Add Blueprint, network for Template-vRO7


Sign in to vRA with an account that has permissions to create and publish blueprints and to add items to the catalog.

Click Design

New Blueprint

I adjusted the “1 to 60 days” option


Drag vSphere Machine on canvas


Select Build Information

Change to Linked Clone in the Action field


Select the “….”


A popup window will appear

Select Template-vRO7


Select Network and Security


Drag existing network to canvas


Select network profile

In our example, it’s internal network


Select Network on Blueprint

Follow steps in picture


Close Blueprint

Make sure to publish the blueprint



Steve Schofield

Add Script to Template-vRO7 VM


After the vRO OVF is deployed and running, open the VM in VMRC (VMware Remote Console) and log in.  I add a bash shell script to the template that vRO will execute to adjust network settings passed by vRA.  Once the script is added and permissions are adjusted, take a snapshot.

Open VMRC and log in as root


In vi, create a file named placed in the root folder.   The file can be located in any folder; we just chose the root folder.


Type the settings listed in the image, or copy and paste from the code listed below


Type the command that gives vRO the ability to execute the script

chmod 755 /

Notice the permissions after adjusting



  • Shutdown VM
  • Take a single snapshot



Code from step 3

#!/bin/bash
# Arguments: $1 hostname, $2 IP address, $3 netmask, $4 gateway,
#            $5 and $6 DNS servers, $7 DNS domain

# Hostname: keep the original file, then write the new name
mv /etc/HOSTNAME /etc/HOSTNAME.original
echo "$1" >> /etc/HOSTNAME

# Static settings for eth0
mv /etc/sysconfig/networking/devices/ifcfg-eth0 /etc/sysconfig/networking/devices/ifcfg-eth0.original
echo "DEVICE=eth0" >> /etc/sysconfig/networking/devices/ifcfg-eth0
echo "BOOTPROTO='static'" >> /etc/sysconfig/networking/devices/ifcfg-eth0
echo "STARTMODE='auto'" >> /etc/sysconfig/networking/devices/ifcfg-eth0
echo "TYPE=Ethernet" >> /etc/sysconfig/networking/devices/ifcfg-eth0
echo "USERCONTROL='no'" >> /etc/sysconfig/networking/devices/ifcfg-eth0
echo "IPADDR='$2'" >> /etc/sysconfig/networking/devices/ifcfg-eth0
echo "NETMASK='$3'" >> /etc/sysconfig/networking/devices/ifcfg-eth0

# Default route
mv /etc/sysconfig/network/routes /etc/sysconfig/network/routes.original
echo "default $4 - -" >> /etc/sysconfig/network/routes

# DNS settings (the resolver reads /etc/resolv.conf)
mv /etc/resolv.conf /etc/resolv.conf.original
echo "nameserver $5" >> /etc/resolv.conf
echo "nameserver $6" >> /etc/resolv.conf
echo "domain $7" >> /etc/resolv.conf
echo "search $7" >> /etc/resolv.conf

# Apply the new settings
service network restart


Steve Schofield

Make sure Data Collection is working within vRA


This is a short step.  There are a few assumptions:

  • A connection to vCenter where Template-VRO7 is deployed
  • The vRA / vRO has connectivity and permissions to the same vCenter where the Template was deployed
  • Reservations, Business groups and other items are set up
  • The Template-vRO7 VM is deployed with a single snapshot (for linked clones)

Sign in to vRA with administration permissions and kick off a data collection.


Look for a successful data collection; this will pull in the Template-VRO7 that the blueprint will use.



Steve Schofield

Import vRO appliance


To import the vRO OVF, I connected directly to a host running 6.5, which is deployed in a cluster attached to a 6.5 vCenter.  I ran into an SSL cert issue when trying to import through vCenter (HTML or Web client).

As a workaround, I imported directly to a VMHost running 6.5.  Browse to https://vmhostname/ and log in as root.  You’ll be able to use the host client, which is HTML5 based.

Go to Virtual Machines, right click and select Create / Register VM.  


Select Deploy a virtual machine from an OVF or OVA file, browse where the OVF file is located


Name Template-vRO7


Select the datastore where the OVF will be deployed.


Accept License agreement (of course there is an EULA)


Select Network (vlan 16 in our example) and Disk Provisioning (Thin)


Additional settings.  The values in the image are the settings I used.  When the VM is being provisioned by vRA, there is a vRO workflow that executes a script on the host to adjust settings passed from vRA.  The step executing the script is covered in another article.


Review Settings and deploy the OVF


Power on the VM, there are adjustments to the machine.


Step 1 complete


Steve Schofield

Publish vRealize Orchestrator OVF as a catalog offering in vRA 7.2


When I started with VMware vRealize Automation (vRA), one of the key items to learn was vRealize Orchestrator (aka vRO).   As with any new technology, I like to have a stand-alone environment to try things.

vRA does not support deploying OVFs out of the box.  I wanted to make a catalog offering for vRO so I could try things over and over.  This exercise helped me learn vRA better as well as making vRO available for a few technicians who will be developing vRO workflows.  Here is a set of articles I used to create a catalog item.  Any questions, let me know at

Disclaimer: as with any VMware product, licensing can vary.  I encourage you to check with your VMware rep with any questions.


Steve Schofield

vRA 7.2 helper install scripts

Click to get scripts on Github

Names of scripts

  • install-prereq-iaas-web-mgr-vRA72.ps1
  • install-prereq-dem-vRA72.ps1


I support VMware vRealize Automation in my current role.  Installing the product has gotten vastly better than in previous versions.   The helper scripts were written for version 6 (known as vCAC).  One of the scripts was published by Brian Graf, and is great for machines hosting the IaaS web roles and manager service.  I added a second script for DEM worker role machines.  My implementation uses an Enterprise HA install.   I have four Windows servers (two for IaaS web and manager service roles, two for DEM / Agent).

I’ve used the scripts to help speed up the install wizard.  vRA 7.2 has a “Run / Fix” for pre-reqs on Windows machines.  When I set up my IaaS Windows machines, I’ll also run the helper scripts beforehand (and take a snapshot).   When going through the install wizard, the pre-req checker step goes faster. Here is the screen I’m talking about.  I’ve done Medium Enterprise and Minimal installs.


Copy all files to C:\Temp


Thanks Brian Graf for publishing the original script.


Steve Schofield

VMware vRealize Automation limited user permission “additions”

I’ve been implementing a vRA 7.1 HA install.  There are many facets to the install and one of the items VMware publishes is a vCenter “bind” account with necessary permissions.   Here is the article.

Three additional permissions are needed for two different scenarios, besides the permissions mentioned in the article:

  1. To run vRO workflows and “Run programs in Guest” operations, the following permission is needed:

  • VirtualMachine > GuestOperations > Execute

  2. To use the Code Stream “Houdini Management Pack”, two permissions are required to capture vSphere templates:

  • vApp > Import
  • VirtualMachine > Provisioning > MarkAsTemplate

When troubleshooting, manually log in to the vCenter being used by vRA as your “bind” ID and test the operations.

Hope this helps!


My first official shell script

Here is my first official shell script, had to share!  I’m a VMware vRealize Automation administrator, and some of the use cases I’m developing are simple.  As I get more comfortable with the product and how to use it, my hope is to share more blog entries.  Hope this sparks some ideas!

Here is my scenario.

  • Deploy a template, add a script called ./ on the guest
  • Make a snapshot
  • Add a Blueprint in vRA, make a catalog item and entitlement
  • Make a subscription to a workflow
  • Have a workflow retrieve data from the vRA payload
  • Run a program in-guest and pass the data, adding the network
  • Watch the magic happen!


This happened to be on a vRealize Orchestrator appliance

#!/bin/bash
# Arguments: $1 hostname, $2 IP address, $3 netmask, $4 broadcast, $5 gateway

# Hostname: keep the original file, then write the new name
mv /etc/HOSTNAME /etc/HOSTNAME.original
echo "$1" >> /etc/HOSTNAME

# Static settings for eth0
mv /etc/sysconfig/networking/devices/ifcfg-eth0 /etc/sysconfig/networking/devices/ifcfg-eth0.original
echo "DEVICE=eth0" >> /etc/sysconfig/networking/devices/ifcfg-eth0
echo "BOOTPROTO='static'" >> /etc/sysconfig/networking/devices/ifcfg-eth0
echo "STARTMODE='auto'" >> /etc/sysconfig/networking/devices/ifcfg-eth0
echo "TYPE=Ethernet" >> /etc/sysconfig/networking/devices/ifcfg-eth0
echo "USERCONTROL='no'" >> /etc/sysconfig/networking/devices/ifcfg-eth0
echo "IPADDR='$2'" >> /etc/sysconfig/networking/devices/ifcfg-eth0
echo "NETMASK='$3'" >> /etc/sysconfig/networking/devices/ifcfg-eth0
echo "BROADCAST='$4'" >> /etc/sysconfig/networking/devices/ifcfg-eth0

# Default route
mv /etc/sysconfig/network/routes /etc/sysconfig/network/routes.original
echo "default $5 - -" >> /etc/sysconfig/network/routes

#This is the syntax of the script, test on the reference machine before integrating vRA
#./addnetwork 'hostname' 'ipaddr' 'netmask' 'broadcast' 'gateway'
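
Both versions of the script above run as root and write their arguments, which arrive from the vRA payload, straight into files that hold shell-style assignments, so a stray quote or space in a value changes how the file is parsed. The following is an added example, not part of the original post: it validates the values first and builds the interface file in a temp file before renaming it; the function names, sample values and scratch directory are assumptions.

```bash
#!/bin/sh
# Added example: validate every argument before any system file is touched.
# Function names and the sample values are assumptions for illustration.
LC_ALL=C; export LC_ALL

# True if $1 is a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots only; input is digits and dots here
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# True if $1 is a hostname or FQDN: letters, digits, hyphens, labels <= 63.
valid_hostname() {
    [ "${#1}" -ge 1 ] && [ "${#1}" -le 253 ] || return 1
    case "$1" in
        *[!A-Za-z0-9.-]*|.*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for label in "$@"; do
        [ "${#label}" -le 63 ] || return 1
    done
}

# Build the interface file in a temp file, then rename it into place.
# $1 = target path, $2 = IP address, $3 = netmask.
write_ifcfg() {
    valid_ipv4 "$2" && valid_ipv4 "$3" || { echo "rejected: $2 / $3" >&2; return 1; }
    tmp=$(mktemp "$1.XXXXXX") || return 1
    {
        printf "DEVICE=eth0\nBOOTPROTO='static'\nSTARTMODE='auto'\n"
        printf "TYPE=Ethernet\nUSERCONTROL='no'\n"
        printf "IPADDR='%s'\nNETMASK='%s'\n" "$2" "$3"
    } > "$tmp" && chmod 644 "$tmp" && mv "$tmp" "$1"
}

# Constructed sample run against a scratch directory, not /etc.
demo_dir=$(mktemp -d)
valid_hostname "vro7-lab01" && write_ifcfg "$demo_dir/ifcfg-eth0" 192.168.16.25 255.255.255.0
write_ifcfg "$demo_dir/ifcfg-eth0" "192.168.16.25' X='1" 255.255.255.0 || echo "bad input refused"
```

The same checks apply to the gateway and DNS server arguments before they are written to the routes and resolver files.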

vRealize Automation certificate script to generate PEM files

I’ve been learning vRealize Automation 7 installs over the last few months.   I developed a script and associated XML config files to create the PEM files needed during the vRA install.  For an Enterprise install, at least two certificates are required (medium install in my case).  This blog post doesn’t cover the vRA install.  Check out Eric Shanks’ articles here along with the VMware docs for install questions.

Regarding certificates, there are a few articles that kind of cover creating PEM files.  Completing the install wizard requires the following:

  • A PEM file with the necessary root / intermediate / certificate in one file
  • The private key in another file

The script and associated XML files give the flexibility to create the necessary certificates.  In my case, I’m doing a Medium install, so two certificates are required.

  • One PEM file for vRA appliances
  • One PEM file for IaaS / Manager web sites

A medium enterprise install has two vRA appliances and two Windows servers hosting the IaaS Web and Manager service.   I use SAN (subject alternative name) certificates.


#1 - A working internal certificate authority is set up
#2 - A template in your CA setup provides Client and Server authentication
#3 - OpenSSL has been downloaded and placed in C:\OpenSSL
#4 - Account running commands in script has appropriate rights on template in CA
#5 - Each OpenSSL configuration has been configured with appropriate DNS names (script creates this dynamically with input from XML files)

param(
	[String] $ConfigurationFile = $(throw "Please specify the configuration file for the Content move.`r`nExample:`r`n`tGet-MachineLookup.ps1 -ConfigurationFile `"E:\Directory\ChangeThisPath.xml`"")
)

#Load the XML configuration file, or quit if it is missing
switch (Test-Path $ConfigurationFile)
{
	True {
		Write-Host "Using $ConfigurationFile For Script Variables"
		$P = [xml](Get-Content $ConfigurationFile)
	}
	False {
		Write-Host "$ConfigurationFile Not Found For Script Variables - Quitting"
		exit 1
	}
}

#Get Properties and assign to local variables from XML file
[string]$certPath = $P.Configuration.Properties.certPath
[string]$subjAltName = $P.Configuration.Properties.subjAltName
[string]$commonName = $P.Configuration.Properties.commonName

#OpenSSL config settings
[string]$openSSLCFGfileName = $P.Configuration.Properties.openSSLCFGfileName
[string]$countryName = $P.Configuration.Properties.countryName
[string]$stateOrProvinceName = $P.Configuration.Properties.stateOrProvinceName
[string]$localityName = $P.Configuration.Properties.localityName
[string]$organizationName = $P.Configuration.Properties.organizationName
[string]$organizationalUnitName = $P.Configuration.Properties.organizationalUnitName

#General variables
[string]$CertificateTemplateName = $P.Configuration.Properties.CertificateTemplateName
[string]$CertificateKeyLength = $P.Configuration.Properties.CertificateKeyLength
[string]$RootCA = $P.Configuration.Properties.RootCA
[string]$OpenSSLPath = $P.Configuration.Properties.OpenSSLPath
[string]$OpenSSLRootDir = $P.Configuration.Properties.OpenSSLRootDir
[string]$CertPassword = $P.Configuration.Properties.CertPassword

#Writes the OpenSSL request configuration, line by line, into $Path
function CreateOpenSSLConfig([string]$Path, [string]$subjAltName, [string]$commonName)
{
	Add-Content -path $Path\$openSSLCFGfileName  -value "[ req ]"
	Add-Content -path $Path\$openSSLCFGfileName  -value "default_bits = 2048"
	Add-Content -path $Path\$openSSLCFGfileName  -value "default_keyfile = rui.key"
	Add-Content -path $Path\$openSSLCFGfileName  -value "distinguished_name = req_distinguished_name"
	Add-Content -path $Path\$openSSLCFGfileName  -value "encrypt_key = no"
	Add-Content -path $Path\$openSSLCFGfileName  -value "prompt = no"
	Add-Content -path $Path\$openSSLCFGfileName  -value "string_mask = nombstr"
	Add-Content -path $Path\$openSSLCFGfileName  -value "req_extensions = v3_req"
	Add-Content -path $Path\$openSSLCFGfileName  -value ""
	Add-Content -path $Path\$openSSLCFGfileName  -value "[ v3_req ]"
	Add-Content -path $Path\$openSSLCFGfileName  -value "basicConstraints = CA:FALSE"
	Add-Content -path $Path\$openSSLCFGfileName  -value "keyUsage = digitalSignature,  keyEncipherment,  dataEncipherment, nonRepudiation"
	Add-Content -path $Path\$openSSLCFGfileName  -value "extendedKeyUsage = serverAuth,  clientAuth"
	Add-Content -path $Path\$openSSLCFGfileName  -value "subjectAltName = $($subjAltName)"
	Add-Content -path $Path\$openSSLCFGfileName  -value ""
	Add-Content -path $Path\$openSSLCFGfileName  -value "[ req_distinguished_name ]"
	Add-Content -path $Path\$openSSLCFGfileName  -value "countryName = $($countryName)"
	Add-Content -path $Path\$openSSLCFGfileName  -value "stateOrProvinceName = $($stateOrProvinceName)"
	Add-Content -path $Path\$openSSLCFGfileName  -value "localityName = $($localityName)"
	Add-Content -path $Path\$openSSLCFGfileName  -value "0.organizationName = $($organizationName)"
	Add-Content -path $Path\$openSSLCFGfileName  -value "organizationalUnitName = $($organizationalUnitName)"
	Add-Content -path $Path\$openSSLCFGfileName  -value "commonName = $($commonName)"
}

#Creates the CSR and key, submits the CSR to the CA and builds chain.pem
#Each command is built as a string from XML values and run with Invoke-Expression,
#so the XML file must be writable only by trusted administrators
function CreateCertificate([string]$Path)
{
	#Create CSR and private key; -nodes leaves the key unencrypted, so restrict access to $Path
	#The config file name comes from the XML so it matches the file written by CreateOpenSSLConfig
	[string]$certPathCMD = "$($OpenSSLPath) req -new -nodes -out $($Path)\vra-cert.csr -keyout $($Path)\vra-cert.key -config $($Path)\$($openSSLCFGfileName)"
	Add-Content -path "$($Path)\cmds.txt" -value $certPathCMD
	Invoke-Expression -Command $certPathCMD

	#Write RSA key
	[string]$certRSACMD = "$($OpenSSLPath) rsa -in  $($Path)\vra-cert.key -out  $($Path)\vra-cert.key"
	Add-Content -path "$($Path)\cmds.txt" -value $certRSACMD
	Invoke-Expression -Command $certRSACMD

	#Variables for CSR, Certificate and P7B
	$CSRPath = "$($Path)\vra-Cert.csr"
	$CertificatePath = "$($Path)\vra-Cert.cer"
	$p7bPath = "$($Path)\vra-Cert.p7b"

	#Call CA authority and retrieve certificates, p7bfile
	$certCMD = "$Env:SystemRoot\System32\certreq -attrib `"CertificateTemplate:$($CertificateTemplateName)`" -submit -config $RootCA $CSRPath $CertificatePath $p7bPath"
	Add-Content -path "$($Path)\cmds.txt" -value $certCMD
	Invoke-Expression -Command $certCMD

	#This adds root CA and certificate to PEM files
	$ChainPEMFile = "$($OpenSSLPath) pkcs7 -in $($p7bPath) -print_certs -out $($Path)\chain.pem"
	Add-Content -path "$($Path)\cmds.txt" -value $ChainPEMFile
	Invoke-Expression -Command $ChainPEMFile
}

#Only run when the OpenSSL directory is present
if(Test-Path -path $OpenSSLRootDir)
{
	#Create Path for config, files
	New-Item -ItemType Directory -path $certPath -force

	#Create OpenSSL.cfg
	CreateOpenSSLConfig -Path $certPath -subjAltName $subjAltName -commonName $commonName

	#Create CSR, Request Cert and create PEM file
	CreateCertificate -Path $certPath
}

XML Configuration File

<?xml version="1.0" encoding="UTF-8"?>
<!--
#1 - A working internal certificate authority is set up
#2 - A template is set up to provide Client and Server authentication
#3 - OpenSSL has been downloaded and placed in C:\OpenSSL
#4 - The account running commands below has appropriate rights on the template
#5 - Each OpenSSL configuration has been configured with appropriate DNS names
-->
<Configuration>
	<Properties>
		<subjAltName>DNS: vravaprod, DNS:, DNS:, IP:, DNS:, IP:, DNS: vra1, DNS:vra2</subjAltName>
		<!--#OpenSSL config settings-->
		<!--#General variables-->
		<CertificateTemplateName>Copy of Web Server</CertificateTemplateName>
	</Properties>
</Configuration>