check-circle-line exclamation-circle-line close-line

vRealize Orchestrator Appliance 7.0.1 | 15 Mar 2016 | Build 3571217

Check frequently for additions and updates to these release notes.

Release Notes last updated on 29 Mar 2017.

What's in the Release Notes

The release notes cover the following topics:

What's New in vRealize Orchestrator 7.0.1

vRealize Orchestrator 7.0.1 is a patch release that introduces a number of improvements, bug fixes, and resolves an important issue. See Resolved Issues.

Feature and Support Notice

The features listed below are deprecated in vRealize Orchestrator 7.0.1 and scheduled for removal in future releases. None of the deprecated features should be used as part of any vRealize Orchestrator based solution.

  • LDAP authentication

Note: vRealize Orchestrator only has TLSv1.1 and TLSv1.2 enabled by default. For information about enabling SSLv3 and TLSv1 for outgoing HTTPS connections explicitly, see Enable TLSv1 for outgoing HTTPS connections in vRealize Orchestrator 6.0.4 and 7.0.x manually (KB 2144318).

Deploying the VMware vRealize Orchestrator Appliance 7.0.1

VMware vRealize Orchestrator 7.0.1 is available as a preconfigured virtual appliance. The appliance significantly reduces the time and skills required to deploy vRealize Orchestrator and provides a low-cost alternative to a traditional Windows-based installation.

The Orchestrator Appliance is distributed as an OVF file. It is prebuild and preconfigured with Novell SUSE Linux Enterprise Server, PostgreSQL, and In-Process ApacheDS LDAP, and it can be used with vCenter Server 5.5 and later.

The Orchestrator Appliance functionality is suitable for any use case from lab evaluation to large-scale production, when an external database is used. The appliance offers the flexibility to use either the prebuilt directory services and database, or Single Sign-On based authentication, provided by vRealize Automation and vSphere 6.0, and external database servers like Oracle or Microsoft SQL.

The Orchestrator Appliance is a fast, easy to use, and more affordable way to integrate the VMware cloud stack, including vRealize Automation and vCenter Server, with your IT processes and environment.

Upgrading to vRealize Orchestrator 7.0.1

For instructions about deploying and using the Orchestrator Appliance, see Installing and Configuring VMware vRealize Orchestrator.

Important: For security reasons, the password expiry of the root account of the Orchestrator Appliance is set to 365 days. To increase the expiry time for an account, log in to the Orchestrator Appliance as root, and run the following command:

passwd -x number_of_days name_of_account

To make your Orchestrator Appliance root password last forever, run the following command:

passwd -x 99999 root

Plug-Ins Installed with vRealize Orchestrator 7.0.1

The following plug-ins are installed by default with vRealize Orchestrator 7.0.1:

  • vRealize Orchestrator vCenter Server Plug-In 6.0.2
  • vRealize Orchestrator Mail Plug-In 7.0.1
  • vRealize Orchestrator SQL Plug-In 1.1.4
  • vRealize Orchestrator SSH Plug-In 7.0.1
  • vRealize Orchestrator SOAP Plug-In 2.0.0
  • vRealize Orchestrator HTTP-REST Plug-In 2.0.1
  • vRealize Orchestrator Plug-In for Microsoft Active Directory 2.0.7
  • vRealize Orchestrator AMQP Plug-In 1.0.4
  • vRealize Orchestrator SNMP Plug-In 1.0.3
  • vRealize Orchestrator PowerShell Plug-In 1.0.8
  • vRealize Orchestrator Multi-Node Plug-In 7.0.0
  • vRealize Orchestrator Dynamic Types 1.1.0
  • vRealize Orchestrator vCloud Suite API (vAPI) Plug-In 1.0.0

Internationalization Support

vRealize Orchestrator 7.0.1 supports internationalization level 1. Although Orchestrator is not localized, it can run on non-English operating systems and supports non-English text.

How to Provide Feedback

Your active feedback over the next few weeks is appreciated. Provide your feedback by:

  • Support Requests (SRs)
  • Orchestrator Discussion Forum

Support Requests

File all issues that you find as Support Requests (SRs), even if you report them to VMware by other means.

You can find the VMware Support's commitment to SRs filed by customers and instructions on how to file an SR at

Include log files in your SRs. To gather log files and configuration from Orchestrator:

  1. Go to Control Center at https://orchestrator_server_ip_address:8283/vco-controlcenter.
  2. Log in as root.
  3. Click Export Logs.
  4. Click Export logs.
  5. Save the generated ZIP file.
  6. Upload the saved ZIP file to VMware Support.

