestrator Database Connection

n Manage Automation Orchestrator certificates

n Configuring the Automation Orchestrator plug-ins

n Automation Orchestrator High Availability

n Configuring the Customer Experience Improvement Program

n Configuring the Automation Orchestrator Appliance authentication provider with the
command line interface

n Additional command line interface configuration options

Configuring a Standalone Automation Orchestrator Server


Although the Automation Orchestrator Appliance is a preconfigured Photon-based virtual
machine, you must configure an authentication provider before you access the full functionality
of the Automation Orchestrator Control Center and Automation Orchestrator Client.

Configure a standalone Automation Orchestrator server with VMware Aria Automation
authentication

To prepare the Automation Orchestrator Appliance for use, you must configure the host settings
and the authentication provider. You can configure Automation Orchestrator to authenticate with
VMware Aria Automation.

Prerequisites

n Download and deploy the latest version of the Automation Orchestrator Appliance. Go to
Download and Deploy the Automation Orchestrator Appliance.

n Install and configure VMware Aria Automation and verify that your VMware Aria Automation
server is running. See the VMware Aria Automation documentation.

Important The product version of the VMware Aria Automation authentication provider
must match the product version of your Automation Orchestrator deployment.

n If you plan to create a cluster, set up a load balancer to distribute traffic among multiple
instances of Automation Orchestrator. Go to Load Balancing Guide.

Procedure

1 Access the Control Center to start the configuration wizard.

a Navigate to https://your_Automation-Orchestrator_FQDN/vco-controlcenter.

b Log in as root with the password you entered during OVA deployment.

2 Configure the authentication provider.

a On the Configure Authentication Provider page, select VMware Aria Automation from
the Authentication mode drop-down menu.

b In the Host address text box, enter your VMware Aria Automation host address and click
Connect.

The format of the VMware Aria Automation host address must be https://your_VMware-
Aria-Automation_hostname.
c Click Accept Certificate.

d Enter the credentials of the VMware Aria Automation organization owner under which
Automation Orchestrator will be configured. Click Register.

e Click Save Changes.

A message indicates that your configuration is saved successfully.

Results

You have successfully finished the Automation Orchestrator server configuration.

What to do next

n Verify that CSP is the configured license provider at the Licensing page.

n Verify that the node is configured properly at the Validate Configuration page.

Note Following the configuration of the authentication provider, the Automation
Orchestrator server restarts automatically after 2 minutes. Verifying the configuration
immediately after authentication can return an invalid configuration status.

Configure a standalone Automation Orchestrator server with vSphere authentication

You register the Automation Orchestrator server with a vCenter Single Sign-On server by using
the vSphere authentication mode. Use vCenter Single Sign-On authentication with vCenter 7.0
and later.

Depending on the configuration of the vCenter server being used to authenticate Automation
Orchestrator, your authentication uses either the built-in identity provider or VMware Single
Sign-On (VMware SSO). VMware SSO allows you to use an external identity provider to sign in to
your vCenter server hosts.

Note You can configure VMware SSO in vSphere 8.0 Update 3 or later. For more information on
configuring VMware SSO, go to Configure VMware Single Sign-On.

If both the built-in and external identity providers are available in the vCenter server used for
authentication, the external identity provider is the preferred method.

Prerequisites

n Download and deploy the latest version of the Automation Orchestrator Appliance. See
Download and Deploy the Automation Orchestrator Appliance.

n Install and configure a vCenter with vCenter Single Sign-On running. See the vSphere
documentation.

n If you plan to create a cluster, set up a load balancer to distribute traffic among multiple
instances of Automation Orchestrator. Go to Load Balancing Guide.

Procedure

1 Access the Control Center to start the configuration wizard.

Note You can also configure the authentication provider from the command line
interface. For more information, go to Configuring the Automation Orchestrator Appliance
authentication provider with the command line interface.

a Navigate to https://your_orchestrator_FQDN/vco-controlcenter.

b Log in as root with the password you entered during OVA deployment.

2 Configure the authentication provider.

a On the Configure Authentication Provider page, select vSphere from the Authentication
mode drop-down menu.

b In the Host address text box, enter the fully qualified domain name or IP address of the
vCenter Server instance that contains the vCenter Single Sign-On and click Connect.

Note If you use an external vCenter Server or multiple vCenter Server instances behind a
load balancer, you must manually import the certificates of all vCenter Server instances that
share a vCenter Single Sign-On domain.

Note To integrate a different vSphere Client with your configured Automation
Orchestrator environment, you must configure vSphere to use the same vCenter Server
registered to Automation Orchestrator. For High Availability Automation Orchestrator
environments, you must replicate the vCenter Server instances behind the Automation
Orchestrator load balancer server.

c Review the certificate information of the authentication provider and click Accept
Certificate.

d Enter the credentials of the local administrator account for the vCenter Single Sign-On
domain. Click REGISTER.

For the built-in identity provider, the default account is administrator@vsphere.local
and the name of the default tenant is vsphere.local. The credentials for an external
identity provider depend on the specific provider which your vSphere environment is
using.

e In the Admin group text box, enter the name of an administrators group and click Search.

For example, vsphere.local\vcoadmins

Note When using an external identity provider, local groups such as vsphere.local are
not supported. You can only select groups coming from the external identity provider.

f Select the administration group you want to use. The administration group you select
receives administrator privileges in Automation Orchestrator.

g Click Save changes.

A message indicates that your configuration is saved successfully.

Results

You have successfully finished the Automation Orchestrator server configuration.

What to do next

Verify that the node is configured properly at the Validate Configuration page.

Note Following the configuration of the authentication provider, the Automation Orchestrator
server restarts automatically after 2 minutes. Verifying the configuration immediately after
authentication can return an invalid configuration status.

Automation Orchestrator feature enablement with licenses


Access to certain Automation Orchestrator features is based on the license applied to your
Automation Orchestrator deployment.

After authentication, your Automation Orchestrator instance is assigned a license based on
the license edition of the authentication provider. Licenses control access to the following
Automation Orchestrator features:

n Git integration

n Role management

n Multi-language support (Python, Node.js, and PowerShell)

You can view the details of your currently applied license, such as the license expiry date, by
logging in to the Automation Orchestrator Client, navigating to Administration > Licensing
and selecting the Overview tab. To manually change the license of the Automation Orchestrator
deployment, select the Manual License tab.

Core Automation Orchestrator operations such as running workflows, actions, scheduling tasks,
and running policies are restricted and cannot be started if your Automation Orchestrator
deployment does not have a valid license entitlement. In such a scenario, operations initiated
by users will fail.

Note There is no limit to the number of Automation Orchestrator deployments to which you
can apply the same license, regardless of the license type. For VMware Aria Automation licenses,
having a deployed and configured VMware Aria Automation environment is not required.

Authentication | Current licensing | Legacy licensing | Git Integration | Role management | Multi-language support

vSphere | VMware vSphere Standard; VMware vSphere Foundation | vSphere; vCloud Suite Standard | No | No | No

vSphere | Manually added VMware Cloud Foundation license | VMware Aria Automation; VMware Aria Suite Advanced or Enterprise; vCloud Suite Advanced or Enterprise | Yes | Yes | Yes

VMware Aria Automation | VMware Cloud Foundation; VMware Aria Suite Advanced or Enterprise; vCloud Suite Advanced or Enterprise | VMware Aria Automation | Yes | Roles are managed from the VMware Aria Automation instance used to authenticate Automation Orchestrator. | Yes

Note Legacy licenses such as vSphere and VMware Aria Automation continue to be
valid. However, if your deployment uses a VMware Cloud Foundation or VMware vSphere
Foundation license, the older license becomes irrelevant.

You will receive a notification message in your Automation Orchestrator Client when there is an
upcoming change to your licenses, such as a license expiry. In case your license expires, you
will have a set grace period of 60 days during which you must renew your license or risk losing
access to Automation Orchestrator functionality.

Automation Orchestrator Database Connection


The Automation Orchestrator server requires a database for storing data.

The deployed Automation Orchestrator Appliance includes a preconfigured PostgreSQL
database used by the Automation Orchestrator server to store data.

The PostgreSQL database is not accessible to users.

Manage Automation Orchestrator certificates


Issued for a particular server and containing information about the server public key, the
certificate allows you to sign all elements created in Automation Orchestrator and guarantee
authenticity. When the client receives an element from your server, typically a package, the client
verifies your identity and decides whether to trust your signature.

You can manage the Automation Orchestrator certificates from the Certificates page in the
Automation Orchestrator Control Center or with the Automation Orchestrator Client, by using the
ssl_trust_manager tagged workflows.

Import a certificate to the Automation Orchestrator trust store


Automation Orchestrator Control Center uses a secure connection to communicate with vCenter,
relational database management system (RDBMS), LDAP, Single Sign-On, and other servers. You
can import the required TLS certificate from a URL or a PEM-encoded file. Each time you want
to use a TLS connection to a server instance, you must import the corresponding TLS certificate
from the Trusted Certificates tab on the Certificates page.

You can load the TLS certificate in Automation Orchestrator from a URL address or a PEM-
encoded file.

Option                         Description

Import from URL or proxy URL   The URL of the remote server: https://your_server_IP_address or your_server_IP_address:port

Import from file               Path to the PEM-encoded certificate file.

Note You can also import a trusted certificate by running the Import a trusted certificate from a
file workflow in the Automation Orchestrator Client. The file imported through this workflow must
be DER-encoded.

For more information on importing a certificate, see Import a Trusted Certificate with the Control
Center.

Package signing certificate


Packages exported from an Automation Orchestrator server are digitally signed. Import, export,
or generate a new certificate to be used for signing packages. Package signing certificates are a
form of digital identification that is used to guarantee encrypted communication and a signature
for your Automation Orchestrator packages.

The Automation Orchestrator Appliance includes a package signing certificate that is generated
automatically, based on the network settings of the appliance. If the network settings of
the appliance change, you must generate a new package signing certificate manually. After
generating a new package signing certificate, all future exported packages are signed with the
new certificate.

Generate a custom TLS certificate for Automation Orchestrator


You can use the Automation Orchestrator Appliance to generate a new TLS certificate for your
environment or set an existing custom certificate.

The Automation Orchestrator Appliance includes a Transport Layer Security (TLS) certificate that
is generated automatically, based on the network settings of the appliance. If the network
settings of the appliance change, you must generate a new certificate manually. You can create
a certificate chain to guarantee encrypted communication and provide a signature for your
packages. However, the recipient cannot be sure that the self-signed package is in fact a
package issued by your server and not a third party claiming to be you. To prove the identity of
your server, use a certificate signed by a Certificate Authority (CA).

Automation Orchestrator generates a server certificate that is unique to your environment. The
private key is stored in the vmo_keystore table of the Automation Orchestrator database.

Note To configure your Automation Orchestrator Appliance to use an existing custom TLS
certificate, see Set a custom TLS certificate for Automation Orchestrator.

Prerequisites

Verify that SSH access for the Automation Orchestrator Appliance is enabled. See Activate or
Deactivate SSH Access to the Automation Orchestrator Appliance.

Procedure

1 Log in to the Automation Orchestrator Appliance command line over SSH as root.

2 Run the vracli certificate ingress --generate auto --set stdin command.

3 To apply the custom certificate to your Automation Orchestrator Appliance, run the
deployment script.

a Navigate to the /opt/scripts/ directory.

cd /opt/scripts/

b Run the ./deploy.sh script.

Important Do not interrupt the deployment script. You receive the following message
when the script finishes running:

Prelude has been deployed successfully.
To access, go to your_orchestrator_address

What to do next

To confirm that the new certificate chain is applied, run the vracli certificate ingress
--list command.

Set a custom TLS certificate for Automation Orchestrator


Set a custom TLS Certificate for your Automation Orchestrator Appliance.

The Automation Orchestrator Appliance includes a Transport Layer Security (TLS) certificate that is
generated automatically, based on the network settings of the appliance.

You can configure your Automation Orchestrator Appliance to use an existing custom TLS
certificate. You can set the certificate by importing the relevant PEM file from your local machine
into the Automation Orchestrator Appliance. You can also set your custom TLS certificate
by copying the certificate chain directly into the Automation Orchestrator Appliance. Both
procedures require you to run the ./deploy.sh script before the new TLS certificate can be
used in your Automation Orchestrator deployment.

For information on generating a new custom TLS certificate, see Generate a custom TLS
certificate for Automation Orchestrator.

Prerequisites

n Verify that SSH access for the Automation Orchestrator Appliance is enabled. See Activate or
Deactivate SSH Access to the Automation Orchestrator Appliance.

n Verify that the PEM file containing the TLS certificate contains the following components in
the set order:

a The private key for the certificate.

b The primary certificate.

c If applicable, the Certificate Authority (CA) intermediate certificate or certificates.

d The root CA certificate.

For example, the TLS certificate can have the following structure:

-----BEGIN RSA PRIVATE KEY-----
<Private Key>
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<Primary TLS certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Intermediate certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Root CA certificate>
-----END CERTIFICATE-----
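
The following Python check is added here and is not part of the VMware documentation. It verifies that a PEM bundle has the layout the prerequisite describes before the file is handed to vracli: exactly one private key block in first position, followed only by CERTIFICATE blocks (at least the primary certificate and the root CA), each of which decodes as base64 to an ASN.1 SEQUENCE. It does not verify the chain cryptographically; the function names are assumptions and the sample bundles are constructed and contain no real key material.

```python
import base64
import binascii
import re

# Labels accepted for the private key block that must come first in the bundle
# (PKCS#1 RSA, PKCS#8, and EC keys as OpenSSL writes them).
PRIVATE_KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY"}

# One PEM block: BEGIN line, base64 body, END line carrying the same label.
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


def parse_pem_blocks(text):
    """Return a list of (label, der_bytes) for every well-formed block in text.

    Raises binascii.Error if a block body is not valid base64.
    """
    blocks = []
    for match in _PEM_BLOCK.finditer(text):
        body = "".join(match.group("body").split())      # drop line breaks
        der = base64.b64decode(body, validate=True)
        blocks.append((match.group("label"), der))
    return blocks


def check_pem_bundle(text):
    """Return a list of problems with the bundle layout; an empty list means the
    order is key, primary certificate, optional intermediates, root CA."""
    problems = []
    try:
        blocks = parse_pem_blocks(text)
    except binascii.Error as exc:
        return [f"a PEM body is not valid base64: {exc}"]

    # A BEGIN line the parser did not consume is an unterminated or mislabelled block.
    begins = text.count("-----BEGIN ")
    if begins != len(blocks):
        problems.append(f"{begins} BEGIN lines but only {len(blocks)} complete blocks")
    if not blocks:
        return problems or ["no PEM blocks found"]

    labels = [label for label, _ in blocks]
    if labels[0] not in PRIVATE_KEY_LABELS:
        problems.append(f"first block is {labels[0]!r}; the private key must come first")
    key_positions = [i + 1 for i, label in enumerate(labels) if label in PRIVATE_KEY_LABELS]
    if len(key_positions) > 1:
        problems.append(f"more than one private key block (positions {key_positions})")
    elif key_positions and key_positions != [1]:
        problems.append(f"private key found at position {key_positions[0]}, expected position 1")

    for position, (label, der) in enumerate(blocks, start=1):
        if position > 1 and label != "CERTIFICATE":
            problems.append(f"block {position} is {label!r}; only CERTIFICATE blocks may follow the key")
        if der[:1] != b"\x30":   # DER keys and certificates both start with SEQUENCE
            problems.append(f"block {position} ({label}) does not decode to an ASN.1 SEQUENCE")

    cert_count = labels.count("CERTIFICATE")
    if cert_count < 2:
        problems.append(f"{cert_count} certificate block(s); need at least the primary "
                        "certificate and the root CA")
    return problems


def _pem_block(label, der=b"\x30\x03\x02\x01\x00"):
    """Build a constructed PEM block; the default body is a minimal DER SEQUENCE,
    not a real key or certificate."""
    body = base64.encodebytes(der).decode("ascii")      # already ends with a newline
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


# Constructed bundles for illustration only.
GOOD_BUNDLE = _pem_block("RSA PRIVATE KEY") + _pem_block("CERTIFICATE") * 3
WRONG_ORDER_BUNDLE = (_pem_block("CERTIFICATE") + _pem_block("RSA PRIVATE KEY")
                      + _pem_block("CERTIFICATE"))

if __name__ == "__main__":
    print("good bundle:", check_pem_bundle(GOOD_BUNDLE) or "OK")
    print("wrong order:", check_pem_bundle(WRONG_ORDER_BUNDLE))
```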

Procedure

1 Set the certificate by importing the PEM file into the Automation Orchestrator Appliance.

a Import the certificate PEM from your local machine by running a secure copy (SCP)
command from an SSH shell.

For Linux, you can use a terminal SCP command:

scp ~/PEM_local_filepath/your_cert_file.PEM root@orchestrator_FQDN_or_IP:/PEM_orchestrator_filepath/your_cert_file.PEM

For Windows, you can use a PuTTY client PSCP command:

pscp C:\PEM_local_filepath\your_cert_file.PEM root@<orchestrator_FQDN_or_IP>:/PEM_orchestrator_filepath/your_cert_file.PEM

b Log in to the Automation Orchestrator Appliance command line over SSH as root.

c Run the vracli certificate ingress --set your_cert_file.PEM command.

2 (Optional) Set the certificate by copying the certificate chain directly into the appliance.

a Log in to the Automation Orchestrator Appliance command line over SSH as root.

b Run the vracli certificate ingress --set stdin command.

c Copy and paste the certificate chain, and press Ctrl+D.

3 To apply the new TLS certificate, run the deployment script.

a Navigate to the /opt/scripts/ directory.

cd /opt/scripts/

b Run the ./deploy.sh script.

Important Do not interrupt the deployment script. You receive the following message when
the script finishes running:

Prelude has been deployed successfully.
To access, go to https://your_orchestrator_FQDN

Results

You have set a custom TLS certificate for your Automation Orchestrator Appliance.

What to do next

To confirm that the new certificate chain is applied, run the vracli certificate ingress
--list command.

Import a Trusted Certificate with the Control Center


To communicate with other servers securely, the Automation Orchestrator server must be able
to verify their identity. For this purpose, you might need to import the TLS certificate of the
remote entity to the Automation Orchestrator trust store. To trust a certificate, you can import
it to the trust store either by establishing a connection to a specific URL, or directly as a PEM-
encoded file.

Procedure

1 Log in to Control Center as root.

2 Go to the Certificates page.

3 Select Trusted Certificates and click Import.

4 To import the certificate from a file, select Import from a PEM-encoded file.

5 Browse to the certificate file and click Import.

6 To import the certificate from a URL address, select Import from URL.

7 Enter the URL address where your certificate is stored and click Import.

Results

You have successfully imported a remote server certificate to the Automation Orchestrator trust
store.

Activate the certificate path validation algorithm


By adding a system property, you can activate the certificate path validation algorithm for your
trusted certificates.

Automation Orchestrator uses an enhanced public-key infrastructure X.509 (PKIX) certification
path when working with certificates for establishing an SSL or TLS connection with a host.
Automation Orchestrator must work uninterrupted when establishing a connection with a host
with an updated certificate issued by a trusted certificate authority (CA) included in the
Automation Orchestrator trust store.

If the subject certificate or some of the intermediate certificates are renewed, the algorithm
makes an informed trust decision on whether it can trust any certificate that is not already
explicitly trusted.

Note Activating the com.vmware.o11n.certPathValidator system property makes certificate
validation stricter, performed according to RFC 5280. After activating the certificate validation
algorithm, some workflows associated with a host with a trusted but outdated certificate start
to fail. To resolve this certificate issue, renew the certificate of the specific host so that it uses
a valid and up-to-date certificate, and add it to the Automation Orchestrator trust store again.

Procedure

1 Log in to the Control Center as root.

2 Select System Properties, and click New.

3 In the Key text-box, enter com.vmware.o11n.certPathValidator.

4 In the Value text-box, enter true.

5 (Optional) Add a description for the system property.

6 Click Add.

A pop-up window appears.

7 To finish adding the new system property, click Save changes from the pop-up window.

8 Wait for the server to automatically restart so the changes are applied.

Results

The certificate validation algorithm is now active. For more information on managing Automation
Orchestrator certificates, see Manage Automation Orchestrator certificates.

What to do next

If your Automation Orchestrator deployment uses vSphere as an authentication provider and
you change the vCenter certificate, you must restart the Automation Orchestrator pod so the
environment can use the new certificate. To restart your pod, use the following procedure:

1 Log in to the Automation Orchestrator Appliance as root.

2 Run the following commands:

kubectl -n prelude scale deployment vco-app --replicas=0
kubectl -n prelude scale deployment vco-app --replicas=1

Note For clustered Automation Orchestrator deployments, replace the second command
with the following:

kubectl -n prelude scale deployment vco-app --replicas=3

Configuring the Automation Orchestrator plug-ins


The Automation Orchestrator Appliance provides access to a library of preinstalled default plug-
ins. The default Automation Orchestrator plug-ins are configured with plug-in-specific workflows
that run in Automation Orchestrator.

The default Automation Orchestrator plug-ins come with configuration workflows. You can run
these workflows from Automation Orchestrator to register endpoints for management.

The configuration workflows have the configuration tag. For example, to access workflows that
are used to manage AMQP brokers and subscriptions, enter the tags AMQP and Configuration in
the search text box of the workflow library.

For more information about the Automation Orchestrator plug-ins, go to the Using Automation
Orchestrator Plug-Ins guide.

Automation Orchestrator High Availability


To increase the availability of the Automation Orchestrator services, start multiple Automation
Orchestrator server instances in a cluster with a shared database. Automation Orchestrator
works as a single instance until it is configured to work as part of a cluster.

Multiple Automation Orchestrator server instances with identical server and plug-ins
configurations work together in a cluster and share one database.

All Automation Orchestrator server instances communicate with each other by exchanging
heartbeats. Each heartbeat is a timestamp that the node writes to the shared database of
the cluster at a certain time interval. Network problems, an unresponsive database server, or
overload might cause an Automation Orchestrator cluster node to stop responding. If an active
Automation Orchestrator server instance fails to send heartbeats within the failover timeout
period, it is considered non-responsive. The failover timeout is equal to the value of the heartbeat
interval multiplied by the number of the failover heartbeats. It serves as a definition for an
unreliable node and can be customized according to the available resources and the production
load.

An Automation Orchestrator node enters standby mode when it loses connection to the
database, and remains in this mode until the database connection is restored. The other nodes in
the cluster take control of the active work, by resuming all interrupted workflows from their last
unfinished items, such as scriptable tasks or workflow invocations.

You can monitor the state of your Automation Orchestrator cluster from the System tab of
the Automation Orchestrator Client dashboard. To configure the cluster heartbeat, number
of failover heartbeats, and the number of active nodes, navigate to the Orchestrator Cluster
Management page of the Automation Orchestrator Control Center.

For information about scalability maximums, go to Chapter 3 Automation Orchestrator system
requirements.

Configure an Automation Orchestrator cluster


You can configure your new Automation Orchestrator deployment to run in high availability by
deploying three nodes and connecting them as a cluster.

An Automation Orchestrator cluster consists of three Automation Orchestrator instances that
share a common PostgreSQL database. The database of the configured Automation Orchestrator
cluster can only run in asynchronous mode.

To create an Automation Orchestrator cluster, you must select one Automation Orchestrator
instance to be the primary node of the cluster. After configuring the primary node, you join the
secondary nodes to it.

The Automation Orchestrator cluster you created is pre-configured with automatic failover.

Note Failure of the automatic failover can lead to loss of database data.

Prerequisites

n Download and deploy three standalone Automation Orchestrator instances. Go to Download
and Deploy the Automation Orchestrator Appliance.

Note A clustered Automation Orchestrator environment can consist of three nodes.

n Verify that SSH access is enabled for all Automation Orchestrator nodes. Go to Activate or
Deactivate SSH Access to the Automation Orchestrator Appliance.

n Configure a load balancer server. Go to Load Balancing Guide.

Procedure

1 Configure the primary node.

a Log in to the Automation Orchestrator Appliance command line of the primary node over
SSH as root.

b To configure the cluster load balancer server, run the vracli load-balancer set
load_balancer_FQDN command.

c Log in to the Control Center of the primary node and select Host Settings.

d Click Change and set the host address of the connected load balancer server.

e Configure the authentication provider. Go to Configuring a Standalone Automation
Orchestrator Server.

2 Join secondary nodes to primary node.

a Log in to the Automation Orchestrator Appliance command line of the secondary node
over SSH as root.

b To join the secondary node to the primary node, run the vracli cluster join
primary_node_hostname_or_IP command.

c Enter the root password of the primary node.

d Repeat the procedure for the other secondary node.

3 (Optional) If your primary node uses a custom certificate, you must either set the certificate
in the appliance or generate a new certificate. Go to Generate a custom TLS certificate for
Automation Orchestrator.

Note The file containing the certificate chain must be PEM-encoded.

4 Finish the cluster deployment.

a Log in to the Automation Orchestrator Appliance command line of the primary node over
SSH as root.

b To confirm that all nodes are in a ready state, run the kubectl -n prelude get nodes
command.

c Run the /opt/scripts/deploy.sh script and wait for the deployment to finish.

Results

You have created an Automation Orchestrator cluster. After creating the cluster, you can access
your Automation Orchestrator environment only from the FQDN address of your load balancer
server.

Note Because you can only access the Control Center of the cluster with the root password
of the load balancer, you cannot edit the configuration of a cluster node if it has a different
root password. To edit the configuration of this node, remove it from the load balancer, edit the
configuration in the Control Center, and add the node back to the load balancer.

What to do next

To monitor the state of the Automation Orchestrator cluster, log in to the Automation
Orchestrator Client and navigate to the System tab of the dashboard. Go to Monitoring an
Automation Orchestrator cluster.

Remove an Automation Orchestrator cluster node


You can delete an Automation Orchestrator node so you can reduce your cluster capacity.

After removing a node from your Automation Orchestrator cluster, that node will no longer be
functional. If you want to use this node again, you must delete its Automation Orchestrator
Appliance from your vCenter and deploy it again. See Download and Deploy the Automation
Orchestrator Appliance.

Prerequisites

Create an Automation Orchestrator cluster. See Configure an Automation Orchestrator cluster.

Procedure

1 Log in to the Automation Orchestrator Appliance command line of the node you want to
remove as root.

2 To remove the node from your Automation Orchestrator cluster, run the vracli cluster leave
command.

3 Log in to the Automation Orchestrator Appliance command line of one of the remaining
nodes as root.


4 Run the kubectl -n prelude get nodes command and confirm that the removed node is
no longer part of the cluster.

Scale out a standalone Automation Orchestrator deployment


You can increase the availability and scalability of your configured Automation Orchestrator
deployment by scaling it out.

Prerequisites

n Download, deploy, and configure an Automation Orchestrator instance. Go to Download and
Deploy the Automation Orchestrator Appliance and Configuring a Standalone Automation
Orchestrator Server.

n Download and deploy two additional Automation Orchestrator instances. Go to Download
and Deploy the Automation Orchestrator Appliance.

n Configure a load balancer server. Go to Load Balancing Guide.

Procedure

1 Configure the primary node.

a Log in to the Control Center of your configured Automation Orchestrator deployment as
root.

b Select Configure Authentication Provider and unregister your authentication provider.

c Select Host Settings and enter the host name of the load balancer server.

d Select Configure Authentication Provider and register your authentication provider
again.

e Log in to the Automation Orchestrator Appliance command line of the configured
instance as root.

f To stop all the services of the Automation Orchestrator instance, run the
/opt/scripts/deploy.sh --onlyClean command.

g To set the load balancer, run vracli load-balancer set load_balancer_FQDN.

h (Optional) If your Automation Orchestrator instance uses a custom certificate, run the
vracli certificate ingress --set your_cert_file.pem command.

Note The file containing the certificate chain must be PEM-encoded.


2 Join secondary nodes to the configured instance.

Note If your Automation Orchestrator deployment is patched, refer to the workaround in KB
96619.

a Log in to the Automation Orchestrator Appliance command line of the secondary node as
root.

b To join the secondary node to the configured instance, run the vracli cluster join
primary_node_hostname_or_IP command.

c Repeat for the other secondary node.

3 Finish the scale-out process.

a Log in to the Automation Orchestrator Appliance command line of the configured
instance as root.

b Run /opt/scripts/deploy.sh and wait for the script to finish.

Results

You have scaled out your Automation Orchestrator deployment.

Note For a deployment with three Automation Orchestrator instances, the scaled out
deployment can withstand one instance failing and still function. Two instances failing renders
the Automation Orchestrator deployment non-functional.

Monitoring an Automation Orchestrator cluster


You can monitor your existing Automation Orchestrator cluster through the System tab of the
Automation Orchestrator Client dashboard.

The recommended method for monitoring the configuration synchronization states of the
Automation Orchestrator instances is through the System tab of the Automation Orchestrator
Client dashboard.

Note If you are unable to access the Automation Orchestrator Client dashboard, you can also
monitor the states of your Automation Orchestrator instances by running the kubectl get
pods -n prelude command from the Automation Orchestrator Appliance command line.


Configuration Synchronization State   Description

RUNNING   The Automation Orchestrator service is available and can accept requests.

STANDBY   The Automation Orchestrator service cannot process requests because:
n The node is part of a High Availability (HA) cluster and remains in a standby mode until
the primary node fails.
n The service cannot verify the configuration prerequisites, like a valid connection to the
database, authentication provider, and the Automation Orchestrator instance license.

Failed to retrieve the service's health status   The Automation Orchestrator server service
cannot be contacted because it is either stopped or a network issue is present.

Pending restart   Control Center detects a configuration change and the Automation
Orchestrator server restarts automatically.

Recovering a Cluster Node

Restoring an Automation Orchestrator node can cause issues with the Kubernetes service.

To recover a problematic node in your Automation Orchestrator cluster, you must locate the
node, remove it from the cluster, and then add it to the cluster again.

Procedure

1 Identify the primary node of your Automation Orchestrator cluster.

a Log in to the Automation Orchestrator Appliance command line of one of your nodes
over SSH as root.

b Find the node with the primary role by running the following command, which runs
repmgr inside the postgres-0 pod:

kubectl -n prelude exec postgres-0 -- chpst -u postgres repmgr cluster show --terse --compact

c Retrieve the name of the pod in which the primary node is located.

In most cases, the name of the pod is postgres-0.postgres.prelude.svc.cluster.local.

d Find the FQDN address of the primary node by running the kubectl -n prelude get
pods command.

kubectl -n prelude get pods -o wide

e Find the database pod with the name you retrieved and get the FQDN address for the
corresponding node.


2 Locate the problematic node by running the kubectl -n prelude get node command.

The problematic node has a NotReady status.

3 Log in to the Automation Orchestrator Appliance command line of the primary node over
SSH as root.

4 Remove the problematic node from the cluster by running the vracli cluster remove
<NODE-FQDN> command.

5 Log in to the Automation Orchestrator Appliance command line of the problematic node over
SSH as root.

6 Add the node to the cluster again by running the vracli cluster join <MASTER-DB-NODE-FQDN>
command.
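The following is an added example, not part of the VMware documentation or the vracli tooling, that automates the lookups in the procedure above and the kubectl fallback mentioned under Monitoring an Automation Orchestrator cluster. The sample command outputs are constructed; the repmgr column layout and the kubectl column headers are assumptions about what the real commands print. Because steps 4 and 6 run on two different nodes, the script only prints the vracli commands and the host each one belongs on, and refuses to plan the removal of the node that holds the primary database:

```shell
#!/bin/sh
# Added example; not part of the VMware documentation or the vracli tooling.
# Helpers for the "Recovering a Cluster Node" procedure and for the kubectl
# fallback in "Monitoring an Automation Orchestrator cluster".
# The SAMPLE_* strings are constructed to look like the real command output;
# the column layouts are assumptions. Nothing here runs vracli or kubectl.

# Constructed: kubectl -n prelude exec postgres-0 -- chpst -u postgres repmgr cluster show --terse --compact
SAMPLE_REPMGR=' ID | Name       | Role    | Status    | Upstream   | Location | Prio. | TLI
----+------------+---------+-----------+------------+----------+-------+-----
 1  | postgres-0 | primary | * running |            | default  | 100   | 3
 2  | postgres-1 | standby |   running | postgres-0 | default  | 100   | 3
 3  | postgres-2 | standby |   running | postgres-0 | default  | 100   | 3'

# Constructed: kubectl -n prelude get pods -o wide
SAMPLE_PODS='NAME         READY   STATUS    RESTARTS   AGE   IP            NODE                 NOMINATED NODE   READINESS GATES
postgres-0   1/1     Running   0          3d    10.244.0.10   vro-a.corp.example   <none>           <none>
postgres-1   1/1     Running   0          3d    10.244.1.10   vro-b.corp.example   <none>           <none>
postgres-2   0/1     Unknown   0          3d    10.244.2.10   vro-c.corp.example   <none>           <none>'

# Constructed: kubectl -n prelude get nodes
SAMPLE_NODES='NAME                 STATUS     ROLES           AGE   VERSION
vro-a.corp.example   Ready      control-plane   3d    v1.28.0
vro-b.corp.example   Ready      control-plane   3d    v1.28.0
vro-c.corp.example   NotReady   control-plane   3d    v1.28.0'

# Step 1b/1c: name of the pod whose repmgr role is "primary" (stdin: repmgr output).
primary_db_pod() {
  awk -F'|' '{
    gsub(/^ +| +$/, "", $2); gsub(/^ +| +$/, "", $3)
    if ($3 == "primary") { print $2; exit }
  }'
}

# Step 1d/1e: node (FQDN) that runs the given pod (stdin: kubectl get pods -o wide).
# The NODE column index is read from the header; "NOMINATED NODE" also contains
# the word NODE, so only the first match is used.
node_of_pod() {
  awk -v pod="$1" '
    NR == 1 { for (i = 1; i <= NF; i++) if ($i == "NODE" && !col) col = i; next }
    col && $1 == pod { print $col; exit }'
}

# Step 2: nodes whose STATUS contains NotReady (stdin: kubectl get nodes).
not_ready_nodes() {
  awk 'NR > 1 && $2 ~ /NotReady/ { print $1 }'
}

# Monitoring fallback: pods that are not Running or not fully ready
# (stdin: kubectl -n prelude get pods).
unhealthy_pods() {
  awk 'NR > 1 && ($3 != "Running" || (split($2, r, "/") && r[1] != r[2])) { print $1 }'
}

# Steps 3 to 6: print what to run and where. Refuses to plan the removal of the
# node that holds the primary database, because the rejoin in step 6 must be
# pointed at exactly that node.
plan_recovery() {
  p=$1; b=$2
  if [ "$p" = "$b" ]; then
    echo "refusing: $b holds the primary database; recover a standby first or fail over" >&2
    return 1
  fi
  printf 'on %s (as root): vracli cluster remove %s\n' "$p" "$b"
  printf 'on %s (as root): vracli cluster join %s\n' "$b" "$p"
}

# Stand-alone run over the constructed samples.
pod=$(printf '%s\n' "$SAMPLE_REPMGR" | primary_db_pod)
primary=$(printf '%s\n' "$SAMPLE_PODS" | node_of_pod "$pod")
for bad in $(printf '%s\n' "$SAMPLE_NODES" | not_ready_nodes); do
  plan_recovery "$primary" "$bad"
done
```

On a real appliance, replace the three SAMPLE_* strings with the live output of the commands shown in their comments; the functions read from stdin, so `kubectl -n prelude get nodes | not_ready_nodes` works unchanged.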

Configuring the Customer Experience Improvement Program

If you choose to participate in the Customer Experience Improvement Program (CEIP), VMware
receives anonymous information that helps to improve the quality, reliability, and functionality of
VMware products and services.

Categories of Information That VMware Receives

The Customer Experience Improvement Program (CEIP) provides VMware with information that
enables VMware to improve our products and services and to fix problems.

Details regarding the data collected through CEIP and the purposes for which it is used
by VMware are set out in the Trust & Assurance Center at
http://www.vmware.com/trustvmware/ceip.html. To join or leave the CEIP for this product,
see Join or Leave the Customer Experience Improvement Program.

Join or Leave the Customer Experience Improvement Program

Join the Customer Experience Improvement Program from the Automation Orchestrator
Appliance command line.

Procedure

1 Log in to Automation Orchestrator Appliance command line as root.

2 To join the Customer Experience Improvement Program, run the vracli ceip on command.

3 Review the Customer Experience Improvement Program information, and run the vracli
ceip on --acknowledge-ceip command.


4 Restart the Automation Orchestrator services. Each service runs as the main process (PID 1) of
its container, and Kubernetes restarts a container whose main process exits, so a service is
restarted by opening a shell in its container and stopping PID 1. Replace your_vro_pod with the
name of the vco-app pod shown by kubectl -n prelude get pods.

a To open a shell in the server container, run the kubectl -n prelude exec -it your_vro_pod -c
vco-server-app -- /bin/bash command.

b To stop the service, run the kill 1 command. The container restarts.

c To open a shell in the Control Center container, run the kubectl -n prelude exec -it
your_vro_pod -c vco-controlcenter-app -- /bin/bash command.

d To stop the service, run the kill 1 command.

5 To leave the Customer Experience Improvement Program, run the vracli ceip off
command.

6 Repeat the steps for restarting the services.

Configuring the Automation Orchestrator Appliance authentication provider with the command
line interface
You can configure Automation Orchestrator options such as the authentication provider with
the Automation Orchestrator Appliance command line interface (CLI). This does not replace
the existing configuration options in the Control Center. To use these commands, you must
log in to the Automation Orchestrator Appliance as a root user. After making any
authentication changes, you must run the /opt/scripts/deploy.sh script so the change to the
Automation Orchestrator Appliance is applied.

Retrieving the current authentication provider

You can retrieve the current authentication provider by running the following command:

vracli vro authentication

Configure the authentication provider by using a guided wizard

To configure the authentication provider by using a guided configuration wizard, run the
following command:

vracli vro authentication wizard

After running the authentication wizard command, you are prompted to provide the necessary
authentication provider information such as the type of authentication provider, hostname, and
password.


Configure the authentication provider by using predefined parameters

To configure the authentication provider by using predefined configuration parameters, run
the vracli vro authentication set command. The command can have the following
parameters:

Parameter   Importance   Description

-p or --provider   Required   This parameter defines the authentication provider type. The
parameter value can be either vsphere or vra depending on the authentication provider you
want to configure: vSphere or VMware Aria Automation.

-hn or --hostname   Required   The hostname or URL of the authentication provider you want
to configure. Either form is accepted.

-u or --username   Required   The username of the administrator associated with the
authentication provider.

--password-file   Optional   The path to a file containing the password of the administrator
account for the authentication provider. If left empty, you receive a prompt for adding the
password data. The password file must be stored inside the /data/vco/usr/lib/vco directory
of the Automation Orchestrator Appliance. When adding the parameter in the command, exclude
the /data/vco part of the filepath.

--admin-group   Required for vSphere authentication providers. Ignored for VMware Aria
Automation authentication providers.   Parameter for adding the Automation Orchestrator
administrators group of the specified vSphere deployment.

--admin-group-domain   Required for vSphere authentication providers. Ignored for VMware
Aria Automation authentication providers.   This parameter defines the administrator group
domain.

-k or --ignore-certificate   Optional   Using this parameter, the authentication process is
configured to automatically trust the certificate of the authentication provider. Because the
provider certificate is then not verified, the administrator credentials can be sent to a host
impersonating the provider; use the parameter only where the provider certificate cannot be
imported first.

-f or --force   Optional   Using this parameter, you are not prompted for confirmation if the
specified authentication provider is already configured.

--fqdn   Optional   This parameter defines the external address of the Automation
Orchestrator server.

Note You can retrieve the FQDN address for your environment by running the nslookup
<your_orchestrator_IP> command.

Example authentication configurations

echo "my-pass" > /data/vco/usr/lib/vco/password_file
vracli vro authentication set -p vra -hn https://my-aria-automation.local -u [email protected] --password-file /usr/lib/vco/password_file

vracli vro authentication set -p vsphere -hn https://my-vsphere.local -u [email protected] --tenant vsphere.local --admin-group Administrators --admin-group-domain vsphere.local
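The first example above writes the password with echo, which records it in the shell history and creates the file with the default umask. The following added example, not part of the VMware documentation, prepares the --password-file the way a practitioner would: root-only permissions, the secret read from a terminal with echo off or from a pipe, and the file removed after vracli has consumed it. The hostname and user name in register_vra_provider are placeholders, and the VCO_DATA variable exists only so the functions can be exercised in a scratch directory outside the appliance:

```shell
#!/bin/sh
# Added example; not part of the VMware documentation. Handles the
# --password-file used by "vracli vro authentication set" so that the
# administrator password is never typed on a command line (and so into shell
# history) and never sits in a file other users on the appliance can read.
# VCO_DATA defaults to the appliance path; it is overridable only so the
# functions can be exercised in a scratch directory outside the appliance.
VCO_DATA=${VCO_DATA:-/data/vco}

# Create an empty, root-only file under the directory the CLI requires and
# print the path in the form the parameter expects (without the /data/vco prefix).
make_password_file() {
  dir="$VCO_DATA/usr/lib/vco"
  f="$dir/$1"
  mkdir -p "$dir" || return 1
  ( umask 077 && : > "$f" && chmod 600 "$f" ) || return 1
  printf '%s\n' "${f#"$VCO_DATA"}"
}

# Fill the file from stdin. With a terminal, echo is switched off while the
# password is read; with a pipe (for example a secret-manager CLI) it is read
# as-is. Argument: the path printed by make_password_file.
store_password() {
  f="$VCO_DATA$1"
  [ -f "$f" ] || return 1
  if [ -t 0 ]; then
    stty -echo; IFS= read -r secret; stty echo; echo
  else
    IFS= read -r secret
  fi
  printf '%s' "$secret" > "$f"
  unset secret
}

# Permission string of the file, for a pre-flight check ("-rw-------" expected).
password_file_mode() {
  ls -ld "$VCO_DATA$1" | cut -c1-10
}

# The documented command, with the file passed by its CLI-relative path.
# Hostname and user name are placeholders to replace with your own values.
register_vra_provider() {
  vracli vro authentication set -p vra -hn "https://my-aria-automation.local" \
    -u "admin@my-domain.local" --password-file "$1"
}

# Remove the file once the provider is registered; the secret is no longer needed.
cleanup_password_file() {
  rm -f "$VCO_DATA$1"
}
```

Typical use on the appliance: `p=$(make_password_file auth.pw); store_password "$p"; [ "$(password_file_mode "$p")" = "-rw-------" ] && register_vra_provider "$p"; cleanup_password_file "$p"`. Remember to run /opt/scripts/deploy.sh afterwards, as the section above requires.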

Unregister an authentication provider

You can unregister the current authentication provider by running the vracli vro
authentication unregister command. This command can have the following parameters:

Parameter   Importance   Description

-u or --username   Required   The username of the administrator associated with the
authentication provider.

--password-file   Optional   The path to a file containing the password of the administrator
account for the authentication provider. If left empty, you receive a prompt for adding the
password data. The password file must be stored inside the /data/vco/usr/lib/vco directory
of the appliance. When including the parameter in the command, exclude the /data/vco part
of the filepath.


CLI command logs

Automation Orchestrator CLI commands print their logs in the /services-logs/prelude/
vco-app/file-logs/vco-server-app_cfg-cli.log file. When a command returns a non-zero exit
code and the standard output does not show a specific error, the exception is visible in
this file.

Additional configuration options

Aside from configuring the authentication provider of your Automation Orchestrator deployment,
you can use CLI commands for:

n License configuration

n System properties configuration

n Extension configuration

n Troubleshooting

n Retrieving system information

n Logging configuration

For more information on these additional configuration options, go to Additional command line
interface configuration options.

Additional command line interface configuration options

Aside from configuring your authentication provider, you can also use command line interface
commands to configure other Automation Orchestrator options. To use these commands, you
must log in to the Automation Orchestrator Appliance as a root user.

Aside from configuring the authentication provider of your Automation Orchestrator deployment,
you can use command line interface (CLI) commands for:

n License configuration

n System properties configuration

n Extension configuration

n Troubleshooting

n Retrieving system information

n Logging configuration

For information on configuring the authentication provider with CLI commands, go to Configuring
the Automation Orchestrator Appliance authentication provider with the command line interface.


License configuration
You can retrieve the current Automation Orchestrator license configuration by running the
following command:

vracli vro license

You can set a new license key by running the following command:

vracli vro license set <license_key>

You can reset the current license to the default license of the authentication provider by running
the following command:

vracli vro license default

System property configuration

You can retrieve a list of all configured Automation Orchestrator system properties, as a JSON
file, by running the following command:

vracli vro properties

You can set a system property by running the following command:

vracli vro properties set

This command has the following parameters:

Parameter   Importance   Description

-k or --key   Required   The name of the system property you want to set.

-v or --value   Required   The value of the system property.

-n or --noRestart   Optional   Skips the restart of the Automation Orchestrator service that
setting a system property otherwise triggers. By default, setting any new system property
restarts the service.

The following is an example of this system property command:

vracli vro properties set -k com.vmware.o11n.property -v true


You can remove existing system properties by running the following command:

vracli vro properties remove -k <key_value>

Note The -k or --key property must include the name of the system property you want to
remove.

You can retrieve the name, value, and description of the most commonly used system properties
by running the following command:

vracli vro properties advanced

Extension configuration
You can retrieve a list of all configured Automation Orchestrator extensions by running the
following command:

vracli vro extensions

You can activate an extension by running the following command:

vracli vro extensions <extension_name> activate

You can deactivate an extension by running the following command:

vracli vro extensions <extension_name> deactivate

You can list all the configuration properties of a specific extension by running the following
command:

vracli vro extensions <extension_name> list

You can set an extension property by running the following command:

vracli vro extensions <extension_name> set

This command has the following parameters:

Parameter   Importance   Description

-k or --key   Required   The ID of the extension property.

-v or --value   Required   The value of the extension property.


For example, the workflow of activating an extension, listing all its properties, and setting one
of its properties could look similar to this:

vracli vro extensions tokenreplay activate

vracli vro extensions tokenreplay list

vracli vro extensions tokenreplay set -k recordScripting -v true

Troubleshooting
You can cancel all active workflow runs by running the following command:

vracli vro cancel executions

You can cancel a specific workflow run by adding its ID to the following command:

vracli vro cancel workflow <workflow_id>

You can suspend all active scheduled tasks by running the following command:

vracli vro cancel tasks

You can retrieve a list of all trusted certificates by running the following command:

vracli vro keystore list

System information
You can retrieve the current system information of your Automation Orchestrator deployment by
running the following command:

vracli vro info

Note You can add the optional -d or --details parameter to the system information command
to also query the health status API of the Automation Orchestrator server.

Logging configuration
You can retrieve the current Automation Orchestrator logging configuration by running the
following command:

vracli vro logs

You can configure the Automation Orchestrator logging server by running the following
command:

vracli vro logs configure


The logging server command can have the following parameters:

Parameter   Importance   Description

-l or --level   Optional   The server logging level.

-sc or --scripting-count   Optional   The number of saved scripting log rotations.

-sl or --scripting-level   Optional   The scripting log level.

-ss or --scripting-size   Optional   The scripting log size in megabytes (MB).

Note The valid level values are ALL, TRACE, DEBUG, INFO, WARN, ERROR, FATAL and OFF.

CLI command logs

Automation Orchestrator CLI commands print their logs in the /services-logs/prelude/
vco-app/file-logs/vco-server-app_cfg-cli.log file. When a command returns a non-zero exit
code and the standard output does not show a specific error, the exception is visible in
this file.

Chapter 7 Using the Automation Orchestrator API Services
In addition to configuring Automation Orchestrator by using Control Center, you can modify
the Automation Orchestrator server configuration settings by using the Automation Orchestrator
REST API, the Control Center REST API, or the command-line utility, stored in the appliance.

The Configuration plug-in is included in the Automation Orchestrator package, by default.

You can access the Configuration plug-in workflows from either the Automation Orchestrator
workflow library or the Automation Orchestrator REST API. With these workflows, you can
change the trusted certificate and keystore settings of the Automation Orchestrator server. For
information on all available Automation Orchestrator REST API service calls, see the Automation
Orchestrator Server API documentation, located at https://your_orchestrator_FQDN/vco/api/
docs.

n Managing TLS Certificates and Keystores by Using the REST API

In addition to managing TLS certificates by using Control Center, you can also manage
trusted certificates and keystores when you run workflows from the Configuration plug-in or
by using the REST API.

Managing TLS Certificates and Keystores by Using the REST API

In addition to managing TLS certificates by using Control Center, you can also manage trusted
certificates and keystores when you run workflows from the Configuration plug-in or by using the
REST API.

The Configuration plug-in contains workflows for importing and deleting TLS certificates and
keystores. You can access these workflows by navigating to Library > Workflows > SSL Trust
Manager and Library > Workflows > Keystores in the Automation Orchestrator Client. You can
also run these workflows by using the Automation Orchestrator REST API.

The Control Center REST API provides access to resources for configuring the Automation
Orchestrator server. You can use the Control Center REST API with third-party systems to
automate the Automation Orchestrator configuration. The root endpoint of the Control Center
REST API is https://your_orchestrator_FQDN/vco-controlcenter/api; the Orchestrator server
REST API used by the procedures below is rooted at https://your_orchestrator_FQDN/vco/api.
For information on all available service calls that you can make to the Control Center REST API,
see the Automation Orchestrator Control Center API documentation, at
https://your_orchestrator_FQDN/vco-controlcenter/docs.


Delete a TLS Certificate by Using the REST API

You can delete a TLS certificate by running the Delete trusted certificate workflow of the
Configuration plug-in or by using the REST API.

Procedure

1 Make a GET request at the URL of the Workflow service of the Delete trusted certificate
workflow. URL-encode the spaces in the workflow name when you send the request.

GET https://{orchestrator_host}:{port}/vco/api/workflows?conditions=name=Delete trusted certificate

2 Retrieve the definition of the Delete trusted certificate workflow by making a GET request at
the URL of the definition, using the workflow ID returned in step 1.

GET https://{orchestrator_host}:{port}/vco/api/workflows/8a70a326-ffd7-4fef-97e0-2002ac49f5bd

3 Make a POST request at the URL that holds the execution objects of the Delete trusted
certificate workflow.

POST https://{orchestrator_host}:{port}/vco/api/workflows/8a70a326-ffd7-4fef-97e0-2002ac49f5bd/executions/

4 Provide the name of the certificate you want to delete as an input parameter of the Delete
trusted certificate workflow in an execution-context element in the request body.

Import TLS Certificates by Using the REST API

You can import TLS certificates by running a workflow from the Configuration plug-in or by using
the REST API.

You can import a trusted certificate from a file or a URL. See Import a Trusted Certificate with the
Control Center.

Procedure

1 Make a GET request at the URL of the Workflow service.

Option   Description

Import trusted certificate from a file   Imports a trusted certificate from a file.

Import trusted certificate from URL   Imports a trusted certificate from a URL address.

Import trusted certificate from URL using proxy server   Imports a trusted certificate from a URL
address by using a proxy server.

Import trusted certificate from URL with certificate alias   Imports a trusted certificate with a
certificate alias, from a URL address.


To import a trusted certificate from a file, make the following GET request:

GET https://{orchestrator_host}:{port}/vco/api/workflows?conditions=name=Import trusted certificate from a file

2 Retrieve the definition of the workflow by making a GET request at the URL of the definition,
using the workflow ID returned in step 1.

To retrieve the definition of the Import trusted certificate from a file workflow, make the
following GET request:

GET https://{orchestrator_host}:{port}/vco/api/workflows/93a7bb21-0255-4750-9293-2437abe9d2e5

3 Make a POST request at the URL that holds the execution objects of the workflow.

For the Import trusted certificate from a file workflow, make the following POST request:

POST https://{orchestrator_host}:{port}/vco/api/workflows/93a7bb21-0255-4750-9293-2437abe9d2e5/executions

4 Provide values for the input parameters of the workflow in an execution-context element of
the request body.

Parameter   Description

cer   The CER file from which you want to import the TLS certificate. This parameter is
applicable for the Import trusted certificate from a file workflow.

url   The URL from which you want to import the TLS certificate. For non-HTTPS services, the
supported format is IP_address_or_DNS_name:port. This parameter is applicable for the Import
trusted certificate from URL workflow.

Note Importing from a URL trusts whichever certificate the network returned for that address at
that moment. Compare its fingerprint with a value obtained out of band before you run the
workflow.

Create a Keystore by Using the REST API

You can create a keystore by running the Create a keystore workflow of the Configuration
plug-in or by using the REST API.

Procedure

1 Make a GET request at the URL of the Workflow service of the Create a keystore workflow.

GET https://{orchestrator_host}:{port}/vco/api/workflows?conditions=name=Create a keystore

2 Retrieve the definition of the Create a keystore workflow by making a GET request at the URL
of the definition.

GET https://{orchestrator_host}:{port}/vco/api/workflows/6c301bff-e8fe-4ae0-ad08-5318178594b3/


3 Make a POST request at the URL that holds the execution objects of the Create a keystore
workflow.

POST https://{orchestrator_host}:{port}/vco/api/workflows/6c301bff-e8fe-4ae0-ad08-5318178594b3/executions/

4 Provide the name of the keystore you want to create as an input parameter of the Create a
keystore workflow in an execution-context element in the request body.

Delete a Keystore by Using the REST API

You can delete a keystore by running the Delete a keystore workflow of the Configuration
plug-in or by using the REST API.

Procedure

1 Make a GET request at the URL of the Workflow service of the Delete a keystore workflow.

GET https://{orchestrator_host}:{port}/vco/api/workflows?conditions=name=Delete a keystore

2 Retrieve the definition of the Delete a keystore workflow by making a GET request at the URL
of the definition.

GET https://{orchestrator_host}:{port}/vco/api/workflows/7a3389eb-1fab-4d77-860b-81b66bb45b86/

3 Make a POST request at the URL that holds the execution objects of the Delete a keystore
workflow.

POST https://{orchestrator_host}:{port}/vco/api/workflows/7a3389eb-1fab-4d77-860b-81b66bb45b86/executions/

4 Provide the keystore you want to delete as an input parameter of the Delete a keystore
workflow in an execution-context element in the request body.

Add a Key by Using the REST API

You can add a key by running the Add key workflow of the Configuration plug-in or by using the
REST API.

Procedure

1 Make a GET request at the URL of the Workflow service of the Add key workflow.

GET https://{orchestrator_host}:{port}/vco/api/workflows?conditions=name=Add key

2 Retrieve the definition of the Add key workflow by making a GET request at the URL of the
definition, using the workflow ID returned in step 1.

GET https://{orchestrator_host}:{port}/vco/api/workflows/6c301bff-e8fe-4ae0-ad08-5318178594b3/


3 Make a POST request at the URL that holds the execution objects of the Add key workflow.

POST https://{orchestrator_host}:{port}/vco/api/workflows/6c301bff-e8fe-4ae0-ad08-5318178594b3/executions/

4 Provide the keystore, key alias, PEM-encoded key, certificate chain and key password as
input parameters of the Add key workflow in an execution-context element in the request
body.
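The procedures above end at "provide the input parameters in an execution-context element in the request body" without showing that element. The following added example, not part of the VMware documentation, builds the element in its JSON form and submits it with curl, using the workflow IDs shown in the procedures. The parameter names alias and keystore are assumptions: take the real names from the input-parameters element of the definition fetched in step 2. VRO_HOST, VRO_TOKEN and CA_BUNDLE are environment variables introduced for the example:

```shell
#!/bin/sh
# Added example; not part of the VMware documentation. Builds the JSON form
# of the execution-context body used in step 4 of the REST API procedures and
# submits it with curl. The JSON layout is the one the Automation Orchestrator
# REST API accepts with "Content-Type: application/json". The workflow IDs in
# the usage comments are the ones shown in the procedures; the parameter names
# "alias" and "keystore" are assumptions: read the real names from the
# "input-parameters" element of the workflow definition fetched in step 2.

# Escape a value for use inside a JSON string literal.
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# One string-typed parameter in execution-context form.
json_string_param() {
  printf '{"name":"%s","type":"string","value":{"string":{"value":"%s"}}}' \
    "$(json_escape "$1")" "$(json_escape "$2")"
}

# Whole request body from name=value arguments, in the order given.
execution_context() {
  body='{"parameters":['
  sep=''
  for kv in "$@"; do
    body="$body$sep$(json_string_param "${kv%%=*}" "${kv#*=}")"
    sep=','
  done
  printf '%s]}' "$body"
}

# Submit an execution (steps 3 and 4). Needs VRO_HOST and, in VRO_TOKEN, a
# bearer token from the authentication provider (with vSphere authentication
# replace the header by curl's --user option). The server certificate is
# verified against CA_BUNDLE instead of being bypassed with --insecure. On
# success the API answers 202 with a Location header naming the new
# execution, which is printed.
run_workflow() {
  wf_id=$1; shift
  curl --silent --show-error --fail \
    --cacert "${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}" \
    -H "Authorization: Bearer $VRO_TOKEN" \
    -H 'Content-Type: application/json' -H 'Accept: application/json' \
    --data "$(execution_context "$@")" \
    -D - -o /dev/null "https://$VRO_HOST/vco/api/workflows/$wf_id/executions" \
    | awk 'tolower($1) == "location:" { sub(/\r$/, "", $2); print $2 }'
}

# Usage, once VRO_HOST and VRO_TOKEN are exported (not run here):
#   run_workflow 8a70a326-ffd7-4fef-97e0-2002ac49f5bd alias=old-proxy-ca
#   run_workflow 6c301bff-e8fe-4ae0-ad08-5318178594b3 keystore=my-keystore
```

Poll the printed execution URL with a GET request to read the run's state and output parameters; a 202 only means the run was accepted, not that the certificate or keystore change has taken effect.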

Chapter 8 Additional Configuration Options
You can use the Control Center to change the default Automation Orchestrator behavior.

Read the following topics next:

n Reconfiguring Authentication

n Configuring the Workflow Run Properties

n Automation Orchestrator Log Files

n Enabling the Opentracing extension

n Enable Time Synchronization for Automation Orchestrator

n Deactivate Time Synchronization for Automation Orchestrator

n Configure Automation Orchestrator Kubernetes CIDR

n Update the DNS Settings for Automation Orchestrator

n Back Up and Restore Automation Orchestrator

Reconfiguring Authentication
After you set up the authentication method during the initial configuration of Control Center, you
can change the authentication provider or the configured parameters at any time.

Change the Authentication Provider

To change the authentication mode or the authentication provider connection settings, you must
first unregister the existing authentication provider.

Procedure

1 Log in to Control Center as root.

2 On the Configure Authentication Provider page, click the UNREGISTER button next to the
host address text box to unregister the authentication provider that is in use.

Results

You have successfully unregistered the authentication provider.


What to do next

Reconfigure the authentication in Control Center. See Configuring a Standalone Automation
Orchestrator Server.

Change the Authentication Parameters

When you use vSphere as an authentication provider in Control Center, you can change the
default tenant of the Automation Orchestrator administrators group.

Prerequisites

Configure vSphere as the authentication provider for your Automation Orchestrator deployment.
See Configure a standalone Automation Orchestrator server with vSphere authentication.

Note The VMware Aria Automation authentication does not include these parameters.

Procedure

1 Log in to the Control Center as root.

2 Select Configure Authentication Provider.

3 Click the CHANGE button next to the Default tenant text box.

4 Replace the name of the tenant.

5 Click the CHANGE button next to the Admin group text box.

Note If you do not reconfigure the administrators group, it remains empty and you are no
longer able to access Control Center.

6 Enter the name of an administrator group and click SEARCH.

7 Select an administrator group.

8 Change the administrators group.

9 To finish editing the authentication parameters, click SAVE CHANGES.

Configuring the Workflow Run Properties

By default, you can run up to 300 workflows per node, and up to 10,000 workflows can be
queued if the number of actively running workflows is reached.

When the Automation Orchestrator node has to run more than 300 concurrent workflows, the
pending workflow runs are queued. When an active workflow run completes, the next workflow
in the queue starts to run. If the maximum number of queued workflows is reached, the next
workflow runs fail until one of the pending workflows starts to run.

You can modify these workflow run characteristics by configuring the workflow run properties.


Enable safe mode
    If safe mode is enabled, all running workflows are canceled and are not resumed on the next Automation Orchestrator node start.

Number of concurrent running workflows
    The number of workflows that run simultaneously.

Maximum amount of running workflows in the queue
    The number of workflow run requests that the Automation Orchestrator server accepts before becoming unavailable.

Maximum number of preserved runs per workflow
    The maximum number of finished workflow runs that are kept as history per workflow. If the number is exceeded, the oldest workflow runs are deleted.

Log events expiration days
    The number of days that log events are kept in the database before they are purged.

To configure a workflow run property, log in to the Control Center, navigate to the System
Properties page, and add the corresponding property and value.

Enable safe mode
    System property: ch.dunes.safe-mode
    Default value: false

Number of concurrent running workflows
    System property: com.vmware.vco.workflow-engine.executors-count
    Default value: 300

Maximum amount of running workflows in the queue
    System property: com.vmware.vco.workflow-engine.executors-max-queue-size
    Default value: 10000

Maximum number of preserved runs per workflow
    System property: ch.dunes.task.max-workflow-tokens
    Default value: 100

Log events expiration days
    System property: com.vmware.o11n.log-events-expiration-days
    Default value: 15

Automation Orchestrator Log Files

VMware Technical Support routinely requests diagnostic information when you submit a support
request. This diagnostic information contains product-specific logs and configuration files from
the host on which the product runs.

Automation Orchestrator Appliance logs are stored in the /data/vco/usr/lib/vco/app-server/logs/
directory. You export the logs of your Automation Orchestrator Appliance deployment by logging
in to the appliance command line and running the vracli log-bundle command. The generated
log bundle is saved in the root folder of your Automation Orchestrator Appliance.

Logging Persistence
You can log information in any kind of Automation Orchestrator script, for example workflow,
policy, or action. This information has types and levels. The type can be either persistent or
non-persistent. The level can be DEBUG, INFO, WARN, ERROR, TRACE, and FATAL.


Table 8-1. Creating Persistent and Non-Persistent Logs

DEBUG
    Persistent type: Server.debug("short text", "long text");
    Non-persistent type: System.debug("text");

INFO
    Persistent type: Server.log("short text", "long text");
    Non-persistent type: System.log("text");

WARN
    Persistent type: Server.warn("short text", "long text");
    Non-persistent type: System.warn("text");

ERROR
    Persistent type: Server.error("short text", "long text");
    Non-persistent type: System.error("text");

Persistent Logs
Persistent logs (server logs) track past workflow run logs and are stored in the Automation
Orchestrator database.

Non-Persistent Logs
When you use a non-persistent log (system log) to create scripts, the Automation Orchestrator
server notifies all running Automation Orchestrator applications about this log, but this
information is not stored in the database. When the application is restarted, the log information
is lost. Non-persistent logs are used for debugging purposes and for live information. To view
system logs, you must select a completed workflow run in the Automation Orchestrator Client
and select the Logs tab.
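The persistent and non-persistent log calls described above, as an added example that is not part of the VMware documentation: a helper for Orchestrator scripting that redacts secret-looking workflow inputs before they are written to the persistent server log, because Server.* messages are kept in the Orchestrator database and remain visible in the run history after a restart. It assumes the Orchestrator scripting globals Server and System exist when it runs inside a workflow or action; outside Orchestrator (for example under Node.js) they are absent and the helper only returns the formatted text. The function names and the sample inputs are this example's own.

```javascript
// Added example (not from the VMware documentation): redact sensitive workflow
// inputs before they reach the persistent (database-backed) server log.
//
// Assumption: the Orchestrator scripting globals Server and System exist inside
// a workflow or action. Outside Orchestrator they are undefined and the helper
// only returns the formatted message.

// Parameter names whose values must never appear in a persisted log line.
var SENSITIVE_KEY_PATTERN = /(password|passwd|secret|token|apikey|api_key|credential)/i;

// Return a shallow copy of params with sensitive values replaced by "***".
function redactParams(params) {
  var out = {};
  for (var key in params) {
    if (!Object.prototype.hasOwnProperty.call(params, key)) continue;
    out[key] = SENSITIVE_KEY_PATTERN.test(key) ? "***" : params[key];
  }
  return out;
}

// Build the "short text" / "long text" pair that Server.log/warn/error take.
// The short text is the one-line summary; the long text carries the redacted
// input dump as JSON.
function formatRunMessage(workflowName, params) {
  var shortText = "Workflow '" + workflowName + "' started";
  var longText = "inputs=" + JSON.stringify(redactParams(params));
  return { shortText: shortText, longText: longText };
}

// Write the message persistently at the requested level (INFO by default) and
// echo a non-persistent copy for live debugging. Returns the formatted message
// so the caller can inspect what was logged.
function logWorkflowStart(workflowName, params, level) {
  var msg = formatRunMessage(workflowName, params);
  var persistent = (typeof Server !== "undefined") ? Server : null;   // Orchestrator global (assumed)
  var live = (typeof System !== "undefined") ? System : null;         // Orchestrator global (assumed)
  level = level || "INFO";
  if (persistent) {
    if (level === "ERROR") persistent.error(msg.shortText, msg.longText);
    else if (level === "WARN") persistent.warn(msg.shortText, msg.longText);
    else if (level === "DEBUG") persistent.debug(msg.shortText, msg.longText);
    else persistent.log(msg.shortText, msg.longText);
  }
  if (live) live.log(msg.shortText + " " + msg.longText);
  return msg;
}
```

Call logWorkflowStart(workflow.name, inputs) at the start of a scriptable task. Only the Server.* copy survives a server restart, so anything you need for later audit must go through those methods, and anything that must not be stored in the database must be redacted before it does.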

Automation Orchestrator Logs Configuration


You can set the level of server log and the scripting log that you require. If either of the logs is
generated multiple times a day, it becomes difficult to determine what causes problems.

To configure the Automation Orchestrator Appliance logs, log in to the Automation Orchestrator
Client and navigate to System Settings > Log Configuration.

The default log level of the server log and the scripting log is INFO. Changing the log level affects
all new messages that the server enters in the logs and the number of active connections to the
database. The logging verbosity decreases in descending order.

Caution Only set the log level to DEBUG or ALL to debug a problem. Do not use these settings in
a production environment because it can seriously impair performance.

Generate Automation Orchestrator Logs


You can export the logs of your deployment by logging in to the Automation Orchestrator
Appliance command line as root and running the vracli log-bundle command. The generated
log bundle is stored in the root folder of the appliance.

Note When you have more than one Automation Orchestrator instance in a cluster, the log-
bundle includes the logs from all Automation Orchestrator instances in the cluster.


Configure Logging Integration with Operations for Logs


You can configure Automation Orchestrator to send your logging information to an Operations for
Logs server.

You can configure a logging integration to an Operations for Logs server through the Automation
Orchestrator Appliance command line.

Note For information on configuring a logging integration with a remote syslog server, see
Create or overwrite a syslog integration in Automation Orchestrator.

Prerequisites

- Configure your Operations for Logs server. See Operations for Logs Documentation.

- Verify that your Operations for Logs version is 4.7.1 or later.

Procedure

1 Log in to the Automation Orchestrator Appliance command line as root.

2 To configure the logging integration with Operations for Logs, run the vracli vrli set
vRLI_FQDN command.

Note If your Automation Orchestrator instance uses a self-signed certificate, you can
deactivate the SSL authentication by including the optional -k or --insecure argument.

What to do next

For more information on Operations for Logs configuration options, run the vracli vrli -h
command.

Create or overwrite a syslog integration in Automation Orchestrator


You can configure Automation Orchestrator to send your logging information to one remote
syslog server.

The vracli remote-syslog set command is used to create a syslog integration or overwrite
existing integrations.

The Automation Orchestrator remote syslog integration supports three connection types:

- Over UDP.

- Over TCP without TLS.

Note To create a syslog integration without using TLS, add the --disable-ssl flag to the
vracli remote-syslog set command.

- Over TCP with TLS.

For information on configuring a logging integration with Operations for Logs, go to Configure
Logging Integration with Operations for Logs.


Prerequisites

Configure a remote syslog server.

Procedure

1 Log in to the Automation Orchestrator Appliance command line as root.

2 To create an integration to a syslog server, run the vracli remote-syslog set command.

vracli remote-syslog set -id name_of_integration protocol_type://syslog_URL_or_FQDN:syslog_port

Note If you do not enter a port in the vracli remote-syslog set command, the port
value defaults to 514.

Note You can add a certificate to the syslog configuration. To add a certificate file, use the
--ca-file flag. To add a certificate as plaintext, use the --ca-cert flag.

3 (Optional) To overwrite an existing syslog integration, run the vracli remote-syslog set
and set the -id flag value to the name of the integration you want to overwrite.

Note By default, the Automation Orchestrator Appliance requests that you confirm that you
want to overwrite the syslog integration. To skip the confirmation request, add the -f or
--force flag to the vracli remote-syslog set command.

What to do next

To review the current syslog integrations in the appliance, run the vracli remote-syslog
command.

Delete a Syslog Integration in Automation Orchestrator


You can delete syslog integrations from your Automation Orchestrator Appliance by running the
vracli remote-syslog unset command.

Prerequisites

Create one or more syslog integrations in the Automation Orchestrator Appliance. See Create or
overwrite a syslog integration in Automation Orchestrator.

Procedure

1 Log in to the Automation Orchestrator Appliance command line as root.


2 Delete syslog integrations from the Automation Orchestrator Appliance.

a To delete a specific syslog integration, run the vracli remote-syslog unset -id
Integration_name command.
b To delete all syslog integrations on the Automation Orchestrator Appliance, run the
vracli remote-syslog unset command without the -id flag.

Note By default, the Automation Orchestrator Appliance requests that you confirm that
you want to delete all syslog integrations. To skip the confirmation request, add the -f or
--force flag to the vracli remote-syslog unset command.

Enable Kerberos Debug Logging


You can troubleshoot Automation Orchestrator plug-in problems by modifying the Kerberos
configuration file used by the plug-in.

The Kerberos configuration file is located in the /data/vco/usr/lib/vco/app-server/conf/
directory of the Automation Orchestrator Appliance.

Procedure

1 Log in to the Automation Orchestrator Appliance command line as root.

2 Run the kubectl -n prelude edit deployment vco-app command.

3 In the deployment file, locate the -Djava.security.krb5.conf=/usr/lib/vco/app-server/conf/krb5.conf
string and add the Kerberos debug property after it.

-Djava.security.krb5.conf=/usr/lib/vco/app-server/conf/krb5.conf
-Dsun.security.krb5.debug=true

4 Save the changes and exit the file editor.

5 Run the kubectl -n prelude get pods command.

Wait until all pods are running.

6 To monitor the Kerberos login, run the following command.

tail -f /services-logs/prelude/vco-app/console-logs/vco-server-app.log

7 Alternatively, you can enable debug logging in the Automation Orchestrator configurator by
adding the sun.security.krb5.debug = true system property.

Enabling the Opentracing extension


The Opentracing extension for Automation Orchestrator provides tools for gathering data about
your Automation Orchestrator environment. You can use this data for troubleshooting the
Automation Orchestrator system and workflows.


Before you can configure Automation Orchestrator to use the Opentracing extension, you must
enable it in the Automation Orchestrator Appliance.

Note Starting with Automation Orchestrator 8.8.2, the Opentracing extension for Automation
Orchestrator is deprecated and will be removed from the product in a future release.

Prerequisites

- Verify that the Automation Orchestrator Appliance SSH service is enabled. See Activate or
Deactivate SSH Access to the Automation Orchestrator Appliance.

- If you have enabled previous versions of the Opentracing extension, you must remove it
before enabling the current version. For example, if you have previously enabled version 8.1.0
of the Opentracing extension, you must run the
rm /data/vco/usr/lib/vco/app-server/extensions/opentracing-8.1.0.jar command.

Procedure

1 Log in to the Automation Orchestrator Appliance over SSH as root.

2 To list all available extensions, run the ls /data/vco/usr/lib/vco/app-server/extensions/
command.

3 Run the following command to enable the Opentracing extension:

mv /data/vco/usr/lib/vco/app-server/extensions/opentracing-8.17.0.jar.inactive /data/vco/usr/lib/vco/app-server/extensions/opentracing-8.17.0.jar

4 Log in to the Control Center and confirm that the extension appears in the Extension
Properties page.

What to do next

Configure the Opentracing integration with Automation Orchestrator in the Extension Properties
page. See Configure the Opentracing Extension.

Configure the Opentracing Extension


The Opentracing extension sends data about workflow runs to a Jaeger server. Data includes the
workflow status, input and output parameters, the user that initiated the workflow run, and the
workflow ID data.

Starting with Automation Orchestrator 8.8.2, the Opentracing extension for Automation
Orchestrator is deprecated and will be removed from the product in a future release.

Prerequisites

- Verify that Opentracing is enabled in the Automation Orchestrator Appliance. See
Enabling the Opentracing extension.

- Deploy a Jaeger server for use in the Opentracing extension. For more information, see the
Getting Started with Jaeger documentation.


Procedure

1 Log in to the Control Center as root.

2 Select the Extension Properties page.

3 Select the Opentracing extension.

4 Enter the Jaeger server host address and port.

Note Insert two forward slashes ("//") before entering the server address.

5 Click Save.

Results

You have configured the Opentracing extension for Automation Orchestrator.

What to do next

- To access the Jaeger UI containing the data collected by the Opentracing extension, visit the
host address entered during configuration.

- Under the Service option, select Workflows.

- To specify what data to view, use the Tags option. For example, to view data about failed
workflows, enter status=failed.

Configure the Wavefront Extension


Use the Wavefront extension to gather metric data about your Automation Orchestrator system
and workflows.

Procedure

1 Log in to the Automation Orchestrator Appliance command line as root.

2 To configure a direct connection to your Wavefront instance, run the vracli wavefront
command.

vracli wavefront internal --url ${WAVEFRONT_URL} --token ${API_TOKEN}

Alternatively, you can configure a proxy connection by running the following command:

vracli wavefront proxy --hostname ${PROXY_FQDN}

3 To finish configuring the Wavefront extension, run the /opt/scripts/deploy.sh command.

Results

You have configured the Wavefront extension for Automation Orchestrator.


What to do next

- To access the metrics collected by Wavefront, access the dashboard on the address entered
during configuration.

- To get notifications about specific events in your Automation Orchestrator environment, you
can use Wavefront Alerts. For more information, see the Wavefront Alerts documentation.

Enable Time Synchronization for Automation Orchestrator


You can enable time synchronization on your Automation Orchestrator deployment with the
Automation Orchestrator Appliance command line.

You can configure time synchronization for your standalone or clustered Automation
Orchestrator deployment by using the Network Time Protocol (NTP) communication protocol.
Automation Orchestrator supports two, mutually exclusive, NTP configurations:

ESXi
    This configuration can be used when the ESXi server hosting the Automation Orchestrator
    Appliance is synchronized with an NTP server. If you are using a clustered deployment, all
    ESXi hosts must be synchronized with an NTP server. For more information on configuring
    NTP for ESXi, see Configuring Network Time Protocol (NTP) on an ESXi host using the
    vSphere Web Client.

    Note If your Automation Orchestrator deployment is migrated to an ESXi host that is not
    synchronized to an NTP server, you can experience clock drift.

systemd
    This configuration uses the systemd-timesyncd daemon to synchronize the clocks of your
    Automation Orchestrator deployment.

    Note By default, the systemd-timesyncd daemon is enabled, but configured with no NTP
    servers. If the Automation Orchestrator Appliance uses a dynamic IP configuration, the
    appliance can use any NTP servers received by the DHCP protocol.

Procedure

1 Log in to the Automation Orchestrator Appliance command line as root.

2 Enable NTP with ESXi.

a Run the vracli ntp esxi command.

b (Optional) To confirm the status of the NTP configuration, run the vracli ntp status
command.


3 Enable NTP with systemd.

a Run the vracli ntp systemd --set FQDN_or_IP_of_systemd_server command.

Note You can add multiple systemd NTP servers by separating their network addresses
with a comma. Each network address must be placed inside single quotation marks. For
example, vracli ntp systemd --set 'ntp_address_1','ntp_address_2'

b (Optional) To confirm the status of the NTP configuration, run the vracli ntp status
command.

Results

You have enabled time synchronization for your Automation Orchestrator deployment.

What to do next

The NTP configuration can fail if there is a time difference of above 10 minutes between the
NTP server and the Automation Orchestrator deployment. To resolve this problem, reboot the
Automation Orchestrator Appliance.

Deactivate Time Synchronization for Automation Orchestrator

You can deactivate the Network Time Protocol (NTP) time synchronization on your Automation
Orchestrator deployment with the Automation Orchestrator Appliance command line.

You can also reset the NTP configuration of your Automation Orchestrator Appliance to the
default state by running the vracli ntp reset command.

Prerequisites

Verify that you have configured time synchronization with ESXi or systemd. See Enable Time
Synchronization for Automation Orchestrator.

Procedure

1 Log in to the Automation Orchestrator Appliance command line as root.

2 To deactivate time synchronization with ESXi or systemd, run the vracli ntp disable
command.

3 (Optional) To confirm the status of the NTP configuration, run the vracli ntp status
command.

Configure Automation Orchestrator Kubernetes CIDR


You can change the Kubernetes Classless Inter-domain Routing (CIDR) subnet masks after
deployment.


The Automation Orchestrator Appliance configures and runs a Kubernetes cluster. The pods and
services in this cluster are deployed in separate IPv4 subnets, represented by the internal cluster
CIDR and internal service CIDR, respectively. The default values of the subnet masks set during
OVF deployment are the following:

cluster-cidr
    Default value: 10.244.0.0/22
    Property description: The CIDR used for pods running inside the Kubernetes cluster.

service-cidr
    Default value: 10.244.4.0/22
    Property description: The CIDR used for Kubernetes services inside the Kubernetes cluster.

The default CIDR network addresses can create a conflict with outside private networks that you
might be using. In such scenarios, you can change the configuration of these CIDR values either
during or after deploying your Automation Orchestrator Appliance.

Note For information on changing the CIDR configuration during appliance deployment, see
Download and Deploy the Automation Orchestrator Appliance.

Prerequisites

- Verify that the CIDR address values support at least 1024 hosts.

- The internal cluster CIDR and internal service CIDR must not share the same subnet value.

- The CIDR value for one of the subnets cannot include the value you want to add to the other
subnet.

Note For example, the cluster-cidr value cannot be 10.244.4.0/22 or 10.244.4.0/24,
because this would also include the subnet value for the service-cidr property. Each subnet
value must be added separately.

Procedure

1 Log in to the Automation Orchestrator Appliance as root.

2 Run the vracli upgrade exec -y --prepare --profile k8s-subnets command.

3 Back up your Automation Orchestrator deployment by taking a virtual machine (VM)
snapshot. See Take a Snapshot of a Virtual Machine.

Caution Automation Orchestrator 8.x does not currently support memory snapshots. Before
taking the snapshot of your Automation Orchestrator deployment, verify that the Snapshot
the virtual machine’s memory option is deactivated.

4 Change the values of the cluster CIDR and service CIDR subnets by running the vracli
network k8s-subnets command.

vracli network k8s-subnets --cluster-cidr <CIDR_value> --service-cidr <CIDR_value>

5 To finish the CIDR configuration process, run the vracli upgrade exec command.


Update the DNS Settings for Automation Orchestrator


An administrator can update the DNS settings of the Automation Orchestrator deployment by
using the vracli network dns command.

Prerequisites

Verify that the Automation Orchestrator Appliance SSH service is enabled. See Activate or
Deactivate SSH Access to the Automation Orchestrator Appliance.

Procedure

1 Log in to the Automation Orchestrator Appliance command line over SSH as root.

Note For clustered deployments, log in to the appliance of any node in the cluster.

2 To set new DNS servers to your Automation Orchestrator deployment, run the vracli
network dns set command.

vracli network dns set --servers DNS1,DNS2

3 Verify that the new DNS servers are properly applied to all Automation Orchestrator nodes
by running the vracli network dns status command.

4 To stop the Automation Orchestrator services in your deployment, run the following set of
commands:

/opt/scripts/svc-stop.sh
sleep 120
/opt/scripts/deploy.sh --onlyClean

5 Restart the Automation Orchestrator nodes and wait for them to start completely.

6 Log in to the command line of each Automation Orchestrator node over SSH and verify that
the new DNS servers are listed in the /etc/resolv.conf file.

7 To start the Automation Orchestrator services, run the /opt/scripts/deploy.sh script on
one of the nodes in your deployment.

Results

The Automation Orchestrator DNS settings are changed as specified.

Back Up and Restore Automation Orchestrator


You can back up and restore your Automation Orchestrator deployment by using vSphere virtual
machine (VM) snapshots.


The following procedure is based around backing up and restoring a clustered Automation
Orchestrator deployment. For a standalone Automation Orchestrator deployment, you take a
vSphere snapshot and revert your deployment from it without the additional cluster-specific
steps outlined in this procedure.

Note For more information on using vSphere virtual machine snapshots, see Take a Snapshot of
a Virtual Machine and Revert a Virtual Machine Snapshot.

Procedure

1 Identify the primary node of your Automation Orchestrator cluster.

a Log in to the Automation Orchestrator Appliance command line of one of your nodes
over SSH as root.

b Find the node with the primary role by running the kubectl -n prelude exec
postgres-0 command.

kubectl -n prelude exec postgres-0 -- chpst -u postgres repmgr cluster show --terse --compact

c Find the FQDN address of the primary node by running the kubectl -n prelude get
pods command.

kubectl -n prelude get pods -o wide

2 Back up your Automation Orchestrator deployment.

a Log in to the vSphere Client.

b Take snapshots of your Automation Orchestrator nodes.

When backing up your nodes, you must follow a specific order. First, back up your replica
nodes and after that, back up the primary node.

Note Do not take snapshots of your Automation Orchestrator nodes with the Snapshot
the virtual machine’s memory option enabled.

3 Restore your Automation Orchestrator deployment.

a Revert your Automation Orchestrator nodes from the snapshots you created in step 2.

b Power on the Automation Orchestrator nodes.

When powering on the nodes, you must follow a specific order. First, power on your
primary node and after that, power on your replica nodes.

9 Configuration Use Cases and Troubleshooting

The configuration use cases provide task flows that you can perform to meet specific
configuration requirements of your Automation Orchestrator server and troubleshooting topics
to understand and solve a problem.

Read the following topics next:

- Verify the Automation Orchestrator server build number

- Configure the Automation Orchestrator Plug-in for the vSphere Web Client

- Cancel Running Workflows

- Enable Automation Orchestrator Server Debugging

- Resize the Automation Orchestrator Appliance Disks

- How to Scale the Heap Memory Size of the Automation Orchestrator Server

- Disaster Recovery of Automation Orchestrator by Using Site Recovery Manager

Verify the Automation Orchestrator server build number


In certain scenarios, you might be required to verify the server build number of your Automation
Orchestrator deployment.

You can verify your Automation Orchestrator server build number by navigating to
https://your_orchestrator_FQDN/vco/api/about. Your server build number is displayed in the
<ns2:build-number> tags.

Verifying your server build number can be useful in use cases such as providing additional
information to a support request (SR) that you have logged with VMware Support.

Note The Automation Orchestrator server build number is different from the build number of
your Automation Orchestrator Appliance. To verify the build number of your appliance, log in to
the Automation Orchestrator Appliance command line and run the vracli version command.
Verifying the appliance build number can help you confirm if your upgrade to the latest version
of Automation Orchestrator is successful.


Configure the Automation Orchestrator Plug-in for the vSphere Web Client

To use the Automation Orchestrator plug-in for the vSphere Web Client, you must register
Automation Orchestrator as an extension of vCenter.

After you register your Automation Orchestrator server with vCenter Single Sign-On and
configure it to work with vCenter, you must register Automation Orchestrator as an extension
of vCenter.

Prerequisites

- Verify that SSH access is enabled for the Automation Orchestrator Appliance. See Activate or
Deactivate SSH Access to the Automation Orchestrator Appliance.

- You must register Automation Orchestrator with vSphere authentication to the same Platform
Services Controller that your managed vCenter instance authenticates with.

- Copy the vco-plugin.zip to the Automation Orchestrator Appliance:

a Download the vco-plugin.zip file from the VMware Technology Network.

b Open an SSH client.

Note For Linux or MacOS environments, you can use the Terminal command-line
interface. For Windows environments, you can use the PuTTY client.

c To copy the vco-plugin.zip file, run the secure copy command.

For Linux/MacOS: scp ~/<zip_download_dir>/vco-plugin.zip root@<orchestrator_FQDN_or_IP>:/data/vco/usr/lib/vco/downloads/vco-plugin.zip

For Windows: pscp C:\<zip_download_dir>\vco-plugin.zip root@<orchestrator_FQDN_or_IP>:/data/vco/usr/lib/vco/downloads/vco-plugin.zip

Procedure

1 Log in to the Automation Orchestrator Client.

2 Navigate to Library > Workflows.

3 Search for the Register vCenter Orchestrator as a vCenter Server extension workflow, and
click Run.

4 Select the vCenter instance to register Automation Orchestrator with.

5 Enter https://your_orchestrator_FQDN or the service URL of the load balancer that redirects
the requests to the Automation Orchestrator server nodes.

6 Click Run.


Cancel Running Workflows


You can use the Automation Orchestrator Control Center to cancel workflows that do not finish
properly.

Procedure

1 Log in to Control Center as root.

2 Click Troubleshooting.

3 Cancel running workflows.

Cancel all workflow runs
    Enter a workflow ID to cancel all tokens for that workflow.

Cancel workflow runs by ID
    Enter all token IDs that you want to cancel. Separate IDs with a comma.

Cancel all running workflows
    Cancel all running workflows on the server.

Note Operations where you cancel workflows by ID might not be successful, as there is no
reliable way to cancel the run thread immediately.

Results

On the next server start, the workflows are set in a canceled state.

Enable Automation Orchestrator Server Debugging


You can start the Automation Orchestrator server in debug mode to debug issues when
developing a plug-in.

Prerequisites

Install and configure the Kubernetes command-line tool on your local machine. See Install and Set
Up kubectl.

Procedure

1 Log in to the Automation Orchestrator Appliance command line as root.

2 Run the kubectl -n prelude edit deployment vco-app command.

3 Edit the deployment YAML file by adding a debug environment variable to the vco-server-
app container. The variable must be added under the env section of the vco-server-app
container.

containers:
- command:
  ...
  env:
  - name: DEBUG_PORT
    value: "your_desired_debug_port"
  ...
  name: vco-server-app
...

Note When adding the debug environment variable to the env section, you must follow the
YAML indentation formatting as presented in the preceding example.

4 Save the changes to the deployment file.

If the edit to the deployment file is successful, you receive the
deployment.extensions/vco-app edited message.

5 Generate the Kubernetes configuration file, by running the vracli dev kubeconfig
command.

As kubeconfig is a developer environment, you are prompted to confirm that you want to
continue. Enter yes to continue or no to stop.

6 Copy the content of the generated configuration file from apiVersion: v1 up to and
including the client-key-data content.

7 Save the generated Kubernetes configuration file on your local machine.

8 Log out of the Automation Orchestrator Appliance.

9 Finish configuring the debug mode on your local machine.

a Open a command-line shell.

b Bind the KUBECONFIG environment variable to the saved configuration file.

Note This example is based on a Linux environment.

export KUBECONFIG=/file/path/fileName

c To validate that the services are running, run the kubectl cluster-info command.

d To finish configuring the debug mode, perform the following Kubernetes API request.

Note The value of the localhost_debug_port variable is the port set in your remote
debugging configuration of your Integrated Development Environment (IDE). The value of
the vro_debug_port variable is generated during step 3 of this procedure.

kubectl port-forward pod/vco_app_pod_ID localhost_debug_port:vro_debug_port

Important When configuring your debugging tool, provide the DNS and IP settings of the
local machine where you performed the port forward command.

Results

You have configured server debugging for your Automation Orchestrator Appliance.


Resize the Automation Orchestrator Appliance Disks


You can modify the disk size of the Automation Orchestrator Appliance by editing the disk size
settings of the Automation Orchestrator Appliance virtual machine in vSphere.

Prerequisites

Verify that the Automation Orchestrator Appliance SSH service is enabled. See Activate or
Deactivate SSH Access to the Automation Orchestrator Appliance.

Procedure

1 Verify the currently available disk space in the Automation Orchestrator Appliance.

Note The Automation Orchestrator Appliance disks need at least 20 percent free disk space.

a Log in to the Automation Orchestrator Appliance command line over SSH as root.

b Run the vracli disk-mgr command.

2 Resize the disk of the Automation Orchestrator Appliance virtual machine in vSphere.

a Log in to the vSphere Client as an administrator.

b Right-click on the virtual machine and select Edit Settings.

c On the Virtual Hardware tab, expand Hard disk to view and change the disk settings, and
click OK.

For more information on changing the disk size of vSphere virtual machines, see Change
the Virtual Disk Configuration in vSphere Virtual Machine Administration.

3 Trigger the automatic resize in the Photon OS.

a Log in to the Automation Orchestrator Appliance command line over SSH as root.

b Run the vracli disk-mgr resize command.

Note You can track the progress of the disk resize procedure at
/var/log/vmware/prelude/disk_resize.log.

You have resized the Automation Orchestrator Appliance disks.

4 Verify the success of the disk resize procedure by running the disk-mgr command.

vracli disk-mgr

What to do next

To troubleshoot problems with the disk resize procedure, see KB 79925.


How to Scale the Heap Memory Size of the Automation Orchestrator Server

You can scale the heap memory size of the Automation Orchestrator server by creating a custom
profile and modifying the resource metrics file.

You can adjust the heap memory size of the Automation Orchestrator server, so your
orchestration environment can manage changing workloads. For example, you can increase
the heap memory of your Automation Orchestrator deployment if you are planning to manage
multiple vCenter instances.

Prerequisites

n Scaling the heap memory of the Automation Orchestrator Appliance is only applicable
for standalone Automation Orchestrator instances and is not supported for embedded
Automation Orchestrator instances in VMware Aria Automation.

Note To modify the heap memory of an embedded Automation Orchestrator instance,
you must increase the VMware Aria Automation profile size through the VMware Aria
Suite Lifecycle. For information on supported VMware Aria Automation profiles, see System
Requirements.

n Enable SSH access to the Automation Orchestrator Appliance. See Activate or Deactivate
SSH Access to the Automation Orchestrator Appliance.

n Increase the RAM of the virtual machine on which Automation Orchestrator is deployed up
to the next suitable increment. Because it is important that enough memory is left available
for the rest of the services, the Automation Orchestrator Appliance resources must be scaled
up first. For example, if the desired heap memory is 7G, the Automation Orchestrator
Appliance RAM should be increased by 4G, because the difference between the default heap
value of 3G and the desired heap memory is 4G. For information on increasing the RAM of a
virtual machine in vSphere, see Change the Memory Configuration in vSphere Virtual Machine
Administration.

Procedure

1 Log in to the Automation Orchestrator Appliance command line over SSH as root.

2 To create the custom profile directory and the required directory tree that is used when the
profile is active, run the following script:

vracli cluster exec -- bash -c 'base64 -d <<< IyBDcmVhdGUgY3VzdG9tIHByb2ZpbGUgZGlyZWN0b3J5Cm1rZGlyIC1wIC9ldGMvdm13YXJlLXByZWx1ZGUvcHJvZmlsZXMvY3VzdG9tLXByb2ZpbGUvCgojIENyZWF0ZSB0aGUgcmVxdWlyZWQgZGlyZWN0b3J5IHRyZWUgdGhhdCB3aWxsIGJlIHVzZWQgd2hlbiB0aGUgcHJvZmlsZSBpcyBhY3RpdmUKbWtkaXIgLXAgL2V0Yy92bXdhcmUtcHJlbHVkZS9wcm9maWxlcy9jdXN0b20tcHJvZmlsZS9oZWxtL3ByZWx1ZGVfdmNvLwoKIyBDcmVhdGUgImNoZWNrIiBmaWxlIHRoYXQgaXMgYW4gZXhlY3V0YWJsZSBmaWxlIHJ1biBieSBkZXBsb3kgc2NyaXB0LgpjYXQgPDxFT0YgPiAvZXRjL3Ztd2FyZS1wcmVsdWRlL3Byb2ZpbGVzL2N1c3RvbS1wcm9maWxlL2NoZWNrCiMhL2Jpbi9iYXNoCmV4aXQgMApFT0YKY2htb2QgNzU1IC9ldGMvdm13YXJlLXByZWx1ZGUvcHJvZmlsZXMvY3VzdG9tLXByb2ZpbGUvY2hlY2sKCiMgQ29weSB2Uk8gcmVzb3VyY2UgbWV0cmljcyBmaWxlIHRvIHlvdXIgY3VzdG9tIHByb2ZpbGUKY2F0IDw8RU9GID4gL2V0Yy92bXdhcmUtcHJlbHVkZS9wcm9maWxlcy9jdXN0b20tcHJvZmlsZS9oZWxtL3ByZWx1ZGVfdmNvLzkwLXJlc291cmNlcy55YW1sCnBvbHlnbG90UnVubmVyTWVtb3J5TGltaXQ6IDYwMDBNCnBvbHlnbG90UnVubmVyTWVtb3J5UmVxdWVzdDogMTAwME0KcG9seWdsb3RSdW5uZXJNZW1vcnlMaW1pdFZjbzogNTYwME0KCnNlcnZlck1lbW9yeUxpbWl0OiA2RwpzZXJ2ZXJNZW1vcnlSZXF1ZXN0OiA1RwpzZXJ2ZXJKdm1IZWFwTWF4OiA0RwoKY29udHJvbENlbnRlck1lbW9yeUxpbWl0OiAxLjVHCmNvbnRyb2xDZW50ZXJNZW1vcnlSZXF1ZXN0OiA3MDBtCkVPRgpjaG1vZCA2NDQgL2V0Yy92bXdhcmUtcHJlbHVkZS9wcm9maWxlcy9jdXN0b20tcHJvZmlsZS9oZWxtL3ByZWx1ZGVfdmNvLzkwLXJlc291cmNlcy55YW1sCg== | bash'

3 Edit the resource metrics file in your custom profile with the desired memory values.

vi /etc/vmware-prelude/profiles/custom-profile/helm/prelude_vco/90-resources.yaml

4 The 90-resources.yaml file should contain the following default properties:

polyglotRunnerMemoryRequest: 1000M
polyglotRunnerMemoryLimit: 6000M
polyglotRunnerMemoryLimitVco: 5600M

serverMemoryLimit: 7G
serverMemoryRequest: 5G
serverJvmHeapMax: 4G
serverJvmMetaspaceMax: 1G

controlCenterMemoryLimit: 1.5G
controlCenterMemoryRequest: 700m


The properties in the file fall into three groups.

Polyglot properties
Memory properties associated with the Polyglot scripting feature. The value of these
properties is set in megabytes (M). When editing these values, remember that on average a
container needs 64M of memory. With the default memory limit of 6000M, you can run
approximately 100 Polyglot scripts in parallel. If you want to increase the number of Polyglot
scripts that can run in parallel, you need to increase the values of the
polyglotRunnerMemoryLimit and polyglotRunnerMemoryLimitVco properties.

First, edit the memory limit of the polyglotRunnerMemoryLimit property and then change the
value of polyglotRunnerMemoryLimitVco to be 300M less than the value you set in the
polyglotRunnerMemoryLimit property.

The following is an example polyglot memory limit configuration:

polyglotRunnerMemoryRequest: 1000M
polyglotRunnerMemoryLimit: 7000M
polyglotRunnerMemoryLimitVco: 6700M

Server memory properties
The memory properties of the Automation Orchestrator server. The value of these properties
is set in gigabytes (G). First, edit the serverJvmHeapMax property with the desired memory
value. The values of the serverMemoryLimit and serverMemoryRequest properties must be
adjusted as follows: serverMemoryRequest must be at least 50% bigger than
serverJvmHeapMax, and serverMemoryLimit should be at least 2G bigger than
serverMemoryRequest. The following is an example server memory configuration:

serverMemoryLimit: 14G
serverMemoryRequest: 12G
serverJvmHeapMax: 8G
serverJvmMetaspaceMax: 1G

Control Center memory properties
The memory properties of the Automation Orchestrator Control Center. The values of these
memory properties must not be updated.

5 Save the changes to the resource metrics file and run the deploy.sh script.

/opt/scripts/deploy.sh

Results

You have changed the heap memory size of your Automation Orchestrator server.
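As an added example that is not part of the VMware documentation or the product, the following Python script checks a 90-resources.yaml against the sizing rules the property descriptions above state (Polyglot limit minus 300M, request at least 50% above the heap, limit at least 2G above the request, Control Center values unchanged). The embedded file content is constructed from the page's own example values; the 64M-per-container estimate and the 1G = 1024M conversion are taken as stated and assumed respectively.

```python
"""Check a custom-profile 90-resources.yaml against the documented sizing rules.

Added example, not VMware code. Rules checked, as the property table states them:
  - polyglotRunnerMemoryLimitVco is 300M below polyglotRunnerMemoryLimit
  - serverMemoryRequest is at least 50% larger than serverJvmHeapMax
  - serverMemoryLimit is at least 2G larger than serverMemoryRequest
  - the Control Center properties keep their default values
"""
import re

# Control Center defaults from step 4; the table says these must not change.
CONTROL_CENTER_DEFAULTS = {
    "controlCenterMemoryLimit": "1.5G",
    "controlCenterMemoryRequest": "700m",
}

# Average memory one Polyglot container needs, per the table.
POLYGLOT_CONTAINER_MB = 64

# Constructed file content assembled from the page's own example values.
EXAMPLE_PROFILE = """\
polyglotRunnerMemoryRequest: 1000M
polyglotRunnerMemoryLimit: 7000M
polyglotRunnerMemoryLimitVco: 6700M

serverMemoryLimit: 14G
serverMemoryRequest: 12G
serverJvmHeapMax: 8G
serverJvmMetaspaceMax: 1G

controlCenterMemoryLimit: 1.5G
controlCenterMemoryRequest: 700m
"""

_UNIT_TO_MB = {"M": 1, "G": 1024}  # 1G = 1024M is an assumption of this example


def parse_resources(text):
    """Parse the flat 'key: value' lines of 90-resources.yaml into a dict of strings."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % line)
        props[key.strip()] = value.strip()
    return props


def to_mb(value):
    """Convert a size such as '6000M' or '1.5G' to megabytes."""
    match = re.fullmatch(r"(\d+(?:\.\d+)?)([MG])", value)
    if not match:
        raise ValueError("unsupported size: %r" % value)
    return float(match.group(1)) * _UNIT_TO_MB[match.group(2)]


def max_parallel_polyglot(limit):
    """Rough number of Polyglot scripts a runner memory limit allows in parallel."""
    return int(to_mb(limit) // POLYGLOT_CONTAINER_MB)


def check_resources(text):
    """Return the list of rule violations; an empty list means the file is consistent."""
    props = parse_resources(text)
    try:
        pg_limit = to_mb(props["polyglotRunnerMemoryLimit"])
        pg_vco = to_mb(props["polyglotRunnerMemoryLimitVco"])
        heap = to_mb(props["serverJvmHeapMax"])
        request = to_mb(props["serverMemoryRequest"])
        limit = to_mb(props["serverMemoryLimit"])
    except KeyError as missing:
        return ["missing property %s" % missing]

    problems = []
    if pg_vco != pg_limit - 300:
        problems.append("polyglotRunnerMemoryLimitVco must be 300M below polyglotRunnerMemoryLimit")
    if request < 1.5 * heap:
        problems.append("serverMemoryRequest must be at least 50% larger than serverJvmHeapMax")
    if limit < request + 2 * 1024:
        problems.append("serverMemoryLimit must be at least 2G larger than serverMemoryRequest")
    for key, default in CONTROL_CENTER_DEFAULTS.items():
        if props.get(key) != default:
            problems.append("%s must stay at its default of %s" % (key, default))
    return problems


if __name__ == "__main__":
    for problem in check_resources(EXAMPLE_PROFILE) or ["profile is consistent"]:
        print(problem)
```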


Disaster Recovery of Automation Orchestrator by Using Site Recovery Manager

You must configure Site Recovery Manager to protect your Automation Orchestrator. Ensure this
protection by completing the common configuration tasks for Site Recovery Manager.

Prepare the Environment


You must ensure that you meet the following prerequisites before you start configuring Site
Recovery Manager.

n Verify that vSphere 6.0 or later is installed on the protected and recovery sites.

n Verify that you are using Site Recovery Manager 8.1 or later.

n Verify that Automation Orchestrator is configured.

Configure Virtual Machines for vSphere Replication


You must configure the virtual machines for vSphere Replication or array based replication in
order to use Site Recovery Manager.

To enable vSphere Replication on the required virtual machines, perform the following steps.

Procedure

1 In the vSphere Web Client, select a virtual machine on which vSphere Replication should be
enabled and click Actions > All vSphere Replication Actions > Configure Replication.

2 In the Replication type window, select Replicate to a vCenter Server and click Next.

3 In the Target site window, select the vCenter for the recovery site and click Next.

4 In the Replication server window, select a vSphere Replication server and click Next.

5 In the Target location window, click Edit, select the target datastore where the replicated
files will be stored, and click Next.

6 In the Replication options window, keep the default setting and click Next.

7 In the Recovery settings window, enter the time for the Recovery Point Objective (RPO) and
the Point in time instances, and click Next.

8 In the Ready to complete window, verify the settings and click Finish.

9 Repeat these steps for all virtual machines on which vSphere Replication must be enabled.

Create Protection Groups


You create protection groups to enable Site Recovery Manager to protect your virtual machines.


You can organize protection groups in folders. The Protection Groups tab displays the names
of the protection groups, but does not display in which folder they are placed. If you have two
protection groups with the same name in different folders, it might be difficult to tell them apart.
Therefore, ensure that protection group names are unique across all folders. In environments in
which not all users have view privileges for all folders, to be sure of the uniqueness of protection
group names, do not place protection groups in folders.

When you create protection groups, wait to ensure that the operations finish as expected. Make
sure that Site Recovery Manager creates the protection group and that the protection of the
virtual machines in the group is successful.

Prerequisites

Verify that you performed one of the following tasks:

n Included virtual machines in datastores for which you configured array-based replication.

n Satisfied the requirements in Prerequisites for Storage Policy Protection Groups and
reviewed the Limitations of Storage Policy Protection Groups in the Site Recovery Manager
Administration guide.

n Configured vSphere Replication on your virtual machines.

n Performed a combination of some or all the above.

Procedure

1 In the vSphere Client or vSphere Web Client, click Site Recovery > Open Site Recovery.

2 On the Site Recovery home tab, select a site pair and click View Details.

3 Select the Protection Groups tab, and click New to create a protection group.

4 On the Name and direction page, enter a name and description for the protection group,
select a direction, and click Next.

5 On the Protection group type page, select the protection group type, and click Next.

n Create an array-based replication protection group: Select Datastore groups (array-based
replication) and select an array pair.

n Create a vSphere Replication protection group: Select Individual VMs (vSphere Replication).

n Create a storage policy protection group: Select Storage Policies (array-based replication).


6 Select datastore groups, virtual machines, or storage policies to add to the protection group.

n Array-based replication protection groups: Select datastore groups and click Next. When you
select a datastore group, the virtual machines that the group contains appear in the Virtual
machines table.

n vSphere Replication protection groups: Select virtual machines from the list, and click Next.
Only virtual machines that you configured for vSphere Replication and that are not already in
a protection group appear in the list.

n Storage policy protection groups: Select storage policies from the list, and click Next.

Storage policy protection groups Select storage policies from the list, and click Next.

7 On the Recovery plan page, you can optionally add the protection group to a recovery plan.

n Add to existing recovery plan: Adds the protection group to an existing recovery plan.

n Add to new recovery plan: Adds the protection group to a new recovery plan. If you select this
option, you must enter a recovery plan name.

n Do not add to recovery plan now: Select this option if you do not want to add the protection
group to a recovery plan.

8 Review your settings and click Finish.

You can monitor the progress of the creation of the protection group on the Protection
Group tab.

n For array-based replication and vSphere Replication protection groups, if Site Recovery
Manager successfully applied inventory mappings to the protected virtual machines, the
protection status of the protection group is OK.

n For storage policy protection groups, if Site Recovery Manager successfully protected
all the virtual machines associated with the storage policy, the protection status of the
protection group is OK.

n For array-based replication and vSphere Replication protection groups, if you did not
configure inventory mappings, or if the Site Recovery Manager was unable to apply them,
the protection status of the protection group is Not Configured.

n For storage policy protection groups, if Site Recovery Manager cannot protect all
the virtual machines associated with the storage policy, the protection status of the
protection group is Not Configured.


What to do next

For array-based replication and vSphere Replication protection groups, if the protection status of
the protection groups is Not Configured, apply inventory mappings to the virtual machines:

n To apply site-wide inventory mappings, or to check that inventory mappings that you have
already set are valid, see Configure Inventory Mappings in the Site Recovery Manager
Administration guide. To apply these mappings to all the virtual machines, see Apply
Inventory Mappings to All Members of a Protection Group in the Site Recovery Manager
Administration guide.

n To apply inventory mappings to each virtual machine in the protection group individually, see
Configure Inventory Mappings for an Individual Virtual Machine in a Protection Group in the
Site Recovery Manager Administration guide.

For storage policy protection groups, if the protection status of the protection group is Not
Configured, verify that you have satisfied the requirements in Prerequisites for Storage Policy
Protection Groups and reviewed the Limitations of Storage Policy Protection Groups in the Site
Recovery Manager Administration guide.

Create a Recovery Plan


You create a recovery plan to establish how Site Recovery Manager recovers virtual machines.

Procedure

1 In the vSphere Client or the vSphere Web Client, click Site Recovery > Open Site Recovery.

2 On the Site Recovery home tab, select a site pair, and click View Details.

3 Select the Recovery Plans tab, and click New to create a recovery plan.

4 Enter a name, description, and direction for the plan, select a folder, and click Next.

5 Select the group type from the menu.

n Protection groups for individual VMs or datastore groups: Select this option to create a
recovery plan that contains array-based replication and vSphere Replication protection groups.

n Storage policy protection groups: Select this option to create a recovery plan that contains
storage policy protection groups. If you are using stretched storage, select this option.

6 Select one or more protection groups for the plan to recover, and click Next.

7 From the Test Network drop-down menu, select a network to use during test recovery, and
click Next.

If there are no site-level mappings, the default option Use site-level mapping creates an
isolated test network.

8 Review the summary information and click Finish to create the recovery plan.


Organize Recovery Plans in Folders


To control the access of different users or groups to recovery plans, you can organize your
recovery plans in folders.

Organizing recovery plans into folders is useful if you have many recovery plans. You can limit
the access to recovery plans by placing them in folders and assigning different permissions to
the folders for different users or groups. For information about how to assign permissions to
folders, see Assign Site Recovery Manager Roles and Permissions in the Site Recovery Manager
Administration guide.

Procedure

1 On the Site Recovery home tab, select a site pair, and click View Details.

2 Click the Recovery Plans tab, and in the left pane right-click Recovery Plans and click New
Folder.

3 Enter a name for the folder to create, and click Add.

4 Add new or existing recovery plans to the folder.

n Create a new recovery plan: Right-click the folder and select New Recovery Plan.

n Add an existing recovery plan: Right-click a recovery plan from the inventory tree and click
Move. Select a target folder and click Move.

Edit a Recovery Plan


You can edit a recovery plan to change the properties that you specified when you created it.
You can edit recovery plans from the protected site or from the recovery site.

Procedure

1 In the vSphere Client, click Site Recovery > Open Site Recovery.

2 On the Site Recovery home tab, select a site pair, and click View Details.

3 Click the Recovery Plans tab, right-click a recovery plan, and click Edit.

4 (Optional) Change the name or description of the plan, and click Next.

You cannot change the direction and the location of the recovery plan.

5 (Optional) Select or deselect one or more protection groups to add them to or remove them
from the plan, and click Next.

6 (Optional) From the drop-down menu select a different test network on the recovery site,
and click Next.


7 Review the summary information and click Finish to make the specified changes to the
recovery plan.

You can monitor the update of the plan in the Recent Tasks view.

Setting System Properties
10
You can set system properties to change the default Orchestrator behavior.

Read the following topics next:

n Setting Server File System Access for Workflows and Actions

n Set JavaScript Access to Java Classes

n Set Custom Timeout Property

n Adding a JDBC connector for the Automation Orchestrator SQL plug-in

n Activating basic authentication

Setting Server File System Access for Workflows and Actions

In Automation Orchestrator, the workflows and actions have limited access to specific file system
directories. You can extend access to other parts of the server file system by modifying the
js-io-rights.conf configuration file.

Rules in the js-io-rights.conf File Permitting Write Access to the Automation Orchestrator System

The js-io-rights.conf file contains rules that permit write access to defined directories in the
server file system.

Mandatory Content of the js-io-rights.conf File


Each line of the js-io-rights.conf file must contain the following information.

n A plus (+) or minus (-) sign to indicate whether rights are permitted or denied

n The read (r), write (w), and run (x) levels of rights

n The path on which to apply the rights.

Note The js-io-rights.conf file is located in the /data/vco/usr/lib/vco/app-server/conf/
folder. All content with access to the Automation Orchestrator file system must be mapped
under this root folder.


Default Content of the js-io-rights.conf File


The default content of the js-io-rights.conf configuration file in the Orchestrator Appliance
is as follows:

-rwx /
+rwx /var/run/vco
+rx /etc/vco
-rwx /etc/vco/app-server/security/
+rx /var/log/vco/

The first two lines in the default js-io-rights.conf configuration file allow the following access
rights:

-rwx /

All access to the file system is denied.

+rwx /var/run/vco

Read, write, and run access is permitted in the /var/run/vco directory.

Rules in the js-io-rights.conf File


Automation Orchestrator resolves access rights in the order they appear in the js-io-
rights.conf file. Each line can override the previous lines.

Important You can permit access to all parts of the file system by setting +rwx / in the js-io-
rights.conf file. However, doing so represents a high security risk.

Set Server File System Access for Workflows and Actions


To change which parts of the server file system workflows and the Automation Orchestrator
API can access, modify the js-io-rights.conf configuration file. The js-io-rights.conf file
is created when a workflow attempts to access the Automation Orchestrator server file system.

Procedure

1 Log in to the Automation Orchestrator Appliance command line as root.

2 Navigate to the /data/vco/usr/lib/vco/app-server/conf directory.

3 Open the js-io-rights.conf configuration file in a text editor.

4 Add the necessary lines to the js-io-rights.conf file to allow or deny access to areas of
the file system.

For example, the following line denies the execution rights in the /data/vco/var/run/vco/
noexec directory:

-x /data/vco/var/run/vco/noexec


/data/vco/var/run/vco/noexec retains execution rights, but /data/vco/var/run/vco/noexec/bar
does not. Both directories remain readable and writable.

Results

You modified the access rights to the file system for workflows and for the Automation
Orchestrator API.
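The rule resolution described above (rules apply in file order, and a later line overrides earlier ones) and the deny example from the procedure, as an added Python example that is not part of the VMware documentation or the product: it parses a js-io-rights.conf, computes the rights left on a given path, and warns about grants such as +rwx / that the Important note flags. The sample rules are the page's default file plus a constructed -x rule under /var/run/vco; the "rule applies to entries below its path" matching is an assumption modelled on the page's noexec example, and the probed file name is a placeholder.

```python
"""Resolve js-io-rights.conf rules and flag risky grants.

Added example, not VMware code. Rules apply in file order and a later line
overrides earlier ones for the paths it covers, as the documentation states.
Following the documentation's own example (a rule on .../noexec affects
.../noexec/bar but not the noexec directory itself), a rule is modelled here
as applying to entries below its path; that reading is an assumption.
"""

# Default content of js-io-rights.conf as listed in the documentation.
DEFAULT_RULES = """\
-rwx /
+rwx /var/run/vco
+rx /etc/vco
-rwx /etc/vco/app-server/security/
+rx /var/log/vco/
"""

# Directory the defaults deny completely; write access landing there is worth a warning.
SECURITY_DIR = "/etc/vco/app-server/security"


def parse_rules(text):
    """Return rules as (grant, levels, path) tuples in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        spec, _, path = line.partition(" ")
        path = path.strip()
        levels = set(spec[1:])
        if spec[:1] not in ("+", "-") or not levels or not levels <= set("rwx") or not path:
            raise ValueError("malformed rule: %r" % raw)
        if path != "/":
            path = path.rstrip("/")  # '/etc/vco/' and '/etc/vco' name the same directory
        rules.append((spec[0] == "+", levels, path))
    return rules


def _covers(rule_path, target):
    """True when target lies below rule_path (assumption: not the directory itself)."""
    prefix = "/" if rule_path == "/" else rule_path + "/"
    return target != rule_path and target.startswith(prefix)


def effective_rights(text, target):
    """Rights (subset of {'r','w','x'}) left on target after every matching rule is applied."""
    rights = set()
    for grant, levels, path in parse_rules(text):
        if _covers(path, target):
            rights = (rights | levels) if grant else (rights - levels)
    return rights


def audit_rules(text):
    """Return warnings for grants that widen access beyond what the defaults intend."""
    warnings = []
    for grant, levels, path in parse_rules(text):
        if grant and path == "/":
            warnings.append("'+%s /' grants %s on the whole file system"
                            % ("".join(sorted(levels)), ",".join(sorted(levels))))
    # Probe a constructed placeholder name below the security directory: a later
    # '+w' on '/' or on the directory itself would make it writable.
    if "w" in effective_rights(text, SECURITY_DIR + "/some-file"):
        warnings.append("entries under %s end up writable" % SECURITY_DIR)
    return warnings


if __name__ == "__main__":
    # Mirror the documentation's pattern: deny execution below a directory (constructed rule).
    rules = DEFAULT_RULES + "-x /var/run/vco/noexec\n"
    for p in ("/var/run/vco/noexec", "/var/run/vco/noexec/bar"):
        print(p, sorted(effective_rights(rules, p)))
    for warning in audit_rules(DEFAULT_RULES + "+rwx /\n"):
        print("WARNING:", warning)
```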

Set JavaScript Access to Java Classes


By default, Automation Orchestrator restricts JavaScript access to a limited set of Java classes.
If you require JavaScript access to a wider range of Java classes, you must set an Automation
Orchestrator system property.

Allowing the JavaScript engine full access to the Java virtual machine (JVM) presents potential
security issues. Malformed or malicious scripts might have access to all the system components
to which the user who runs the Automation Orchestrator server has access. Therefore, by default
the Automation Orchestrator JavaScript engine can access only the classes in the java.util.*
package.

If you require JavaScript access to classes outside of the java.util.* package, you can list in
a configuration file the Java packages to which to allow JavaScript access. You then set the
com.vmware.scripting.rhino-class-shutter-file system property to point to this file.

Procedure

1 Create a text configuration file to store the list of Java packages to which to allow JavaScript
access.

For example, to allow JavaScript access to all the classes in the java.net package and to the
java.lang.Object class, you add the following content to the file.

java.net.*
java.lang.Object

2 Enter a name for the configuration file.

3 Save the configuration file in a subdirectory of /data/vco/usr/lib/vco.

Note The configuration file cannot be saved under another directory.

4 Log in to Control Center as root.

5 Click System Properties.

6 Click New.

7 In the Key text box, enter com.vmware.scripting.rhino-class-shutter-file.

8 In the Value text box, enter /usr/lib/vco/your_configuration_file_subdirectory.

9 In the Description text box, enter a description for the system property.


10 Click Add.

11 Click Save changes from the pop-up menu.

A message indicates that you have saved successfully.

12 Wait for the Automation Orchestrator server to restart.

Results

The JavaScript engine has access to the Java classes that you specified.

Set Custom Timeout Property


When vCenter is overloaded, it takes more time to return the response to the Automation
Orchestrator server than the 20000 milliseconds set by default. To prevent this situation, you
must modify the Automation Orchestrator configuration file to increase the default timeout
period.

If the default timeout period expires before the completion of certain operations, the Automation
Orchestrator server log contains errors.

Operation 'getPropertyContent' total time : '5742228' for 1823 calls, mean
time : '3149.0', min time : '0', max time : '32313' Timeout, unable to get
property 'info' com.vmware.vmo.plugin.vi4.model.TimeoutException

Procedure

1 Log in to Control Center as root.

2 Click System Properties.

3 Click New.

4 In the Key text box enter com.vmware.vmo.plugin.vi4.waitUpdatesTimeout.

5 In the Value text box enter the new timeout period in milliseconds.

6 (Optional) In the Description text box enter a description for the system property.

7 Click Add and wait for the Automation Orchestrator server to restart.

Results

The value you set overrides the default timeout setting of 20000 milliseconds.

Adding a JDBC connector for the Automation Orchestrator SQL plug-in

This example demonstrates how you can add a MySQL connector for the Automation
Orchestrator SQL plug-in.


Prerequisites

The Automation Orchestrator SQL plug-in supports only certain database types. Before
adding a MySQL connector, verify that you are using one of the following database types:

n Oracle

n Microsoft SQL Server

n PostgreSQL

n MySQL

Procedure

1 Add the MySQL connector.jar file to the Automation Orchestrator Appliance.

Note For clustered Automation Orchestrator deployments, perform this operation on the
appliances of all the nodes.

a Log in to the Automation Orchestrator Appliance command line over SSH as root.

b Navigate to the /data/vco/var/run/vco directory.

cd /data/vco/var/run/vco

c Create a plugins/SQL/lib/ directory.

mkdir -p plugins/SQL/lib/

d Copy your MySQL connector.jar file from your local machine to the
/data/vco/var/run/vco/plugins/SQL/lib/ directory by running a secure copy (SCP)
command.

scp ~/local_machine_dir/your_mysql_connector.jar root@orchestrator_FQDN_or_IP:/data/vco/var/run/vco/plugins/SQL/lib/

Note You can also use alternative methods for copying your connector.jar file to the
Automation Orchestrator Appliance, such as PSCP.

2 Add the new MySQL property to the Control Center.

a Log in to the Control Center as root.

b Select System Properties.

c Click New.

d Under Key, enter o11n.plugin.SQL.classpath.


e Under Value, enter /var/run/vco/plugins/SQL/lib/your_mysql_connector.jar.

Note The value text box can include multiple JDBC connectors. Each JDBC connector is
separated by a semicolon (";"). For example:

/var/run/vco/plugins/SQL/lib/your_mysql_connector.jar;/var/run/vco/plugins/SQL/lib/your_mssql_connector.jar;/var/run/vco/plugins/SQL/lib/your_other_connector.jar

f (Optional) Enter a description for the MySQL system property.

g Click Add, and wait for the Automation Orchestrator server to restart.

Note Do not save your JDBC connector.jar file in another directory and do not
set a different value to the o11n.plugin.SQL.classpath property. Otherwise, the JDBC
connector becomes unavailable to your Automation Orchestrator deployment.

Activating basic authentication


You can activate basic authentication for your Automation Orchestrator deployment by setting a
system property.

The basic authentication of your Automation Orchestrator deployment is deactivated
by default. In certain use cases you must activate this authentication by setting the
com.vmware.o11n.sso.basic-authentication.enabled system property. For example, you must
activate this system property if you are planning on using the Automation Orchestrator Multi-
Node plug-in for deployments which are authenticated with VMware Aria Automation.

Procedure

1 Log in to the Control Center as root.

2 Select System Properties.

3 Click New.

4 Under Key, enter com.vmware.o11n.sso.basic-authentication.enabled.

5 Under Value, enter true.

6 (Optional) Enter a description for the new system property.

7 Click Add, and wait for the Automation Orchestrator server to restart.

Where to go from here
11
When you have installed and configured Automation Orchestrator, you can use Automation
Orchestrator to automate frequently repeated processes related to the management of the
virtual environment.

n Log in to the Automation Orchestrator Client, run, and schedule workflows on the vCenter
inventory objects or other objects that Automation Orchestrator accesses through its plug-
ins. See Using Automation Orchestrator.

n Duplicate and modify the standard Automation Orchestrator workflows and write your own
actions and workflows to automate operations in vCenter.

n To extend the functionality of the Automation Orchestrator platform, develop plug-ins.

n Manage your Automation Orchestrator inventory across multiple Automation Orchestrator
instances with the integration of a remote Git repository. See Using Automation Orchestrator.

n Run workflows on your vSphere inventory objects by using the vSphere Web Client.
