Vmware VCloud API Programming Guide Director 5.5 V Cloud Vcd 55

User Manual: vmware vCloud Director - 5.5 - API Programming Guide Free User Guide for VMware vCloud Software, Manual

Open the PDF directly: View PDF .
Page Count: 370

Download
Open PDF In Browser	View PDF

vCloud API Programming Guide
vCloud Director 5.5

This document supports the version of each product listed and
supports all subsequent versions until the document is
replaced by a new edition. To check for more recent editions
of this document, see http://www.vmware.com/support/pubs.

EN-001031-00

vCloud API Programming Guide

You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com

Copyright © 2009–2013 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and
intellectual property laws. VMware products are covered by one or more patents listed at
http://www.vmware.com/go/patents.
VMware is a registered trademark or trademark of VMware, Inc. in the United States and other jurisdictions. All other marks
and names mentioned herein may be trademarks of their respective companies.

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

VMware, Inc.

Contents

vCloud API Programming Guide 7

1 About the VMware vCloud API 9

Object Taxonomy 10
Objects, References, and Representations 12
Links and Link Relations 12
Client Workflow Overview 17
Using the vCloud API with vCloud Director 21
About the vCloud API Examples 22

2 Hello vCloud: A Simplified RESTful Workflow 23
Logging In 24
Find a Catalog and a VDC 26
Retrieve the Contents of a Catalog 27
Retrieve a Catalog Item 28
Retrieve Deployment Information From the VDC
Deploy the vApp 31
Get Information About a vApp 34
Displaying the Virtual Machine Console 37
Undeploy, Power Off, and Delete the vApp 38
Log Out 40

3 Exploring a Cloud 41

Summary of vCloud API Browsing Requests 41
Retrieve the Login URL and List of Supported API Versions 43
Create a Login Session Using the Integrated Identity Provider 44
Retrieve a List of Organizations Accessible to You 49
Retrieve an Administrative View of a Cloud 50
Retrieve a List of vSphere Platform Operations and Objects for a Cloud

4 Provisioning an Organization 55

Summary of vCloud API Provisioning Requests 56
Upload an OVF Package to Create a vApp Template 58
Download a vApp or vApp Template as OVF 68
Upload a Media Image 72
Download a Media Image 74
Capturing and Importing vApps 75
Managing Catalog Items 76
Creating and Using Independent Disks 80
View or Change the Owner of an Object 83
Controlling Access to vApps and Catalogs 84

VMware, Inc.

vCloud API Programming Guide

5 Deploying and Operating vApps 89

Summary of vCloud API vApp and Virtual Machine Operations Requests 91
Create a vApp From a Template 93
Create a vApp From an OVF Package 97
Compose a vApp From Existing Virtual Machines 101
Recompose a vApp to Add or Remove Virtual Machines 103
Clone a vApp 106
Capture a vApp as a Template 108
Update vApp Access Controls 110
Provide User Input Requested by a Virtual Machine 111
Attach or Detach an Independent Disk 112
Creating and Using vApp Snapshots 114
Operate a vApp 115
Configuring vApps and Virtual Machines 116

6 Creating and Managing Organizations 149
Summary of Administrative Requests 149
Administrator Credentials and Privileges 152
Organization Administration 153
VDC Administration 160
Network Administration 169
Catalog Administration 197
User and Group Administration 219
Working With Roles and Rights 227

7 Managing and Monitoring a Cloud 235

Summary of System Administration Requests 235
Retrieve or Update System Settings 239
Attach a vCenter Server 240
Finding Available vCenter Resources 242
Create a Provider VDC 251
Create an External Network 261
Create a Network Pool 264
Import a Virtual Machine from vCenter 270
Relocate a Virtual Machine to a Different Datastore 273
Truststore and Keytab Maintenance 275
Retrieve the vSphere URL of an Object 277

8 Working With Object Metadata 281

Retrieve or Update a Metadata Element 283
Retrieve or Update a Metadata Value 286

9 Using the Query Service 289

Typed Queries 290
Packaged Queries 294
Query Parameters 299
Add a Metadata Filter to a Query

303

VMware, Inc.