Earlier Releases of vRealize Orchestrator

Features and issues from earlier releases of vRealize Orchestrator are described in the release notes for each release. To review release notes for earlier releases of vRealize Orchestrator, click one of the following links:

Resolved Issues

vRealize Orchestrator 7.0.1 resolves the following issues:

  • CVE-2015-7547 glibc getaddrinfo() stack-based buffer overflow

    The issue is resolved in this release.

  • You cannot copy or paste elements in a workflow schema while editing a workflow

    The issue is resolved in this release.

  • Visual binding does not work, when using the Orchestrator client in Mac OS
    When editing workflows and using visual binding on Mac OS, you cannot bind parameters or attributes to other parameters of a scriptable task, action, or workflow.

    The issue is resolved in this release.

  • Deeply nested objects are not converted to the correct type.

    The issue is resolved in this release.

  • You cannot mark the Orchestrator's own SSL certificate as trusted
    You cannot add the Orchestrator server SSL certificate to the Orchestrator trust store.

    The issue is resolved in this release.

  • Missing logs, variables, and workflow run information in the Orchestrator client
    If you use Orchestrator with an Oracle database and debug workflows, the workflow logs, variables, and state data might not reliably sync with the Orchestrator client.

    The issue is resolved in this release.

  • The Orchestrator Client is unable to verify already trusted certificates and requires a user confirmation.
    When a certificates is signed by CA Orchestrator Client fails to follow certificate chain.

    The issue is resolved in this release.

  • After upgrading to Orchestrator 7.0.x, permission sets are lost if you are using local openLDAP authentication
    After you upgrade or migrate Orchestrator to version 7.0.x, the default user groups of the local openLDAP authentication provider are with different names. This causes permissions and user interaction answer groups to be lost.

    The issue is resolved in this release.

  • Registered hosts in the SOAP plug-in are not visible after migration or an upgrade
    After you migrate or upgrade Orchestrator to version 7.0.x, registered hosts in the SOAP plug-in are not shown in the inventory of the Orchestrator Client or the inventory located at https://orchestrator_host:8281/vco/api/inventory/SOAP.

    The issue is resolved in this release.

  • After migration to Orchestrator 7.0.x some plug-ins might be downgraded
    When you migrate to Orchestrator 7.0.x, some of the default plug-ins might be downgraded to the plug-ins in the source Orchestrator version that you migrate from. This only occurs to plug-ins that have the same version in the source Orchestrator and Orchestrator 7.0.x but a higher build number in Orchestrator 7.0.x.

    For example, if you migrate from Orchestrator 6.0.3 to Orchestrator 7.0.x. Some of the default plug-ins in Orchestrator 6.0.3 have the same versions as the plug-ins in Orchestrator 7.0.x. The build numbers of the 7.0.x plug-ins are higher than the build numbers of the 6.0.3 plug-ins. However, during the migration, the plug-ins in Orchestrator 6.0.3 override the plug-ins of Orchestrator 7.0.x and as a result they are downgraded.

    The issue is resolved in this release.

Known Issues

The known issues are grouped as follows:

Installation Issues

  • The wrong Orchestrator version is displayed in the vSphere client.
    After you upgrade Orchestrator to version 7.0.1, the vSphere client displays it as version 7.0.

  • The Orchestrator service cannot recover after a back up and restore procedure.
    When you back up and restore Orchestrator, the server is not accessible from vRealize Automation with a Unable to establish a connection to vCenter Orchestrator server error. This results into Orchestrator being unable to start, while having a STARTED status, missing tasks and policies, and workflows that must be re-run.

    Workaround: Re-create the missing scheduled tasks and policies, re-run the scheduled workflows that did not start, and restart the Orchestrator service.

Configuration Issues

  • The vRealize Orchestrator SQL plug-in cannot connect to a MySQL database.
    When you run the Add a database workflow fails against a MySQL database, the workflow fails with a The driver 'com.mysql.jdbc.Driver' for 'MySQL' database cannot be found! error message.

    NOTE: The support for MySQL databases was removed in vRealize Orchestrator 7.0.

    Workaround: To enable support for MySQL database, you must install the JDBC driver for MySQL on the Orchestrator platform.

