VCF9 Automation - Adding external Orchestrator

How to install and configure an external Orchestrator for your VCFA Organization

Tenancy and Embedded Orchestrator

VCF Automation comes with tenancy built-in, called Organizations. The default Provider Consumption org tenant is not meant to be used by user workloads (disabled by default). The system administrator is advised to create a new organization to consume IT services.

The appliance(s) running VCFA include an embedded Orchestrator component, just like the Aria Automation 8 version. However, the embedded Orchestrator is tied to the Provider Consumption org, so any additional organization requires an external Orchestrator instance configured for Automation extensibility.

Installing an External Orchestrator instance

Follow the official documentation to download and configure a standalone Orchestrator instance. At the time of writing this blog post only Orchestrator 8.18 documentation is available (VCF9 is still BETA), but make sure to download and install Orchestrator 9.x.

Until 9.0 is released, follow the 8.18 install guide: Download and Deploy the Automation Orchestrator Appliance

Log in to the appliance and configure authentication. Provide the System Administrator username (admin), the VCFA URL (https://vra.vcf.lab) and the name of the tenant (automation) to which you want to connect the external appliance.

root@vro [ ~ ]# vracli vro authentication set -p tm -f -k -u admin -hn https://vra.vcf.lab --tenant automation
Enter credentials for authentication (could be API token, Bearer Token, Password):
The authentication provider has been successfully registered.

(If a validation error message appears, try the possible fix described here: VCF9 Operations Orchestrator - bootstrap fix)

Restart the Orchestrator application.

root@vro [ ~ ]# kubectl rollout restart deployment vco-app -n prelude
deployment.apps/vco-app restarted

Watch the application restart.

root@vro [ ~ ]# watch kubectl -n prelude get pods -l=app=vco-app

It will show starting:

Every 2.0s: kubectl -n prelude get pods -l=app=vco-app                                                                                                           vro.vcf.lab: Sun Jun  8 17:58:28 2025
NAME                      READY   STATUS     RESTARTS   AGE
vco-app-94cf5ffb9-kx9mm   0/2     Init:1/2   0          12s

Restart completed, pods are ready:

Every 2.0s: kubectl -n prelude get pods -l=app=vco-app                                                                                                           vro.vcf.lab: Sun Jun  8 18:12:00 2025
NAME                      READY   STATUS    RESTARTS      AGE
vco-app-94cf5ffb9-kx9mm   2/2     Running   1 (33s ago)   13m
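
A scripted version of the readiness check above, so that later steps run only once vco-app is fully up. This is an added example, not part of the original post; the function names, timeout and poll interval are assumptions, while the namespace and label are the ones used above.

```shell
#!/usr/bin/env bash
# Added example: gate the next step on vco-app readiness.
# Namespace "prelude" and label app=vco-app come from the post;
# the timeout and poll interval defaults are assumptions.

# Reads a `kubectl get pods` table on stdin. Succeeds only if at least one
# pod is listed and every pod is Running with all containers ready (n/n).
# Only columns 2 and 3 are read: RESTARTS may contain spaces
# ("1 (33s ago)"), which shifts every column after it.
pods_ready() {
  awk '
    $1 == "NAME" || NF < 3 { next }   # skip header and blank lines
    {
      total++
      split($2, r, "/")
      if ($3 != "Running" || r[1] != r[2]) bad++
    }
    END { exit !(total > 0 && bad == 0) }
  '
}

# Polls the pods of the deployment until ready; fails after timeout seconds.
wait_for_vco() {
  timeout="${1:-1200}"; interval="${2:-10}"; waited=0
  until kubectl -n prelude get pods -l app=vco-app 2>/dev/null | pods_ready; do
    waited=$((waited + interval))
    if [ "$waited" -ge "$timeout" ]; then
      echo "vco-app not ready after ${timeout}s" >&2
      return 1
    fi
    sleep "$interval"
  done
  echo "vco-app is ready"
}

# Constructed samples, taken from the two outputs shown in the post.
SAMPLE_STARTING='NAME                      READY   STATUS     RESTARTS   AGE
vco-app-94cf5ffb9-kx9mm   0/2     Init:1/2   0          12s'
SAMPLE_READY='NAME                      READY   STATUS    RESTARTS      AGE
vco-app-94cf5ffb9-kx9mm   2/2     Running   1 (33s ago)   13m'
```

Call `wait_for_vco` on the appliance after the rollout restart; `kubectl -n prelude rollout status deployment/vco-app` is the built-in alternative when a simple blocking wait is enough.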

Publish Orchestrator Rights Bundle

To log in to VCFA Provider Management, enter system as the organization name at your VCFA login URL; this selects the Provider Management org.

Log in with the System Administrator user created at install time (we used admin here).

Publish the Rights bundle to the organization at Administration / Access Control / Rights Bundles.

Enable it for the pre-created organization (our org is automation).

Login to Organization

The System Administrator user can log in to any tenant and do the initial configuration. First navigate to the Infrastructure / Organizations page, and click on the organization name.

Click on the Launch Organization Portal link.

Add Integration

Now, within our automation tenant, let's set up the external Orchestrator. Navigate to Administer / Connections / Integrations, and click Add Integration.

Choose Orchestrator as integration type.

Provide a name and the URL of the external appliance.

Accept the certificate.

The credentials (which we configured on the Orchestrator appliance earlier) are accepted.

After adding and reopening the integration, data collection starts.

Logging into Orchestrator

Navigate to the external Orchestrator URL at least once to load the webservice certificate. Our System Administrator user can log in now. (This step may or may not be required.)

Now navigate to the Orchestrate tab of VCFA; it loads the integrated Orchestrator instance.

Role Based Access Control

The Organization Administrator has all the privileges to use (administer) the associated Orchestrator instance. If we log out as the System Administrator user, we can log in to our tenant with the local user of the organization (Organization Administrator). Click on Change Organization on the VCF Automation login page, and type the name of your tenant (for us, it is automation). Then log in with the tenant admin user.

We have configured LDAP as the identity source (Administer / Identity Providers / LDAP), so we can add additional organization users. Let's configure Orchestrator access for a regular organization user.

First we create a new role at Administer / Access Control / Roles / New.

On the Users tab we can import LDAP users. Let's search for the user and add the Organization User and Orchestrator Admin (custom) roles.

We have switched off "Inherit roles from groups" as it prevents the user from logging in to the organization. This is a BETA version bug that will be fixed in the released product.

Let's log in with the imported user. user1 can use Orchestrator.

Summary

The main steps again:

  • Create an organization
  • Deploy an external Orchestrator
  • Set up Orchestrator authentication
  • Publish Rights Bundle
  • Add integration into org
  • RBAC setup