Contents

10 Configuring and Using Blocking Tasks and Notifications 307
Configure Notifications and AMQP Settings 308
Retrieve or Update Blocking Task Settings 318
Monitor Blocking Tasks 324
Take Action on a Blocking Task 325
Extend The Timeout Expiration of an Active Task 327

11 vCloud Director Extension Services 329

Summary of vCloud API Extension Services Framework Requests 330
Register an Extension Service 332
Adding or Removing Service Links 336
Service-Specific Tasks and Events 339
Authorization Framework for Extension Service Operations 342
Localization Framework for Extension Services 350
REST APIs for Extension Services 353

12 XML Representations in the vCloud API 357
XML Namespace Identifiers 359
Common vCloud API Attributes 360
Retrieve an Object as an Entity 362

Index

VMware, Inc.

365

vCloud API Programming Guide

VMware, Inc.

vCloud API Programming Guide

This edition of the vCloud API Programming Guide provides information about version 5.5 of the vCloud API.
VMware provides many different APIs and SDKs for applications and goals. This guide provides
information about the vCloud API for developers who are interested in creating RESTful clients of
VMware vCloud Director.

Revision History
The vCloud API Programming Guide is revised with each release of the product or when necessary. A revised
version can contain minor or major changes.
Table 1. Revision History
Revision Date

Description

19SEP13

API Version 5.5

10SEP12

API Version 5.1

01SEP11

API Version 1.5

30AUG10

API Version 1.0

14APR10

API Version 0.9

Intended Audience
This guide is intended for software developers who are building VMware Ready Cloud Services, including
interactive clients of VMware vCloud Director. This guide discusses Representational State Transfer (REST)
and RESTful programming conventions, the Open Virtualization Format Specification, and VMware Virtual
machine technology. You must be familiar with these and other widely deployed technologies such as XML,
HTTP, and the Windows or Linux operating system.

Related Publications
The vCloud API Schema Reference includes reference material for all elements, types, queries, and operations
in the vCloud API. It also includes the schema definition files. The schema reference is available in HTML
format in the vCloud Director documentation center.
The VMware vCloud Director Administrator's Guide and VMware vCloud Director User’s Guide contain detailed
information about many of the objects and operations referred to in this guide. Most users of the vCloud
API will find the information in those documents valuable when developing client applications. To access
the current versions of these and other VMware publications, go to http://www.vmware.com/support/pubs.

VMware, Inc.

vCloud API Programming Guide

VMware, Inc.

About the VMware vCloud API

The VMware vCloud API provides support for developers who are building interactive clients of
VMware vCloud Director using a RESTful application development style.
vCloud API clients and vCloud Director servers communicate over HTTP, exchanging representations of
vCloud objects. These representations take the form of XML elements. You use HTTP GET requests to
retrieve the current representation of an object, HTTP POST and PUT requests to create or modify an object,
and HTTP DELETE requests to delete an object.
This chapter includes the following topics:
n

“Object Taxonomy,” on page 10

“Objects, References, and Representations,” on page 12

“Links and Link Relations,” on page 12

“Client Workflow Overview,” on page 17

“Using the vCloud API with vCloud Director,” on page 21

“About the vCloud API Examples,” on page 22

VMware, Inc.

vCloud API Programming Guide

Object Taxonomy
The vCloud API defines a set of objects common to cloud computing environments. An understanding of
these objects, their properties, and their relationships is essential to using the vCloud API.
Figure 1‑1. vCloud API Object Taxonomy

Organization
vDC1
Catalog 3

vApp
template

vApp

Catalogitem
em
Publish
Catalog 2 em
em
Catalogitem
em
Catalog 1 em
em
Catalogitem
Catalogitem
Catalogitem
Catalogitem
Subscribe

Media
Media
Network

vDC2
vApp
template

vApp

External
catalog

Media
Media
users

Network

groups

TasksList

vCloud API objects have the following high-level properties:

Organizations

A cloud can contain one or more organizations. Each organization is a unit of
administration for a collection of users, groups, and computing resources.
Users authenticate at the organization level, supplying credentials
established when the user was created or imported. User credentials are
authenticated by the organization's identity provider, which can be either the
integrated identity provider included in vCloud Director or an external
SAML-based identity provider.

