VMware vCloud Automation Center® 220.127.116.11 Release Notes
vCloud Automation Center 18.104.22.168 | 14 April 2015 | Builds vCloud Automation Center 1768531, Identity Appliance 1942139
The OpenSSL library of the Identity Appliance components is updated to version openssl-1.0.1h to address CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, and CVE-2014-3470. Also, the SUSE Linux Enterprise Server (SLES) 11 64-bit template of the Identity Appliance is updated to version openssl-0.9.8za to address CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, and CVE-2014-3470.
For information about supported host operating systems, databases, and Web servers, see the vCloud Automation Center Support Matrix.
The 22.214.171.124 installation files available on the vCloud Automation Center product download page are intended to be installed as a new deployment.
Note: After upgrading the vCloud Automation Center virtual appliance from 6.0.1 to 126.96.36.199 or 188.8.131.52 version, the IaaS installation page displays the label of the IaaS installation and service pack downloads with version 6.0.1.
If you intend to deploy 184.108.40.206 as an upgrade to your 6.0.1 or 220.127.116.11 virtual appliance, the patch upgrade and upgrade instructions are available from your virtual appliance. When you log in to your 6.0.1 or 18.104.22.168 deployment, you are informed that an upgrade is available. If you confirm the request to continue, you are redirected to the 22.214.171.124 upgrade page.
Note: You can only upgrade to 126.96.36.199 from 6.0.1 or 188.8.131.52 version. Upgrade from any other version to 184.108.40.206 is not supported.
Upgrading vCloud Automation Center from 6.0.1 to 220.127.116.11
If you are upgrading vCloud Automation Center from 6.0.1 to 18.104.22.168 version, you must upgrade the vCloud Automation Center virtual appliance and the Identity virtual appliance. You are not required to upgrade IaaS components, but it is recommended to use the 32-bit and 64-bit vCloud Automation Center Windows Guest Agents and the vCloud Automation Center PE Builder components because they have been updated to use OpenSSL 1.0.1g. While these components previously embedded OpenSSL 1.0.1c, they were not vulnerable to the Heartbleed issue, and hence you are not required to recreate any templates that were created by using these components. Going forward, it is recommended to use the updated versions of these components to avoid any confusion on whether or not these newly created templates are vulnerable to the Heartbleed issue.
Upgrading vCloud Automation Center from 22.214.171.124 to 126.96.36.199
If you are upgrading vCloud Automation Center from 188.8.131.52 to 184.108.40.206 version, you must upgrade only the Identity virtual appliance.
The upgrade procedure is similar to upgrading vCloud Automation Center from 6.0 to 6.0.1. For information about upgrading and configuring vCloud Automation Center after upgrade, see Upgrading vCloud Automation Center from 6.0 to 6.0.1.
Note: If you do not follow the upgrade and post-upgrade configuration processes described in the vCloud Automation Center documentation, you can lose the external PostgreSQL database and clustering settings on the vCloud Automation Center appliance.
For additional prerequisites and installation instructions, see vCloud Automation Center Installation and Configuration.
To access the full set of vCloud Automation Center documentation, see VMware vCloud Automation Center Documentation.
The following documentation change is needed in the Change the Reservation of a Virtual Machine topic in the Tenant Administration documentation:
A fabric administrator can change the reservation of a virtual machine. This ability is useful when a virtual reservation moves to a new storage path that is not available in its current reservation.
You cannot change the machine’s current compute resource, but you can move it to any reservation on that compute resource, including one belonging to a different business group. You must be a business group manager of the original and the target business groups to use this function.
A fabric administrator can change the reservation of a virtual machine. This ability is useful when a virtual machine moves to a new storage path that is not available in its current reservation.
You can change the machine’s current compute resource. You can also move it to any reservation on that compute resource, including one belonging to a different business group. You must be a business group manager of the original and the target business groups to use this function.
The following are the known issues for the 220.127.116.11 release.
Windows Session Authentication login fails on Internet Explorer
If you use Windows session authentication to log in on Internet Explorer, login fails and an error null is displayed.
Workaround: Restart the vCloud Automation Center virtual appliance. After restart, login is successful.
In Internet Explorer 8, the user name is not auto-populated when you select the check box Use Windows session authentication
Workaround: Deselect the check box and select the check box again.
Problem with resizing of window in Internet Explorer 8
If you use Internet Explorer 8 to log in to the vCloud Automation Center console, some of the tabs do not resize to full screen and appear in a box.
Workaround: Double-click the title bar of the Internet Explorer.
Unable to differentiate between the different destroy approval policies
After navigating to Administration > Approval Policies and clicking + icon, the different destroy action approval policy types are not classified according to the type of the endpoint.
Workaround: Perform the following steps.
- Log in to the vCloud Automation Center appliance.
- Run the following queries on the PostgreSQL database of vCloud Automation Center.
update approvalpolicytype set name='Service Catalog - Resource Action Request (Destroy vCD vApp)' where description = 'Destroy a vCloud Director vApp.';
update approvalpolicytype set name='Service Catalog - Resource Action Request (Destroy Virtual Machine)' where description = 'Destroy a virtual machine.';
update approvalpolicytype set name='Service Catalog - Resource Action Request (Destroy Multi-Machine)' where description = 'Destroy a multi-machine service.';
update approvalpolicytype set name='Service Catalog - Resource Action Request (Destroy Cloud Machine)' where description = 'Destroy a cloud machine.';
No message to restart the Identity virtual appliance after upgrade
Workaround: Restart the Identity virtual appliance after the upgrade so that it works properly.
- Order of upgrade for vCloud Automation Center and Application Director or IT Business Management, Standard Edition
If you are using vCloud Automation Center with VMware Application Director or VMware IT Business Management Standard Edition, you must ensure that all products are at the same patch level. Install the vCloud Automation Center upgrade before you install upgrades for Application Director or IT Business Management Standard Edition.
- Unable to publish a blueprint from Application Director to vCloud Automation Center catalog by using vCloud Automation Center 18.104.22.168 version
If you upgrade to vCloud Automation Center 22.214.171.124 version and then try to publish a blueprint from vCloud Automation Center catalog, an error message An unexpected error has occurred. Please contact you system administrator is displayed. This problem does not occur for new registration of Application Director with vCloud Automation Center 126.96.36.199 version.
Workaround: Unregister Application Director 6.0.1 from vCloud Automation Center 188.8.131.52 and then register Application Director again with vCloud Automation Center.
- Modifications made to postgresql.conf are lost after upgrade to 184.108.40.206
Any modifications that you have made to the storage/db/pgdata/postgresql.conf file are lost after the upgrade. Only the VA on which the database is installed will be able to access it by using the localhost.
Workaround: Make a copy of the postgresql.conf prior to upgrade and recreate it after upgrade. After you have recreated the file, restart postgres.
Names of custom menu operations display incorrectly on Entitlements page and Actions menu
When you register a new menu operation that was created by using vCloud Automation Center Designer, the display name for the new menu option appears in the Blueprint page, but the workflow name (for example, WF Machine Menu 1), rather than the display name, appears in the Entitlements page and the Actions menu in the catalog.
vCloud Automation Center does not support multiple hosts in the system with the same name
Workaround: Ensure that all host names are unique.
Data collection updates hosts based upon the host name. If two endpoints have identically named hosts, there will be contention between the endpoints over ownership of the host.
- Advanced Service Designer conditions are not applied to or triggered for fields that contain a defined default value
When creating a conditional constraint between fields in Advanced Service Designer, the constraint is not triggered if there is a defined default value to be used when none of the conditions is met. Because of this, some auto-calculated fields are not populated with their expected values. This behavior manifests somewhat differently depending on whether a field is added in the vCloud Orchestrator presentation or in Advanced Service Designer.
- Conditions added over fields from vCloud Orchestrator presentation:
Conditions with a specified default value are not applied to fields. When a set of expressions is specified as a condition for a field parameter, the expressions do not take effect if a default value is defined for use when none of the expressions is met.
Workaround: Set the conditional constraint directly in the vCloud Orchestrator presentation.
- Conditions added over fields that are created in Advanced Service Designer:
Conditions are not triggered if the vCloud Orchestrator presentation has no dependent fields. A conditional constraint created between fields added in Advanced Service Designer takes effect only if the vCloud Orchestrator presentation has dependent fields.
Workaround: Create the fields and their conditional constraint directly in the vCloud Orchestrator presentation.
- For machines provisioned by vCloud Automation Center, an Advanced Service Designer resource action can only be attached for vSphere and vCloud Director vApps machines
In Advanced Service Designer, service architects can expose vCenter Orchestrator workflows as catalog items. They can also create resource actions to define the post-provisioning actions that the consumers of the catalog items can perform on the items they provision, as well as on provisioned vSphere virtual machines and vCloud Director vApps and machines inside vApps. For related information, see Create and Publish an Action to Take a Snapshot in the Advanced Service Design guide.
Logging in as the IaaS administrator with incorrect UPN format credentials fails with no explanation
If you attempt to log in to vCloud Automation Center as an IaaS administrator with UPN credentials that do not include the @yourdomain portion of the user name, you are logged out of SSO immediately and redirected to the login page with no explanation.
Workaround: The UPN entered must adhere to a yourname.admin@yourdomain format. For example, if you log in using email@example.com as the user name but the UPN in the Active Directory is only set as jsmith.admin, the login will fail. To correct the problem, change the userPrincipalName value to include the needed @yourdomain content and retry login. In this example the UPN name should be firstname.lastname@example.org. This information is provided in the log file in the log/vcac folder.
Chrome browser incorrectly handles comma symbol when used as a decimal delimiter
When working in a locale in which the comma symbol, rather than the period symbol, is used as a decimal value delimiter, Chrome browsers incorrectly parse numeric values that contain decimals.
Workaround: To avoid this problem, do not use a comma symbol as a decimal value delimiter or else use a different and supported browser.
After patch upgrade, machines might need to be re-entitled
When the 220.127.116.11 upgrade is installed, the entitlement for the action Connect by Using Virtual Desktop is removed for virtual machines.
Before you install 18.104.22.168, note places where this entitlement is used and use that list to re-entitle actions after version 22.214.171.124 is installed. The entitlement can be restored by a tenant administrator or business group manager. For more information, see the Installation and Configuration guide.
- The message displayed when a VM import fails is ambiguous
When a business group manager with fabric administrator rights attempts to import a machine and if there is a failure during import, the machine will not be deleted from the hypervisor. However, the user events would say "Machine name: has been destroyed!". In this situation, the machine is only destroyed in vCloud Automation Center; the VM remains viable on the hypervisor.
- Updated endpoint configuration workflows package available for Advanced Service Designer
An updated com.vmware.asd.endpoints.configuration.package is supplied, and needed, for Advanced Services Designer with vCloud Automation Center 126.96.36.199. The package contains updated endpoint configuration workflows. For an embedded vCenter Orchestrator, the configuration package is automatically applied on the vCenter Orchestrator during upgrade. If a new external vCenter Orchestrator is added after upgrade, the correct version of the package is automatically imported. However, for all external vCenter Orchestrators, you must upload the package manually to the vCenter Orchestrator after saving the server configurations. The version value for each workflow in the package is of a higher incremental value than the workflows supplied in vCloud Automation Center 6.0.
Workaround: For all external vCenter Orchestrators (configured before upgrade), manually save the current configuration after upgrade completion; the new package version is automatically uploaded. Log in to the tenant as a tenant administrator and select Administration > Advanced Services > Server Configuration. If the Use an external Orchestrator server option is selected, click Update.
- Number maximum value and String maximum length conditions are not populated from vCenter Orchestrator in the Advanced Service Designer form
When a service architect creates a blueprint form in Advanced Service Designer and loads a vCenter Orchestrator workflow that contains either a number field with an associated maximum value condition or a string field with an associated maximum length condition, the restrictions applied to these fields do not appear in the Constraints tab on the blueprint.
Workaround: The service architect should re-enter the constraints manually as follows:
- Click the Edit option for the input parameter.
- Click the Constraints tab.
- Insert a restriction for the Maximum value: (for a number parameter) or Maximum length: (for a string parameter) options.
- Upgrading from vCloud Automation Center 6.0.1 or 188.8.131.52 to 184.108.40.206 resets the specified external vCenter Orchestrator to the embedded vCenter Orchestrator
When the system administrator (email@example.com) configures an external vCenter Orchestrator, the configuration is erroneously reset to the embedded vCenter Orchestrator after the upgrade process completes.
Workaround: Reconfigure the vCenter Orchestrator configuration after upgrade to enable the correct external vCenter Orchestrator.
- Opening the Infrastructure tab fails when the administrator is a member of several hundred groups
When using Active Directory and SSO, an IaaS administrator who is a member of many groups might be unable to display the Infrastructure tab. Attempting to do so may yield one of the following errors:
- Bad Request - Request Too Long - HTTP Error 400. The size of the request headers is too long.
- Service Unreachable - A required service cannot be reached at the expected address. Contact your system administrator for assistance. Reference error REPO404.
Workaround: The resolution is to increase the token limitations as in the following example.
1. Determine and set the maximum Kerberos token size. To determine the correct Kerberos maximum token size for your deployment, use the following guideline:
MaxTokenSize = 1200 + 40d + 8s (bytes)
This formula uses the following values:
- d -- The number of domain local groups a user is a member of plus the number of universal groups outside the user's account domain that the user is a member of plus the number of groups represented in security ID (SID) history.
- s -- The number of security global groups that a user is a member of plus the number of universal groups in a user's account domain that the user is a member of.
- 1200 -- The estimated value for ticket overhead. This value can vary depending on factors such as DNS domain name length and client name.
2. Determine if you need to modify the registry entry. If the token size that you calculate by using the above formula is less than 12,000 bytes (default size), you do not have to modify the MaxTokenSize registry value on domain clients. If the value is more than 12,000 bytes, adjust the MaxTokenSize registry value (reference http://support.microsoft.com/kb/263693). If you need to change the Kerberos MaxTokenSize value, modify the following registry entry:
HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters<value> (the recommended value for the MaxTokenSize registry entry is 65535 decimal or FFFF hexadecimal)
3. Determine and set the correct HTTP maximum request size for your deployment by using the following guideline, where T is the Kerberos MaxTokenSize as set above:
MaxFieldLength = (4/3 * T bytes) + 200
MaxRequestBytes = (4/3 * T bytes) + 200
Set MaxFieldLength and MaxRequestBytes to the calculated values, as in the following example where they are set to the permitted maximum value:
MaxFieldLength DWORD 65534
MaxRequestBytes DWORD 16777216
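The three steps above, carried through for given group counts as an added example (not part of the original release notes or VMware code). The function names are hypothetical, and using the recommended 65535 value whenever a registry change is needed is an assumption of this example.

```python
"""Sizing helper for the Kerberos and HTTP limits in this workaround (added example)."""

KERBEROS_DEFAULT = 12000          # default MaxTokenSize quoted in step 2
KERBEROS_RECOMMENDED = 65535      # recommended MaxTokenSize registry value (0xFFFF)
MAX_FIELD_LENGTH_CAP = 65534      # permitted maximum shown for MaxFieldLength
MAX_REQUEST_BYTES_CAP = 16777216  # permitted maximum shown for MaxRequestBytes


def estimate_token_size(d, s):
    """Step 1: MaxTokenSize = 1200 + 40d + 8s (bytes)."""
    if d < 0 or s < 0:
        raise ValueError("group counts cannot be negative")
    return 1200 + 40 * d + 8 * s


def http_limit(token_size):
    """Step 3: (4/3 * T) + 200, rounded up to a whole byte."""
    return -(-4 * token_size // 3) + 200


def plan_limits(d, s):
    """Return the values to configure for a user with d and s group counts."""
    estimate = estimate_token_size(d, s)
    change_needed = estimate > KERBEROS_DEFAULT
    # Assumption of this example: when a change is needed, use the
    # recommended registry value rather than the bare estimate.
    token_size = KERBEROS_RECOMMENDED if change_needed else KERBEROS_DEFAULT
    wanted = http_limit(token_size)
    return {
        "estimated_token_size": estimate,
        "registry_change_needed": change_needed,
        # True when even the recommended value is smaller than the estimate.
        "estimate_exceeds_recommended": estimate > KERBEROS_RECOMMENDED,
        "MaxTokenSize": token_size,
        "MaxFieldLength": min(wanted, MAX_FIELD_LENGTH_CAP),
        "MaxRequestBytes": min(wanted, MAX_REQUEST_BYTES_CAP),
        "field_length_capped": wanted > MAX_FIELD_LENGTH_CAP,
    }


if __name__ == "__main__":
    # Constructed sample: 300 domain local groups (d) and 200 global groups (s).
    for key, value in plan_limits(300, 200).items():
        print(f"{key}: {value}")
```

With MaxTokenSize at the recommended 65535, the formula asks for 87580 bytes, which is above the permitted MaxFieldLength maximum, so that value is capped at 65534 while MaxRequestBytes can take the calculated figure.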
For related information about issues with Kerberos authentication when a user belongs to many groups, see the following support notes:
- Email template customization behavior has changed and extraneous templates are unusable
In vCloud Automation Center 6.0 or later, only notifications generated by the IaaS component can be customized by using the email template functionality from earlier versions.
Workaround: You can use the following XSLT templates:
These templates are located in the \Templates directory under the server installation directory, typically %SystemDrive%\Program Files (x86)\VMware\vCAC\Server. The \Templates directory also includes XSLT templates that are no longer supported. These templates cannot be modified and will be removed from the directory in a future release. For more information about configuring notifications, see Configuring Notifications in VMware vCloud Automation Center Documentation.
Requirement for .NET 4.5 does not extend to .NET 4.5.1
.NET 4.5.1 is not currently supported. While system requirements state that .NET 4.5 is required, they should also explicitly state that vCloud Automation Center release 6.0, 6.0.1, 220.127.116.11, and 18.104.22.168 do not support .NET 4.5.1.
Access to embedded vCloud Orchestrator server impacted by changes to its administration group
When the administration group of the embedded vCloud Orchestrator server is changed, the server can no longer be used in embedded mode.
Workaround: Use basic authentication to configure the vCloud Orchestrator server as an external server.
- IP ranges in routed network profiles are listed as allocated when no IP addresses are in use
If a multi-machine blueprint contains the routed external network profile but not an assignment for the routed network to component network adapters, machines will provision successfully but an IP range from the routed network profile will be allocated and not actually in use.
- Approval requests result in an error when the approver is not a member of any business group or is a member of a different business group
If an approval request is sent to a user who is not a member of the same business group as the requester, or is not a member of any business group, an Exception has been thrown error occurs when the approver clicks View Request on the Approval page. However, the approver should be able to see the request.
Workaround: Ensure that the approver has a manager, support, or user role assignment in the same business group as that of the requester.
- Unable to dispose of multi-machine service when orphaned NSX edge is using network
If an NSX edge is not registered in the vCloud Automation Center environment (probably due to an NSX error), and if that edge is using the external network associated with the routed gateway of a multi-machine service, then an attempt to dispose of that service will fail with multiple AppServiceDisposeVM workflow timeouts.
Workaround: Delete the orphaned edge in the NSX environment. After you delete the edge, all AppServiceDisposeVM workflows complete and the multi-machine service is destroyed.
The guest agent does not check for a certificate if a PEM file already exists in the VRMGuestAgent directory
By design, a guest agent does not check for certificates if a PEM file exists nor does it refresh the certificates in the PEM file. This is to ensure that the Guest Agent only takes work items from a trusted source.
There are 2 options for configuring which server the guest agent trusts:
- The most secure option is for the administrator to populate the trusted PEM manually by putting the PEM of the trusted certificate in the template with the guest agent. If the server certificate changes for any reason (for example the old one expired, hostnames changed, or the original certificate was invalid) the administrator can manually rebuild the template with the PEM of the new trusted certificate.
- A more flexible, but less secure option, is for an administrator to allow the guest agent to automatically populate the trusted PEM on first use. To do this, the administrator would create a template with no PEM files in the VRMGuestAgent directory. The first time the guest agent starts, it downloads the certificate from the server it was configured to connect with and stores the resulting PEM in the VRMGuestAgent directory. Subsequently it will only accept work items from that server. If the server certificate expires, changes, or the agent was configured for the wrong server, new instances of the template will obtain the latest certificate from the server and always trust the first system they connect with.
Note that if you test your guest agent before creating the template, you must delete the downloaded PEM file from the VRMGuestAgent directory before creating the template to obtain the behavior of option 2. Otherwise the template will be created to only trust the server you tested against because it will have downloaded the PEM from that server.
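A pre-sealing check for the two trust options described above, as an added example (not part of the release notes or the guest agent itself). It reports whether a template's VRMGuestAgent directory will pin a certificate or trust on first use. The function names, the `*.pem` match, and the `server.pem` file name are assumptions, and the sample certificates are constructed placeholder bytes.

```python
import base64
import hashlib
import re
import tempfile
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def cert_fingerprints(pem_path):
    """Return the SHA-256 hex digest of every certificate block in a PEM file."""
    text = Path(pem_path).read_text(errors="replace")
    return [hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_BLOCK.findall(text)]


def classify_template(agent_dir, trusted_sha256=None):
    """Report which trust behaviour a template's guest agent directory gives.

    agent_dir      -- path to the VRMGuestAgent directory (caller supplies it)
    trusted_sha256 -- fingerprint of the server certificate the administrator trusts
    """
    pem_files = sorted(Path(agent_dir).glob("*.pem"))
    if not pem_files:
        # Option 2: the agent downloads and trusts the first server it reaches.
        return "trust-on-first-use"
    found = {fp for pem in pem_files for fp in cert_fingerprints(pem)}
    if trusted_sha256 is None:
        return "pinned-unverified"
    if found == {trusted_sha256.lower()}:
        # Option 1: only the administrator's chosen certificate is present.
        return "pinned-trusted"
    # A PEM is present but is not the expected one, for example a file
    # downloaded while testing the agent against another server.
    return "pinned-unexpected"


def make_pem(der_bytes):
    """Wrap raw bytes in PEM certificate armor (used for the constructed samples)."""
    body = base64.encodebytes(der_bytes).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def demo():
    # Constructed placeholder bytes, not real certificates: only the hash matters.
    prod, test = b"constructed production server cert", b"constructed test server cert"
    trusted = hashlib.sha256(prod).hexdigest()
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        agent_dir = Path(tmp)
        results.append(classify_template(agent_dir, trusted))   # no PEM yet
        (agent_dir / "server.pem").write_text(make_pem(test))    # left over from testing
        results.append(classify_template(agent_dir, trusted))
        (agent_dir / "server.pem").write_text(make_pem(prod))    # rebuilt with trusted PEM
        results.append(classify_template(agent_dir, trusted))
    return results


if __name__ == "__main__":
    print(demo())
```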
The following issues have been resolved in vCloud Automation Center release 22.214.171.124.