vCloud Director Service Library – Change AD Password

vCloud Director version 9.1 introduced the ability to easily create custom services and display them in the new user interface as tiles under Service Library. The services are created in vRealize Orchestrator as workflows and then presented to tenants or system administrators with simple categorization.

The screenshot below shows the Service Library with Backup and User Management categories and some services that I created for demonstration.

The feature is not very well documented, so I will show how to implement it using one simple (but useful) example.

I am going to create a Change LDAP Password service tile. While the vCloud Director UI allows changing passwords for local users, users that are imported from an integrated LDAP cannot change their password via the vCloud Director UI, so adding such a service actually makes sense.

  • Set up vRealize Orchestrator: as system admin, log in to the provider H5 UI (https://<vcd-UI>/provider) and set up a connection to an external vRealize Orchestrator server (which obviously must be installed and configured first). Note that for this example we will not need any custom plugins. The menu path is Content Libraries > Library Administration > Service Management > vRO Servers.
  • Set up Service Categories in the next menu.
  • Make sure that users have access to the Service Library. This is controlled with new rights under the section Additional Services. I have added all three rights to the global Organization Administrator role and also to all existing organizations. You can obviously also add them to less privileged roles. This must be done via the vCloud API.
  • Prepare the workflow in vRealize Orchestrator (vRO). I assume the reader already knows how to create generic vRO workflows so I will not go into too much detail. You must configure the built-in Microsoft Active Directory plugin with the Add an Active Directory server configuration workflow.
  • At a very high level, the workflow execution will consist of the following steps:
  1. Presentation window to collect Password and confirmPassword values and compare them for validation. Note that I did not succeed using SecureString variables (vCloud Director seems to not support them) and had to use simple string type which results in password being visible on the screen.
  2. Next we will get some custom properties from vCloud Director. You can use four of them: _vcd_orgName, _vcd_orgId, _vdc_userName (sic!) and _vcd_isAdmin. In my Active Directory I have the following OU structure for each org:
    Each vCloud Director organization has its own OU under VCD organization unit. The OU name matches the Organization name.
    To get the custom properties you need to create custom action (in my case Load VCD Inputs with the following script):
    As can be seen from the above screenshot, I only need _vcd_orgName to find the OU and _vdc_userName to find the user account in AD.
  3. The next step is built in getOrganizationUnitFromOrganizationUnit action that can be found under  As inputs I am supplying value equal to the container of my parent (VCD) OU and the org name as string. The output is the organization OU.
  4. Now we can find the user object based on org OU and username string. This is done with getUserFromContainer action (again from
  5. As mentioned in the beginning I was forced to use String type variable for the password, but the change password action requires Secure String. This simple action will provide the conversion.
  6. The last step is to change the password with setUserPassword action (found in
  • Now we can save the workflow and give it a proper description that will be visible to tenants.
  • Back in the vCloud Director provider UI, we can now import the workflow into the Service Library. This is done at: Content Libraries > Services > Service Library > Import. A simple wizard will ask for the target library (category), the source vRO and the workflow.
  • Once a workflow is imported it can be Published to system admins, all or subset of tenants. Find the workflow tile and select Manage.

That is all. Test as tenant logged in with LDAP account in the new H5 UI.

Observe and troubleshoot the workflow execution in vRO.


Embedding vCloud Availability Portal into vCloud Director UI

Some time ago I blogged about the possibility to link to vCloud Availability Portal directly from vCloud Director UI (here and here). This was done by inserting custom links into the vCloud Director Flex UI.

The vCloud Director 9.x tenant HTML5 UI provides much richer possibilities to embed additional links, pages and full websites. My colleague Kelby Valenti wrote two whitepapers and one blog post on how to do so.

Extending VMware vCloud Director User Interface Using Portal Extensibility

Extending VMware vCloud Director User Interface Using Portal Extensibility – Ticketing Example

Publishing vCloud Director User Interface Extensions

VMware also already released one service that integrates its UI into vCloud Director – vRealize Operations Tenant App.

In the below screenshot you can see VCD UI extended with five new sections that appear as additional menu options next to Datacenters, Libraries and Administration:

Stub Module – default example included in the UI Extensibility SDK providing static page example (Terms of Service, etc.).

Operations Manager – above mentioned vRealize Operations Tenant App

Blog – this blog embedded as iframe.

Documentation – Static page with links to vCloud Director documentation.

The last module is the vCloud Availability 2.0 portal – the subject of this article:

It is also embedded using iframe.

I am attaching the source files so you can download and adapt them for your purposes. You will also need the SDK and I recommend deployment automation created by Kelby as described in his blog post listed above.

Some notes:

  • The actual link to the portal is in the src/main/vcav.component.ts file. In my case it is https://portal.proxy.cpsbu.local so replace it with the correct link for your environment.
  • For security reasons the vCloud Availability portal prohibits being rendered in a browser frame by setting the X-Frame-Options header to DENY. To work around this limitation I am replacing the header with X-Frame-Options: ALLOW-FROM <VCD-url> on the existing load balancer that is load balancing my two vCloud Availability Portal nodes as well as redirecting external port 443 to the appliances’ port 8443. This is done with NSX Edge Gateway, SSL termination and the following application rule:
  • The link to the portal is also passing the vCloud Director session authentication token for Single Sign-On. Note, however, that in the current release (2.0.1) this functionality is broken.
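
Current browsers ignore the obsolete ALLOW-FROM directive and honour the Content-Security-Policy frame-ancestors directive instead, so it is worth checking what the rewritten response actually permits. The following is an added example, not part of the original post or its attached source files, that models that decision; the VCD and unrelated-site URLs are placeholders and the model is simplified as noted in the docstring.

```python
from urllib.parse import urlsplit

def origin(url):
    """Normalise a URL to scheme://host[:port], dropping default ports."""
    p = urlsplit(url.strip().lower())
    default = {"https": 443, "http": 80}.get(p.scheme)
    port = "" if p.port in (None, default) else f":{p.port}"
    return f"{p.scheme}://{p.hostname}{port}"

def framing_allowed(headers, embedder, resource):
    """Would a current browser let page `embedder` frame `resource`?

    Simplified model: one policy, one level of nesting, and frame-ancestors
    sources limited to 'none', 'self', * and full scheme://host origins.
    """
    h = {k.lower(): v for k, v in headers.items()}
    emb, res = origin(embedder), origin(resource)

    # CSP frame-ancestors, when present, overrides X-Frame-Options entirely.
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            if not sources or "'none'" in sources:
                return False
            return any(
                s == "*" or (s == "'self'" and emb == res)
                or ("://" in s and origin(s) == emb)
                for s in sources)

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return emb == res
    # Anything else, including the obsolete ALLOW-FROM, is ignored by
    # current browsers, so the response carries no framing restriction.
    return True

# Constructed sample values: VCD and OTHER are placeholders; PORTAL is the
# portal URL quoted in the post.
PORTAL = "https://portal.proxy.cpsbu.local"
VCD = "https://vcd.example.com"
OTHER = "https://unrelated.example.net"
ORIGINAL = {"X-Frame-Options": "DENY"}
REWRITTEN = {"X-Frame-Options": f"ALLOW-FROM {VCD}"}
WITH_CSP = {**REWRITTEN, "Content-Security-Policy": f"frame-ancestors {VCD}"}
```

With only the rewritten X-Frame-Options header, the model reports that any site may frame the portal; adding a frame-ancestors policy that names the VCD origin restores the restriction to that one embedder.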


vCloud Availability – Updated Whitepaper

I have updated my vCAT-SP vCloud Availability whitepaper to reflect changes that came with vCloud Availability 2.0 and vSphere 6.5/6.7.

It can be downloaded from the vCAT-SP site from the Storage and Availability section. The direct link to PDF is here. You will know you have the latest document if you see June 2018 date on the title page.

Edit highlights:

  • Installer Appliance section
  • Tenant and Provider portal sections
  • PSC section update
  • Supported Org VDC Topologies
  • Application Network Design
  • Network Bandwidth Requirements
  • Monitoring updates
  • Updates and Upgrades section
  • Monitoring with vRealize Operations

vCloud Availability – Cloud Proxy with Multiple NICs

Cloud Proxy is an important component of the vCloud Availability solution that sits in the DMZ and tunnels replicated traffic in and out of the provider’s environment. For a deep dive on the traffic flows see this older article. Cloud Proxy is very similar to a vCloud Director cell: it runs on a Linux VM and can be multihomed with internet-facing and management-facing interfaces.

By default, Cloud Proxy uses its primary network interface both for to-the-cloud (port 443) and from-the-cloud (port 31031) traffic. When multihoming is used, it might be beneficial to move the listener of the from-the-cloud traffic to the internal interface. This can be accomplished by adding the following line to the $VCLOUD_HOME/etc/ file, with the IP address of the internal interface. =

After restarting the cell, the listener will be moved to the new IP address.

Here is an example from my lab:

Cloud Proxy with two NICs:

[root@vcd-01a ~]# ifconfig
eno16780032: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet netmask broadcast
inet6 fe80::250:56ff:fe3f:969 prefixlen 64 scopeid 0x20<link>
inet6 fdba:dd06:f00d:a400:250:56ff:fe3f:969 prefixlen 64 scopeid 0x0<global>
ether 00:50:56:3f:09:69 txqueuelen 1000 (Ethernet)
RX packets 45153159 bytes 11625785984 (10.8 GiB)
RX errors 0 dropped 1118 overruns 0 frame 0
TX packets 52432329 bytes 14266764397 (13.2 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet netmask broadcast
inet6 fe80::570a:1196:4322:521f prefixlen 64 scopeid 0x20<link>
inet6 fdba:dd06:f00d:a400:3495:c013:e72:cc58 prefixlen 64 scopeid 0x0<global>
ether 00:50:56:37:03:81 txqueuelen 1000 (Ethernet)
RX packets 4409 bytes 279816 (273.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 26 bytes 2691 (2.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Before the edit:

[root@vcd-01a ~]# netstat -an|grep 31031
tcp6 0 0 :::* LISTEN

After the edit and cell restart:

[root@vcd-01a ~]# netstat -an|grep 31031
tcp6 0 0 :::* LISTEN
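
A check for the listener move described above, as an added example that is not from the original post: it parses `netstat -an` output and classifies where the from-the-cloud port 31031 is bound. All addresses and sample lines below are constructed.

```python
WILDCARDS = {"0.0.0.0", "::", "*"}

def listeners(netstat_output, port):
    """Return the set of local addresses in LISTEN state on `port`.

    Accepts `netstat -an` lines for tcp and tcp6 sockets. IPv4-mapped
    addresses (::ffff:a.b.c.d) are reported as plain IPv4.
    """
    found = set()
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue
        addr, _, p = f[3].rpartition(":")
        if p != str(port):
            continue
        if addr.startswith("::ffff:"):
            addr = addr[len("::ffff:"):]
        found.add(addr)
    return found

def check_listener(netstat_output, port, expected_ip):
    """Classify the binding: ok, wildcard, wrong-address or not-listening."""
    addrs = listeners(netstat_output, port)
    if not addrs:
        return "not-listening"
    if addrs & WILDCARDS:
        return "wildcard"  # reachable on every interface, including the DMZ one
    return "ok" if addrs == {expected_ip} else "wrong-address"

# Constructed sample data: PRIMARY stands for the internet-facing NIC,
# INTERNAL for the management-facing NIC.
PRIMARY = "198.51.100.20"
INTERNAL = "192.0.2.10"
BEFORE = (
    "tcp6  0  0 ::ffff:198.51.100.20:443    :::*  LISTEN\n"
    "tcp6  0  0 ::ffff:198.51.100.20:31031  :::*  LISTEN\n"
)
AFTER = (
    "tcp6  0  0 ::ffff:198.51.100.20:443    :::*  LISTEN\n"
    "tcp6  0  0 ::ffff:192.0.2.10:31031     :::*  LISTEN\n"
    "tcp6  0  0 ::ffff:192.0.2.10:31031     ::ffff:192.0.2.55:48812  ESTABLISHED\n"
)
WILDCARD = "tcp6  0  0 :::31031  :::*  LISTEN\n"
```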

vRealize Business for Cloud API Authentication

vRealize Business for Cloud (vRBC) can be used to meter vSphere, NSX and vCloud Director endpoints. I have struggled a bit to obtain necessary metering data via API due to very brief documentation, so let me describe step by step how to do so.

Although vRBC supports local accounts, this is only for testing purposes. In production you should always use VMware Identity Manager (VIDM) authentication. VIDM appliance deployment is not hard and the integration with vRBC is quite simple through vRBC VAMI UI.

Now, to use the vRBC API you first need to obtain an authentication token from VIDM. Go to vRBC appliance and from /usr/local/tomcat/itbm-server/conf/  retrieve and client.secret values.

These values are used to retrieve the authentication token from VIDM. You will get it with:

POST https://<vidm-IP>/SAAS/API/1.0/oauth2/token?grant_type=client_credentials

and provide the BASE64 encoded credentials in the Authorization header.
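
The token request above, as an added Python example that is not from the original post. It assumes the credentials are sent in the standard HTTP Basic form, base64(client_id:client_secret), and that the response is a standard OAuth2 JSON document; the host name, parameter names and sample values are hypothetical.

```python
import base64
import json
import time
from urllib.request import Request, urlopen

TOKEN_PATH = "/SAAS/API/1.0/oauth2/token?grant_type=client_credentials"

def build_token_request(vidm_host, client_id, client_secret):
    """Build the POST shown above; credentials go in the header, not the URL."""
    pair = f"{client_id}:{client_secret}".encode("utf-8")
    basic = base64.b64encode(pair).decode("ascii")
    return Request(f"https://{vidm_host}{TOKEN_PATH}", data=b"", method="POST",
                   headers={"Authorization": f"Basic {basic}",
                            "Accept": "application/json"})

def parse_token_response(body, now=None):
    """Return (access_token, expires_at) from the JSON token response."""
    doc = json.loads(body)
    if "access_token" not in doc:
        # Surface the OAuth2 error code only, never the request credentials.
        raise ValueError(f"token request failed: {doc.get('error', 'unknown')}")
    now = time.time() if now is None else now
    return doc["access_token"], now + int(doc.get("expires_in", 0))

def fetch_token(vidm_host, client_id, client_secret, timeout=10):
    """Send the request; urlopen verifies the VIDM TLS certificate by default."""
    req = build_token_request(vidm_host, client_id, client_secret)
    with urlopen(req, timeout=timeout) as resp:
        return parse_token_response(resp.read())

# Constructed sample values, for illustration only.
SAMPLE_REQUEST = build_token_request("vidm.example.com", "demo-client", "demo-secret")
SAMPLE_RESPONSE = ('{"access_token": "eyJ.constructed.token", '
                   '"token_type": "Bearer", "expires_in": 3600}')
```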

Now copy the access_token from the response and use it in your API call to retrieve metering reports from vRBC: