vRealize Automation 8.4.2 | 06 August 2021

  • vRA Easy Installer (ISO) build 18213287
  • vRA product (appliance)  build 18203736

Check regularly for additions and updates to these release notes.

Updates made to this document

Date Description of update Type
27 June 2021 Upgrade from vRA 8.4.x to 8.4.2 might fail while trying to initialize pods after VA reboot Known Issue
22 July 2021 Removed "Limit the number of namespaces for a project on a K8s zone" from list of new features to fix earlier mistake. Feature will be available in future release. Whats New
06 August 2021 vRealize Automation upgrade fails with error code LCMVRAVACONFIG90030 due to password expiration Known Issue
02 March 2022
Added link to KB workaround used to resolve upgrade failure related to the log4j vulnerabilities.

What's in the Release Notes

About vRealize Automation 8.4.2

Important: Before upgrading to vRealize Automation 8.4.2, delete all assignments of "vRealize Automation Migration Assistant" roles to groups. After the upgrade is completed, add the assignments back. If you attempt to upgrade with the "vRealize Automation Migration Assistant" role assigned, the upgrade will fail while trying to initialize pods after rebooting.

vRealize Automation 8.4.2 adds to the vRealize Automation 8.3 capabilities to bring it closer in capability to the vRA 7.x release, reintroducing key capabilities like XaaS and adding capabilities such as Powershell support in ABX and python, node.js and Powershell in vRO.


Upgrade failure after performing steps in KB 87120

Performing the instructions used to address the CVE-2021-44228 and CVE-2021-45046 log4j vulnerabilities described in KB 87120 can cause upgrade failures for vRealize Automation and vRealize Orchestrator 8.6.2 or earlier. For a workaround, see KB 87794.

What's New

The many benefits of vRealize Automation 8.4.2 include: 

Disks added through vRO and extensibility reflected on deployment (topology) diagram

Disks that were added using vRO workflows or ABX with vRA APIs at the time of initial provisioning are also reflected on the deployment design canvas. All current day 2 actions are available for these disks.

Support for Microsoft Azure Disk Encryption Set

The Microsoft Azure disk encryption set supports:

  • Disk Encryption feature for Microsoft Azure independent disks (independent managed disks) in vRA
  • Disk encryption feature for Day 2 action "Add Disk"

Property group enhancements (vRO, secrets)

Property groups can now:

  • Use vRO workflows for dynamic external values to define properties
  • Bind secrets to property groups in order to reuse multiple secrets

Shared IP range for multiple networks

It is now possible for vRA to assign same IP range coming from internal or external IPAM to multiple networks.

Provider Events triggered upon tenant resource CRUD

Events in the provider organization enable the provider to trigger subscriptions and write in the CMDB etc. (or for billing purposes). These events are only for resources that the provider must have visibility into. No deployment level events are triggered in the provider org, for tenant deployments.

Support for Snapshot management of Microsoft Azure disks

The Microsoft Azure disk snapshot management now supports:

  •    Disk Snapshot Enumeration
  •    Day 2 action for deleting Disk Snapshot from Machine
  •    Compatibility for Managed Disk Snapshot – Resource Group, Encryption set, Network policy, Tags as parameters

Before You Begin

Familiarize yourself with the supporting documents.

After installing vRealize Automation and setting up your users, you can use the Getting Started and Using and Managing guides for each of the included services. The Getting Started guides include an end-to-end proof of concept. The Using and Managing guides provide more in-depth information that supports your exploration of the available features. Additional information is also available in vRealize Automation 8.4 product documentation.

For information on vRealize Orchestrator 8.4.2 features and limitations, refer to the vRealize Orchestrator 8.4.2 Release Notes.

API Documentation and Versioning

API documentation is available with the product. To access all Swagger documents from a single landing page, go to https://<appliance.domain.com>/automation-ui/api-docs where appliance.domain.com is your vRealize Automation appliance.

