VMware vCloud Automation Center® Release Notes

vCloud Automation Center | 1 MAY 2014 | Builds vCloud Automation Center 1768531, Identity Appliance 1748175

What's in the Release Notes

The release notes cover the following topics:

What's New

The release contains several fixes to release 6.0.1.

System Requirements and Installation

For information about supported host operating systems, databases, and Web servers, see the vCloud Automation Center Support Matrix.

The installation executable available on the vCloud Automation Center product download page is intended to be installed as a new deployment.

Note: After upgrading the vCloud Automation Center virtual appliance from 6.0.1 to or version, the IaaS installation page displays the label of the IaaS installation and service pack downloads with version 6.0.1.

Upgrading vCloud Automation Center

If you intend to deploy as an upgrade to your 6.0.1 virtual appliance, the patch upgrade executables and upgrade instructions are available from your virtual appliance. When you log in to your 6.0.1 deployment, you are informed that an upgrade is available. If you confirm the request to continue, you are redirected to the upgrade page.

Note: You can only upgrade to from 6.0.1 version. Upgrade from any other version to is not supported.

  • You must upgrade the vCloud Automation Center virtual appliance and Identity virtual appliance.
  • You are not required to upgrade IaaS components, but it is recommended to use the 32-bit and 64-bit vCloud Automation Center Windows Guest Agents and the vCloud Automation Center PE Builder components because they have been updated to use OpenSSL 1.0.1g. While these components previously embedded OpenSSL 1.0.1c, they were not vulnerable to the Heartbleed issue, and hence you are not required to recreate any templates that were created by using these components. Going forward, it is recommended to use the updated versions of these components to avoid any confusion on whether or not these newly created templates are vulnerable to the Heartbleed issue.

The upgrade process is similar to upgrading vCloud Automation Center from 6.0 to 6.0.1. It is recommended to apply this upgrade from a security perspective. If you have applied the hotfix, released on 4/18, http://kb.vmware.com/kb/2076869, it is still recommended to upgrade to For information about upgrading and configuring vCloud Automation Center after upgrade, see Upgrading vCloud Automation Center from 6.0 to 6.0.1.

Note: If you do not follow the upgrade and configuration of vCloud Automation Center post upgrade processes mentioned in the vCloud Automation Center documentation, you can lose settings of external PostgreSQL database and clustering on the vCloud Automation Center appliance.

For additional prerequisites and installation instructions, see vCloud Automation Center Installation and Configuration.


To access the full set of vCloud Automation Center documentation, see VMware vCloud Automation Center Documentation.

Known Issues

Following are the known issue for release

  • Unable to differentiate between the different destroy approval policies
    After navigating to Administration > Approval Policies and clicking + icon, the different destroy action approval policy types are not classified according to the type of the endpoint.
    Workaround: Perform the following steps.
    1. Login to the vCloud Automation Center appliance.
    2. Run the following queries on the PostgreSQL database of vCloud Automation Center.

    3. update approvalpolicytype set name='Service Catalog - Resource Action Request (Destroy vCD vApp)' where description = 'Destroy a vCloud Director vApp.';
      update approvalpolicytype set name='Service Catalog - Resource Action Request (Destroy Virtual Machine)' where description = 'Destroy a virtual machine.';
      update approvalpolicytype set name='Service Catalog - Resource Action Request (Destroy Multi-Machine)' where description = 'Destroy a multi-machine service.';
      update approvalpolicytype set name='Service Catalog - Resource Action Request (Destroy Cloud Machine)' where description = 'Destroy a cloud machine.';

  • Problem with resizing of window in Internet Explorer 8
    If you use Internet Explorer 8 to log into the vCloud Automation Center console, some of the tabs does not resize to full screen and appear in a box.
    Workaround: Double-click the title bar of the Internet Explorer.

  • No message to restart the identity virtual appliance after upgrade
    Workaround: Restart the identity virtual appliance after upgrade for identity virtual appliance to work properly.

  • Order of upgrade for vCloud Automation Center and Application Director or IT Business Management, Standard Edition
    If you are using vCloud Automation Center with VMware Application Director or VMware IT Business Management Standard Edition, you must ensure that all products are at the same patch level. Install the vCloud Automation Center upgrade before you install upgrades for Application Director or IT Business Management Standard Edition.