Users and Groups

An organization can contain an arbitrary number of users and groups. Users
can be created by the organization administrator or imported from an LDAP
directory service or SAML-based identity provider. Groups must be
imported. Permissions within an organization are controlled through the
assignment of rights and roles to users and groups.

Catalogs

Catalogs contain references to vApp templates and media images. You can
configure a catalog in several different ways:
n

as a repository for local content that can remain private to the catalog
owner or can be shared with other users, groups, or organizations in
your cloud

as a source of published content, to which other clouds can subscribe.

VMware, Inc.

Chapter 1 About the VMware vCloud API

as a local repository for content published by another cloud or any Web
site that hosts a VMware Content Subscription Protocol (VCSP)
endpoint.

An organization administrator or catalog owner controls catalog sharing.
Organization administrators in organizations that have permission to
publish catalogs control publication and subscription options for catalogs in
their organization. A system administrator can enable background
synchronization of catalogs with external sources and set background
synchronization schedules to regulate consumption of network bandwidth
by this activity.
Organization VDCs

An organization virtual datacenter (organization VDC) is a deployment
environment for virtual systems owned by the containing organization, and
an allocation mechanism for resources such as networks, storage, CPU, and
memory. In an organization VDC, computing resources are fully virtualized,
and can be allocated based on demand, service level requirements, or a
combination of the two.

Organization VDC
Networks

An organization VDC can be provisioned with one or more networks. These
organization VDC networks can be configured to provide direct or routed
connections to external networks, or can be isolated from external networks
and other organization VDC networks. Routed connections require an Edge
Gateway and network pool in the VDC. The Edge Gateway provides
firewall, network address translation, static routing, VPN, and load
balancing services.

Virtual Systems and
Media Images

Virtual systems and ISO-format media images are stored in a catalog and
represented as catalog item objects. Virtual systems are stored as templates,
using an open standard format (OVF 1.0). These templates can be retrieved
from catalogs and transformed into virtual systems, called vApps, through a
process called instantiation, which binds a template’s abstract resource
requirements to resources available in a VDC. A vApp contains one or more
individual virtual machines (Vm elements), along with parameters that define
operational details, including:

Tasks

VMware, Inc.

How the contained virtual machines are connected to each other and to
external networks.

The order in which individual virtual machines are powered on or off.

End-user license agreement terms for each virtual machine.

Deployment lease terms, typically inherited from the containing
organization, that constrain the consumption of VDC resources by the
vApp.

Access control information specifying which users and groups can
perform operations such as deploy, power on, modify, and suspend on
the vApp and the virtual machines that it contains.

Asynchronous operations are tracked by task objects. Running and recently
completed tasks initiated by members of an organization are kept on the
organization’s tasks list.

vCloud API Programming Guide

Objects, References, and Representations
The vCloud API represents objects as XML documents in which object properties are encoded as elements
and attributes with typed values and an explicit object hierarchy defined by an XML schema.
XML representations of first-class vCloud API objects, such as the objects in Figure 1-1, include these
attributes.
id

The object identifier, expressed in URN format. The value of the id attribute
uniquely identifies the object, persists for the life of the object, and is never
reused. The id attribute value is intended to provide a context-free identifier
that can be used with the vCloud API entityResolver (see “Retrieve an
Object as an Entity,” on page 362).

type

The object type, specified as a MIME content type.

href

An object reference, expressed in URL format. Because this URL includes the
object identifier portion of the id attribute value, it uniquely identifies the
object, persists for the life of the object, and is never reused. The value of the
href attribute is a reference to a view of the object, and can be used to access
a representation of the object that is valid in a particular context. Although
URLs have a well-known syntax and a well-understood interpretation, a
client should treat each href as an opaque string. The rules that govern how
the server constructs href strings might change in future releases.

Example: Object id, type, and href Attributes
This XML fragment, extracted from the representation of a vApp, shows its id, type, and href attributes.

...

Links and Link Relations
The vCloud API makes extensive use of Link elements to provide references to objects and the actions that
they support. These elements are the primary mechanism by which a server tells a client how to access and
operate on an object.
The server creates Link elements in a response body. They are read-only at the client. If a request body
includes a Link element, the server ignores it.

