This is a known issue affecting VMware vRealize Automation 7.0.
Currently, there is no resolution.
To work around this issue, restore the vRealize Orchestrator to its default configuration and then re-register it by completing the following steps in order:
- Remove all vco services registered in the component registry:
- Log in to all of the vRealize Automation/ Orchestrator appliance nodes through console or SSH session.
- Run this command on each node:
vcac-config service-delete --service-name vco
- Restore sso.properties and cafe.properties to their default settings on the embedded vRealize Orchestrator servers:
- Log in to all of the vRealize Automation / Orchestrator appliance nodes through console or SSH session.
- Edit the /etc/vco/app-server/sso.properties file on each server and update these entries:
- com.vmware.o11n.sso.default.tenant = vsphere.local
- com.vmware.o11n.sso.admin.group.name = vcoadmins
- com.vmware.o11n.sso.admin.group.domain = vsphere.local
- Edit the /etc/vco/app-server/cafe.properties file on each server and set these entries to the defaults. For the host entry, use the FQDN of the vRealize Automation/Orchestrator appliance or, if the deployment is clustered, the FQDN of the load balancer VIP:
- vco.cafe.service.host = vRealize_Automation/Orchestrator_or_load_balancer_VIP_FQDN
- vco.cafe.service.port = 443
- vco.cafe.property.is-embedded = true
- Restore the vRO cluster to default settings:
- Log in to all of the vRealize Automation/Orchestrator appliance nodes by console or SSH session.
- Run the following commands on each server:
- rm /var/lib/vco/app-server/conf/vco-registration-id
- vcac-vami vco-service-reconfigure
- If the vRealize Orchestrator or vRealize Automation instance is clustered, perform these steps:
- Log in to all of the vRealize Automation/ Orchestrator appliance nodes by console or SSH session.
- On the primary vRealize Automation/ Orchestrator appliance node, start the configuration service by running the command:
service vco-configurator start
Note: This may report an error if the service is already started.
- On the secondary vRealize Automation/Orchestrator appliance nodes, give the vco account ownership of the password encryptor key and then start the configuration service:
- chown vco /var/lib/vco/app-server/conf/security/passwordencryptor.key
- chgrp vco /var/lib/vco/app-server/conf/security/passwordencryptor.key
- service vco-configurator start
Note: This step may report an error if the service is already started. Confirm the ownership change with ls -l on the key file; it should be owned by the vco user and group.
- Re-cluster the secondary Orchestrator nodes:
- On each secondary appliance, log in to https://Host_FQDN:8283/vco-controlcenter as the appliance root user.
- Navigate to Home > Manage > Join Node to Cluster and provide the location and credentials of the first vRealize Automation/Orchestrator node.
- If the join fails with a BadCredentialsException error, see VMware Knowledge Base article 2143150.
- Configure the vRealize Orchestrator default administrators group to use an Active Directory group instead of vsphere.local\vcoadmins.
To configure the default administrators group to use an AD group in Orchestrator instances:
- In embedded Orchestrator instances:
- Log in to all of the vRealize Automation/Orchestrator appliance nodes by console or SSH session.
- Edit the /etc/vco/app-server/sso.properties file on each server and update the following entries to your values:
- com.vmware.o11n.sso.default.tenant = new_tenant
- com.vmware.o11n.sso.admin.group.name = vRO_administrators_group
- com.vmware.o11n.sso.admin.group.domain = group_domain
- Edit the /etc/vco/app-server/cafe.properties file on each server and verify that the property vco.cafe.service.port has a value of 443.
- Restart the vco service by running this command:
service vco-server restart
- In external Orchestrator instances:
- Log in to the Control Center on each external vRealize Orchestrator appliance node.
- Navigate to Configure Authentication Provider on each node.
- Click Change for the Admin Group.
- Select the new AD group to replace vcoadmins as the admin group and click Save.
- Restart the vco service by running this command:
service vco-server restart
- Complete the configuration:
- Restart vco and vcac services on all appliances by running these commands:
service vcac-server restart
service vco-server restart
- Log in to your vRealize Automation tenant as a tenant administrator.
- Navigate to Administration > Directories Management > Identity Providers and select the current Identity Provider.
- Ensure that the IdP hostname field is set to the vRealize Automation server host name or, if vRealize Automation is clustered, to the load balancer VIP address, and change it if needed.
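The property edits in steps 2 and 6 have to be repeated by hand on every appliance node, which is error-prone in a cluster. The script below is an added example, not part of the VMware article or of the product: it rewrites the "key = value" entries of sso.properties and cafe.properties idempotently (an existing or commented-out entry is replaced, a missing one is appended, everything else is left alone) and keeps a timestamped backup to diff against. The host name vra-lb.example, the tenant acme and the AD group vRO-Admins are assumed placeholders; the demo at the bottom runs on constructed sample files in a temporary directory, not on the real /etc/vco paths.

```shell
#!/bin/sh
# Added example, not from the VMware KB article: idempotently rewrite the
# "key = value" entries in sso.properties and cafe.properties (steps 2 and 6)
# instead of editing them by hand on every node.
# Assumptions: one "key = value" entry per line, as the article shows; file
# paths, host name, tenant and group are supplied by the caller.
set -e

# set_prop FILE KEY VALUE
# Replaces the first line whose key is KEY (active or commented out) with
# "KEY = VALUE"; appends the entry if the key is absent. Other lines are kept.
# Note: awk -v interprets backslash escapes, so VALUE should not contain "\".
set_prop() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)      # ignore indentation and a comment marker
            n = index(line, "=")
            lk = (n > 0) ? substr(line, 1, n - 1) : ""
            gsub(/[ \t]+$/, "", lk)
            if (!done && lk == k) { print k " = " v; done = 1; next }
            print
        }
        END { if (!done) print k " = " v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_prop FILE KEY  -> prints the trimmed value of the first active KEY entry
get_prop() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }                       # skip comments
        {
            n = index($0, "=")
            if (n == 0) next
            lk = substr($0, 1, n - 1); gsub(/^[ \t]+|[ \t]+$/, "", lk)
            if (lk == k) {
                v = substr($0, n + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }
    ' "$1"
}

# Step 2: put both files back to the embedded-vRO defaults listed in the article.
# HOST is the vRA/vRO FQDN or, when clustered, the load balancer VIP FQDN.
restore_vro_defaults() {
    sso=$1; cafe=$2; host=$3
    stamp=$(date +%Y%m%d%H%M%S)
    cp -p "$sso"  "$sso.$stamp.bak"               # keep copies to diff against later
    cp -p "$cafe" "$cafe.$stamp.bak"
    set_prop "$sso"  com.vmware.o11n.sso.default.tenant     vsphere.local
    set_prop "$sso"  com.vmware.o11n.sso.admin.group.name   vcoadmins
    set_prop "$sso"  com.vmware.o11n.sso.admin.group.domain vsphere.local
    set_prop "$cafe" vco.cafe.service.host         "$host"
    set_prop "$cafe" vco.cafe.service.port         443
    set_prop "$cafe" vco.cafe.property.is-embedded true
}

# Step 6 (embedded instances): point the vRO admin group at an AD group.
set_vro_admin_group() {
    sso=$1; tenant=$2; group=$3; domain=$4
    set_prop "$sso" com.vmware.o11n.sso.default.tenant     "$tenant"
    set_prop "$sso" com.vmware.o11n.sso.admin.group.name   "$group"
    set_prop "$sso" com.vmware.o11n.sso.admin.group.domain "$domain"
}

# Demo on constructed sample files (not the real appliance paths), so the
# functions can be exercised without touching /etc/vco.
DEMO_DIR=$(mktemp -d)
DEMO_SSO="$DEMO_DIR/sso.properties"
DEMO_CAFE="$DEMO_DIR/cafe.properties"
cat > "$DEMO_SSO" <<'EOF'
# constructed sample: a broken state left behind by a failed reconfigure
com.vmware.o11n.sso.default.tenant = acme
#com.vmware.o11n.sso.admin.group.name = vcoadmins
com.vmware.o11n.sso.admin.group.domain = acme.example
com.vmware.o11n.sso.other = keep-me
EOF
cat > "$DEMO_CAFE" <<'EOF'
vco.cafe.service.host = old-node.example
vco.cafe.service.port = 8281
EOF
restore_vro_defaults "$DEMO_SSO" "$DEMO_CAFE" vra-lb.example   # assumed VIP FQDN
set_vro_admin_group "$DEMO_SSO" acme vRO-Admins acme.example   # assumed AD group
cat "$DEMO_SSO" "$DEMO_CAFE"
```

On a real node, call restore_vro_defaults with /etc/vco/app-server/sso.properties and /etc/vco/app-server/cafe.properties and then continue with the registration-id removal, vcac-vami vco-service-reconfigure and the service restarts exactly as the steps above describe; the script only covers the file edits, and the backups it leaves behind are what you diff when a node later fails to join the cluster.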