  • Unable to publish a blueprint from Application Director to vCloud Automation Center catalog by using vCloud Automation Center version
    If you upgrade to vCloud Automation Center version from 6.0.1 version and then try to publish a blueprint from vCloud Automation Center catalog, an error message An unexpected error has occurred. Please contact you system administrator is displayed. This problem does not occur for new registration of Application Director with vCloud Automation Center version.

    Workaround: Unregister Application Director 6.0.1 from vCloud Automation Center and then register Application Director again with vCloud Automation Center.

  • Modifications made to postgresql.conf are lost after upgrade to
    Any modifications that you have made to the storage/db/pgdata/postgresql.conf file will be lost when upgrading from 6.0.1 to Only the VA on which the database is installed will be able to access it by using the localhost.

    Workaround: Make a copy of the postgresql.conf prior to upgrading from 6.0.1 to and recreate it after upgrade. After you have recreated the file, restart postgres.

  • Names of custom menu operations display incorrectly on Entitlements page and Actions menu
    When you register a new menu operation that was created by using vCloud Automation Center Designer, the display name for the new menu option appears in the Blueprint page, but the workflow name (for example, WF Machine Menu 1), rather than the display name, appears in the Entitlements page and the Actions menu in the catalog.

  • vCloud Automation Center does not support multiple hosts in the system with the same name
    Data collection updates hosts based upon the host name. If two endpoints have identically named hosts, there will be contention between the endpoints over ownership of the host.

    Workaround: Ensure that all host names are unique.
  • Advanced Service Designer conditions are not applied to or triggered for fields that contain a defined default value
    When creating a conditional constraint between fields in Advanced Service Designer, the constraint is not triggered if there is a defined default value to be used when none of the conditions is met. Because of this, some auto-calculated fields are not populated with their expected values. This behavior manifests somewhat differently depending on whether a field is added in the vCloud Orchestrator presentation or in Advanced Service Designer.

    • Conditions added over fields from vCloud Orchestrator presentation:
      Conditions with specified default value are not applied to fields. When a set of expressions are specified as condition for a field parameter, they won't take an effect if default value is defined for use in case none of expressions is met.
      Workaround: Set the conditional constraint directly in the vCloud Orchestrator presentation.

    • Conditions added over fields that are created in Advanced Service Designer:
      Conditions are not triggered if the vCloud Orchestrator presentation has not dependent fields. When creating a conditional constraint between Advanced Service Designer added fields they will take an effect only if the vCloud Orchestrator presentation has dependent fields.
      Workaround: Create the fields and their conditional constraint directly in the vCloud Orchestrator presentation.

  • For machines provisioned by vCloud Automation Center, an Advanced Service Designer resource action can only be attached for vSphere and vCloud Director vApps machines
    In Advanced Service Designer, service architects can expose vCenter Orchestrator workflows as catalog items. They can also create resource actions to define the post-provisioning actions that the consumers of the catalog items can perform on the items they provision, as well as on provisioned vSphere virtual machines and vCloud Director vApps and machines inside vApps. For related information, see Create and Publish an Action to Take a Snapshot in the Advanced Service Design guide.

  • Logging in as the IaaS administrator with incorrect UPN format credentials fails with no explanation
    If you attempt to log in to vCloud Automation Center as an IaaS administrator with UPN credentials that do not include the @yourdomain portion of the user name, you are logged out of SSO immediately and redirected to the login page with no explanation.

    Workaround: The UPN entered must adhere to a yourname.admin@yourdomain format, for example if you log in using jsmith.admin@sqa.local as the user name but the UPN in the Active Directory is only set as jsmith.admin, the login will fail. To correct the problem change the userPrincipalName value to include the needed @yourdomain content and retry login. In this example the UPN name should be jsmith.admin@sqa.local. This information is provided in the log file in the log/vcac folder.

  • Chrome browser incorrectly handles comma symbol when used as a decimal delimiter
    When working in a locale in which the comma symbol, rather than the period symbol, is used as a decimal value delimiter, Chrome browsers incorrectly parse numeric values that contain decimals.

