Using vRealize Orchestrator with CloudControl

Beginning with HyTrust CloudControl version 5.5, you can use vRealize Orchestrator (vRO) to manage vCenters that are protected by CloudControl. vRO is a general-purpose IT automation product that allows you to automate various operations in a VMware vSphere data center.

CloudControl supports the following VMware vCenter Server versions with vRO versions 7.2.0 and 7.3.0:

  • 6.5 U1
  • 6.5.0
  • 6.0 U3
  • 6.0 U2
  • 6.0 U1
  • 6.0.0

vRO Access

To access your CloudControl protected vCenters, supply the CloudControl PIP, username, and password in the 'Create vCenter instance' workflow in the vRealize Orchestrator Client. You must also configure vRO to use vSphere Authentication with the Platform Service Controller instance that contains the vCenter.

For protected vCenters accessed via vRO, CloudControl manages the following: 

  • All vCenter policy definitions.
  • All audit logs for administration actions.
  • RBAC Authorization.

For example, if you start a workflow to create a VM with vRO, CloudControl authorizes and logs the action.

vRO Connection Methods

By default, vRO allows you to choose which connection method you'd like to use to connect to the vCenter instances.

  • Share a unique session: Creates only one connection to vCenter using the user credentials used to add vCenter in vRO. All operations performed on this vCenter will use the same connection no matter what user is logged in to the vRO client. We recommend that you do not use this method. CloudControl will receive, authorize, and log all of the actions as if they are from the same user, which provides no RBAC benefits.
  • Session per user: Creates a new connection to vCenter server for each individual user. We recommend that you use this method.

Limitations

  • CloudControl only supports the vRO client, not the vRO WCS plugin.
  • If you are in CloudControl Demo mode, the 'session per user' method does not function correctly. Because there is no authentication enabled, you will receive multiple log messages from CloudControl stating that authorization has failed.
  • All users that log in to vRO must have the System.Anonymous and System.Read privileges. Without these privileges, vRO will show the vCenter as unusable, and you will receive multiple DENY messages from CloudControl.
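
The connection-method recommendation and the privilege requirement above can be checked together before users are onboarded. The following is an added example, not HyTrust or VMware code: the mode labels, role names, users and the exported data are all constructed, and it assumes you can export role definitions, group membership and role assignments into these simple structures.

```python
# Added example: constructed data and hypothetical names; not HyTrust or VMware code.
REQUIRED = {"System.Anonymous", "System.Read"}  # privileges named under Limitations

def effective_privileges(user, groups, assignments, roles):
    """Union of privileges from roles granted to the user or to any of the user's groups."""
    principals = {user} | {g for g, members in groups.items() if user in members}
    privs = set()
    for principal, role in assignments:
        if principal in principals:
            privs |= roles.get(role, set())
    return privs

def preflight(connection_mode, vro_users, groups, assignments, roles):
    """Return (subject, finding) tuples; an empty list matches the page's guidance."""
    findings = []
    # "session-per-user" / "shared-session" are labels chosen for this example.
    if connection_mode != "session-per-user":
        findings.append(("vcenter-instance",
                         "shared session: every action is authorized and logged as one user"))
    for user in vro_users:
        missing = REQUIRED - effective_privileges(user, groups, assignments, roles)
        if missing:
            findings.append((user, "missing " + ", ".join(sorted(missing))))
    return findings

# Constructed sample export (not real output from any product).
ROLES = {
    "vm-operator": {"System.Anonymous", "System.Read", "System.View",
                    "VirtualMachine.Interact.PowerOn"},
    "inventory-only": {"System.Anonymous", "System.View"},
    "no-access": set(),
}
GROUPS = {"vro-operators": {"alice", "bob"}}
ASSIGNMENTS = [("vro-operators", "vm-operator"),
               ("carol", "inventory-only"),
               ("dave", "no-access")]
USERS = ["alice", "bob", "carol", "dave", "erin"]

if __name__ == "__main__":
    for subject, finding in preflight("shared-session", USERS, GROUPS, ASSIGNMENTS, ROLES):
        print(f"{subject}: {finding}")
```

Users flagged here are the ones for whom vRO would show the vCenter as unusable and CloudControl would log DENY messages.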