Configuring vCenter Orchestrator

Article by Michael Poore (@mpoore)

vCenter Orchestrator (vCO) is a no charge extra for vCenter Server owners. In fact the binaries are installed alongside vCenter Server itself.

This post covers what you need to configure vCO and start to use it. It's based on the GA release of vCenter 5.0. (Of course I should point out that other orchestration products are available.)


If you've met the pre-requisites for vCenter Server, you've also met them for vCO. If you've installed vCenter Server, the vCO client and server binaries are already present on your vCenter server. The only thing left to do before configuring vCO is to start the ‘VMware vCenter Orchestration Configuration” service (by default it's configured to start manually).


(Optionally you can change the startup type to Automatic but it's not mandatory.)

To save yourself some pain later, if you're running vCenter and vCO on the same server make sure you give it at least 4GB memory or vCO won't start. If vCO is on its own the server can cope with less.

Give yourself a pat on the back. So far, so easy.


Point a browser at port 8282 on the server (so that's http://localhost:8282 if you're at the server's console – note that by default the Configuration interface will not respond to remote connections). There's also a start menu shortcut if you'd prefer. You should see a login page.


The default login for this interface is user: vmware and password: vmware. The status page that you then see shows the version and status of vCO. At this stage the status is unknown because we haven't configured it yet.


The red triangles on the menus to the left indicate incomplete configuration items. This might make you think that vCO is not the easiest thing to configure out of the box. True, there's a fair bit to do but none of it is that difficult.

We might as well start at the top and keep going. As you progress though it's worth keeping an eye on the “Validation Results” pane at the bottom. It will provide some feedback on configuration errors and omissions as you go.



Select “Network” from the left-hand menu. Most of the options can be left at their defaults.


The major changes to be made are IP address selection and DNS name entry. If there's only one IPv4 address on the server, the choice should be easy. (Note that vCO doesn't support IPv6.) The configurator will pick up the DNS name associated with the IP address if your DNS is setup correctly. If not, you can always change it manually. If you're happy with your choices, just apply the changes.


As you should now see, we have a green dot for “Network”. We're not finished there though. There's a second tab for SSL certificates which you will probably need to visit.


The SSL tab enables you to import SSL certificates that will be needed for vCO to talk securely with any vCenter Servers you may want it to use and with Active Directory if you're using that.


To import a certificate, simply enter the DNS name of the server that the certificate belongs to. For instance, I have entered “” as my vCenter server. If you're using vCO on the same server as vCenter then you could enter “localhost” here instead.


Click the “Import” link to complete the action.


If you're going to use an SSL connection to LDAP (below) you need to import a certificate for that.

Once done importing certificates, restart the vCO Configuration service using the following link on the “Startup Options” page.



The LDAP server choices here are Active Directory, eDirectory or Sun Java System Directory Server. I already have AD so I'm going to use that.


To configure AD as your LDAP server you need to do some planning and have the following information to hand:

  1. A primary LDAP host (best practice is to use a resolvable name rather than an IP address).
  2. Optionally, a second LDAP host
  3. The Active Directory domain Base DN (e.g. dc=vspecialist,dc=co,dc=uk)
  4. Optionally a port and whether or not to use SSL (I'm not using SSL in this example)
  5. A user name and password for vCO to use to connect to AD (it is preferable to use the username format user@domain)
  6. A base distinguished name (DN) for user lookups (e.g. cn=Users,dc=vspecialist,dc=co,dc=uk)
  7. A base distinguished name (DN) for group lookups (e.g. cn=Users,dc=vspecialist,dc=co,dc=uk)
  8. A DN for a group in AD containing users who will have administrative access to vCO (e.g. cn=grp_vCOAdmins,cn=Users,dc=vspecialist,dc=co,dc=uk)

All of the objects listed above should exist already and keep scrolling down to make sure that you've put everything in. Note that the Group in 8 (above) should have at least one member.

One complaint that I have about this window is that if you click on the “Use SSL” or “Use Global Catalog” checkboxes then the configuration (complete or not) is submitted and vCO tries to validate it.

If everything is entered correctly and, present and configured then you will again get a nice green dot.


So many applications, so many databases. Everything needs a database these days.

Oracle and MS SQL (including SQL Express) will work. If you're using vCO for production use then make sure to avoid SQL Express if you can.

The first stage of configuring a database is to select which type you'll be using. In this case I selected “SQLServer”. The rest of the configuration options are then displayed.


The vCO Configuration interface will not create a database for you. It must exist already. In the screenshot above, I've entered details of the database that I configured for vCO to use. In my lab SQL is installed locally on the vCenter Server (also the vCO server). Best practice for production environments is to have your database server separate from vCenter and from vCO. The user I'm using has no special SQL server rights but it does hold the “db_owner” role on the database. The user is also a SQL user and not an AD domain user (hence the Domain field is blank).

Once the details are in, you have to click the link to set it up (it's still blank at this point).


If all's well, you get another green dot. They're stacking up now!


Server Certificate

If this is your first use of vCO you're likely not going to have a certificate database already.


The best course of action is to click the first link, “Create certificate database…”. You'll then be prompted to create a certificate for the vCO server itself.


Obviously, use your own values 🙂


Once upon a time vCO used to require its own license – at least the first time I set it up I'm sure it did. Now though, the only thing you have to do is connect vCO to a licensed vCenter server. (Remember I said vCO was no cost to vCenter Server owners.)


The tab for plugin licenses can be ignored for the time being.


Bizarrely you have to skip “Startup Options” for now even though it's the next menu item. That is because the default plugins are not yet installed.


Scroll down to see them all if you want but they're checked by default. Enter the name and password of a user in the vCO Admin group defined earlier and apply the changes.

You don't get to see any obvious confirmation except for a green dot against “Plug-ins”. Interestingly though, the “Startup Options” dot also goes green.


Plugin Configuration

You can configure all of the plugins (Mail, SSH, vCenter Server) straight away if you want. Or you can skip ahead, get the service running and come back. The main one I wanted to make sure was configured correctly was “vCenter Server”.


After selecting the tab to add a new vCenter server, I entered the relevant details as above.

The configuration screen then shows the added server:


Startup Options

Finally we can go back there as we have an important step to complete. The default plugins need to be installed and although the vCO Configuration service is running, vCO itself is not yet running as a service.


First, click on the “Install vCO server as service” link.


Next click “Start service”.


Keep hitting refresh until it says “Running”.

Final Steps

There are a couple of things to finish off with:

  1. Configure the Mail and SSH plugins.
  2. Decide whether you want the Configuration Server to run permanently or not and amend the service configuration.
  3. Change the default password for the Configuration interface.

This last task can be accomplished from under the General section and on the “Change Password” tab.


Then it's finished. You can launch the client on the vCenter / vCO server or install the client on your local desktop. It's started from the Start Menu.


vCO takes a little while to configure but the results can be worth it.