Before using the API, consider the latest API updates and changes for this release, and note any changes to the API services that you use. If you have not locked your API to a version before, you might encounter a change in an API response. As a best practice, use the apiVersion variable to lock your API to the version you want to use. For example:

  • To lock your APIs to the vRealize Automation 8.4.1 APIs, use apiVersion=2021-05-25
  • To lock your APIs to the vRealize Automation 8.4.2 APIs, use apiVersion=2021-06-22

If left unlocked, your API requests will default to the latest version which is apiVersion=2021-06-22.

For information on how to lock you APIs to a specific version, see the "API Versioning" section of the vRealize Automation 8.4 API Programming Guide.

Service Name Service Description API Updates and Changes
ABX Create or manage actions and their versions. Execute actions and flows. No change

This is a new service running inside approval container

Find resource usage metrics at org, user and project level.

No change
Approval Enforce policies which control who must agree to a deployment or day 2 action before the request is provisioned No change
Blueprint Create, validate, and provision blueprints or cloud templates.

New parameters:

  • POST /blueprint/api/blueprint-integrations/terraform/create-blueprint-from-mapping
    New param: apiVersion
    The version of the API in yyyy-MM-dd format (UTC).
  • POST /blueprint/api/blueprint-integrations/terraform/create-blueprint-mapping
    New param: apiVersion
  • GET /blueprint/api/blueprint-integrations/terraform/get-configuration-source-commits
    New param: apiVersion
  • GET /blueprint/api/blueprint-integrations/terraform/get-configuration-source-tree
    New param: apiVersion

  • GET /blueprint/api/blueprint-integrations/terraform/get-configuration-sources
    New param: apiVersion

  • POST /blueprint/api/blueprint-integrations/terraform/versions
    New param: apiVersion

  • GET /blueprint/api/blueprint-integrations/terraform/versions/{versionId}
    New param: apiVersion

  • PATCH /blueprint/api/blueprint-integrations/terraform/versions/{versionId}
    New param: apiVersion

  • POST /blueprint/api/blueprint-requests/{requestId}/actions/cancel
    Param removed: force
    type: boolean
    Force cancellation of in progress tasks


Object changes

  • TerraformVersion

    New property: authenticationType
    type: string
    The type of authentication for the download url

    New property: username
    type: string
    The user name for basic authentication

    New property: password
    type: string
    The password for basic authentication

  • Property

    New property: dynamicEnum
    type: string
    Path that can be used to retrieve permissible values

    New property: dynamicDefault
    type: string
    Path that can be used to retrieve single permissible default value

CMX When using Kubernetes with vRealize Automation, deploy and manage Kubernetes clusters and namespaces. No change
Content Gateway
(content service)
Connect to your infrastructure as code content in external content sources such as SCM Providers and VMware Marketplace. No change
Custom Forms (form-service) Define dynamic form rendering and customization behavior in Service Broker and Cloud Assembly VMware services. No change


Access deployment objects and platforms or blueprints that have been deployed into the system.

No change

IaaS Perform infrastructure setup tasks, including validation and provisioning of resources in iterative manner. No change
Migration This service is used to quickly setup a vRA 8 instance based on information in a configuration file a.k.a Zero-Setup No change

Provide visibility and isolation of provisioned resources for users with a project role.

No change
Relocation Define policy and plans for bringing existing VMs from any cloud under management.

Unregister onboarded machine

POST /relocation/api/wo/unregister-machine


  • resourceLink. A link to the onboarded machine to unregister.
Catalog Access Service Broker catalog items and catalog sources, including content sharing and the request of catalog items. No change
Catalog Service (Policies) Interact with policies created in Service Broker. No change
Code stream all pipeline-service These API provide access to Code Stream services. No change
Identity Service A list of identity, account and service management APIs.
Added GET /csp/gateway/am/api/services/clients/{id}

Get OAuth2 client by passed ID.

Customers that upgraded to vRealize Automation 8.4 using the new upgrade bundle might see errors during scale out (similar to patched environments). As mentioned in KB 79105, the ova bundle is hosted on my.vmware.com.

vIDM 3.3.3 does not support IWA (Integrated Windows Authentication) with an embedded Linux connector. vRA 8.x Customers using LDAP or IWA with the external Windows connector are not impacted. For more details refer to KB 82013.

