5.5.1
Table Of Contents
- Installing and Configuring VMware vCenter Orchestrator
- Contents
- Installing and Configuring VMware vCenter Orchestrator
- Updated Infromation
- Introduction to VMware vCenter Orchestrator
- Orchestrator System Requirements
- Hardware Requirements for Orchestrator
- Hardware Requirements for the Orchestrator Appliance
- Operating Systems Supported by Orchestrator
- Supported Directory Services
- Browsers Supported by Orchestrator
- Orchestrator Database Requirements
- Software Included in the Orchestrator Appliance
- Level of Internationalization Support
- Setting Up Orchestrator Components
- Installing and Upgrading Orchestrator
- Download the vCenter Server Installer
- Install Orchestrator Standalone
- Install the Orchestrator Client on a 32-Bit Machine
- Install the Client Integration Plug-In in the vSphere Web Client
- Download and Deploy the Orchestrator Appliance
- Upgrading Orchestrator 4.0.x Running on a 64-Bit Machine
- Upgrading Orchestrator 4.0.x and Migrating the Configuration Data
- Upgrade Orchestrator Standalone
- Updating Orchestrator Appliance 5.5.x
- Upgrading Orchestrator Appliance 5.1.x and Earlier to 5.5.x
- Upgrade an Orchestrator Cluster
- Uninstall Orchestrator
- Configuring the Orchestrator Server
- Start the Orchestrator Configuration Service
- Log In to the Orchestrator Configuration Interface
- Configure the Network Connection
- Orchestrator Network Ports
- Import the vCenter Server SSL Certificate
- Selecting the Authentication Type
- Configuring the Orchestrator Database Connection
- Server Certificate
- Configure the Orchestrator Plug-Ins
- Importing the vCenter Server License
- Selecting the Orchestrator Server Mode
- Start the Orchestrator Server
- Configuring vCenter Orchestrator in the Orchestrator Appliance
- Configuring Orchestrator by Using the Configuration Plug-In and the REST API
- Configure Network Settings by Using the REST API
- Configuring Authentication Settings by Using the REST API
- Configure the Database Connection by Using the REST API
- Create a Self-Signed Server Certificate by Using the REST API
- Managing SSL Certificates Through the REST API
- Importing Licenses by Using the REST API
- Additional Configuration Options
- Change the Password of the Orchestrator Configuration Interface
- Change the Default Configuration Ports on the Orchestrator Client Side
- Uninstall a Plug-In
- Activate the Service Watchdog Utility
- Export the Orchestrator Configuration
- Import the Orchestrator Configuration
- Configure the Maximum Number of Events and Runs
- Import Licenses for a Plug-In
- Orchestrator Log Files
- Configuration Use Cases and Troubleshooting
- Configuring a Cluster of Orchestrator Server Instances
- Registering Orchestrator with vCenter Single Sign-On in the vCenter Server Appliance
- Setting Up Orchestrator to Work with the vSphere Web Client
- Check Whether Orchestrator Is Successfully Registered as an Extension
- Unregister Orchestrator from vCenter Single Sign-On
- Enable Orchestrator for Remote Workflow Execution
- Changing SSL Certificates
- Back Up the Orchestrator Configuration and Elements
- Unwanted Server Restarts
- Orchestrator Server Fails to Start
- Revert to the Default Password for Orchestrator Configuration
- Setting System Properties
- Disable Access to the Orchestrator Client By Nonadministrators
- Disable Access to Workflows from Web Service Clients
- Setting Server File System Access for Workflows and JavaScript
- Set JavaScript Access to Operating System Commands
- Set JavaScript Access to Java Classes
- Set Custom Timeout Property
- Modify the Number of Objects a Plug-In Search Obtains
- Modify the Number of Concurrent and Delayed Workflows
- Where to Go From Here
- Index
The first two lines in the default js-io-rights.conf configuration file allow the following access rights:
-rwx /
All access to the file system is denied.
+rwx /var/run/vco
Read, write, and execute access is permitted in the /var/run/vco directory.
Rules in the js-io-rights.conf File
Orchestrator resolves access rights in the order they appear in the js-io-rights.conf file. Each line can
override the previous lines.
In the default js-io-rights.conf configuration file, the second line partially overrides the first line because
c:/orchestrator is after c:/, which allows read, write, and execute access to c:/orchestrator but denies
access to the rest of the file system under c:/.
The default configuration allows workflows and the Orchestrator API to write to the c:/orchestrator
directory, but nowhere else.
IMPORTANT You can permit access to all parts of the file system by setting +rwx / in the js-io-rights.conf
file. However, doing so represents a high security risk.
Set Server File System Access for Workflows and JavaScript
To change the parts of the server file system that workflows and the Orchestrator API can access, modify the
js-io-rights.conf configuration file. The js-io-rights.conf file is created when a workflow attempts to
access the Orchestrator server file system.
If the js-io-rights.conf file does not exist on your Windows system, you can manually create it with the
default contents. You can create manually the file only on Windows systems. For more information, see
“Manually Create the js-io-rights.conf File on Windows Systems,” on page 115.
Orchestrator has read, write, and execute rights to a folder named orchestrator, at the root of the server
system.
NOTE To locate the js-io-rights.conf on the Orchestrator Appliance, log in to the Orchestrator Appliance
Linux console as root and navigate to the /etc/vco/app-server directory.
Procedure
1 Create the c:/orchestrator folder at the root of the Orchestrator server system.
2 Navigate to the folder that contains configuration files on the Orchestrator server system.
Option Action
If you installed Orchestrator with
the vCenter Server installer
Go to
install_directory\VMware\Infrastructure\Orchestrator\app-
server\conf.
If you installed the standalone
version of Orchestrator
Go to install_directory\VMware\Orchestrator\app-server\conf.
3 Open the js-io-rights.conf configuration file in a text editor.
4 Add the necessary lines to the js-io-rights.conf file to allow or deny access to parts of the file system.
For example, the following line denies the execution rights in the c:/orchestrator/noexec directory:
-x c:/orchestrator/noexec
c:/orchestrator/exec retains execution rights, but c:/orchestrator/noexec/bar does not. Both
directories remain readable and writable.
Installing and Configuring VMware vCenter Orchestrator
114 VMware, Inc.