check-circle-line exclamation-circle-line close-line

vRealize Orchestrator Appliance 7.3 | 16 May 2017 | Build 5521409

Check frequently for additions and updates to these release notes.

What's in the Release Notes

The release notes cover the following topics:

What's New in vRealize Orchestrator 7.3

vRealize Orchestrator 7.3 introduces a number of improvements, bug fixes, and extends the automated configuration with new options:

  • Integration with Single Sign-On (SSO) through vRealize Automation or vSphere authentication.
  • Improved configuration of Control Center, including an initial configuration wizard.
  • Role-based access to Control Center as opposed to the unrestricted root access in earlier versions.

The redesigned vRealize Orchestrator vCenter Server plug-in is now included in the vRealize Orchestrator platform. The new vCenter Server plug-in has the following features:

  • Simplified maintenance and faster troubleshooting, compared to the earlier versions of the plug-in.
  • Improved performance thanks to an optimized communication with the vSphere Server instances and changes in the caching schema.
  • Maximum compatibility of the scripting API and content compatibility with the vSphere products with version 5.5 and later.
  • Support for Storage Policy Based Management (SPBM) and Storage Monitoring Service (SMS) endpoints.

For more information on the changes in the vCenter Server plug-in for vRealize Orchestrator 7.3 and potential compatibility issues with earlier versions of the plug-in, see What's New in the New vCenter Server Plug-In.

The vRealize Orchestrator Dynamic Types plug-in 1.3.0 includes two new features.

  • Added support for custom DynamicType properties that are persistent in the configuration.
  • Introduced an improved caching mechanism that supports configuring timeout settings per object.

Feature and Support Notice

  • The following feature has reached its End of Life and is no longer available or supported in vRealize Orchestrator.
    • LDAP authentication

  • The following features are deprecated in vRealize Orchestrator and are scheduled for removal in future releases.
    • Support for Microsoft SQL Server and Oracle Database as external database servers.
    • Support for SNMPv3.
  • The vCenter Single Sign-On Legacy authentication mode has been replaced by the vSphere authentication method.
  • The following workflows of the vRealize Automation plug-in are deprecated and will not work with vRealize Automation plug-in 7.3.
    • Create a Management Endpoint
    • Delete a Management Endpoint
    • Delete a Connection Credential
    • Create a Connection Credential

Deploying the VMware vRealize Orchestrator Appliance 7.3

VMware vRealize Orchestrator 7.3 is available as a preconfigured virtual appliance.

The Orchestrator Appliance is distributed as an OVA file. It is prebuilt and preconfigured with Novell SUSE Linux Enterprise Server, PostgreSQL, and it can be deployed with vCenter Server 5.5 and later.

The Orchestrator Appliance is a fast, easy to use, and more affordable way to integrate the VMware cloud stack, including vRealize Automation and vCenter Server, with your IT processes and environment.

Upgrading to vRealize Orchestrator 7.3

For instructions about deploying and using the Orchestrator Appliance, see Upgrading and Migrating VMware vRealize Orchestrator.

NOTE: Upgrading vRealize Orchestrator Appliance from version 5.5.x to 7.3 is not supported. You must upgrade your vRealize Orchestrator Appliance 5.5.x to 6.0.x first.

Important: For security reasons, the password expiry of the root account of the Orchestrator Appliance is set to 365 days. To increase the expiry time for an account, log in to the Orchestrator Appliance as root, and run the following command:

passwd -x number_of_days name_of_account

To make your Orchestrator Appliance root password last forever, run the following command:

passwd -x 99999 root

Plug-Ins Installed with vRealize Orchestrator 7.3

The following plug-ins are installed by default with vRealize Orchestrator 7.3:

  • vRealize Automation Center Infrastructure Administration Plug-In 7.3.0
  • vRealize Automation Plug-In 7.3.0
  • vRealize Orchestrator vCenter Server Plug-In 6.5.0
  • vRealize Orchestrator Mail Plug-In 7.0.1
  • vRealize Orchestrator SQL Plug-In 1.1.4
  • vRealize Orchestrator SSH Plug-In 7.0.2
  • vRealize Orchestrator SOAP Plug-In 2.0.0
  • vRealize Orchestrator HTTP-REST Plug-In 2.2.2
  • vRealize Orchestrator Plug-In for Microsoft Active Directory 3.0.6
  • vRealize Orchestrator AMQP Plug-In 1.0.4
  • vRealize Orchestrator SNMP Plug-In 1.0.3
  • vRealize Orchestrator PowerShell Plug-In 1.0.11
  • vRealize Orchestrator Multi-Node Plug-In 7.3.0
  • vRealize Orchestrator Dynamic Types 1.3.0
  • vRealize Orchestrator vCloud Suite API (vAPI) Plug-In 7.3.0
  • vRealize Orchestrator Plug-In for vRealize Automation 7.3.0

Internationalization Support

vRealize Orchestrator 7.3 provides a multi-language support for Control Center and supports internationalization level 1 for the Orchestrator client.