Support for Azure VMware Solution and Google Cloud VMware Engine

vRealize Automation Cloud is tested and certified to work with VMware's hosted cloud solutions on Microsoft Azure and Google Cloud Platform, called Azure VMware Solution (AVS) and Google Cloud VMware Engine (GCVE), respectively.  Workloads running on AVS or GCVE are now managed by vRealize Automation Cloud after setting up vCenter and NSX-T cloud accounts. For more information, refer to Azure VMware Solution documentation and Google Cloud VMware Engine documentation.

Upgrading to vRealize Automation 8.4.2

Using VMware vRealize Suite Lifecycle Manager, you can upgrade your vRealize Automation 8.x instance to 8.4. For more information, see Upgrading vRealize Suite Lifecycle Manager and vRealize Suite Products.

Resolved Issues

  • When FIPS mode is enabled, Code Stream pod restarts in high load conditions.

    When a high number of concurrent pipelines are run with FIPS mode enabled, Code Stream pods are restarted because the memory consumption exceeds the preset limit of 2.5GB.


  • Deployments fail for blueprints that contain compute tags longer than 256 characters or a key larger than 128 characters

    Deployments fail if a blueprint contains compute tags longer than 256 characters or a key longer than 128 characters.

  • Attempting to accept keys for minions results in a key acceptance job stuck in the "Queued" state in the Activity Tab and the keys are not successfully accepted.

    A regression in this release has been discovered that prevents minion keys from being accepted via the SaltStack Config UI.

    Workaround:Keys may be accepted on each individual salt-master, either by logging into the salt-master and accepting the keys with `salt-key` on the CLI, or via a `cmd.run` job targeted at a minion running on the master.

Known Issues

The following known issues are present in this release.
  • New Upgrading from vRealize Automation 8.4.x to 8.4.2 might fail while trying to initialize pods after VA reboot

    If the vRealize Migration Assistant role is mapped to an administrator role, upgrading from vRA 8.4.x to 8.4.2 might fail while trying to initialize pods after VA reboot. 

    Workaround: Before performing the upgrade, delete all assignments of  "vRealize Automation Migration Assistant" roles to groups. After upgrade is completed, add the assignments back.

  • vRA deployment fails to initialize on new setups from Easy Installer

    vRA deployment (single or clustered) fails to initialize on new setups from Easy Installer or vRealize Suite LCM
    The error shown in LCM is LCMVRAVAVACONFIG590003

    Workaround: Retry cluster initialization from within vRealize Suite LCM.

  • Unable to access the onboarding page.

    Navigating to the onboarding page in Cloud Assembly->Infrastructure might cause a 302 status code. This can happen if you have been logged in for a long time.

    Workaround: Log out and then log back in.

  • When a vCenter cloud account is updated to add a data center, the resources from this data center are not immediately available for use.

    Changes made to regions (data centers) for a vCenter cloud account do not take immediate effect and require data collection to run.

    Workaround: Wait for the next data collection to complete successfully. Data collection runs approximately every 10 minutes.

  • PowerShell tasks appear to be stuck

    When there is no active session PowerShell tasks appear to be stuck. This behavior is seen because the PowerShell process responsible to run the user script is held by Windows system process WmiPrvSE.

    Workaround : Login to the system and keep an active session. Lock the screen instead of completely logging out.

  • vRO represents Array types as complex types with only one column, rather than a field whose "type.isMultiple" is true.

    When adding a workflow which has an array input and consequently customizing its form, do not change the ID of the column in the Values tab of the data grid. The default value must stay set at _column-0_ . Conversely, you can change the label of the column (which is visible in the UI when adding values to the datagrid).

  • License re-configuring is not supported.

    After configuring vRealize Automation with the Enterprise license, the system can not be re-configured to use the Advanced License.

  • vRealize Automation 8 does not support Internet Explorer 11

    You cannot use Internet Explorer 11 with vRealize Automation 8.

    Workaround: Use a different browser instead of Internet Explorer 11.

  • BP Canvas is not refreshed after custom resource has been changed or deleted.

    If you delete a custom resource, the change is not propagated to the Blueprint canvas immediately.

    Workaround: The Canvas has a cache mechanism, which can be updated after using refresh button, next tot he search pane.

