Channel: VMware Communities : All Content - vRealize Orchestrator

Help with understanding vRO 7.6 clustering


Hello,

I think I do not understand how clustering works in vRO 7.6, or I am doing something wrong with configuring it; I read the manual a couple of times and still nothing.

I have 3 nodes: vro761, vro762, vro763, of which vro761 is the lead. The load balancer is configured with: vrocluster7.greg.labs

[screenshot: 2020-04-09 19_03_33-VMware vRealize Orchestrator Appliance.png]

[screenshot: 2020-04-09 19_05_19-Rozpocznij nową dyskusję _VMware Communities2.png]

If I open the vrocluster7.greg.labs website, I can be served via vro763.greg.labs for example, but the link on the page to the client always shows the lead I chose at the setup stage. So it points to vro761. This works as long as vro761 is up and running.

If vro761 goes down, then I can't open the HTML5 client since 761 is down. If I type the URL myself, vro762.greg.labs:8281, the link to the client still points to 761, the leader.

It is not like in vRO 8, where the actual link always points to the load balancer FQDN.

[screenshot: 2020-04-09 19_22_17-VMware vRealize Orchestrator Appliance4.png]

Are we supposed to change the FQDN of the host in the Control Center on the leader before joining the other nodes to the leader? In the 8.0.1 documentation there is a step like this, but not in the 7.6 documentation.

I don't know, maybe I think of the clustering here in the wrong way. Why do we need the load balancer in this case?

I also noticed that if I use the old Java client, I can connect to vro762, vro763 or vro761 however I want; it always works. Also, I can use the load balancer FQDN there, and the LB will always forward the Java client to the working node, and that works OK.

[screenshot: 2020-04-09 19_33_47-VMware vRealize Orchestrator Appliance5.png]

In the above screenshot, the cluster in sync mode has noticed that node 761 is down, and it moved the master role to 762. But all the links are pointing to the 761 node. So when I open the website vrocluster7.greg.labs and click the HTML5 client link I get: website not reachable.

[screenshot: 2020-04-09 19_35_55-vro761.greg.labs6.png]

So is there some explanation for this behavior? Is it by design that it is not possible to use any HTML5 client other than the leader's after the cluster is formed, or am I doing something wrong here?

For the Control Center this is not happening; everything there works using the LB FQDN: vrocluster7.greg.labs is being served via vro762 while vro761 is actually down. I can still click the link to the Control Center and I will be served website content.

[screenshot: 2020-04-09 19_35_55-vro761.greg.labs7a.png]

[screenshot: 2020-04-09 19_35_55-vro761.greg.labs7b.png]

One other question: have you noticed that the VAMI certificate has doubled domain strings?

[screenshot: 2020-04-09 19_22_17-VMware vRealize Orchestrator Appliance3.png]

If you check the main website, its certificate is in the correct format. I installed it using the OVA import. The normal / initial website for the client, at 8281, has the proper CN value.

Thank you


How to delete a cluster node in vRO 7.6?


Hello,

Has anyone any idea if I missed something? I have done as in the documentation: went to the cluster :5480 VAMI page, clicked cluster and deleted 1 replica node, 761.

[screenshot: a2020-04-10 15_41_52-VMware vRealize Orchestrator Appliance.png]

Everything went fine, and the node was removed, but when connecting to the cluster via the Control Center, in the cluster check pane, it still shows the node that was removed. I have rebooted everything, and this is still the case. Have I missed something?

Get a list of VMs restarted by HA breaks vRO.


Hello,

 

I'm trying to create a workflow to get a list of VMs restarted by HA.

The script below is working as expected, in the sense that it is getting the list of VMs, but at the last point, when it should exit the last "for", it is literally breaking vRO.


// Collect HA restart events for every VM in allVMs (Array/VC:VirtualMachine)
var restartLogs = [];

for each (var vm in allVMs) {
    // Start of the window we parse events from: the last 24 hours
    var beginTime = new Date();
    beginTime.setHours(beginTime.getHours() - 24);

    // Event filter: only VmRestartedByHAEvent, only this VM, only since beginTime
    var vcEventFilterSpecByTime = new VcEventFilterSpecByTime();
    vcEventFilterSpecByTime.beginTime = beginTime;

    var spec = new VcEventFilterSpec();
    spec.eventTypeId = ["com.vmware.vc.ha.VmRestartedByHAEvent"];
    spec.entity = new VcEventFilterSpecByEntity();
    spec.entity.entity = vm;
    spec.entity.recursion = VcEventFilterSpecRecursionOption.self;
    spec.time = vcEventFilterSpecByTime;

    // queryEvents returns null (not an empty array) when nothing matched
    var events = vm.sdkConnection.eventManager.queryEvents(spec);
    if (events == null) {
        continue;
    }

    // Log and keep every restart event found for this VM
    for each (var ev in events) {
        System.debug("VM: " + ev.vm.name);
        System.debug("Hostname: " + ev.host.name);
        System.debug("Cluster: " + ev.computeResource.name);
        System.debug("Date: " + ev.createdTime);
        restartLogs.push(ev);
    }
}

 

[screenshot: Error.jpg]

After this error message the vRO service stops and a big core.java file is dumped on the disk.

 

vRO76:/storage/ext/core # ls -altrh
total 1.6G
drwxr-xr-x 3 root root     4.0K Mar 21  2019 ..
drwxrwxr-x 2 root coredump 4.0K Apr 11 20:57 .
-rw------- 1 vco  vco      3.1G Apr 11 20:57 core.java.5245

 

I tried with versions 7.1, 7.2 and 7.6. No special vRO customization, just out of the box. Same results on all versions.

 

Can somebody give me a clue? Is it just a vRO bug?

 

Thanks.

Nested ESXi Commands

What is the best way to run esxcli commands on a nested ESXi without a network connection? I am unable to run the "Run Script in Guest" workflow due to the bash limitation in ESXi. Is there another way to do this?

Search VM in Orchestrator is slow


Hi,

 

We have about 3000 VMs spread over 2 vCenters.

We created an Orchestrator workflow that searches a particular VM.

But this takes about 30 seconds.

 

We have used following search methods:

vms = System.getModule("com.vmware.library.vc.vm").getAllVMsMatchingRegexp(".*" + pattern + ".*");

and

var xpath = "xpath:name[starts-with(.,'"  + pattern + "')]";
vms = VcPlugin.getAllVirtualMachines(null , xpath);

 

But these are both too slow.

 

Is there another method for searching VMs in multiple vCenters (without knowing in advance in which vCenter the VM is located)?

 

Thanks in advance!

 

Jonathan

web-root tag, can we get rid of it in Orchestrator 8.x?


I really don't want everything tagged with web-root; why is it required?

When duplicating an action, tags are not kept on 8.0


Just noticed that when I duplicate an action, tags are not kept on 8.0; duplicating a workflow copies the tags.

 

Thanks

How to get maven-o11n-package-plugin to export tags in 8.x.


I am working on a plugin with a package workflow; while I can get the export working from Maven, it does not seem to export tags. Since I can no longer create directory/tree structures in the HTML client, everything is now just lumped together in web-root. How do I export the tags, or have the directory/tree structure that was available in 7.x, which seems to automagically get turned into tags if I import something from the 7.x packages?

Thanks in advance. 


[vrO] 20x Linked Clone Linux with static IP


Hi

 

The current situation

Our students access Linux training VMs via RDP.

Currently I am rolling these VMs out via a script.

In the future

I would like to realize this via a vRO workflow, which I would like to offer as XaaS in vRA.

Creating 20 linked clones is not a problem, but I can't manage to assign every machine a static IP from a specific pool.

It's crucial that the VMs have the same range of IP addresses after every roll-out.

 

Do you have an idea how I can solve this problem?

 

 

Thanks a lot for the support

Christoph | vrO beginner

vRO 8.1 Scripting Languages


Hi guys,

 

I've upgraded a standalone vRO to 8.1. I was expecting to see the option to choose the scripting language of a scriptable task. When I click the Runtime option I only have JavaScript. Is there any additional configuration that needs to be done to use Python, PowerCLI or Node.js?

 

Thank you.

vRO 8.0.1 - MimeAttachment as Workflow Input causes 500, OK


Hello Community,

 

I am currently building a new workflow with a CSV as input.

Unfortunately, when debugging the workflow:

Error 500, OK.

 

Is anyone facing similar issues, or any ideas?

 

thx and kind regards

How to create a standard switch and connect a machine to it?


Hello,

 

I am currently trying to create a workflow to deploy two virtual machines from an image, and make a network connection between the two machines (Local network, no internet, only two devices connected to each other).

 

I have managed to create the two machines, but I am a little bit stuck on how to create a standard switch between the two; I find the documentation a bit unclear on that. What I currently manage is to create a standard switch using the workflow "Create standard virtual switch", which has three inputs (host, name and number of ports). That seems not to be sufficient; as I understand it, for the switch to actually be visible I need a port group, right? So I use the workflow "Add port group in standard virtual switch", and this one I find complicated, because it has so many input parameters, none of which I find suitable to connect the switch I created. Which parameter do I have to pass, is it "name"? And which of the other parameters need to be filled, which are optional? Can anybody provide a sample?

 

Next, how can I connect one of the virtual NICs of my VC:VirtualMachine to one of the ports of the switch? Is there a suitable workflow for that too, or do you have a scripting example to show how to connect it?

 

Any hints would be very helpful, thank you!

How are passwords stored in vRealize Orchestrator, what kind of encryption is used and how many bits of encryption are used in vRO?


How are passwords stored in vRealize Orchestrator, what kind of encryption is used and how many bits of encryption are used in vRO?

Run script in parallel in same virtual machine


Hi,

 

Is it possible to run the "Run script in VM guest" workflow in parallel?

 

For example I have a workflow which creates an A record in DNS virtual server, while creating a new server.

If I create two servers one after the other, the first creates the DNS record; however, the second fails because the first creation does not finish returning the output and exit code before the second begins.

 

Is there a way to check if the "Run script in VM guest" workflow is running in a specific VM before running another thread of the "Run script in VM guest" workflow?

 

Thanks!

vRO REST HoK acquiring token


Hello,

I am trying to obtain a HoK token, which is required by vRO in order to utilize the vRO REST API. I have downloaded the SDK and used the Java sample trying to obtain the HoK token.

 

VC 6.7 latest update, 2-in-1 PSC and VC on the same appliance.

I tried to do the same what was described in this post:

 

vCO api and Authentication

 

D:\sdk67\VMware-vSphere-SDK-6.7.0-14379537\SDK\ssoclient\java\JAXWS>build.bat
Adding vim25.jar.....
1 File(s) copied
compiling samples.....
Generating compiled samples jar.....
Cleaning up.....
Generating javadocs.....
Build complete.....

D:\sdk67\VMware-vSphere-SDK-6.7.0-14379537\SDK\ssoclient\java\JAXWS>goto EOF

D:\sdk67\VMware-vSphere-SDK-6.7.0-14379537\SDK\ssoclient\java\JAXWS>run.bat com.vmware.sso.client.samples.AcquireHoKTokenByUserCredentialSample https://vc001.greg.labs:7444/ims/STSService administrator@vsphere.local VMware1!
JAVAHOME not defined. Must be defined to run java apps.
Done.

D:\sdk67\VMware-vSphere-SDK-6.7.0-14379537\SDK\ssoclient\java\JAXWS>set JAVAHOME=C:\Program Files\Java\jdk1.8.0_251

D:\sdk67\VMware-vSphere-SDK-6.7.0-14379537\SDK\ssoclient\java\JAXWS>run.bat com.vmware.sso.client.samples.AcquireHoKTokenByUserCredentialSample https://vc001.greg.labs:7444/ims/STSService administrator@vsphere.local VMware1!
Aquiring a HoK token by using user credentials, use the pre-generated private key and certificate
Loading X509 Certificate from D:\sdk67\VMware-vSphere-SDK-6.7.0-14379537\SDK\ssoclient\java\JAXWS/cert/sdk.crt...
Exception in thread "main" com.sun.xml.internal.ws.client.ClientTransportException: The server sent HTTP status code 500: null
        at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.createResponsePacket(HttpTransportPipe.java:266)
        at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:217)
        at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:130)
        at com.sun.xml.internal.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:124)
        at com.sun.xml.internal.ws.api.pipe.Fiber.__doRun(Fiber.java:1121)
        at com.sun.xml.internal.ws.api.pipe.Fiber._doRun(Fiber.java:1035)
        at com.sun.xml.internal.ws.api.pipe.Fiber.doRun(Fiber.java:1004)
        at com.sun.xml.internal.ws.api.pipe.Fiber.runSync(Fiber.java:862)
        at com.sun.xml.internal.ws.client.Stub.process(Stub.java:448)
        at com.sun.xml.internal.ws.client.sei.SEIStub.doProcess(SEIStub.java:178)
        at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:93)
        at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:77)
        at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(SEIStub.java:147)
        at com.sun.proxy.$Proxy39.issue(Unknown Source)
        at com.vmware.sso.client.samples.AcquireHoKTokenByUserCredentialSample.getToken(AcquireHoKTokenByUserCredentialSample.java:234)
        at com.vmware.sso.client.samples.AcquireHoKTokenByUserCredentialSample.main(AcquireHoKTokenByUserCredentialSample.java:282)
Done.

 

Any idea what went wrong, or what is the proper way to obtain the HoK token?

If I open the URL https://vc001.greg.labs:7444/ims/STSService in a browser, I also get internal server error 500.

I also tried the .NET version, same result.

 

:\sdk67\VMware-vSphere-SDK-6.7.0-14379537\SDK\ssoclient\dotnet\cs\samples\AcquireHoKTokenByHoKTokenSample\bin\Debug>AcquireHoKTokenByUserCredentialSample.exe  https://vc001.greg.labs:7444/ims/STSService administrator@vsphere.local VMware1!

System.ServiceModel.ProtocolException: The content type text/html;charset=utf-8 of the response message does not match the content type of the binding (text/xml; charset=utf-8). If using a custom encoder, be sure that the IsContentTypeSupported method is implemented properly. The first 820 bytes of the response were: "<!doctype html><html lang="en"><head><title>HTTP Status 500 - Internal Server Error</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 500 - Internal Server Error</h1></body></html>". ---> System.Net.WebException: The remote server returned an error: (500) Internal Server Error.
   at System.Net.HttpWebRequest.GetResponse()
   at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   --- End of inner exception stack trace ---

Server stack trace:
   at System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFactory`1 factory, WebException responseException, ChannelBinding channelBinding)
   at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at vmware.sso.STSService_PortType.Issue(IssueRequest request)
   at vmware.sso.STSService_PortTypeClient.vmware.sso.STSService_PortType.Issue(IssueRequest request)
   at vmware.sso.STSService_PortTypeClient.Issue(RequestSecurityTokenType RequestSecurityToken)
   at AcquireHoKTokenByUserCredentialSample.AcquireHoKTokenByUserCredential.GetToken(String[] args) in D:\sdk67\VMware-vSphere-SDK-6.7.0-14379537\SDK\ssoclient\dotnet\cs\samples\AcquireHoKTokenByUserCredentialSample\AcquireHoKTokenByUserCredential.cs:line 107

Unhandled Exception: System.ServiceModel.ProtocolException: The content type text/html;charset=utf-8 of the response message does not match the content type of the binding (text/xml; charset=utf-8). If using a custom encoder, be sure that the IsContentTypeSupported method is implemented properly. The first 820 bytes of the response were: "<!doctype html><html lang="en"><head><title>HTTP Status 500 - Internal Server Error</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 500 - Internal Server Error</h1></body></html>". ---> System.Net.WebException: The remote server returned an error: (500) Internal Server Error.
   at System.Net.HttpWebRequest.GetResponse()
   at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   --- End of inner exception stack trace ---

Server stack trace:
   at System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFactory`1 factory, WebException responseException, ChannelBinding channelBinding)
   at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at AcquireHoKTokenByUserCredentialSample.AcquireHoKTokenByUserCredential.GetToken(String[] args) in D:\sdk67\VMware-vSphere-SDK-6.7.0-14379537\SDK\ssoclient\dotnet\cs\samples\AcquireHoKTokenByUserCredentialSample\AcquireHoKTokenByUserCredential.cs:line 119
   at AcquireHoKTokenByUserCredentialSample.AcquireHoKTokenByUserCredential.Main(String[] args) in D:\sdk67\VMware-vSphere-SDK-6.7.0-14379537\SDK\ssoclient\dotnet\cs\samples\AcquireHoKTokenByUserCredentialSample\AcquireHoKTokenByUserCredential.cs:line 151


Is there any way to create a folder under configuration tab in VRO using script


I want to create a folder under the Configuration tab in vRO using a script and create configuration elements under that folder. I am able to create a configuration element using a script but not able to create a folder; I cannot find any action for that.

Any help will be appreciated.

I am getting a "too many authentication failures" error when I run a workflow in vRealize Orchestrator (Run SSH Command) and try to connect with a public key as a user other than root in the VMware HOL lab


I am getting a "too many authentication failures" error when I run a workflow in vRealize Orchestrator (Run SSH Command) and try to connect with a public key as a user other than root in the VMware HOL lab.

Steps I perform for the non-root user:

1. Generate Key Pair
2. Register vCO public key on host
3. Run SSH Command

I get the "too many authentication failures" error. Kindly help me to resolve this issue.

Steps I perform for the root user:

1. Generate Key Pair
2. Register vCO public key on host
3. Run SSH Command

These execute successfully with the root user.

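A first check to run on the target host for the non-root account, as an added example that is not part of the post above or of any VMware workflow. It is written in Python so it runs anywhere, and it works on a constructed home directory with a made-up key (nothing here touches a real host). One reason a key can be accepted for root but refused for another user is the layout sshd enforces under StrictModes without saying so in the client error: the home directory, ~/.ssh and authorized_keys must be owned by that user (or root) and must not be group- or world-writable, and the key the "Register vCO public key on host" step appended must actually be present in the file. The check compares only key type and blob, so a different comment or a leading options field on the line does not give a false negative. The path, user name and key below are assumptions for the demo.

```python
import os
import stat
import tempfile
from pathlib import Path

# Constructed stand-in for the public key vRO registers on the host; only the
# type and base64 blob are compared, the trailing comment is ignored.
VCO_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexampleexampleexample vco@vro"


def _has_key(line, wanted):
    """True if the two tokens in `wanted` appear consecutively on an authorized_keys line
    (handles lines that start with an options field such as from="...")."""
    tokens = line.split()
    return any(tokens[i:i + 2] == wanted for i in range(len(tokens) - 1))


def check_key_auth_layout(home, uid, expected_pubkey=None):
    """Apply the checks sshd's StrictModes applies before it accepts a key for this
    account: home, ~/.ssh and authorized_keys exist, are owned by the user (or root)
    and are not writable by group or others. Optionally confirm the expected key is
    really listed. Returns a list of findings; an empty list means the layout is clean."""
    findings = []
    home = Path(home)
    targets = [
        ("home", home),
        (".ssh", home / ".ssh"),
        ("authorized_keys", home / ".ssh" / "authorized_keys"),
    ]
    for label, path in targets:
        if not path.exists():
            findings.append(f"{label} missing: {path}")
            return findings          # nothing further to check once a link is gone
        st = path.stat()
        if st.st_uid not in (uid, 0):
            findings.append(f"{label} owned by uid {st.st_uid}, expected {uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{label} mode {oct(stat.S_IMODE(st.st_mode))} is group/world-writable")
    if expected_pubkey is not None:
        wanted = expected_pubkey.split()[:2]
        lines = (home / ".ssh" / "authorized_keys").read_text().splitlines()
        if not any(_has_key(l, wanted) for l in lines if l.strip() and not l.startswith("#")):
            findings.append("expected public key not present in authorized_keys")
    return findings


def check_demo(secure):
    """Build a constructed home directory under a temp dir and run the check on it.
    secure=False reproduces a common mistake: .ssh created with 777 and the key file
    written with 666 by a provisioning script."""
    home = Path(tempfile.mkdtemp()) / "student"   # assumed user name
    ssh_dir = home / ".ssh"
    ssh_dir.mkdir(parents=True)
    ak = ssh_dir / "authorized_keys"
    ak.write_text(VCO_PUBKEY + "\n")
    os.chmod(home, 0o755)
    os.chmod(ssh_dir, 0o700 if secure else 0o777)
    os.chmod(ak, 0o600 if secure else 0o666)
    return check_key_auth_layout(home, os.getuid(), VCO_PUBKEY)


if __name__ == "__main__":
    for secure in (True, False):
        print("secure" if secure else "insecure", check_demo(secure))
```

On a real host, call check_key_auth_layout with the account's home directory and uid (for example from pwd.getpwnam) and the public key vRO generated; fix every finding before looking at MaxAuthTries on the server.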

vRO 7.6 - Client.jnlp cannot be downloaded from homepage


Hello everyone,

 

I've upgraded vRA and vRO from v7.3.1 to v7.6 and we have only one little problem.

The links to download the legacy client don't work from the homepage of vRO.

Before the upgrade, these links worked fine.

Have you already had this kind of problem on your side?

 

Thanks a lot

 

Jonathan

HPe OneView State-Change Message Bus and vRO AMQP


Hi,

Does anyone have experience with how to subscribe to the HPe OneView SCMB?

HoK token for accessing vRO via REST call [powershell]


Hello,

I am having difficulties sending a REST query to vRO (8.1). On

/vco/api/docs/index.html#!/workflow45controller/getAllWorkflowsUsingGET

it is written that:

Single Sign-On Authentication

If Orchestrator is configured with the vCenter Single Sign-On (SSO) server, you need a principal holder-of-key (HoK) token to access system objects in Orchestrator through the REST API.

The HoK token is passed as a request Authorization header element. The value must be gzip, base64 encoded string.

So in my understanding I should add the Authorization header:

    $header = @{'Content-Type'= 'application/json';'Authorization' = $encodedANDgzippedtoken }
    Invoke-WebRequest -Uri 'https://vro816.greg.labs:443/vco/api/org/{id}/workflows?maxResult=3&queryCount=false' -Headers $header

 

So I have obtained the HoK token, utilizing for the moment the SDK examples:

 

 

    Function ConvertTo-GZipString () {
        [CmdletBinding()]
        Param(
            [Parameter(Mandatory=$True,ValueFromPipeline=$True,ValueFromPipelinebyPropertyName=$True)]
            $String
        )
        Process {
            $String | ForEach-Object {
                # gzip the string into a memory stream, then base64-encode the compressed bytes
                $ms = New-Object System.IO.MemoryStream
                $cs = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Compress)
                $sw = New-Object System.IO.StreamWriter($cs)
                $sw.Write($_)
                $sw.Close()   # flushes and closes the gzip stream; ToArray() still works on the closed MemoryStream
                [System.Convert]::ToBase64String($ms.ToArray())
            }
        }
    }

    # WS-Trust helper assemblies built from the vSphere 6.7 SDK .NET samples
    Add-Type -Path 'd:\sdk67\VMware-vSphere-SDK-6.7.0-14379537\SDK\ssoclient\dotnet\cs\samples\VMware.Binding.WsTrust\bin\Debug\VMware.Binding.WsTrust.dll'
    Add-Type -Path 'd:\sdk67\VMware-vSphere-SDK-6.7.0-14379537\SDK\ssoclient\dotnet\cs\samples\VMware.Binding.WsTrust\bin\Debug\STSService.dll'

    # The holder-of-key certificate and private key (PFX) that the token will be bound to
    $signingCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $signingCertificate.Import('c:\vro\greg\greg3.pfx','greg3',[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet)

    [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls11 -bor [System.Net.SecurityProtocolType]::Tls12
    [VMware.Binding.WsTrust.SamlTokenHelper]::SetupServerCertificateValidation()

    # Ask the vCenter STS for a HoK token using user credentials
    $service = [VMware.Binding.WsTrust.SamlTokenHelper]::GetSTSService('https://vc001.greg.labs:7444/sts/STSService','administrator@vsphere.local','VMware1!',$signingCertificate)
    $token = [VMware.Binding.WsTrust.SamlTokenHelper]::GetHokRequestSecurityTokenType()
    $token.SignatureAlgorithm = [vmware.sso.SignatureAlgorithmEnum]::httpwwww3org200104xmldsigmorersasha256
    $response = $service.Issue($token)

    $responsetoken = $response.RequestSecurityTokenResponse.RequestedSecurityToken
    # This part has to be gzipped and base64-encoded.
    # NB: InnerXml drops the enclosing <saml2:Assertion> element itself; OuterXml would keep it.
    $responsetokenInsideXML = $responsetoken.InnerXml -replace "\r?\n"
    $encodedANDgzippedtoken = ConvertTo-GZipString -String $responsetokenInsideXML

    $header = @{'Content-Type'= 'application/json';'Authorization' = $encodedANDgzippedtoken }
    Invoke-WebRequest -Uri 'https://vro816.greg.labs:443/vco/api/org/{id}/workflows?maxResult=3&queryCount=false' -Headers $header

and I end up with a bad request:

PS C:\Users\Grzesiek>     Invoke-WebRequest -Uri 'https://vro816.greg.labs:443/vco/api/org/{id}/workflows?maxResult=3&queryCount=false' -Headers $header
Invoke-WebRequest : Created with Sketch.
401
Unauthorized
At line:1 char:5
+     Invoke-WebRequest -Uri 'https://vro816.greg.labs:443/vco/api/org/ ...

It's the same if I use curl, same 500 response.

 

My response token is:

PS C:\Users\Grzesiek> $responsetoken

saml2              : urn:oasis:names:tc:SAML:2.0:assertion
xsd                : http://www.w3.org/2001/XMLSchema
xsi                : http://www.w3.org/2001/XMLSchema-instance
ID                 : _1e9be9d7-4373-42e8-aedd-06ec641ab139
IssueInstant       : 2020-04-24T15:43:04.350Z
Version            : 2.0
Issuer             : Issuer
Signature          : Signature
Subject            : Subject
Conditions         : Conditions
AuthnStatement     : AuthnStatement
AttributeStatement : AttributeStatement

I am taking InnerXml of it to get only its content, so it loses the <Assertion/>:

<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_1e9be9d7-4373-42e8-aedd-06ec641ab139" IssueInstant="2020-04-24T15:43:04.350Z" Version="2.0">

 

This is how one person wrote it in 2015 on Communities:

vco REST API Holder of key Authorization

 

---

 

 

<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://vc001.greg.labs/websso/SAML2/Metadata/vsphere.local</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ds:Reference URI="#_1e9be9d7-4373-42e8-aedd-06ec641ab139"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xsd xsi" /></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><ds:DigestValue>5rhKEqFgSYVWNf/IpH7gS8wYpgrqM+SlD35J5gEJuSM=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>djyiCrb5qRO/sVuyoTY1RYXaYmVRPATGfrxEq2On3Xvy3lgJNAkL1B8xMoUJVgR+MacsUkNfsZq9

C3Xv1Bjbt33g2M/67jPdDMukacewJb+Z74aNnefpm2rfjGyTIQDleLrkNmfYKbSnjibaQD5vdFnM

Gtek0xyU0tJ9xAh62E37Lo5t/BquK937V9728XoDm4HpDtdnKbWTyCFxVyTMDYEqGCZab6EKg34/

qpG3CQGMtTmbuukBUeg/0f/TriN7J37K66iBYPmgYjVAwEXHi8+7+z0oMZVjYHc/lX0KiQoMhVrH

AZnv1Ap5nwzj70cmT7Hlm96RlJCELNPZrhPMxw==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIID4DCCAsigAwIBAgIJANdMtoAW5aUMMA0GCSqGSIb3DQEBCwUAMIGWMQswCQYDVQQDDAJDQTEX

MBUGCgmSJomT8ixkARkWB3ZzcGhlcmUxFTATBgoJkiaJk/IsZAEZFgVsb2NhbDELMAkGA1UEBhMC

VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExGDAWBgNVBAoMD3ZjMDAxLmdyZWcubGFiczEbMBkGA1UE

CwwSVk13YXJlIEVuZ2luZWVyaW5nMB4XDTIwMDQwODEzMDM0NFoXDTMwMDQwMzEzMTMyOFowGDEW

MBQGA1UEAwwNc3Nvc2VydmVyU2lnbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALsr

a6jZWSCizugfGEeN5Iz5fWgzC2vVuL6J+9ebV1BwE2Bgr3ChNvlmzus2JiDg6kDz4tZycbDA19gA

vehBS2NqSBZ0SyzgoOzJ5Bs0DE1W+ioYNfEGpy3gTCJlY8jVFBa8LcufMqG8wIpCZWFlWDvBw0e6

wJpDc9RSjRJVHkaR5y6AdywguoxDwUEr9RJ5PtJjZmmwGrATrY2vnLtyAnx0iyZGIx3UbefU9iST

/+7aeZBP6yR0uU+s3F4fwVmuz6BzMLMc81vjgmaxg7qwh5wt/YVy4VVRJYXRqwsu7E/lDpTNV3Yp

YISRzWMZbjoCin/DcxxaHrrYooIfh+CbKgECAwEAAaOBrTCBqjALBgNVHQ8EBAMCBeAwGgYDVR0R

BBMwEYIPdmMwMDEuZ3JlZy5sYWJzMB0GA1UdDgQWBBRyMwoD+dL3IoqH+N+g/B1AV227yTAfBgNV

HSMEGDAWgBS01WuusSM93H3h7isEjnHyUEA2njA/BggrBgEFBQcBAQQzMDEwLwYIKwYBBQUHMAKG

I2h0dHBzOi8vdmMwMDEuZ3JlZy5sYWJzL2FmZC92ZWNzL2NhMA0GCSqGSIb3DQEBCwUAA4IBAQBF

LekY/AP7Hiai776sbJmYDX5DGcJWkX907a3BIZRMOoZ2GeMEY4rYAKv3AAW1QnIDaQ+fd+nVHVhA

7YRBEp8KtSXtQFMevfBBZQ64s44KRD0/WkD2HGBNwXKV9mVUm+GTRjOJcTAaQPPou2+5mOq6f7y2

59gzuZM4aJ0Hy3SnhpxkkWlJ9nvGBBrP7+OEA3W9nabGDTfPdKXVDK1ggNYpPOoEPD74ENvrK+fU

MH/yUvJ6zLzK4PVtDPL5HTBLvxWRiaVgsCLefytycvNEnt0255CvzKJsDlXGbCMZO7nKlS82vZb8


In that post he wrote:

"

Here's a snippet of perl code I use. I take everything between <saml2:Assertion> and </saml2:Assertion>, not including those tags and call that $token.

 

Then I:

 

gzip \$token => \$gzipped;

$encoded = encode_base64($gzipped);

$encoded =~ s/\n//g;

 

$restClient->addHeader('Authorization',   'SIGN token="' . $encoded . '", nonce="' . $nonce . '", signature_alg="RSA-SHA256",' . ' signature="' . $sig . '"');

"

 

So that's why I have removed this assertion as well.

I did tests with and without. Still the same result. Also the same result whether I remove new lines or not.

Can anybody point me in the right direction?

I also did a version like the person mentioned in his post:

Not sure if that's how it's supposed to be, or if it is outdated; the person wrote this in 2015.

 

$response = $service.Issue($token)

$responsetoken = $response.RequestSecurityTokenResponse.RequestedSecurityToken
# This part has to be gzipped and base64-encoded

#$responsetokenInsideXML = $responsetoken.InnerXml
$responsetokenInsideXML = $responsetoken.InnerXml -replace "\r?\n"   # drop line breaks from the assertion XML
$sig = $responsetoken.Signature.SignatureValue.Replace("`n","")        # SignatureValue from the assertion, newlines removed
# ConvertTo-GZipString is not a built-in cmdlet; it comes from a separately installed module
$encodedANDgzipped = ConvertTo-GZipString -String $responsetokenInsideXML
$nonce = '143210500:asdfsd'
# Perl original: $restClient->addHeader('Authorization',   'SIGN token="' . $encoded . '", nonce="' . $nonce . '", signature_alg="RSA-SHA256",' . ' signature="' . $sig . '"');
$headervalue = 'SIGN token="{0}", nonce="{1}", signature_alg="RSA-SHA256", signature="{2}"' -f $encodedANDgzipped,$nonce,$sig

$header = @{'Authorization' = $headervalue}

Invoke-WebRequest -Uri 'https://vro816.greg.labs:443/vco/api/org/{id}/workflows?maxResult=3&queryCount=false' -Headers $header

 

But this is also failing. As you can see, I have used his format for the Authorization header: SIGN token, nonce, sig alg, sig.

I am really out of ideas.

When I read the documentation on the vRO page literally, it does not mention doing any SIGN token, sig, etc.

It says to paste the gzipped/base64 HoK. So if I am on the same page, and the HoK is just the XML that I pasted, I have to gzip/base64 it and then put this into the Authorization header; then what am I doing wrong?

Any ideas?

Thank you all in advance for any hints.
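The gzip/base64/newline-stripping pipeline and SIGN header format discussed above, written out in Python as an added example (not the poster's, the quoted Perl author's, or VMware's code), together with the reverse step for inspecting what a captured header actually carries and checking the assertion's validity window. It assumes a constructed minimal assertion and leaves the signature field as a placeholder, because the post does not establish what exactly is signed.

```python
import base64
import gzip
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Constructed stand-in for the assertion the STS returns; a real one also carries
# the ds:Signature, AuthnStatement and AttributeStatement shown in the post.
SAMPLE_ASSERTION = (
    '<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_demo">\n'
    '<saml2:Subject><saml2:NameID>Administrator@VSPHERE.LOCAL</saml2:NameID></saml2:Subject>\n'
    '<saml2:Conditions NotBefore="2020-04-24T15:43:03.099Z" '
    'NotOnOrAfter="2020-04-24T16:53:13.099Z"/>\n'
    '</saml2:Assertion>'
)

def encode_token(assertion_xml):
    """gzip -> base64 -> strip line breaks: the pipeline both snippets in the post use."""
    packed = base64.b64encode(gzip.compress(assertion_xml.encode("utf-8")))
    return packed.decode("ascii").replace("\n", "")

def decode_token(token):
    """Reverse of encode_token; lets you see what a captured header really contains."""
    return gzip.decompress(base64.b64decode(token)).decode("utf-8")

def build_header(token, nonce, signature):
    """Authorization header value in the SIGN format quoted in the post."""
    return ('SIGN token="%s", nonce="%s", signature_alg="RSA-SHA256", signature="%s"'
            % (token, nonce, signature))

def parse_header(value):
    """Split a SIGN header back into its fields; returns {} if the scheme is not SIGN."""
    if not value.startswith("SIGN "):
        return {}
    return dict(re.findall(r'(\w+)="([^"]*)"', value[5:]))

def assertion_is_current(assertion_xml, now):
    """True when `now` lies inside NotBefore/NotOnOrAfter; an expired assertion is
    the first thing to rule out when the API keeps answering with an auth error."""
    cond = ET.fromstring(assertion_xml).find(SAML_NS + "Conditions")
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ"
    not_before = datetime.strptime(cond.get("NotBefore"), fmt).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(cond.get("NotOnOrAfter"), fmt).replace(tzinfo=timezone.utc)
    return not_before <= now < not_after

if __name__ == "__main__":
    hdr = build_header(encode_token(SAMPLE_ASSERTION), "143210500:asdfsd", "<signature-placeholder>")
    print(decode_token(parse_header(hdr)["token"]))
```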