Attributes of a Link Element
In the XML representation of a vCloud object, each Link element has the following form:

VMware, Inc.

Chapter 1 About the VMware vCloud API

Attribute values in a Link element supply the following information:
rel

Defines the relationship of the link to the object that contains it. A
relationship can be the name of an operation on the object, a reference to a
contained or containing object, or a reference to an alternate representation of
the object. The relationship value implies the HTTP verb to use when you
use the link's href value as a request URL.

type

The object type, specified as a MIME content type, of the object that the link
references. This attribute is present only for links to objects. It is not present
for links to actions.

href

name

The name of the referenced object, taken from the value of that object's name
attribute. Action links do not include a name attribute.

Table 1‑1. Link Relationships and HTTP Request Types
rel Attribute Value

Action or Relationship Description

Implied HTTP Verb

abort

Abort this blocking task.

POST

add

Add an item to this container.

POST

alternate

References an alternate representation of this object.

GET

answer

Provide user input requested by a virtual machine.

POST

authorization:check

Check whether an extension service operation is
authorized for an entity.

POST

blockingTask

A list of pending blocking task requests in this cloud.

GET

bundle:upload

Upload an extension service localization bundle.

PUT

bundles:cleanup

Remove unused extension service localization bundles.

POST

catalogItem

References the CatalogItem object that refers to this
object.

GET

certificate:reset

Removes the SSL certificate used by this service.

POST

certificate:update

Updates the SSL certificate used by this service.

POST

checkCompliance

Check that this virtual machine is using a storage profile
of the intended type.

POST

consolidate

Consolidate this virtual machine.

POST

controlAccess

Apply access controls to this object.

POST

copy

Reserved

N/A

deploy

Deploy this vApp.

POST

disable

Disable this object.

POST

discardState

Discard the suspended state of this virtual machine.

POST

disk:attach

Attach an independent disk to this virtual machine.

POST

disk:detach

Detach an independent disk from this virtual machine.

POST

VMware, Inc.

vCloud API Programming Guide

Table 1‑1. Link Relationships and HTTP Request Types (Continued)

rel Attribute Value

Action or Relationship Description

Implied HTTP Verb

down

References an object contained by this object.

GET

down:aclRules

Retrieve the ACL rules for this resource class action.

GET

down:apidefinitions

Retrieve the API definitions for this extension service.

GET

down:apiDefinitions

Retrieve the API definitions for this extension service.

GET

down:apiFilters

Retrieve the API filters for this extension service.

GET

down:extensibility

Add an extension service to the system.

POST

down:fileDescriptors

Retrieve file descriptors for extension services APIs

GET

down:files

Retrieve files for extension services APIs

GET

down:resourceClassActions

Retrieve the actions defined for this extension service
resource class.

GET

down:resourceClasses

Retrieve the resource classes defined by this extension
service.

GET

down:serviceLinks

Retrieve the service links defined by this extension
service.

GET

down:serviceResources

Retrieve the list of extension service resources of this
class.

down:services

Retrieve the list of registered extension services.

GET

download:alternate

Reserved

N/A

download:default

References the default location from which this file can
be downloaded.

GET

download:identity

References the extended OVF descriptor of this vApp
template. The extended OVF descriptor contains
additional information such as MAC address, BIOS
UUID, and NetworkConfigSection

GET

edgeGateway:configureServices

Update the network services offered by this Edge
Gateway.

PUT

edgeGateway:reapplyServices

Reapply (after an update) the network services offered
by this Edge Gateway.

POST

edgeGateway:redeploy

Redeploy the vShield Edge supporting this Edge
Gateway.

POST

edgeGateway:syncSyslogSettings

Synchronize syslog server addresses used by this Edge
Gateway with system defaults.

POST

edgeGateway:upgrade

Upgrade the backing configuration of this Edge Gateway
from compact to full.

POST

edgeGateways

List the Edge Gateway objects in this organization VDC.

GET

edit

Modify this object, typically by replacing its current
representation with the one in the request body.

PUT

enable

Enable this object.

POST

enterMaintenanceMode

Put this virtual machine into maintenance mode.

POST

entity

Retrieve a representation of the object on which an
operation triggered this notification.