How to Provide Feedback

Your active feedback is appreciated. Provide your feedback by using one of the following methods:

  • Support Requests (SRs)
  • Orchestrator Discussion Forum

Support Requests

File all issues that you find as Support Requests (SRs), even if you report them to VMware by other means.

You can find the VMware Support's commitment to SRs filed by customers and instructions on how to file an SR at

Include log files in your SRs. Follow the steps to gather log files and configuration from Orchestrator:

  1. Go to Control Center at https://orchestrator_server_ip_address:8283/vco-controlcenter.
  2. Log in as an administrator.
  3. Click Export Logs.
  4. Click Export logs.
  5. Save the generated ZIP file.
  6. Upload the saved ZIP file to VMware Support.

Earlier Releases of vRealize Orchestrator

Features and issues from earlier releases of vRealize Orchestrator are described in the release notes for each release. To review release notes for earlier releases of vRealize Orchestrator, click one of the following links:

Resolved Issues

vRealize Orchestrator 7.3 resolves the following issues:

  • NEW! In the new vCener Server plug-in, boolean XPath expressions are applied on every element of a collection, instead of the entire collection.
    When the XPath expression that you use contains operators that are specific to collections, the returned results are incorrect. For example, in the expression xpath:name[contains(.,'vm1')], the filter is applied to every element and the expression does not return any result.
  • Custom event schema elements do not work in an Orchestrator cluster.
    Resuming a workflow run based on a Wait for custom event schema element does not work when the Orchestrator server is configured in a cluster. The custom event schema elements work only on single Orchestrator nodes.
  • The database keystore becomes unreadable after an import or migration from a different Orchestrator instance.
    When importing or migrating an Orchestrator configuration that includes the passwordencryptor.key file, the imported passwordencryptor.key file replaces the existing one on the target server. As a result, the keystore cannot be read, because its password is encrypted with the original .key file.
  • The task scheduler does not run when the Orchestrator server and the Orchestrator client use different time zones.
    If your Orchestrator client uses a time zone that is different from UTC, the Orchestrator server always interprets the scheduled time in UTC for any scheduled task and the task does not run at the designated time.
  • Orchestrator does not support importing a mail server certificate to Trusted certificates when the used port requires issuing the STARTTLS command.
    When you import a mail server SSL/TLS certificate by using the Import from URL option and the URL contains SMTP port 587, the import fails with an Error! IOException. Message: 'Unrecognized SSL message, plaintext connection?' error message.
  • System.log does returns the name of the workflow and the current date instead of an empty array or an empty string.
    When a scriptable task of a workflow contains either System.log([]) or System.log("")., the system log is not empty but includes the name of the workflow and the current date.
  • A workflow run fails with a Cannot execute workflow : Unable to authenticate with OAuthToken! The token is expired. error message.
    When a wokflow contains a scriptable task that uses the execute() method to start several subworkflows, and waits for these subworkflows to complete, the workflow token expires and the workflow run fails.
  • The REST API client does not encode and decode space characters correctly.
    When querying scripting actions by their fully qualified names with the REST API client, the space characters are incorrecly encoded as %2B or a plus (+) character. As a result, the request fails with an Script module not found error message.
  • The Orchestrator scripting engine cannot catch an exception if invalid Module properties are used.
    When you use the System.getModule() method to invoke a Module object and the name of the module is not valid, the scripting engine cannot catch the NullPointerException that is retuned, if the Module name points to a non-existing object.
  • The vRealize Orchestrator Plug-In for Site Recovery Manager 6.1.1 and 6.1.2 does not work with vRealize Orchestrator 7.2.
    The Local Site text box disappears from the configuration workflows of the Site Recovery Manager plug-in 6.1.1 and 6.1.2 after the The field is mandatory message has appeared.
  • The Orchestrator plug-in for vSphere Web Client does no support vSphere Web Client integration 6.5.
    Using the Orchestrator plug-in for vSphere Web Client with vSphere 6.5 produces TypeError: Error #1009 errors.
  • You cannot edit the input parameter type field when editing a workflow if the Orchestrator client has been active for more than 20 minutes.
    If you have been working with the Orchestrator client for more than 20 minutes and you start editing a workflow, you can no longer modify the type of an input parameter.
  • The vRealize Orchestrator SQL plug-in shows the database password in plain text format.
    When you run the Add a database workflow to configure a remote database, the workflow run token displays the password you have provided to connect to the database in a plain text format.
  • The OAuth token expires before the check for expiring token runs and provides a renewed token.
    The token expiration check runs every 10 minutes and some of the existing tokens expire before the token lifetime monitor can renew them.
  • Message filtering in event broker subscription does not work. Any message to any queue triggers all of the subscriptions.
    When you have multiple event broker queues, each of them having a different subscription and policy in vRealize Orchestrator, if one of the queues receives a message, all subscriptions are triggered.
  • The Orchestrator Appliance stops working and Too many open files exceptions are recorded in the server log.
    The CPU utilization of the Orchestrator Appliance reaches 100% and becomes unresponsive due to Tomcat server sessions remaining in a CLOSE_WAIT state.
  • vRealize Orchestrator becomes unresponsive if you run a workflow that uses a REST host.
    The workflow run fails with an Uninitialized Uninitialized keystoreUninitialized keystore exception.
  • The values of objects of type SecureString are included in packages that are exported from the Orchestrator client.
    Packages that are exported from the Orchestrator client include objects ot type SecureString, such as passwords and passphrases.
  • The HTTP-REST plug-in reaches the hard-coded maximum number of 16 simultaneous connections.
    When you use the HTTP-REST plug-in, if you reach the maximum threshold of simultaneous connections, an Cannot execute the request: ; Timeout waiting for connection from pool message appears.