    Workaround: To avoid this problem, do not use a comma symbol as a decimal value delimiter or else use a different and supported browser.

  • After patch upgrade, machines might need to be re-entitled
    When the upgrade is installed, the entitlement for the action Connect by Using Virtual Desktop is removed for virtual machines.

    Before you install, note places where this entitlement is used and use that list to re-entitle actions after version is installed. The entitlement can be restored by a tenant administrator or business group manager. For more information, see the Installation and Configuration guide.

  • The message displayed when a VM import fails is ambiguous
    When a business group manager with fabric administrator rights attempts to import a machine and if there is a failure during import, the machine will not be deleted from the hypervisor. However, the user events would say "Machine name: has been destroyed!". In this situation, the machine is only destroyed in vCloud Automation Center; the VM remains viable on the hypervisor.
  • Updated endpoint configuration workflows package available for Advanced Service Designer
    An updated com.vmware.asd.endpoints.configuration.package is supplied, and needed, for Advanced Services Designer with vCloud Automation Center The package contains updated endpoint configuration workflows. For an embedded vCenter Orchestrator, the configuration package is automatically applied on the vCenter Orchestrator during upgrade. If a new external vCenter Orchestrator is added after upgrade, the correct version of the package is automatically imported. However, for all external vCenter Orchestrators, you must upload the package manually to the vCenter Orchestrator after saving the server configurations. The version value for each workflow in the package is of a higher incremental value than the workflows supplied in vCloud Automation Center 6.0.

    Workaround: For all external vCenter Orchestrators (configured before upgrade), manually save the current configuration after upgrade completion; the new package version is automatically uploaded. Log in to the tenant as a tenant administrator and select Administration > Advanced Services > Server Configuration. If the Use an external Orchestrator server option is selected, click Update.

  • Number maximum value and String maximum length conditions are not populated from vCenter Orchestrator in the Advanced Service Designer form
    When a service architect creates a blueprint form in Advanced Service Designer and loads a vCenter Orchestrator workflow that contains either a number field with an associated maximum value condition or a string field with an associated maximum length condition, the restrictions applied to these fields do not appear in the Constraints tab on the blueprint.

    Workaround: The service architect should re-enter the constraints manually as follows:

    1. Click the Edit option for the input parameter.
    2. Click the Constraints tab.
    3. Insert a restriction for the Maximum value: (for a number parameter) or Maximum length: (for a string parameter) options.
  • Upgrading from vCloud Automation Center 6.0.1 to resets the specified external vCenter Orchestrator to the embedded vCenter Orchestrator
    When the system administrator (administrator@vsphere.local) configures an external vCenter Orchestrator, the configuration is erroneously reset to the embedded vCenter Orchestrator after the upgrade process completes.

    Workaround: Reconfigure the vCenter Orchestrator configuration after upgrade to enable the correct external vCenter Orchestrator.

  • Opening the Infrastructure tab fails when the administrator is a member of several hundred groups
    When using Active Directory and SSO, an IaaS administrator who is a member of many groups might be unable to display the Infrastructure tab. Attempting to do so may yield one of the following errors:
    • Bad Request - Request Too Long - HTTP Error 400. The size of the request headers is too long.
    • Service Unreachable - A required service cannot be reached at the expected address. Contact your system administrator for assistance. Reference error REPO404.

  • Workaround: The resolution is to increase the token limitations as in the following example.

    1. Determine and set the maximum Kerberos token size. To determine the correct Kerberos maximum token size for your deployment, use the following guideline:

    Kerberos MaxTokenSize = 1200 + 40d + 8s (bytes)

    This formula uses the following values:

    • d -- The number of domain local groups a user is a member of plus the number of universal groups outside the user's account domain that the user is a member of plus the number of groups represented in security ID (SID) history.
    • s -- The number of security global groups that a user is a member of plus the number of universal groups in a user's account domain that the user is a member of.
    • 1200 -- The estimated value for ticket overhead. This value can vary depending on factors such as DNS domain name length and client name.