GET

entityResolver

Retrieve an object id as a context-free Entity element.

GET

event:create

Create an event in an this organization's event stream.

POST

exitMaintenanceMode

Take this virtual machine out of maintenance mode.

POST

VMware, Inc.

Chapter 1 About the VMware vCloud API

Table 1‑1. Link Relationships and HTTP Request Types (Continued)
rel Attribute Value

Action or Relationship Description

Implied HTTP Verb

fail

Fail this blocking task.

POST

firstPage

Reference to the first page of a paginated response.

GET

installVmwareTools

Install VMware Tools on this virtual machine.

POST

keystore:reset

Removes the keystore used by this service.

POST

keystore:update

Updates the keystore used by this service.

POST

keytab:reset

Removes the keytab used by this service.

POST

keytab:update

Updates the keytab used by this service.

POST

lastPage

Reference to the last page of a paginated response.

GET

media:ejectMedia

Eject virtual media from a virtual device.

POST

media:insertMedia

Insert virtual media into a virtual device.

POST

merge

Merge one or more Provider VDCs with this Provider
VDC.

POST

migrateVms

Migrate virtual machines from this resource pool to a
different one.

POST

move

Reserved

N/A

Reference to the next page of a paginated response.

GET

orgVdcNetworks

List the organization VDC networks supported by this
Edge Gateway.

GET

ova

Reserved

N/A

ovf

References the OVF descriptor of this vApp template.

GET

power:powerOff

Power off this vApp or virtual machine.

POST

power:powerOn

Power on this vApp or virtual machine.

POST

power:reboot

Reboot this vApp or virtual machine.

POST

power:reset

Reset this vApp or virtual machine.

POST

power:shutdown

Shut down this vApp or virtual machine.

POST

power:suspend

Suspend this vApp or virtual machine.

POST

Reference to the previous page of a paginated response.

GET

publish

Share this catalog.

POST

publishToExternalOrganizations

Publish this catalog externally

POST

recompose

Recompose this vApp to add, remove, or reconfigure
virtual machines.

POST

reconfigureVm

Update multiple sections of a virtual machine.

POST

reconnect

Reconnect this vCenter Server to the system.

POST

refreshStorageProfiles

Refresh the list of storage profiles that exist on the
vCenter service backing this Provider VDC.

POST

refreshVirtualCenter

Refresh the representation of this vCenter server

POST

relocate

Relocate this virtual machine.

POST

remove

Remove this object.

DELETE

remove:force

Force removal of this object.

DELETE

VMware, Inc.

vCloud API Programming Guide

Table 1‑1. Link Relationships and HTTP Request Types (Continued)

rel Attribute Value

Action or Relationship Description

Implied HTTP Verb

repair

Repair this host or network.

POST

resourcePoolVmList

List the virtual machines using this resource pool.

GET

resume

Resume this blocking task.

POST

rights

List the service-specific rights created by this extension
service.

GET

rights:cleanup

Remove service-specific rights no longer used by any
extension service.

POST

screen:acquireTicket

Retrieve a screen ticket for this virtual machine.

GET

screen:thumbnail

Retrieve a thumbnail view of the screen of this virtual
machine.

GET

shadowVms

List shadow virtual machines associated with the virtual
machines in this vApp template.

GET

snapshot:create

Create a snapshot of the virtual machines in this vApp.

POST

snapshot:removeAll

Remove all snapshots created for the virtual machines in
this vApp.

POST

snapshot:revertToCurrent

Revert all virtual machines in this vApp to their current
snapshot.

POST

storageProfile

References the storage profile for this object.

GET

subscribeToExternalCatalog

Add an external subscription to this catalog.

POST

sync

Synchronize this catalog or catalog item with its external
source.

POST

syncSyslogSettings

Synchronize syslog server addresses used by this vApp
network with system defaults.

POST

task

Retrieve the blocking task that triggered this notification.

GET

task:cancel

Cancel this task.

POST

task:create

Create a task object.

POST

task:owner

Reference to the owner of a task.

GET

truststore:reset

Remove the truststore used by this service.

POST

truststore:update

Update the truststore used by this service.

PUT

undeploy

Undeploy this vApp.

