VMware vRealize Orchestrator 7.1 Release Notes

vRealize Orchestrator Appliance 7.1 | 23 August 2016 | Build 4276164

Check frequently for additions and updates to these release notes.

Release Notes last updated on 29 Mar 2017.

What's New in vRealize Orchestrator 7.1

vRealize Orchestrator 7.1 introduces a number of improvements and bug fixes, and extends the automated configuration with new options:

  • Configuration push from one node to all other nodes in the cluster and the ability to restart all nodes from a single node.
  • Monitoring of configuration differences between the nodes in a cluster by using the fingerprints available in Control Center for the currently running or pending configuration.
  • Added a REST API to update resource elements.

vRealize Orchestrator 7.1 also introduces a number of plug-in improvements:

  • Swagger definition support for adding a REST host in the HTTP-REST Plug-in.
  • Improved search capabilities in the Active Directory Plug-in.
  • Pagination support and arbitrary entry querying in the Active Directory Plug-in.

With the certificate management mechanism based on ISsslService, implemented in version 7.1, the server and trusted certificates are stored in the database. Plug-ins must use the API from the Plug-in SDK to retrieve the trusted certificates.

The Orchestrator client no longer processes the notification events related to the inventory tree that are sent by the Orchestrator plug-ins. This makes the use of the IPluginNotificationHandler obsolete and requires users to manually refresh the inventory tree.

Feature and Support Notice

The following feature is deprecated in vRealize Orchestrator 7.1 and is scheduled for removal in future releases. This feature should not be used as part of any vRealize Orchestrator solution.

  • LDAP authentication

Deploying the VMware vRealize Orchestrator Appliance 7.1

VMware vRealize Orchestrator 7.1 is available as a preconfigured virtual appliance. The appliance significantly reduces the time and skills required to deploy vRealize Orchestrator and provides a low-cost alternative to a traditional Windows-based installation.

The Orchestrator Appliance is distributed as an OVF file. It is prebuilt and preconfigured with Novell SUSE Linux Enterprise Server, PostgreSQL, and In-Process ApacheDS LDAP, and it can be used with vCenter Server 5.5 and later.

The Orchestrator Appliance functionality is suitable for any use case from lab evaluation to large-scale production, when an external database is used. The appliance offers the flexibility to use either the prebuilt directory services and database, or Single Sign-On authentication, provided by vRealize Automation and vSphere 6.0, and external database servers like Oracle or Microsoft SQL.

The Orchestrator Appliance is a fast, easy to use, and more affordable way to integrate the VMware cloud stack, including vRealize Automation and vCenter Server, with your IT processes and environment.

Upgrading to vRealize Orchestrator 7.1

For instructions about deploying and using the Orchestrator Appliance, see Installing and Configuring VMware vRealize Orchestrator.

Important: For security reasons, the password expiry of the root account of the Orchestrator Appliance is set to 365 days. To increase the expiry time for an account, log in to the Orchestrator Appliance as root, and run the following command:

passwd -x number_of_days name_of_account

To make your Orchestrator Appliance root password last forever, run the following command:

passwd -x 99999 root
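
`passwd -x` writes the maximum password age into the fifth field of the account's /etc/shadow entry. The following is an added example, not part of the VMware release notes, that audits shadow-format lines for accounts whose password never expires or exceeds a chosen limit; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the release notes): flag accounts whose
# password effectively never expires.
# Field 5 of a shadow entry is the maximum password age in days, the
# value that `passwd -x` sets. Empty or >= 99999 means no expiry.

# audit_max_age LIMIT   (hypothetical helper name)
# Reads shadow-format lines on stdin and reports accounts whose maximum
# age is missing, 99999 or more, or above LIMIT days.
audit_max_age() {
    awk -F: -v limit="$1" '
        /^#/ || NF < 5 { next }     # comments, blank or short lines
        $2 ~ /^[!*]/   { next }     # password login disabled (! or *)
        $5 == "" || $5 + 0 >= 99999 { print $1 ": never expires"; next }
        $5 + 0 > limit + 0 { print $1 ": max age " $5 " exceeds " limit }
    '
}

# Constructed sample entries; the hashes are placeholders.
sample_shadow() {
cat <<'EOF'
# name:hash:lastchg:min:max:warn:inactive:expire:
root:$6$CONSTRUCTED$notarealhash:17000:0:99999:7:::
vco:$6$CONSTRUCTED$notarealhash:17000:0:365:7:::
postgres:!:17000:0:99999:7:::
backup:$6$CONSTRUCTED$notarealhash:17000:0::7:::
svc:$6$CONSTRUCTED$notarealhash:17000:0:730:7:::
EOF
}

# Stand-alone run against the constructed sample with a 365-day limit.
sample_shadow | audit_max_age 365
```

On a live appliance, run it as root with `audit_max_age 365 < /etc/shadow`.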

Plug-Ins Installed with vRealize Orchestrator 7.1

The following plug-ins are installed by default with vRealize Orchestrator 7.1:

  • vRealize Automation Center Infrastructure Administration Plug-In 7.1.0
  • vRealize Automation Plug-In 7.1.0
  • vRealize Orchestrator vCenter Server Plug-In 6.5.0
  • vRealize Orchestrator Mail Plug-In 7.0.1
  • vRealize Orchestrator SQL Plug-In 1.1.4
  • vRealize Orchestrator SSH Plug-In 7.0.1
  • vRealize Orchestrator SOAP Plug-In 2.0.0
  • vRealize Orchestrator HTTP-REST Plug-In 2.1.0
  • vRealize Orchestrator Plug-In for Microsoft Active Directory 3.0.2
  • vRealize Orchestrator AMQP Plug-In 1.0.4
  • vRealize Orchestrator SNMP Plug-In 1.0.3
  • vRealize Orchestrator PowerShell Plug-In 1.0.9
  • vRealize Orchestrator Multi-Node Plug-In 7.1.0
  • vRealize Orchestrator Dynamic Types 1.2.0
  • vRealize Orchestrator vCloud Suite API (vAPI) Plug-In 7.1.0
  • vRealize Orchestrator Plug-In for vRealize Automation 7.1.0

Internationalization Support

vRealize Orchestrator 7.1 supports internationalization level 1. Although Orchestrator is not localized, it can run on non-English operating systems and supports non-English text.

How to Provide Feedback

Your active feedback is appreciated. Provide your feedback by using one of the following methods:

  • Support Requests (SRs)
  • Orchestrator Discussion Forum

Support Requests

File all issues that you find as Support Requests (SRs), even if you report them to VMware by other means.

You can find VMware Support's commitment to SRs filed by customers and instructions on how to file an SR at https://www.vmware.com/support/services/beta.

Include log files in your SRs. To gather log files and configuration from Orchestrator:

  1. Go to Control Center at https://orchestrator_server_ip_address:8283/vco-controlcenter.
  2. Log in as root.
  3. Click Export Logs.
  4. Click Export logs.
  5. Save the generated ZIP file.
  6. Upload the saved ZIP file to VMware Support.

Earlier Releases of vRealize Orchestrator

Features and issues from earlier releases of vRealize Orchestrator are described in the release notes for each release. To review release notes for earlier releases of vRealize Orchestrator, click one of the following links:

Resolved Issues

vRealize Orchestrator 7.1 resolves the following issues:

  • Specifying a root object for selecting a value in a presentation does not work.
    When a workflow contains a root object and you must define a value for this object, the Select (object_name) dialog box shows the entire Orchestrator plug-ins inventory, instead of filtering only the plug-in to which the selected root object belongs.

    The issue is resolved in this release.

  • Java object deserialization vulnerability (CVE-2015-6934)
    Serialized-object interfaces allow remote attackers to execute arbitrary commands through a crafted serialized Java object, related to the Apache Commons Collections library.

    The issue is resolved in this release.

  • You cannot download the appliance log bundle from the Virtual Appliance Management Interface.
    Downloading the appliance log bundle from the Logs page under the Admin tab of the Virtual Appliance Management Interface fails with the Cannot find support bundle implementation error.

    The issue is resolved in this release.

  • The Create a proxy workflow run fails if the remote workflow has a properties type or array type input parameter.
    When you use Create a proxy workflow from the Multi-Node Plug-in, the workflow run fails if the remote workflow has an input parameter of type array or properties.

    The issue is resolved in this release.

  • If a remote workflow has an array type output parameter the Create a proxy workflow run fails, even though the remote workflow run succeeded.

    The issue is resolved in this release.

  • The Import a certificate from URL using proxy server workflow fails.
    You cannot import a certificate from a URL through a proxy server.

    The issue is resolved in this release.

  • You cannot configure LogInsight after an upgrade.
    Configuring LogInsight from Control Center fails with a Failed to edit Log Insight Agent configuration file! error.

    The issue is resolved in this release.

  • After upgrading Orchestrator with Oracle database from version 6.0.3 or 6.0.4, the database schema fails to initialize and the Orchestrator server does not start.

    The issue is resolved in this release.

  • You cannot import a trusted certificate from Control Center if a proxy is used.
    When a proxy server is used, importing a trusted certificate from Control Center fails with a Cannot init trust certificate action! error.

    The issue is resolved in this release.

  • When the Orchestrator Client is used on Windows, the Import package from folder function does not import the workflow versions, comments and history.

    The issue is resolved in this release.

  • The presentation deletes the input parameter values during the validation phase, if these values are of SecureString type and one of the values verifies the other.

    The issue is resolved in this release.

  • Packages are exported with the wrong certificate chain.
    When the exported package contains a chain of trust certificates that have the same Common Name, the package signing certificate is incorrect and the package cannot be imported to another Orchestrator instance.

    The issue is resolved in this release.

  • Specifying a root object for an input parameter chooser in presentation does not work.
    Even when you define a specific root object to use as an input parameter, the chooser shows the whole inventory tree.

    The issue is resolved in this release.

  • The resource viewer does not refresh after the update of a resource element.
    When you update a resource element, the resource viewer does not refresh to show the new text.

    The issue is resolved in this release.

  • The JDBC URL generator workflow does not generate the correct JDBC Uri when it uses Windows authentication with Microsoft SQL Server.
    When you use Windows authentication to connect to a Microsoft SQL Server, the JDBC URL generator workflow creates a Uri without the useNTLMv2 attribute.

    The issue is resolved in this release.

  • The Orchestrator Plug-In for Microsoft Active Directory recognizes Computer objects in Active Directory as User objects.
    When you search for User objects in Active Directory, the Orchestrator Plug-In for Microsoft Active Directory returns Computer objects as well.

    The issue is resolved in this release.

  • You cannot search Active Directory objects within a large inventory.

    The Orchestrator Plug-In for Microsoft Active Directory now supports pagination. See What's New.

  • The Orchestrator service stops with an Out of Memory error after running for a few weeks, due to a problem related to the way in which user sessions are managed.

    The issue is resolved in this release.

Known Issues

The known issues are grouped as follows:

Installation Issues

  • The Orchestrator service cannot recover after a back up and restore procedure.
    When you back up and restore Orchestrator, the server is not accessible from vRealize Automation with an Unable to establish a connection to vCenter Orchestrator server error. This results in Orchestrator being unable to start, while having a STARTED status, missing tasks and policies, and workflows that must be re-run.

    Workaround: Re-create the missing scheduled tasks and policies, re-run the scheduled workflows that did not start, and restart the Orchestrator service.

Configuration Issues

  • The vRealize Orchestrator SQL plug-in cannot connect to a MySQL database.
    When you run the Add a database workflow against a MySQL database, the workflow fails with a The driver 'com.mysql.jdbc.Driver' for 'MySQL' database cannot be found! error message.

    NOTE: The support for MySQL databases was removed in vRealize Orchestrator 7.0.

    Workaround: To enable support for MySQL database, you must install the JDBC driver for MySQL on the Orchestrator platform.

    1. Download the latest JDBC driver for MySQL from http://dev.mysql.com/downloads/connector/j/.
    2. Extract the downloaded archive.
    3. In the extracted folder, locate the mysql-connector-java-x.x.x.jar file, where x.x.x is the current subminor version.
    4. Copy the mysql-connector-java-x.x.x.jar to the /usr/lib/vco/app-server/lib directory on the Orchestrator server.
    5. Change the ownership of the mysql-connector-java-x.x.x.jar file.

       chown vco:vco mysql-connector-java-x.x.x.jar

    6. Change the permissions of the mysql-connector-java-x.x.x.jar.

       chmod 644 mysql-connector-java-x.x.x.jar

    7. Restart the Orchestrator server service.

       service vco-server restart

  • Orchestrator does not support importing a mail server certificate to Trusted certificates when the used port requires issuing the STARTTLS command.
    When you import a mail server SSL/TLS certificate by using the Import from URL option and the URL contains SMTP port 587, the import fails with an Error! IOException. Message: 'Unrecognized SSL message, plaintext connection?' error message.

    Workaround: Export the certificate to a PEM-encoded file and import it to Orchestrator manually.

    1. Use SSH to access the Orchestrator appliance and log in as root.
    2. Run the command:

       openssl s_client -connect smtp.office365.com:587 -debug -starttls smtp

    3. Copy the Server certificate from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- and save it in a file.
    4. Import the certificate file to Trusted Certificates in Control Center, by using the Import from a PEM-encoded file option.

  • The SOAP plug-in cannot connect through an authenticated proxy server.
    When you run the Add a SOAP host workflow, use a proxy server that does not require authentication.
  • Updated timeout values of a REST Host take effect only after the Orchestrator server is restarted.
    When you run the Update a REST Host workflow to change the REST Host timeout configuration, you must restart the Orchestrator server for the changes to take effect.

    Workaround: Restart the Orchestrator server.

  • The Orchestrator client does not run on versions of Java earlier than Java 8.
    You need Java 8 to run the Orchestrator client.
  • If you experience issues connecting to a SOAP or a REST host, or importing a certificate, you might have to explicitly enable certain versions of SSL or TLS.
    For information about this issue, see https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html.

    Workaround: For information about explicitly enabling SSLv3 and TLSv1 for outgoing HTTPS connections, see Enable TLSv1 for outgoing HTTPS connections in vRealize Orchestrator 6.0.4 and 7.0.x manually (KB 2144318).

  • vCenter Server objects not accessible in the vSphere Web Client.
    Orchestrator cannot access vCenter Server objects in the vSphere Web Client if the vCenter Server instance that you are attempting to access is registered in Orchestrator by IP address.

    Workaround: Register the vCenter Server instance by host name.

  • Orchestrator authentication configuration might become invalid, if the authentication provider certificate changes or regenerates.
    When Orchestrator is configured to use vCenter Single Sign-On, if the certificate of the vCenter Single Sign-On server changes or regenerates, the Orchestrator authentication configuration becomes invalid and the Orchestrator server cannot start.

    Workaround: Import the new authentication provider certificate:

    1. Log in to Control Center as root.
    2. Click Certificates.
    3. Click Import on the Trusted Certificates tab.
    4. Load the SSL certificate from a URL or a file.
    5. Click Import.
    6. Restart the Orchestrator server from the Startup Options page in Control Center.

  • Orchestrator does not work with forest and external trusts in Active Directory.

    Multiple domains that are not in the same tree but have a two-way trust are not supported and do not work with Orchestrator. The only configuration supported for multi-domain Active Directory is domain tree. Forest and external trusts are not supported.

  • Support for TNSNames missing when you connect to an Oracle database.
    You cannot use TNSNames to connect to an Oracle database. You can connect to an Oracle database by using an IP address or a DNS name.

    Workaround: See Add support for RAC and TNS configuration for Oracle 11g Database instances to vRealize Orchestrator (KB 1022828).
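
For the STARTTLS workaround in the mail server certificate issue above, the copy step can be scripted and the result inspected before it goes into Trusted Certificates. The following is an added example, not part of the VMware release notes: the function names are hypothetical, the transcript is constructed, and its certificate body is a placeholder rather than a real certificate.

```shell
#!/bin/sh
# Added example (not from the release notes): pull the server
# certificate out of a saved `openssl s_client ... -starttls smtp`
# transcript instead of copying it by hand from the -debug output.

# Print the first complete PEM certificate block found on stdin.
# Returns 1 when no complete block is present, for example when the
# STARTTLS handshake failed and s_client printed no certificate.
extract_server_cert() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { inblock = 1; buf = "" }
        inblock { buf = buf $0 "\n" }
        inblock && /^-----END CERTIFICATE-----/ {
            printf "%s", buf; found = 1; exit
        }
        END { exit (found ? 0 : 1) }
    '
}

# Show what is about to be trusted, so that the subject, validity dates
# and SHA-256 fingerprint can be compared with values obtained from the
# mail server administrator. Needs a real certificate file as $1.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
}

# Constructed transcript; the base64 line is a placeholder body.
sample_transcript() {
cat <<'EOF'
CONNECTED(00000003)
read from 0x0 [0x0] (5 bytes => 5 (0x5))
0000 - 16 03 03 00 5d                                    ....]
---
Certificate chain
 0 s:/CN=mail.example.test
   i:/CN=Example Test CA
---
Server certificate
-----BEGIN CERTIFICATE-----
PLACEHOLDER+BASE64+BODY+NOT+A+REAL+CERTIFICATE==
-----END CERTIFICATE-----
subject=/CN=mail.example.test
---
EOF
}

# Stand-alone run: prints only the three-line PEM block.
sample_transcript | extract_server_cert
```

Against a live server, redirect the s_client output to a file, run `extract_server_cert < transcript.txt > mail.pem`, then `describe_cert mail.pem` before importing mail.pem in Control Center.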

Client Issues

  • In the log pane of the Orchestrator client you cannot see debug log messages for the workflow token.

    Workaround: Update the log level for the scripting logs.

    1. Use SSH to access the Orchestrator appliance and log in as root.
    2. Open the /etc/vco/app-server/log4j.xml file with a text editor.
    3. Change the log level by updating:

       <category additivity="false" name="SCRIPTING_LOG">
       <priority value="INFO"/>

       to

       <category additivity="false" name="SCRIPTING_LOG">
       <priority value="DEBUG"/>

    4. Save and close the file.

  • Boolean input parameters are shown with a No value in the user interaction presentation.
    In user-interaction workflows, when you configure an input parameter with a Boolean value that is equal to Yes and run the workflow, the user input parameter appears as a No value.

  • The task scheduler does not run when the Orchestrator server and the Orchestrator client use different time zones.
    If your Orchestrator client uses a time zone that is different from UTC, the Orchestrator server always interprets the scheduled time in UTC for any scheduled task and the task does not run at the designated time.

    Workaround: Always enter the time for the scheduled tasks in UTC.

  • OGNL expressions of an input parameter run with every input parameter update.
    When an input parameter includes an OGNL expression, which is bound to more than one input parameter, the OGNL expression runs every time any of the input parameters is updated, instead of running once, when all input parameters are updated. If the OGNL expression invokes a resource-consuming operation, for example data mining, the presentation might run slowly.
  • The value of an input parameter is reset to default if the default value is bound to another input parameter.
    When you update the first input parameter, the second input parameter resets to its default value, even after it was updated.

  • The version history of a duplicated workflow is also copied, even without being selected.

  • When you import a configuration from a package, the Dynamic Type Plug-in types are not updated and you cannot use them immediately.

    Workaround: Restart the Orchestrator Client to update all plug-in types.

  • Problems handling non-ASCII characters in certain contexts
    Using non-ASCII characters in input parameters results in incorrect behavior in the following situations:
    • If you run the SCP put or SCP get workflows from the SSH folder on a file with a name that contains non-ASCII characters, the workflow runs, but the name of the resulting file on the destination machine is unreadable.
    • If you try to insert non-ASCII characters into attribute names, the characters do not appear. This issue occurs for workflow attributes and action attributes.

  • Use of the Orchestrator client through Java WebStart if the Orchestrator Appliance is behind Network Address Translation (NAT) is not supported.

Miscellaneous Issues

  • Compiling a custom model-driven plug-in fails if you use an extension method that contains lambda expressions.
    When you use the model-driven approach to create plug-ins and you add extension methods to a certain extension, the plug-in does not compile if the extension method contains lambda expressions. The plug-in compilation fails with an error message similar to the following: Caused by: java.lang.ArrayIndexOutOfBoundsException: 52789

    Workaround: Do not use lambda expressions in the body of the extension methods.

  • Custom event schema elements do not work in an Orchestrator cluster.
    Resuming a workflow run based on a Wait for custom event schema element does not work when the Orchestrator server is configured in a cluster. The custom event schema elements work only on single Orchestrator nodes.
  • The Send notification and Send notification to mailing list workflows fail when the configured SMTP port is 587.
    When you use the Send notification or the Send notification to mailing list workflows from the Mail Plug-in, the workflow run fails with an error Cannot send mail: 'Could not convert socket to TLS' Cause: 'unable to find valid certification path to requested target', even though the SSL/TLS certificate of the remote mail server is imported to Trusted Certificates.

    Workaround: After you import the mail server SSL/TLS certificate, restart the Orchestrator server and run the workflow.

  • The SOAP plug-in does not support mutual authentication with the SOAP host.
    The available authentication mechanisms support only one-way authentication.
  • The SSH plug-in cannot connect to a Cisco Adaptive Security Appliance (ASA) firewall.
    The SSH plug-in for vRealize Orchestrator 7.1 does not support connectivity to a Cisco Adaptive Security Appliance (ASA) firewall.
  • The console of the Orchestrator appliance constantly displays a warning message.
    The [WARN] Attempted translation of an Invalid IPv6 address message is constantly repeated on the console screen. You can safely ignore this message.

    Workaround: Log in to the appliance as root and log out so that the console shows the Virtual Appliance Management Interface welcome screen.

  • The RESTResponse.getAllHeaders() method returns only one header per header name, even when the HTTP response of the server contains more than one header with the same name.

  • Restricted access to vCenter Server inventory can cause errors if you select Session per user.
    If you select the Session per user option when adding a vCenter Server instance to Orchestrator, attempting to access the vCenter Server inventory might result in some errors for a user with restricted access to inventory objects.
  • vCenter Server Plug-in does not have valid credentials after upgrading to Orchestrator 6.0.x or later.
    If you upgrade to Orchestrator 6.0.x or later, the vCenter Server Plug-in does not have valid credentials.

    Workaround: After upgrading Orchestrator, update the vCenter Server instance and configure a password for the user.

  • vRealize Orchestrator displays the vCenter Server Plug-in as unusable.
    After you upgrade to vRealize Orchestrator version 6.0.x or later, if you have not upgraded the Site Recovery Manager Plug-in to version 6.0.0, the vCenter Server Plug-in becomes unusable.

    Workaround: Upgrade the Site Recovery Manager Plug-in to version 6.0.0 or disable the Site Recovery Manager 5.8.0 Plug-in.

  • The Orchestrator configuration interface might not be accessible with Internet Explorer 11.
    If you are using Internet Explorer 11, you might be unable to log in to the Orchestrator configuration interface.

    Workaround: Install Internet Explorer version 11.0.11 or a recent version of Google Chrome or Mozilla Firefox.

  • The workflow token remains incomplete, if a workflow's name includes a slash.
    If you have a workflow name that includes a slash, when you run the workflow, the workflow token might never change to completed, although the workflow has completed running.

    Workaround: Remove the slash from the name of the workflow.

  • The Convert disks to thin provisioning workflow does not handle virtual machines with snapshots correctly and does not convert the thick-provisioned disks.
    On completion, the Convert disks to thin provisioning workflow reports that the thick-provisioned disks of virtual machines with snapshots are successfully converted to thin-provisioned, when they are not.

    Workaround: Do not include virtual machines with snapshots in the workflow.

  • Adding values to vCenter Server data object properties of type Array is impossible.
    When Orchestrator runs scripts, the vCenter Server Plug-in converts JavaScript arrays to Java arrays of a fixed size. As a result, you cannot add new values to vCenter Server data objects that take arrays as property values. You can create an object that takes an array as a property if you instantiate that object by passing it a prefilled array. However, after you instantiate the object, you cannot add values to the array.

    For example, the following code does not work:

    var spec = new VcVirtualMachineConfigSpec();
    spec.deviceChange = [];
    spec.deviceChange[0] = new VcVirtualDeviceConfigSpec();
    System.log(spec.deviceChange[0]);

    In the above code, Orchestrator converts the empty spec.deviceChange JavaScript array into the fixed-size Java array VirtualDeviceConfigSpec[] before it calls setDeviceChange(). When calling spec.deviceChange[0] = new VcVirtualDeviceConfigSpec(), Orchestrator calls getDeviceChange() and the array remains a fixed, empty Java array. Calling spec.deviceChange.add() results in the same behavior.

    Workaround: Declare the array as a local variable:

    var spec = new VcVirtualMachineConfigSpec();
    var deviceSpec = [];
    deviceSpec[0] = new VcVirtualDeviceConfigSpec();
    spec.deviceChange = deviceSpec;
    System.log(spec.deviceChange[0]);