Known Issues

The known issues are grouped as follows:

Installation Issues

  • The Orchestrator service cannot recover after a back up and restore procedure.
    When you back up and restore Orchestrator, the server is not accessible from vRealize Automation and an Unable to establish a connection to vCenter Orchestrator server error appears. This results in Orchestrator being unable to start, while having a STARTED status, missing tasks and policies, and workflows that must be re-run.

    Workaround: Re-create the missing scheduled tasks and policies, re-run the scheduled workflows that did not start, and restart the Orchestrator service.

Configuration Issues

  • If you click the Save Changes button on the Configure Authentication Provider page without making any changes to the authentication settings, you can no longer access Control Center.
    On the Configure Authentication Provider page in Control Center, if you resave the authentication parameters that are already configured, without having changed them, an An error occurred during OAuth2 operation. Please contact your administrator to resolve the issue. { "error": "invalid_request", "error_description": "Must provide a valid redirect uri." } error message appears, and Control Center is no longer accessible.
  • During the installation of a plug-in in Control Center, an error message appears.
    When you install a plug-in from the Manage Plug-Ins page in Control Center, a Plug-in 'name_of_the_plug-in' (plug-in_file_name) is not compatible with the current platform version. Supported platform versions are ''. Clicking on the 'Install' button will install it anyway error message appears. You can safely disregard this error and proceed with the installation of the plug-in.
  • The vRealize Orchestrator SQL plug-in cannot connect to a MySQL database.
    When you run the Add a database workflow against a MySQL database, the workflow fails with a The driver 'com.mysql.jdbc.Driver' for 'MySQL' database cannot be found! error message.

    NOTE: The support for MySQL databases was removed in vRealize Orchestrator 7.0.

    Workaround: To enable support for MySQL database, you must install the JDBC driver for MySQL on the Orchestrator platform.

    1. Download the latest JDBC driver for MySQL from
    2. Extract the downloaded archive.
    3. In the extracted folder, locate the mysql-connector-java-x.x.x.jar file, where x.x.x is the current subminor version.
    4. Copy the mysql-connector-java-x.x.x.jar to the /usr/lib/vco/app-server/lib directory on the Orchestrator server.
    5. Change the ownership of the mysql-connector-java-x.x.x.jar file.
    6. chown vco:vco mysql-connector-java-x.x.x.jar

    7. Change the permissions of the mysql-connector-java-x.x.x.jar.
    8. chmod 644 mysql-connector-java-x.x.x.jar

    9. Restart the Orchestrator server service.
    10. service vco-server restart

  • Orchestrator authentication configuration might become invalid, if the authentication provider certificate changes or regenerates.
    When the SSL certificate of the vRealize Automation or vSphere instance that is configured as an authentication provider in Control Center is changed or regenerated, the Orchestrator authentication configuration becomes invalid and the Orchestrator server cannot start.