    2. Determine if you need to modify the registry entry. If the token size that you calculate by using the above formula is less than 12,000 bytes (default size), you do not have to modify the MaxTokenSize registry value on domain clients. If the value is more than 12,000 bytes, adjust the MaxTokenSize registry value (reference http://support.microsoft.com/kb/263693). If you need to change the Kerberos MaxTokenSize value, modify the following registry entry:

    MaxTokenSize, REG_DWORD,
    <value> (the recommended value for the MaxTokenSize registry entry is 65535 decimal or FFFF hexadecimal)

    3. Determine and set the correct HTTP maximum request size for your deployment by using the following guideline, where T is the Kerberos MaxTokenSize as set above:

    MaxFieldLength = (4/3 * T bytes) + 200
    MaxRequestBytes = (4/3 * T bytes) + 200

    Set MaxFieldLength and MaxRequestBytes to the calculated values, as in the following example where they are set to the permitted maximum value:

    MaxFieldLength DWORD 65534
    MaxRequestBytes DWORD 16777216

    For related information about issues with Kerberos authentication when a user belongs to many groups, see the following support notes:

  • Email template customization behavior has changed and extraneous templates are unusable
    In vCloud Automation Center 6.0 or later, only notifications generated by the IaaS component can be customized by using the email template functionality from earlier versions.

    Workaround: You can use the following XSLT templates:

    • ArchivePeriodExpired
    • EpiRegister
    • EpiUnregister
    • LeaseAboutToExpire
    • LeaseExpired
    • LeaseExpiredPowerOff
    • ManagerLeaseAboutToExpire
    • ManagerLeaseExpired
    • ManagerReclamationExpiredLeaseModified
    • ManagerReclamationForcedLeaseModified
    • ReclamationExpiredLeaseModified
    • ReclamationForcedLeaseModified
    • VdiRegister
    • VdiUnregister

    These templates are located in the \Templates directory under the server installation directory, typically %SystemDrive%\Program Files x86\VMware\vCAC\Server. The \Templates directory also includes XSLT templates that are no longer supported. These templates cannot be modified and will be removed from the directory in a future release. For more information about configuring notifications, see Configuring Notifications in VMware vCloud Automation Center Documentation.

  • Requirement for .NET 4.5 does not extend to .NET 4.5.1
    .NET 4.5.1 is not currently supported. While system requirements state that .NET 4.5 is required, they should also explicitly state that vCloud Automation Center release 6.0, 6.0.1, and do not support .NET 4.5.1.

  • Access to embedded vCloud Orchestrator server impacted by changes to its administration group
    When the administration group of the embedded vCloud Orchestrator server is changed, the server can no longer be used in embedded mode.

  • Workaround:Use basic authentication to configure the vCloud Orchestrator server as an external server.

  • IP ranges in routed network profiles are listed as allocated when no IP addresses are in use
    If a multi-machine blueprint contains the routed external network profile but not an assignment for the routed network to component network adapters, machines will provision successfully but an IP range from the routed network profile will be allocated and not actually in use.

  • Approval requests result in an error when the approver is not a member of any business group or is a member of a different business group
    If an approval request is sent to a user who is not a member of the same business group as the requester, or is not a member of any business group, an Exception has been thrown error occurs when the approver clicks View Request on the Approval page. However, the approver should be able to see the request.
  • Workaround: Ensure that the approver has a manager, support, or user role assignment in the same business group as that of the requester.

  • Unable to dispose of multi-machine service when orphaned NSX edge is using network
    If an NSX edge is not registered in the vCloud Automation Center environment (probably due to an NSX error), and if that edge is using the external network associated with the routed gateway of a multi-machine service, then an attempt to dispose of that service will fail with multiple AppServiceDisposeVM workflow timeouts.

  • Workaround: Delete the orphaned edge in the NSX environment. After you delete the edge, all AppServiceDisposeVM workflows complete and the multi-machine service is destroyed.

  • The guest agent does not check for a certificate if a PEM file already exists in the VRMGuestAgent directory
    By design, a guest agent does not check for certificates if a PEM file exists nor does it refresh the certificates in the PEM file. This is to ensure that the Guest Agent only takes work items from a trusted source.

