vRealize Orchestrator 7.6 / 8.0.1 cluster fails with f5 BIG-IP LTM VE trial edition

I have tried to deploy vRealize Orchestrator 7.6 and 8.0.1 in a 3-node cluster with f5 BIG-IP LTM Virtual Edition on a trial license. The cluster was deployed, but for some reason it did not look OK. I mean it was sort of working; it's just that sometimes it was not able to deploy itself using deploy.sh and sometimes it was, sometimes the website was not opening and sometimes it was. It was taking really long to open the website; for example, if you had an instance of vRO open, it would take 10 seconds to load workflows, or if you opened a workflow it would take 10 seconds to open the scripting pane on a scripting task. It took me some time to understand who/what was causing this. The problem was with my f5 installation in trial.
I have redone the setup using a KEMP LoadMaster later on, no issues here. Although there is document that would explain how to do the LB on it for vRO, I managed to configure it and it works really nicely: really fast, reliable. Later on I will try to make a video of that process as well.

https://docs.vmware.com/en/vRealize-Automation/8.0/load-balancing/GUID-EF308394-0EAC-4588-8B98-1EA564950890.html

https://support.f5.com/csp/article/K15831

cat /var/log/ltm | grep Bandwidth

tmctl -d blade tmm/if_shaper

It would be nice if VMware support would also mention this, and not only in the vRA documentation. In the trial edition, f5 hits a bandwidth bottleneck, making it almost impossible for the vRO cluster to operate.

vRealize Orchestrator 8.0.1 installation fails with “Bad Gateway”

If you tried to install a fresh vRO 8 and got Bad Gateway, check whether you are affected by the password issue/bug.

If you log in to your vRO appliance, you can see messages about a bad password:
kubectl -n prelude logs vco-app-(pod name) -c install-rpms

You get your vco-app-(pod name) by checking:
kubectl get pods --all-namespaces | grep vco-app
prelude vco-app-f74ddf657-2m54n
So your pod name is “vco-app-f74ddf657-2m54n” in that case.

So in this case you would check your logs using:
kubectl -n prelude logs vco-app-f74ddf657-2m54n -c install-rpms

If this is the same issue, you should see something similar to:
Start vRO initial install and configuration

Preparing... ########################################

find: ‘/usr/lib/vco/app-server/deploy/’: No such file or directory
You are required to change your password immediately (password expired)
groupadd: PAM: Authentication token is no longer valid; new one required
useradd: group 'vco' does not exist
error: %prein(vco-server-8.0.1.1576058314-15282010.noarch) scriptlet failed, exit status 6
error: vco-server-8.0.1.1576058314-15282010.noarch: install failed
find: ‘/usr/lib/vco/configuration/webapps/’: No such file or directory
You are required to change your password immediately (password expired)
groupadd: PAM: Authentication token is no longer valid; new one required
useradd: group 'vco' does not exist
error: %prein(vco-controlcenter-8.0.1.1576058314-15282010.noarch) scriptlet failed, exit status 6
error: vco-controlcenter-8.0.1.1576058314-15282010.noarch: install failed
You are required to change your password immediately (password expired)
groupadd: PAM: Authentication token is no longer valid; new one required
useradd: group 'vco' does not exist
passwd: user 'vco' does not exist
Updating / installing...
warning: user vco does not exist - using root
warning: group vco does not exist - using root

Give this KB a try: https://kb.vmware.com/s/article/76870
It helped in my case (manual installation).

Select as many IPs as possible inside a 255-character string

Imagine you have a lot of IPs in an array and you want to divide them into slices of at most 255 characters. We join them all with commas, then replace the comma at each slice boundary with a semicolon.

$ip4 = 1..30 | ForEach-Object { "192.168.1.$_" }
$ip4
192.168.1.1
192.168.1.2
192.168.1.3
192.168.1.4
192.168.1.5
192.168.1.6
192.168.1.7
192.168.1.8
192.168.1.9
192.168.1.10
192.168.1.11
192.168.1.12
192.168.1.13
192.168.1.14
192.168.1.15
192.168.1.16
192.168.1.17
192.168.1.18
192.168.1.19
192.168.1.20
192.168.1.21
192.168.1.22
192.168.1.23
192.168.1.24
192.168.1.25
192.168.1.26
192.168.1.27
192.168.1.28
192.168.1.29
192.168.1.30
$ip4 -join ','
192.168.1.1,192.168.1.2,192.168.1.3,192.168.1.4,192.168.1.5,192.168.1.6,192.168.1.7,192.168.1.8,192.168.1.9,192.168.1.10,192.168.1.11,192.168.1.12,192.168.1.13,192.168.1.14,192.168.1.15,192.168.1.16,192.168.1.17,192.168.1.18,192.168.1.19,192.168.1.20,192.168.1.21,192.168.1.22,192.168.1.23,192.168.1.24,192.168.1.25,192.168.1.26,192.168.1.27,192.168.1.28,192.168.1.29,192.168.1.30

$ip4 -join ',' -replace '(\G.{216,255}),','$1;'
192.168.1.1,192.168.1.2,192.168.1.3,192.168.1.4,192.168.1.5,192.168.1.6,192.168.1.7,192.168.1.8,192.168.1.9,192.168.1.10,192.168.1.11,192.168.1.12,192.168.1.13,192.168.1.14,192.168.1.15,192.168.1.16,192.168.1.17,192.168.1.18,192.168.1.19,192.168.1.20;192.168.1.21,192.168.1.22,192.168.1.23,192.168.1.24,192.168.1.25,192.168.1.26,192.168.1.27,192.168.1.28,192.168.1.29,192.168.1.30
$ip4 -join ',' -replace '(\G.{216,255}),','$1;' -split ';' | % { 'Next result'; $_ }
Next result
192.168.1.1,192.168.1.2,192.168.1.3,192.168.1.4,192.168.1.5,192.168.1.6,192.168.1.7,192.168.1.8,192.168.1.9,192.168.1.10,192.168.1.11,192.168.1.12,192.168.1.13,192.168.1.14,192.168.1.15,192.168.1.16,192.168.1.17,192.168.1.18,192.168.1.19,192.168.1.20
Next result
192.168.1.21,192.168.1.22,192.168.1.23,192.168.1.24,192.168.1.25,192.168.1.26,192.168.1.27,192.168.1.28,192.168.1.29,192.168.1.30

We are aiming for the commas

We replace each match with its first group followed by a semicolon, so the comma at the slice boundary becomes a semicolon. Then we split the string on semicolons, since each semicolon marks the position up to which the maximum number of IPs fit into a 255-character string.

And let’s say we are interested in only the first two batches in case we have more than 30 IPs (in the output below, $ip4 holds 192.168.1.1 to 192.168.1.80):
$ip4 -join ',' -replace '(\G.{216,255}),','$1;' -split ';'
192.168.1.1,192.168.1.2,192.168.1.3,192.168.1.4,192.168.1.5,192.168.1.6,192.168.1.7,192.168.1.8,192.168.1.9,192.168.1.10,192.168.1.11,192.168.1.12,192.168.1.13,192.168.1.14,192.168.1.15,192.168.1.16,192.168.1.17,192.168.1.18,192.168.1.19,192.168.1.20
192.168.1.21,192.168.1.22,192.168.1.23,192.168.1.24,192.168.1.25,192.168.1.26,192.168.1.27,192.168.1.28,192.168.1.29,192.168.1.30,192.168.1.31,192.168.1.32,192.168.1.33,192.168.1.34,192.168.1.35,192.168.1.36,192.168.1.37,192.168.1.38,192.168.1.39
192.168.1.40,192.168.1.41,192.168.1.42,192.168.1.43,192.168.1.44,192.168.1.45,192.168.1.46,192.168.1.47,192.168.1.48,192.168.1.49,192.168.1.50,192.168.1.51,192.168.1.52,192.168.1.53,192.168.1.54,192.168.1.55,192.168.1.56,192.168.1.57,192.168.1.58
192.168.1.59,192.168.1.60,192.168.1.61,192.168.1.62,192.168.1.63,192.168.1.64,192.168.1.65,192.168.1.66,192.168.1.67,192.168.1.68,192.168.1.69,192.168.1.70,192.168.1.71,192.168.1.72,192.168.1.73,192.168.1.74,192.168.1.75,192.168.1.76,192.168.1.77
192.168.1.78,192.168.1.79,192.168.1.80

$first,$second,$null = $ip4 -join ',' -replace '(\G.{216,255}),','$1;' -split ';'

This puts the first batch into $first and the second batch into $second; the rest goes to $null.
This also works with IPv6. The quantifier in the regex is greedy, so whether you are working with IPv6 or IPv4 addresses it still finds the maximum number of IPs per slice. That’s why the range is 216-255 instead of 240-255: a full IPv6 address is up to 39 characters (255 - 39 = 216), while an IPv4 address is at most 15 (255 - 15 = 240).
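The same slicing without the regex, as an added example that is not part of the original post: it goes beyond the one-liner by taking the length limit as a parameter, validating every entry, and handling mixed IPv4/IPv6 input. The function name Split-AddressList and its parameters are hypothetical, and the sample addresses are constructed.

```powershell
# Added example, not the post's code. Split-AddressList, -MaxLength and -Separator are hypothetical names.
function Split-AddressList {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Address,
        [ValidateRange(1, 65535)][int]$MaxLength = 255,
        [string]$Separator = ','
    )
    $chunks  = [System.Collections.Generic.List[string]]::new()
    $current = [System.Text.StringBuilder]::new()
    foreach ($raw in $Address) {
        $item   = $raw.Trim()
        $parsed = $null
        # Reject anything that is not an address, so a stray ',' or ';' inside an
        # element cannot corrupt the joined string. TryParse is a loose check
        # (it also accepts short forms such as "1").
        if (-not [System.Net.IPAddress]::TryParse($item, [ref]$parsed)) {
            throw "Not an IP address: '$item'"
        }
        if ($item.Length -gt $MaxLength) {
            throw "Entry '$item' is longer than the $MaxLength character limit"
        }
        # Length this entry adds to the current chunk, including its separator.
        $needed = $item.Length
        if ($current.Length -gt 0) { $needed += $Separator.Length }
        if ($current.Length + $needed -gt $MaxLength) {
            # Chunk is full: store it and start a new one with this entry.
            $chunks.Add($current.ToString())
            [void]$current.Clear()
        }
        if ($current.Length -gt 0) { [void]$current.Append($Separator) }
        [void]$current.Append($item)
    }
    if ($current.Length -gt 0) { $chunks.Add($current.ToString()) }
    $chunks
}

# Constructed sample input: 80 IPv4 addresses followed by 20 IPv6 addresses
# from the documentation prefix 2001:db8::/32.
$sample = @(1..80 | ForEach-Object { "192.168.1.$_" }) +
          @(1..20 | ForEach-Object { "2001:db8::$_" })

# Same destructuring as in the post: keep the first two batches, drop the rest.
$first, $second, $null = Split-AddressList -Address $sample

# Show the length of every batch to confirm none exceeds the limit.
Split-AddressList -Address $sample | ForEach-Object { '{0,3} chars: {1}' -f $_.Length, $_ }
```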


PSTypenames for a string object

PS C:\> $myobj = '2222'
PS C:\> $myobj.pstypenames
System.String
System.Object
PS C:\> $myobj.pstypenames.add('Greg')
PS C:\> $myobj.pstypenames
System.String
System.Object
PS C:\> [psobject]$myobj2='2222'
PS C:\> $myobj2.pstypenames.add('Greg')
PS C:\> $myobj2.pstypenames
System.String
System.Object
Greg

 

You have to cast them to PSO first; as it was explained to me on #powershell-help, the string PSO does not propagate members, hence you have to do it manually.

Download EJBCA certificate with PowerShell

I came up with this today

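# Lab shortcut: this policy accepts ANY server certificate, so TLS server
# validation is switched off for every request made from this PowerShell session.
Add-Type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
    // Called for each TLS connection; returning true ignores all certificate problems.
    public bool CheckValidationResult(
        ServicePoint srvPoint, X509Certificate certificate,
        WebRequest request, int certificateProblem) {
        return true;
    }
}
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy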

You can look up the thumbprint to compare which one it is:
Get-ChildItem Cert:\CurrentUser\My

$superadmin = Get-ChildItem Cert:\CurrentUser\My\YOUR_SUPERADMIN_CERT_HASH
Invoke-WebRequest -Uri "https://infralab.local:32768/ejbca/publicweb/webdist/certdist?cmd=lastcert&installtobrowser=&subject=CN%3dgregu.host.com&format=chain&hidemenu=false" -Method "Get" -Certificate $superadmin

What's left is to generate the cert order via CSR. This is just downloading the already made cert.
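TrustAllCertsPolicy above accepts whatever certificate the server presents, so the superadmin client certificate would also be offered to anything that answers on that address. A narrower variant, as an added example that is not part of the original post: it accepts the server only when its chain validates normally or its thumbprint equals one pinned value. It assumes Windows PowerShell 5.1 and a session in which TrustAllCertsPolicy has not been set; the class name PinnedServerCert and the thumbprint placeholder are hypothetical.

```powershell
# Added example for Windows PowerShell 5.1; PinnedServerCert is a hypothetical class name.
Add-Type @"
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
public static class PinnedServerCert {
    private static string expected = "";
    // Accept the server if its chain validates normally, or if its thumbprint
    // equals the pinned value; every other certificate is rejected.
    public static bool Validate(object sender, X509Certificate cert,
                                X509Chain chain, SslPolicyErrors errors) {
        if (cert == null) return false;
        if (errors == SslPolicyErrors.None) return true;
        return expected.Length > 0 &&
               string.Equals(cert.GetCertHashString(), expected,
                             StringComparison.OrdinalIgnoreCase);
    }
    public static void Enable(string thumbprint) {
        expected = (thumbprint ?? "").Replace(" ", "");
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }
    public static void Disable() {
        ServicePointManager.ServerCertificateValidationCallback = null;
    }
}
"@

# Placeholder: thumbprint of the EJBCA server's own TLS certificate, obtained
# out of band (for example from the certificate file on the EJBCA host).
[PinnedServerCert]::Enable('EJBCA_SERVER_CERT_THUMBPRINT')
try {
    # Client certificate and URL are the ones used in the post.
    $superadmin = Get-ChildItem Cert:\CurrentUser\My\YOUR_SUPERADMIN_CERT_HASH
    $uri = 'https://infralab.local:32768/ejbca/publicweb/webdist/certdist?cmd=lastcert&installtobrowser=&subject=CN%3dgregu.host.com&format=chain&hidemenu=false'
    $response = Invoke-WebRequest -Uri $uri -Method Get -Certificate $superadmin -UseBasicParsing
    $response.StatusCode
}
finally {
    # Restore default validation for the rest of the session.
    [PinnedServerCert]::Disable()
}
```

Importing the EJBCA CA certificate into the Windows trusted root store removes the need for any override, since the default chain validation then succeeds.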