    Workaround: Import the new authentication provider certificate:

    1. Log in to Control Center as an administrator.
    2. Click Certificates.
    3. Click the Import on the Trusted Certificates tab.
    4. Load the SSL certificate from a URL or a file.
    5. Click Import.

  • The SOAP plug-in cannot connect through an authenticated proxy server.
    When you run the Add a SOAP host workflow, use a proxy server that does not require authentication.
  • The Orchestrator client does not run on versions of Java earlier than Java 8.
    You need Java 8 to run the Orchestrator client.
  • If you experience issues connecting to a SOAP or a REST host, or importing a certificate, you might have to explicitly enable certain versions of SSL or TLS.
    For information about this issue, see

    Workaround: For information about explicitly enabling SSLv3 and TLSv1 for outgoing HTTPS connections, see Enable TLSv1 for outgoing HTTPS connections in vRealize Orchestrator 6.0.4 and 7.0.x manually (KB 2144318).

  • vCenter Server objects not accessible in the vSphere Web Client.
    Orchestrator cannot access vCenter Server objects in the vSphere Web Client if the vCenter Server instance that you are attempting to access is registered in Orchestrator by IP address.

    Workaround: Register the vCenter Server instance by host name.

  • Connecting to an Oracle database by using TNSNames is not supported .
    You cannot use TNSNames to connect to an Oracle database. You can connect to an Oracle database by using an IP address or a DNS name.

    Workaround: See Add support for RAC and TNS configuration for Oracle 11g Database instances to vRealize Orchestrator (KB 1022828).

Client Issues

  • Duplicating a workflow always copies the version history of the original workflow, even through the Copy version history is set to No.
    The Duplicate workflow step transfers the events history from the original workflow to the copied workflow even when you select the No radio button for Copy version history during the duplication.
  • OGNL expressions of an input parameter run with every input parameter update
    When an input parameter includes an OGNL expression, which is bound to more than one input parameter, the OGNL expression runs every time any of the input parameters is updated, instead of running once, when all input parameters are updated. If the OGNL expression invokes a resource-consuming operation, for example data mining, the presentation might run slowly.
  • Problems handling non-ASCII characters in certain contexts.
    Using non-ASCII characters in input parameters results in incorrect behavior in the following situations:
    • If you run the SCP put or SCP get workflows from the SSH folder on a file with a name that contains non-ASCII characters, the workflow runs, but name of the resulting file on the destination machine is unreadable.
    • If you try to insert non-ASCII characters into attribute names, the characters do not appear. This issue occurs for workflow attributes and action attributes.
  • Using the Orchestrator client through Java WebStart if the Orchestrator Appliance is behind Network Address Translation (NAT) is not supported.

Miscellaneous Issues

  • NEW! When running the migration tool to export configuration from a vRealize Orchestrator 6.x Virtual Appliance, you receive an error message.
    During the migration from vRealize Orchestrator 6.x Virtual Appliance to vRealize Orchestrator 7.3, after you copy the migration tool from the target to the source Orchestrator server and run the script to export the configuration, the following error message appears:

    SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
    SLF4J: Defaulting to no-operation (NOP) logger implementation
    SLF4J: See for further details.

    Workaround: You may safely ignore this message. Make sure that the archive is created in the /var/lib/vco folder and proceed with the migration.

  • When you have more than one Orchestrator instances in a cluster, the workflow tokens are visible only on the Orchestrator node on which the workflow has run.
  • The Storage VSAN workflows of the vCenter Server plug-in do not support adding Solid-State Drive (SSD) disks to an ESXi host.
    The Add disks to disk group and Remove disks from disk groups workflows do not support adding SSD disks as capacity disks to ESXi hosts.
  • The vCenter Server plug-in does not support policies.
    The vCenter Server plug-in for vRealize Orchestrator does not support using policies to monitor for events that are issued by the managed vCenter Server instance.
  • Compiling a custom model-driven plug-in fails if you use an extension method that contains lambda expressions.
    When you use model-driven to create plug-ins and you add extension methods to a certain extension, the plug-in does not compile if the extension method contains lambda expressions. The plug-in compilation fails with an error message, similar to the following: Caused by: java.lang.ArrayIndexOutOfBoundsException: 52789.

    Workaround: Do not use lambda expressions in the body of the extension methods.

  • The RESTOperation ID does not initialize properly if the REST host instance is created by using a Swagger spec.
    In the HTTP-REST plug-in, when the REST host instance is created by a Swagger spec, the RESTOperation ID does not initialize properly and the getOperation of the RESTHost object does not work.
  • The SOAP plug-in does not support mutual authentication with the SOAP host.
    The available authentication mechanisms support only one-way authentication.