  • Create different custom resources with the same vRO object type is not supported

    In vRA 7.X it was possible to create different custom resources for the same type. This allowed users to define a different set of create / delete / operate actions for the same vRO type with creating different custom resource types. In vRA 8.x We do not support a case where same vRO_Type can be leveraged from different custom resources. 

  • vRO workflow is not executed through catalog when there is empty input with reference type

    Null pointer exception appears on attempt to request  vRO Workflow with and empty value for the Workflow input with a reference type.

    Workaround: Set a default value for the reference type or make the field mandatory.

  • Unsuccessfully provisionined custom resource can't be deleted from a deployment

    When you request a custom resource, if the workflow run that creates the resource fails, a resource in the deployment service is still created (since we are replying to the initial request with a STARTED status which in turn creates the resource in deployment). This resource cannot be deleted since it doesn't contain the metadata that is added upon successful provisioning of the resource in vRO.

    Workaround: Right after the first attempt to delete the custom resource, a dialog appears which asks you whether you want to force deletion. Say yes to force its deletion.

  • Custom Resource Name is not propagated correctly to the deployment view list

    When you create a custom resource based on vRO_Type, you usually use a comprehensive display name. Currently this display name is not available in the Deployment view. The resource, which appears in the deployment is identified only by its type.

  • Available option to set time zone from vCenter Machine Console window

     Undefined behavior when user sets time zone from vCenter Machine Console window

    Workaround: Don't change the time zone.

  • Tenant Names with different cases are treated the same way

    A tenant named vmware and another one named VMware are seen as the same.

    Workaround: Tenants in vRA 8.x are based on hostnames since hostnames are case insensitive the tenant names are also case insensitive. This means that a tenant named VMware is the same as VMWARE or vmware or any other combination cases. The tenant name capitalization may vary and may not be preserved across the application.

  •  vRO Workflow presentation with an OGNL expression does not render properly when used as a custom day2 operation in vRA.

    Custom Resource Actions with workflows that have OGNL constraints in their presentation may not render properly and it may not be possible to populate all required fields.

  • Cost\Price functionality does not work with shared infrastructure multi-tenancy

    The pricing functionality might report inaccurate results when configured to a multi-tenant deployment where tenants can share infrastructure resources. This is because pricing does not recognize multi-tenancy. The price is calculated only for the org for which vROPs is added and deployments are created. 

  • Deployments with an existing network fail during allocation on vSphere / NSX-v cloud accounts when DRS is disabled on the vSphere cluster.

    When selecting an NSX-V network in the network profile and requesting a deployment with an existing network, the deployment fails during allocation with the message: "Unable to find a common placement for compute...with the network configuration...". This occurs when the vCenter contains clusters with DRS disabled.

    Workaround: Enable DRS on the cluster and include the cluster in the vRA cloud zone, or select a vSphere network in the network profile.

  • Service broker forms do not populate default values set in vRO workflow input

    When vRO workflow has a string input set with default value ,it does not get automatically propagated in the request form when starting the workflow from service broker.

    Workaround: Set the given default value using service broker Custom forms.

  • Service Broker cannot import vRO workflows that have actions in valueList for a string field

    Schema for string field that contains valueList populated by an action cannot be parsed and imported in Service Broker

  • Pulling Docker Images Behind Proxy requires additional configuration

     The ABX service pulls container images from publicly available Internet repositories. If vRA is deployed on an isolated network that does not allow outbound traffic to public sites, a HTTP proxy must be configured. While vRA 8 enables proxy configuration via its CLI, the workflow does not include an automatic setup for the docker service.

     Workaround: Such configuration should be made separately. KB article to be determined.

  • Complex objects with type anyOf are not supported in cloud template request forms

    If the form contains anyOf property for a complex object, anyOf will be visualized as a string dropdown instead of different sets of constrains to validate the input.

    Workaround: Use Enum type instead of anyOf values.

  • After upgrading to vRealize Orchestrator or vRealize Automation 8.3, some resource elements in the vRealize Orchestrator Client might appear changed or reverted to an older version.