    1. Download the latest JDBC driver for MySQL from
    2. Extract the downloaded archive.
    3. In the extracted folder, locate the mysql-connector-java-x.x.x.jar file, where x.x.x is the current subminor version.
    4. Copy the mysql-connector-java-x.x.x.jar to the /usr/lib/vco/app-server/lib directory on the Orchestrator server.
    5. Change the ownership of the mysql-connector-java-x.x.x.jar file.
    6. chown vco:vco mysql-connector-java-x.x.x.jar

    7. Change the permissions of the mysql-connector-java-x.x.x.jar.
    8. chmod 644 mysql-connector-java-x.x.x.jar

    9. Restart the Orchestrator server service.
    10. service vco-server restart

  • Orchestrator does not support importing a mail server certificate to Trusted certificates when the used port requires issuing the STARTTLS command.
    When you import a mail server SSL/TLS certificate by using the Import from URL option and the URL contains SMTP port 587, the import fails with an Error! IOException. Message: 'Unrecognized SSL message, plaintext connection?' error message.

    Workaround: Export the certificate to a PEM-encoded file and import it to Orchestrator manually.

    1. Use SSH to access the Orchestrator appliance and log in as root.
    2. Run the command:
    3. openssl s_client -connect -debug -starttls smtp

    4. Copy the Server certificate from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- and save it in a file.
    5. Import the certificate file to Trusted Certificates in Control Center, by using the Import from a PEM-encoded file option.

  • The SOAP plug-in cannot connect through an authenticated proxy server.
    When you run the Add a SOAP host workflow, use a proxy server that does not require authentication.

  • Updated timeout values of a REST Host take effect only after the Orchestrator server is restarted.
    When you run the Update a REST Host workflow to change the REST Host timeout configuration, you must restart the Orchestrator server for the changes to take effect.

    Workaround: Restart the Orchestrator server.

  • The Orchestrator client does not run on earlier to Java 8 versions.
    You need Java 8 to run the Orchestrator client.

  • If you experience issues connecting to a SOAP or a REST host, or importing a certificate, you might have to enable certain versions of SSL or TLS explicitly.
    For information about the problem, see

    Workaround: For information about enabling SSLv3 and TLSv1 for outgoing HTTPS connections explicitly, see Enable TLSv1 for outgoing HTTPS connections in vRealize Orchestrator 6.0.4 and 7.0.x manually (KB 2144318).

  • vCenter Server objects not accessible in the vSphere Web Client.
    Orchestrator cannot access vCenter Server objects in the vSphere Web Client if the vCenter Server instance that you are attempting to access is registered in Orchestrator by IP address.

    Workaround: Register the vCenter Server instance by host name.

  • Orchestrator authentication configuration might become invalid, if the authentication provider certificate changes or regenerates.
    When Orchestrator is configured to use vCenter Single Sign-On, if the certificate of the vCenter Single Sign-On server changes or regenerates, the Orchestrator authentication configuration becomes invalid and the Orchestrator server cannot start.

    Workaround: To work around this issue, import the new authentication provider certificate:

    1. Log in to Control Center as root.
    2. Click Certificates.
    3. Click the Import... button in the Trusted Certificates tab.
    4. Load the SSL certificate from a URL or a file.
    5. Click Import.
    6. Restart the Orchestrator server from the Startup Options page in Control Center.

  • Orchestrator does not work with forest and external trusts in Active Directory.
    Multiple domains that are not in the same tree but have a two-way trust, are not supported and do not work with Orchestrator. The only configuration supported for multi-domain Active Directory is domain tree. Forest and external trusts are not supported.

  • Support for TNSNames missing when you connect to an Oracle database.
    You cannot use TNSNames to connect to an Oracle database. You can connect to an Oracle database using an IP address or a DNS name.

    Workaround: Add support for RAC and TNS configuration for Oracle 11g Database instances to vRealize Orchestrator (KB 1022828).

Client Issues

  • Problems handling non-ASCII characters in certain contexts.
    Using non-ASCII characters in input parameters results in incorrect behavior in the following situations:
    • If you run the SCP put or SCP get workflows from the SSH folder on a file with a name that contains non-ASCII characters, the workflow runs, but name of the resulting file on the destination machine is garbled.
    • If you try to insert non-ASCII characters into attribute names, the characters do not appear. The issue occurs for workflow attributes and action attributes.

  • Use of the Orchestrator client through Java WebStart if the Orchestrator Appliance is behind Network Address Translation (NAT) is not supported.

  • The task scheduler does not run when the Orchestrator server and the Orchestrator client use different time zones.
    If your Orchestrator client uses a time zone that is different from UTC, the Orchestrator server always interprets the scheduled time in UTC for any scheduled task and the task does not run at the designated time.
  • Workaround: Always enter the time for the scheduled tasks in UTC.

