"Unable to connect on port" error when logging in to the vRealize Orchestrator

Article ID: 342050

Products

VMware Aria Suite

Issue/Introduction

Symptoms:
When integrating vRealize Orchestrator with vRealize Automation, you experience these symptoms:
  • The configuration of vRealize Orchestrator authentication settings is incorrect.
  • Unable to log in to the vRealize Orchestrator client with an Active Directory user that is configured in vRealize Orchestrator with vRealize Automation authentication settings.
  • Able to log in to the vRealize Automation console (https://VRA_HOSTNAME/vcac/) with the same credentials.
  • There are more vco-service entries than expected in the vRealize Automation appliance management (VAMI) services page.
  • Navigating to Administration > vRO configuration > Server configuration reports these errors:

    • Unable to connect on port
    • Unable to establish a connection to vCenter Orchestrator server


Environment

VMware vRealize Orchestrator 7.0.x
VMware vRealize Automation 7.0.x

Cause

This issue occurs when the vRealize Orchestrator to vRealize Automation integration is misconfigured.

Resolution

This is a known issue affecting VMware vRealize Automation 7.0.

Currently, there is no resolution.

To work around this issue, recover the vRealize Orchestrator to its default configuration:
  1. Remove all vco services registered in the component registry:

    1. Log in to all of the vRealize Automation/Orchestrator appliance nodes through a console or SSH session.
    2. Run this command:

      vcac-config service-delete --service-name vco

  2. Restore the sso.properties and cafe.properties to default settings in the embedded vRealize Orchestrator servers:

    1. Log in to all of the vRealize Automation/Orchestrator appliance nodes through a console or SSH session.
    2. Edit the /etc/vco/app-server/sso.properties file on each server and update these entries:

      • com.vmware.o11n.sso.default.tenant = vsphere.local
      • com.vmware.o11n.sso.admin.group.name = vcoadmins
      • com.vmware.o11n.sso.admin.group.domain = vsphere.local

    3. Edit the /etc/vco/app-server/cafe.properties file on each server and update these entries to the defaults:

      • vco.cafe.service.host = vRealize_Automation/Orchestrator_or_load_balancer_VIP_FQDN
      • vco.cafe.service.port = 443
      • vco.cafe.property.is-embedded = true

  3. Restore the vRO cluster to default settings:

    1. Log in to all of the vRealize Automation/Orchestrator appliance nodes by console or SSH session.
    2. Run the following commands on each server:

      • rm /var/lib/vco/app-server/conf/vco-registration-id
      • vcac-vami vco-service-reconfigure

  4. If the vRealize Orchestrator or vRealize Automation instance is clustered, perform these steps:

    1. Log in to all of the vRealize Automation/Orchestrator appliance nodes by console or SSH session.
    2. On the primary vRealize Automation/Orchestrator appliance node, start the configuration service by running the command:

      service vco-configurator start

      Note: This may report an error if the service is already started.

    3. On the secondary vRealize Automation/Orchestrator appliance nodes, run these commands:

      • chown vco /var/lib/vco/app-server/conf/security/passwordencryptor.key
      • chgrp vco /var/lib/vco/app-server/conf/security/passwordencryptor.key
      • service vco-configurator start

        Note: This step may report an error if the service is already started.

    4. Re-cluster the secondary Orchestrator nodes:
    5. Log in to https://Host_FQDN:8283/vco-controlcenter as the appliance root user (on your secondary appliance).
    6. Navigate to Home > Manage > Join Node to Cluster and provide the location and credentials of the first vRealize Automation/Orchestrator node.
    7. To resolve the BadCredentialsException error, see the VMware Knowledge Base article 2143150.

  5. Configure vRealize Orchestrator default administrators group to use an AD group instead of vsphere.local\vcoadmins.

    To configure the default administrators group to use an AD group in Orchestrator instances:

    1. In embedded Orchestrator instances:

      1. Log in to all of the vRealize Automation/Orchestrator appliance nodes by console or SSH session.
      2. Edit the /etc/vco/app-server/sso.properties file on each server and update the following entries to your values:
        • com.vmware.o11n.sso.default.tenant = new_tenant
        • com.vmware.o11n.sso.admin.group.name = vRO_administrators_group
        • com.vmware.o11n.sso.admin.group.domain = group_domain
      3. Edit the /etc/vco/app-server/cafe.properties file on each server and verify that the property vco.cafe.service.port has a value of 443.
      4. Restart the vco service by running this command:

        service vco-server restart

    2. In external Orchestrator instances:

      1. Log in to the Control Center for all external vRealize Orchestrator appliance nodes.
      2. Navigate to the Configure Authentication Provider on each.
      3. Click on Change for the Admin Group.
      4. Select the new AD group for the vcoadmins and click Save.
      5. Restart the vco service by running this command:

        service vco-server restart

  6. Complete the configuration:

    1. Restart vco and vcac services on all appliances by running these commands:

      service vcac-server restart
      service vco-server restart
    2. Log in to your vRealize Automation tenant as a tenant administrator.
    3. Navigate to Administration > Directories Management > Identity Providers and select the current Identity Provider.
    4. Ensure that the IdP hostname field is set to the vRealize Automation server host name or, if vRealize Automation is clustered, the load balancer VIP address. Change it if needed.
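
A read-only check for the property edits in steps 2 and 5, added here as an example and not part of the VMware article: it compares sso.properties and cafe.properties against expected values and reports each key that is missing or differs. The function names, the constructed sample files and the host name vra-vip.example.test are assumptions; on an appliance the directory is /etc/vco/app-server as given above.

```shell
# prop_get FILE KEY: print the trimmed value of KEY (last assignment wins);
# status 1 if KEY is absent. Accepts "key = value" and "key=value".
prop_get() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }                 # comment lines
        { sep = index($0, "="); if (!sep) next
            k = substr($0, 1, sep - 1); v = substr($0, sep + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) { val = v; found = 1 } }
        END { if (!found) exit 1; print val }' "$1"
}

# check_props FILE KEY=VALUE...: one line per deviation; returns 0 when all
# keys match, 1 on drift, 2 if FILE is unreadable.
check_props() {
    file=$1; shift; drift=0
    [ -r "$file" ] || { echo "UNREADABLE $file"; return 2; }
    for pair in "$@"; do
        key=${pair%%=*}; want=${pair#*=}
        if have=$(prop_get "$file" "$key"); then
            [ "$have" = "$want" ] && continue
            echo "DRIFT   $file: $key is '$have', expected '$want'"
        else
            echo "MISSING $file: $key (expected '$want')"
        fi
        drift=$((drift + 1))
    done
    [ "$drift" -eq 0 ]
}

# check_vro_defaults CONF_DIR VIP_FQDN: the step 2 defaults for both files.
check_vro_defaults() {
    rc=0
    check_props "$1/sso.properties" \
        com.vmware.o11n.sso.default.tenant=vsphere.local \
        com.vmware.o11n.sso.admin.group.name=vcoadmins \
        com.vmware.o11n.sso.admin.group.domain=vsphere.local || rc=1
    check_props "$1/cafe.properties" "vco.cafe.service.host=$2" \
        vco.cafe.service.port=443 vco.cafe.property.is-embedded=true || rc=1
    return "$rc"
}

# Constructed sample (not from a real appliance): one drifted, one missing key.
demo=$(mktemp -d)
printf '%s\n' '# constructed sample' 'com.vmware.o11n.sso.default.tenant = vsphere.local' \
    'com.vmware.o11n.sso.admin.group.name=vcoadmins' \
    'com.vmware.o11n.sso.admin.group.domain = corp.example' > "$demo/sso.properties"
printf '%s\n' 'vco.cafe.service.host = vra-vip.example.test' \
    'vco.cafe.service.port = 443' > "$demo/cafe.properties"
check_vro_defaults "$demo" vra-vip.example.test || echo "not at step 2 defaults"
```

After step 5, call check_props directly with your own tenant, group name and group domain instead of the vsphere.local defaults, and run it on every node so the files stay identical across the cluster.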


Additional Information

Error 'BadCredentialsException' when connecting to the embedded vRO instance on a clustered or HA distribution of vRA 7.0