Resetting the Embedded vRealize Orchestrator 7.x configuration on a vRealize Automation 7.x appliance
Article ID: 326101
Updated On:
Products
VMware Aria Suite
Issue/Introduction
Provide instructions to reset the vRO registration back to vRA to ensure the embedded instance is communicating between both VMware products.
Symptoms:
Symptoms:
- An embedded instance of vRealize Orchestrator (vRO) 7.x is failing to properly register back to vRealize Automation (vRA) 7.x's Component Registry and displays a blank registration status within the Virtual Appliance Management Interface (VAMI) on the vRA appliance
- A recent certificate change may have occurred
- A previous attempt to unregister the Authentication provider from vRO's Control Center interface utilizing the "?advanced" URL was performed.
- When logging into vRA 7.x the following error is seen under the Administration > Server Configuration tab:
Unable to find vCO endpoint in the Registry
- The Authentication Provider page within vRO's Control Center displays the following error:
Error! { "error": "invalid_request", "error description": "Cannot generate token: " }
- The vRO primary log file, server.log displays a similar error to the above.
Environment
VMware vRealize Orchestrator 7.x
VMware vRealize Automation 7.x
VMware vRealize Automation 7.x
Cause
- A number of circumstances within a datacenter, to include outages or scheduled maintenance can lead to misconfigurations within the embedded vRO 7.x instance if documentation is not properly followed: Update Embedded vRealize Orchestrator to Trust vRealize Automation Certificates or if the "?advanced" URL within the Authentication Provider page was used to remove the Authentication provider that is the embedded VMware Identity Manager (vIDM) 3.x instance hosted on the vRA appliance.
Resolution
- On the primary vRA node, delete the line with the original vco solution user contained within /etc/vcac/solution-users.properties, example: vco=vco-8f2-kob_2w.
Note: This will force a new vco solution user creation later.
- Stop the vRO service on all vRA nodes:
service vco-server stop && service vco-configurator stop
- Delete the vco registration id on all vRA nodes:
rm /etc/vco/app-server/vco-registration-id
- On the primary vRA node, delete all vco VAMI service registrations:
vcac-config service-delete --service-name vco
- On the primary vRA node, reconfigure the vRO Control Center authentication:
/var/lib/vco/tools/configuration-cli/bin/vro-configure.sh reset-authentication
- On the primary vRA node, reconfigure the vRO Server service:
vcac-vami vco-service-reconfigure
- Wait until the vRO server is fully started.
- If some of the vRA services on the vRA primary node are marked as NOT AVAILABLE, run the following:
service vcac-server restart
- Once all VAMI services on the primary vRA node are marked as REGISTERED, re-join the replica node to the cluster again - from the replica node VAMI > Cluster page.
Note: Stop at Step #9 if the Secure Configuration Guide has not been implemented.
Note: For environments in which the Secure Configuration Guide has been implemented, Step #9 may fail on the Replica rejoin operation. Continue to Step #10.
Note: For environments in which the Secure Configuration Guide has been implemented, Step #9 may fail on the Replica rejoin operation. Continue to Step #10.
- Copy over the /etc/vco/app-server/vco-registration-id file from the primary to the replica node
- Update the vco solution user on the replica node within /etc/vcac/solution-users.properties.
Note: The new vco solution user was taken from the primary node /etc/vcac/solution-users.properties after Step #6.
- Run the following command on the primary node:
/usr/lib/vco/tools/configuration-cli/bin/vro-configure.sh export --vraSync --path /tmp/vco-config
- Copy over the /tmp/vco-config to the replica node.
- Import the vco config manually to the replica node:
chmod -f a+rw /tmp/vco-config
/usr/lib/vco/tools/configuration-cli/bin/vro-configure.sh import --type vra_sync --path /tmp/vco-config
Note: If the vco service is now registered within the VAMI, but o11n-gateway is not, confirm the environment hardening documentation is fully followed by re-applying the steps provided within the Secure Configuration Guide.
/usr/lib/vco/tools/configuration-cli/bin/vro-configure.sh import --type vra_sync --path /tmp/vco-config
Note: If the vco service is now registered within the VAMI, but o11n-gateway is not, confirm the environment hardening documentation is fully followed by re-applying the steps provided within the Secure Configuration Guide.
Additional Information
Impact/Risks:
- These instructions reset the out-of-the-box configuration for an embedded vRO 7.x instance running on a vRA appliance. Ensure there are valid backups and / or snapshots before proceeding.
- These instructions will not reconfigure any external vRO instances and may cause impact to these registrations.
Feedback
Yes
No
Powered by