    After upgrading to vRealize Orchestrator or vRealize Automation 8.3, some resource elements in the vRealize Orchestrator Client might appear changed or reverted to an older version. This problem occurs with resource elements that were previously updated in the vRealize Orchestrator Client by using a different source file. After upgrading your vRealize Orchestrator or vRealize Automation deployment, these resource elements can be replaced by an older version. This is an intermittent issue.


    1. Log in to the vRealize Orchestrator Client.

    2. Navigate to Assets>Resources.

    3. Select the resource element affected by the problem.

    4. Select the Version History tab, and restore the element to the appropriate version.

    5. Repeat for all affected resource elements.

  • If vRA is upgraded from vRA 8.0/8.1/8.2 to 8.3 and AD is configured for a project, deployment fails with the error message: "Failed to successfully create Computer object in Active Directory".

    In the vRA 8.3, the AD scripts used to create active directory record are updated to support overriding relative DN from values set in blueprint. User has to re-validate the existing AD integration in vRA after upgrade to deploy the new scripts.

    Workaround: Revalidate the AD integration account in UI.

  • When exporting a package using Mozilla Firefox v84, the generated file has a .zip extension instead of .package and cannot be imported in vRO

    When you export a package with Firefox 84.0.2 on MacOS 10.15 the package is saved as a .zip file.


    • Use Google Chrome or a different version of Mozilla Firefox
    • Change the file extension from .zip to .package

    Note: In macOS, modify the file from the terminal, as the Finder application does not support changing the file format from a known format to an unknown.

  • Execution of local scripts on a virtual machine via a Workflow “Software-Install-Base” triggered by a vRealize Automation Custom Resource can cause the deployment to fail with an error “An Item with the same key has already been added: Key: LinkedView”.

    If the vRealize Automation Blueprint (or Cloud Template) is setup to execute local scripts via a Custom Resource that references the vRO Workflow “Software-Install-Base” which has a Dynamic Type:DynamicTypes:CustomScript.Script then the deployment fails.

    Workaround: Standup a SaltStack Server to run scripts locally on the machine or use another method of local script execution like cloud-init or ABX, or Code Stream.

  • After a single-node installation, the RaaS log shows the error: No such file or directory. Additionally, ctypes.util.find_library() did not manage to locate a library called '/var/lib/raas/unpack/_MEIuxtdsP/Cryptodome/Util/../Cipher/_raw_des.so'.

    This error only occurs at the time of installation and only shows up once in the log.

    Workaround: There is no impact to RaaS, so no additional action is necessary.

  • Machine creation API ignores scsiController and unitNumber provided to attach the disk to the machine being created.

    The API request POST /iaas/api/machines is used to create machines and uses the scsiController and unitNumber to attach the disk. Currently, this API creates the machine and attaches the disk but ignores the user input for scsiController and unitNumber.

    Workaround: Attach disk to the machine separately using the API request POST /iaas/api/machines/{id}/disks with the scsiController and unitNumber.

  • New vRealize Automation upgrade fails with error code LCMVRAVACONFIG90030 due to password expiration

    During upgrade, when the root password is set to non-expiring {color:#FF0000} or {color} has not been changed in over 365 days, the password is updated to expire immediately As a result LCM can not connect to vRA to check upgrade status and upgrade fails.

    Workaround:Workaround: Workaround: Workaround: Update the password before the upgrade.

  • New Configuring the IP Address RELEASED period does not work in a multi-tenant environment

    The task that runs globally to move IP addresses from RELEASED to AVAILABLE is not tenant-aware. In a multi-tenant environment, where one or more tenants has configured an IP address timeout, only one timeout value is applied to all the tenants.

    This issue is being addressed and will be resolved in a future release.

    Workaround: None.

  • New Intermittent failure to deploy machine connected to an NSX-T network and contains tags

    The deployment fails with an error: "SecurityException: : : Failed to query unique virtual machine by external id: [UUID]".
    This occurs when vRA queries NSX for the machine in order to tag it on NSX and receives multiple records since the machine is migrated during vMotion.

    Workaround: Try to deploy again or disable vMotion.

check-circle-line exclamation-circle-line close-line
Scroll to top icon