vRealize Orchestrator REST request using HoK token

I have created an example of how to make a vRO REST API request in PowerShell utilizing a HoK (Holder of Key) token. It's pretty much a raw version. It's not nice 😉 It depends on the vSphere SDK libraries, as I did not have much time to make it work without them. New-WebServiceProxy can't handle the SOAP security headers, so I am using the DLLs from the SDK to make this possible. Feel free to make a better version and share it. I saw a lot of people looking for a way to invoke vRO REST API methods using the HoK token.
It would not have been possible to write it without the help of Chris Dent and Sushil Kavi, so many thanks to them for helping me out with making this example possible 😉

vRealize Orchestrator sdkConnection list vcenters

So I am slowly starting to work with vRO. Today I was trying to obtain my vCenter that is connected inside the vcPlugin.
Before I go further, the set of tools that I am using at the moment is vCO-CLI plus something to write scripts in (in my case it's Visual Studio Code).
So whatever I try, I can quickly test if it works inside vRO.
vCO-CLI at this moment does not work with the vRO 8.x series, so I have one vRO 7.6 for this purpose.
Also one will probably need the API explorer.

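// Array filter callback: "this" is the [propertyName, expectedValue] pair passed as filter's second argument
function check(obj) {
    return obj[this[0]] == this[1];
}
myvcsdkconnection = (VcPlugin.allSdkConnections.filter(check, ["name", "https://vc001.greg.labs:443/sdk"]))[0];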

I wrote myself a filter function for arrays that I can reuse later on for other things, not just for these particular SDK connections.
I am not going to explain how this works, simply because I just started learning JavaScript myself 😉 so for me some things are not 100% clear for now.


So our VcPlugin (btw, you have to be careful with typing, everything is case sensitive; if you have vCO-CLI, use tab a lot) has an allSdkConnections array that holds our vCenters in the plugin. Right now I am just guessing most of the things, since I am learning, but this will be important when one is working with more than one VC, or executing things against a particular VC and not just a random one. So in order to start from the right VC, we can filter that array to find our correct VC. You probably checked VcPlugin and saw a method like findSdkConnectionForUUID; this would find the VC based on instanceUuid, but what if you wanted to find a VC by name, id, whatever property…

vco :136> VcPlugin.findSdkConnectionForUUID('31d0f5fc-069d-4d7b-b0da-7dcb71b37f67')
=> DynamicWrapper (Instance) : [VcSdkConnection]-[class com.vmware.o11n.plugin.vsphere_gen.SdkConnection_Wrapper] -- VALUE : vc001.greg.labs

vco :137> (VcPlugin.allSdkConnections.filter(check,["instanceUuid","31d0f5fc-069d-4d7b-b0da-7dcb71b37f67"]))[0]
=> DynamicWrapper (Instance) : [VcSdkConnection]-[class com.vmware.o11n.plugin.vsphere_gen.SdkConnection_Wrapper] -- VALUE : vc001.greg.labs

vco :102> VcPlugin.allSdkConnections.filter(check,["id","vc001.greg.labs"])
=> DynamicWrapper (Instance) : [VcSdkConnection]-[class com.vmware.o11n.plugin.vsphere_gen.SdkConnection_Wrapper] -- VALUE : vc001.greg.labs

So since we have now stored our vCenter connection, we can move forward.
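How the filter call above works, as an added example that is not part of the original post: the sample array is a constructed stand-in for VcPlugin.allSdkConnections (vc002 and its UUID are made up), and findOneByProperty is a hypothetical helper that fails loudly instead of returning undefined or an arbitrary vCenter.

```javascript
// ES5 only (no let/const, arrow functions or for...of), matching the Rhino constraint.

// Constructed stand-in for VcPlugin.allSdkConnections; vc002 and its UUID are made up.
var sampleConnections = [
    { id: "vc001.greg.labs", name: "https://vc001.greg.labs:443/sdk",
      instanceUuid: "31d0f5fc-069d-4d7b-b0da-7dcb71b37f67" },
    { id: "vc002.greg.labs", name: "https://vc002.greg.labs:443/sdk",
      instanceUuid: "00000000-0000-4000-8000-000000000002" }
];

// The page's callback: filter() hands its second argument to the callback as "this",
// so this[0] is the property name and this[1] is the value to match.
function check(obj) {
    return obj[this[0]] == this[1];
}

// Hypothetical helper: same lookup without relying on "this", and strict about the result.
// Returns exactly one match and throws when nothing or more than one item matches,
// so a typo or a duplicate never silently selects undefined or the wrong vCenter.
function findOneByProperty(list, prop, value) {
    var matches = [];
    for (var i = 0; i < list.length; i++) {
        var actual = list[i][prop];
        // String() on both sides is an assumption for host-wrapped strings:
        // it makes the comparison by content while still using ===.
        if (actual != null && String(actual) === String(value)) {
            matches.push(list[i]);
        }
    }
    if (matches.length !== 1) {
        throw new Error("expected 1 match for " + prop + "=" + value +
                        ", found " + matches.length);
    }
    return matches[0];
}

// filter(...)[0] yields undefined when nothing matches; the helper throws instead.
var viaFilter = sampleConnections.filter(check, ["id", "vc001.greg.labs"])[0];
var viaHelper = findOneByProperty(sampleConnections, "instanceUuid",
                                  "31d0f5fc-069d-4d7b-b0da-7dcb71b37f67");
```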

vRealize Orchestrator JavaScript

As per
javascript used is
Mozilla Rhino 1.7R4 JavaScript engine



The JavaScript language has to be ECMAScript 5 (ES5),
so no multiline strings, no ‘let’, no ‘map’, no for i of etc…

vRealize Orchestrator cluster and sending SNMP traps

When you have a vRO cluster with X nodes, you have to send the SNMP trap to all the vRealize Orchestrator nodes. You can't send those traps to the load balancer cluster FQDN, since it is for example round robin there, and it might or might not work. When you have a vRO cluster, then once the policy for SNMP is running, or a workflow that listens for SNMP traps is running, this actually takes place on 1 vRO node. If you have 3 nodes, then only 1 node is listening for SNMP traps, hence we can't send SNMP traps towards the vRO cluster FQDN. There will be no situation where you send 1 trap to each vRO node and each node receives it; only 1 node is listening for traps.

vRealize Orchestrator 7.6 8.1 load balancer using haproxy

So far I have tried F5 BIG-IP LTM VE (failed due to limitations) and Kemp LoadMaster VE (all OK, 1 month trial), and now I have switched to haproxy in my lab.
All you need is a machine with haproxy and some IP interfaces on it. In my case I have 3 nodes for vRO 8.1 and 3 nodes for 7.6; monitors/checks are set as per the guide.
Bring your interfaces online and edit your haproxy.cfg to reflect your IPs:
in my case is the vip for vro 8.1 cluster
and is the vip for vro 7.6 cluster

# vRO 8.1 cluster: plain HTTP health check against port 8008 on each node
frontend vro
    mode tcp
    default_backend vro81pool

backend vro81pool
    mode tcp
    balance leastconn
    option httpchk GET /health
    http-check expect status 200
    server vro811 check port 8008
    server vro812 check port 8008
    server vro813 check port 8008

# vRO 7.6 cluster, port 8281: health checks use TLS without certificate verification (verify none)
frontend vro768281
    mode tcp
    default_backend vro76pool8281

backend vro76pool8281
    mode tcp
    balance source
    option httpchk GET /vco/api/healthstatus
    http-check expect string RUNNING
    server vro761 check port 8281 check-ssl verify none
    server vro762 check port 8281 check-ssl verify none
    server vro763 check port 8281 check-ssl verify none

# vRO 7.6 cluster, port 8283 (control center): health checks use TLS without certificate verification
frontend vro768283
    mode tcp
    default_backend vro76pool8283

backend vro76pool8283
    mode tcp
    balance source
    option httpchk GET /vco-controlcenter/docs/
    http-check expect status 200
    server vro761 check port 8283 check-ssl verify none
    server vro762 check port 8283 check-ssl verify none
    server vro763 check port 8283 check-ssl verify none

vRealize Orchestrator 8.1 3 node cluster setup

I have recorded a session from my desktop while deploying a 3 node vRealize Orchestrator 8.1 cluster. I have no idea why the video editor is moving some parts of the video :/ It looks in 2-3 moments like it took some part of it and put it in the wrong part of the timeline, no clue. I hope it's not that confusing, so I just left it like that. In general you will understand the concept anyway. Next time I will see, maybe I will buy a proper video editor.

OK, I have done the video editing again in new software, still learning 😉 It has some green bottom layer, not sure why, but at least it is OK with the timeline.

One part that I missed in that recording was how to enable REST API login with credentials. To enable it, edit the file

/data/vco/usr/lib/vco/app-server/conf/vmo.properties

on each node of your cluster and add at the end:

com.vmware.o11n.sso.basic-authentication.enabled = true



vRealize Orchestrator 8.1 is out and is still having issues with SNMP receiving traps

I have installed an 8.1 vRealize Orchestrator cluster with 3 nodes. When you read the documentation and ask yourself the question ‘do I really need 3 nodes instead of 2’, the answer is yes, you need 3 nodes to install it; that’s what I was told by VMware support, although the documentation uses the words ‘recommended 3 nodes’. Anyway… so you replaced your certificates, the cluster is installed, you try to send an SNMP trap towards it, and it fails. The workflow that listens for a trap on all devices is just waiting…

So again you have to do the trick with the SNMP port (by default it’s 4000 UDP to your Orchestrator unless you changed it).

As described here:


When you have a 3 node cluster, you have to do this on the 3 vRO servers.

After this is completed, you have to go to your load balancer and add new rules for port 4000 UDP as well.

Without adding a new service on port 4000 UDP, the cluster would still not receive the trap. After this, your cluster will receive the SNMP traps without a problem.

For this 4000 UDP service, you can also use 8008 /health as the monitor, I suppose; I mean, if vRO is down then SNMP should also not be available.

One other thing to mention: your certificate for the vRO 8 cluster should be composed with the CN of the LB FQDN, not the leading node. I think I read in some book that this would have to be the CN of the first node, but I was told by VMware support today that in the CN I should put the cluster LB FQDN.

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = NL
stateOrProvinceName = NoordHolland
localityName = Amsterdam
organizationName = HomeLabs
commonName = vrocluster81.greg.labs
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = vro811.greg.labs
IP.1 =
DNS.2 = vro812.greg.labs
IP.2 =
DNS.3 = vro813.greg.labs
IP.3 =
DNS.4 = vrocluster81.greg.labs
IP.4 =