Miscellaneous Issues

  • Specifying a root object for selecting a value in a presentation does not work.
    When a workflow contains a root object and you must define a value for this object, the Select (object_name) dialog box shows the entire Orchestrator plug-ins inventory, instead of filtering only the plug-in to which the selected root object belongs.

  • Custom event schema elements do not work in an Orchestrator cluster.
    Resuming a workflow run based on a Wait for custom event schema element does not work when the Orchestrator server is configured in a cluster. The custom event schema elements work only on single Orchestrator nodes.

  • The Send notification and Send notification to mailing list workflows fail when the configured SMTP port is 587.
    When you use the Send notification or the Send notification to mailing list workflows from the Mail Plug-in, the workflow run fails with an error Cannot send mail: 'Could not convert socket to TLS' Cause: 'unable to find valid certification path to requested target', even though the SSL/TLS certificate of the remote mail server is imported to Trusted Certificates.
  • Workaround: After you import the mail server SSL/TLS certificate, restart the Orchestrator server and run the workflow.

  • The SOAP plug-in does not support mutual authentication with the SOAP host.
    The available authentication mechanisms support only one-way authentication.

  • The SSH plug-in cannot connect to a Cisco Adaptive Security Appliance (ASA) firewall.
    The SSH plug-in for vRealize Orchestrator 7.0.1 does not support connectivity to a Cisco Adaptive Security Appliance (ASA) firewall.

  • Restricted access to vCenter Server inventory can cause errors if you select Session per user.
    If you select the Session per user option when adding a vCenter Server instance to Orchestrator, attempting to access the vCenter Server inventory might result in some errors for a user with restricted access to inventory objects.

  • vCenter Server plug-in does not have valid credentials after upgrading to Orchestrator 6.0.x or later.
    If you upgrade Orchestrator to 6.0.x or later, the vCenter Server plug-in does not have valid credentials.

    Workaround: After upgrading Orchestrator, update the vCenter Server instance and configure a password for the user.

  • vRealize Orchestrator displays the vCenter Server plug-in as unusable.
    After you upgrade vRealize Orchestrator to version 6.0.x or later, if you have not upgraded the Site Recovery Manager plug-in to version 6.0.0, the vCenter Server plug-in becomes unusable.

    Workaround: Upgrade the Site Recovery Manager plug-in to version 6.0.0 or disable the Site Recovery Manager 5.8.0 plug-in.

  • The Orchestrator configuration interface might not be accessible with Internet Explorer 11.
    If you are using Internet Explorer 11, you might be unable to log in to the Orchestrator configuration interface.

    Workaround: Install Internet Explorer version 11.0.11 or a recent version of Google Chrome or Mozilla Firefox.

  • The workflow token remains uncompleted, if a workflow has a slash in its name.
    If you have a workflow with a slash in its name, when you run the workflow, the workflow token might never change to completed, although the workflow itself has completed running.

    Workaround: Remove the slash from the name of the workflow.

  • The Convert disks to thin provisioning workflow does not handle virtual machines with snapshots correctly and does not convert the thick-provisioned disks.
    On completion, the Convert disks to thin provisioning workflow reports that the thick-provisioned disks of virtual machines with snapshots are successfully converted to thin-provisioned, when they are actually not.

    Workaround: Do not include virtual machines with snapshots in the workflow.

  • Adding values to vCenter Server data object properties of type Array is impossible.
    When Orchestrator runs scripts, the vCenter Server plug-in converts JavaScript arrays to Java arrays of a fixed size. As a result, you cannot add new values to vCenter Server data objects that take arrays as property values. You can create an object that takes an array as a property if you instantiate that object by passing it a prefilled array. However, after you have instantiated the object, you cannot add values to the array.

    For example, the following code does not work:

    var spec = new VcVirtualMachineConfigSpec();
    spec.deviceChange = [];
    spec.deviceChange[0] = new VcVirtualDeviceConfigSpec();

    In the above code, Orchestrator converts the empty spec.deviceChange JavaScript array into the fixed-size Java array VirtualDeviceConfigSpec[] before it calls setDeviceChange(). When calling spec.deviceChange[0] = new VcVirtualDeviceConfigSpec(), Orchestrator calls getDeviceChange() and the array remains a fixed, empty Java array. Calling spec.deviceChange.add() results in the same behavior.

    Workaround: Declare the array as a local variable, as follows:

    var spec = new VcVirtualMachineConfigSpec();
    var deviceSpec = [];
    deviceSpec[0] = new VcVirtualDeviceConfigSpec();
    spec.deviceChange = deviceSpec;