  • The SSH plug-in cannot connect to a Cisco Adaptive Security Appliance (ASA) firewall.
    The SSH plug-in for vRealize Orchestrator 7.1 does not support connectivity to a Cisco Adaptive Security Appliance (ASA) firewall.
  • Restricted access to vCenter Server inventory can cause errors if you select Session per user.
    If you select the Session per user option when adding a vCenter Server instance to Orchestrator, attempting to access the vCenter Server inventory might result in some errors for a user with restricted access to inventory objects.
  • vCenter Server plug-in does not have valid credentials after upgrading from an Orchestrator version 6.0.2 or earlier.
    If you upgrade from an Orchestrator version before 6.0.3, the vCenter Server plug-in does not have valid credentials.

    Workaround: After upgrading Orchestrator, update the vCenter Server instance and configure a password for the user.

  • The Convert disks to thin provisioning workflow does not handle virtual machines with snapshots correctly and does not convert the thick-provisioned disks.
    On completion, the Convert disks to thin provisioning workflow reports that the thick-provisioned disks of virtual machines with snapshots are successfully converted to thin-provisioned, but they are not.

    Workaround: Do not include virtual machines with snapshots in the workflow.

  • Adding values to vCenter Server data object properties of the Array type is impossible.
    When Orchestrator runs scripts, the vCenter Server plug-in converts JavaScript arrays to Java arrays of a fixed size. As a result, you cannot add new values to vCenter Server data objects that take arrays as property values. You can create an object that takes an array as a property if you instantiate that object by passing it a prefilled array. However, after you instantiate the object, you cannot add values to the array.

    For example, the following code does not work:

    var spec = new VcVirtualMachineConfigSpec();
    spec.deviceChange = [];
    spec.deviceChange[0] = new VcVirtualDeviceConfigSpec();

    In the above code, Orchestrator converts the empty spec.deviceChange JavaScript array into the fixed-size Java array VirtualDeviceConfigSpec[] before it calls setDeviceChange(). When calling spec.deviceChange[0] = new VcVirtualDeviceConfigSpec(), Orchestrator calls getDeviceChange() and the array remains a fixed, empty Java array. Calling spec.deviceChange.add() results in the same behavior.

    Workaround: Declare the array as a local variable:

    var spec = new VcVirtualMachineConfigSpec();
    var deviceSpec = [];
    deviceSpec[0] = new VcVirtualDeviceConfigSpec();
    spec.deviceChange = deviceSpec;

Documentation and Help

The following items or corrections did not make it into the documentation for this release.

  • When you migrate an external Orchestrator server to the Orchestrator instance that is embedded in vRealize Automation, if the vRealize Automation has been migrated from an earlier version, before you start the Orchestrator server service and the Control Center service on the vRealize Automation Appliance, you must delete the trusted certificates from the database of the embedded Orchestrator instance.
    In documentation topic Migrate an External vRealize Orchestrator 7.x to vRealize Automation 7.3, after you migrate as described in Step 4, you must delete the trusted certificates from the database of the embedded Orchestrator.

    sudo -u postgres -i -- /opt/vmware/vpostgres/current/bin/psql vcac -c "DELETE FROM vmo_keystore WHERE id='cakeystore-id';"

  • Uninstalling a plug-in in vRealize Orchestrator does not work as described in documentation topic Uninstall a Plug-in.

    Workaround: Run the steps below to uninstall the plug-in. If you have more than one Orchestrator node in a cluster, run the steps on all nodes.

    1. Log in to the Orchestrator Appliance over SSH as root.
    2. Stop the Orchestrator server service and the Control Center service.

      service vco-server stop && service vco-configurator stop

    3. Open the /etc/vco/app-server/plugins/_VSOPluginInstallationVersion.xml file with a text editor and delete the line of code that corresponds to the plug-in that you want to remove.
    4. Under the /var/lib/vco/app-server/plugins directory, delete the .dar archives that contain the plug-in that you want to remove.
    5. Delete all records under from the VMO_VroConfiguration table in the Orchestrator database.

      For example, if you use Microsoft SQL Server, the delete statement is DELETE FROM [database_name].[dbo].[VMO_VroConfiguration].

    6. Start the Orchestrator server service and the Control Center service.

      service vco-server start && service vco-configurator start

    7. Delete the packages and folders that are related to the plug-in as described in Step 5 of documentation topic Uninstall a Plug-in.