    There are 2 options for configuring which server the guest agent trusts:

    1. The most secure option is for the administrator to populate the trusted PEM manually by putting the PEM of the trusted certificate in the template with the guest agent. If the server certificate changes for any reason (for example the old one expired, hostnames changed, or the original certificate was invalid) the administrator can manually rebuild the template with the PEM of the new trusted certificate.
    2. A more flexible, but less secure option, is for an administrator to allow the guest agent to automatically populate the trusted PEM on first use. To do this, the administrator would create a template with no PEM files in the VRMGuestAgent directory. The first time the guest agent starts, it downloads the certificate from the server it was configured to connect with and stores the resulting PEM in the VRMGuestAgent directory. Subsequently it will only accept work items from that server. If the server certificate expires, changes, or the agent was configured for the wrong server, new instances of the template will obtain the latest certificate from the server and always trust the first system they connect with.

    Note that if you test your guest agent before creating the template, you must delete the downloaded PEM file from the VRMGuestAgent directory before creating the template to obtain the behavior of option 2. Otherwise the template will be created to only trust the server you tested against because it will have downloaded the PEM from that server.

What's Been Fixed

The following issues have been resolved in vCloud Automation Center release

  • OpenSSL issue for Identity Appliance regarding CVE-2014-0160 Heartbleed vulnerability
    OpenSSL version for Identity Appliance has been upgraded to 1.0.1g.
  • The Business Group tab of vCloud Automation Center throws exceptions
    If the users try to access the Business Group tab of vCloud Automation Center, an exception Error has been caught, see event logs located on the vCAC server for detail or contact your system administrator for more information is displayed. A reboot of vCloud Automation Center is required to fix the issues for the affected users.

    This issue has been fixed in this release.

  • Timeout error is displayed in vCloud Automation Center Entitlements page
    Timeout occurs when you attempt to add groups to the Entitlements and an error message, Connection timeout. If the problem persists, contact your system administrator is displayed.

    This issue has been fixed in this release.

  • The On Behalf Of field does not work in the Service Catalog
    When you open a Tenant and navigate to Catalog and attempt to enter a username into the On Behalf Of field, the field is not updated and Loading message appears continuously.

    This issue has been fixed in this release.

  • Windows session authentication login fails and an error message is displayed because of VMware Client Integration Plug-in
    If you attempt to use the Windows session authentication feature, it fails and an error message Windows Session Authentication login as failed as a result of an error caused by the VMware Client Integration Plugin is displayed. This issue occurred in Google Chrome 31.0.1650.63, Internet Explorer 9, and Firefox 25.0.1.

    This issue has been fixed in this release for Google Chrome and Firefox browsers.

  • Unable to login when the UPN username does not match the SAMAccountName
    If you configure active directory over LDAP provider, and select one of the UPN suffix to be an alias of the provider, vCloud Automation Center does not convert the eUPN using the alias logic and the original UPN is the eUPN of the user account.

    This issue has been fixed in this release.

  • Active directory over LDAP provider is not returning vsphere.local groups for direct active directory user members
    If you login with the active directory user, which is part of vsphere.local\administrators group, vCenter Server is not visible as part of the inventory.

    This issue has been fixed in this release.

  • The vmidentity-firstboot of Windows based vCenter Server fails while trying to replicate with SSO in an embedded deployment
    The Identity Service does not throw an exception if domain state is not compatible with the currently configured native active directory. This prevents IDM from starting up, log in to vCenter Server fails, and browsing of IDP information fail, and the system gets into unusable state.

    This issue has been fixed in this release.

  • Native active directory times out when you try to see users in vCloud Automation Center
    When you try to add the identity store for whichever native active directory domain that you want to use, for example sqa.local or sqa2k8.local, then you need to add administrators. At this point, native active directory might display an error message Connection timed out.

    This issue has been fixed in this release.

  • Login to vCloud Automation Center fails when you try to login with SSO
    When you try to login to vCloud Automation Center virtual appliance with SSO, the login fails and an error message Error received by LDAP client: com.vmware.identity.interop.ldap.WinLdapClientLibrary, error code: 10 is displayed.

    This issue has been fixed in this release.