POST

unlock

Unlock this user account.

POST

unregister

Unregister this vCenter Server.

POST

References an object that contains this object.

GET

update:resourcePools

Update the resource pools of this Provider VDC

POST

updateProgress

Request an update of this task's progress.

POST

upgrade

Upgrade this host.

POST

upload:alternate

Reserved

N/A

upload:default

References the default location to which this object can
be uploaded.

PUT

vSphereWebClientUrl

A URL that you can use to view this object with the
vSphere Web Client

GET

VMware, Inc.

Chapter 1 About the VMware vCloud API

Client Workflow Overview
vCloud API clients implement a RESTful workflow, making HTTP requests to the server and retrieving the
information they need from the server’s responses.

About RESTful Workflows
REST, an acronym for Representational State Transfer, describes an architectural style characteristic of
programs that use the Hypertext Transfer Protocol (HTTP) to exchange serialized representations of objects
between a client and a server. In the vCloud API, these representations are XML documents.
In a RESTful workflow, representations of objects are passed back and forth between a client and a server
with the explicit assumption that neither party need know anything about an object other than what is
presented in a single request or response. The URLs at which these documents are available often persist
beyond the lifetime of the request or response that includes them. The other content of the documents is
nominally valid until the expiration date noted in the HTTP Expires header.

vCloud REST API Workflows
Application programs written to a REST API use HTTP requests that are often executed by a script or other
higher-level language to make remote procedure calls that create, retrieve, update, or delete objects that the
API defines. In the vCloud REST API, these objects are defined by a collection of XML schemas. The
operations themselves are HTTP requests, and so are generic to all HTTP clients.
To write a RESTful client application, you must understand only the HTTP protocol and the semantics of
XML, the transfer format that the vCloud API uses. To use the vCloud API effectively in such a client, you
need to know only a few things:
n

The set of objects that the API supports, and what they represent; for example, what is a VDC and how
does it relate to an organization or catalog?

How the API represents these objects; for example, what does the XML schema for an Org look like?
What do the individual elements and attributes represent?

How a client refers to an object on which it wants to operate; for example, where are the links to objects
in a VDC? How does a client obtain and use them?

You can find that information in this Guide, and in the vCloud API Schema Reference. See “About the Schema
Reference,” on page 22.

RESTful Workflow Patterns
All RESTful workflows follow a common pattern.
1

Make an HTTP request, typically GET, PUT, POST, or DELETE. The target of this request is either a
well-known URL such as the vCloud API versions URL, or a URL obtained from the response to a
previous request. For example, a GET request to an organization URL returns links to catalog and VDC
objects that the organization contains.

Examine the response, which always includes an HTTP response code and usually includes a body. In
the vCloud API, a response body is an XML document that can contain any of the following items.
n

XML elements and attributes that represent object properties

Link elements that implement operations on the object or its contents

Iif the object is being created or modified, an embedded Task object that tracks the progress of the
creation or modification

These operations can repeat, in this order, for as long as necessary.

VMware, Inc.

vCloud API Programming Guide

vCloud API REST Requests
To retrieve object representations, clients make HTTP requests to object references. The server supplies these
references as href attribute values in responses to GET requests.
Every cloud has a well-known URL from which an unauthenticated user can retrieve a SupportedVersions
document, which lists each version of the of vCloud API that the server supports. For each version, the
response lists the names and MIME types of the complex types defined in the version's XML namespace,
and the version login URL. A system administrator can use that URL to authenticate to the cloud by logging
in to the System organization. An authenticated user can discover other vCloud API URLs by making GET
requests to URLs retrieved from the login response, and the URLs contained in responses to those requests.
See Chapter 3, “Exploring a Cloud,” on page 41.
Requests are typically categorized in terms of the type of requested operation: create, retrieve, update, and
delete. This sequence of verbs is often abbreviated with the acronym CRUD. Each type of request is
characterized by the use of specific HTTP verb to access a URL found in a Link element that has an
operation-specific value for its rel (relation) attribute.
Table 1‑2. CRUD Operations Summary
Operation Type

HTTP Verb

Link Relation

Operation Summary

Create

POST

add

Creates a new object.

Retrieve

GET

down

Retrieves the representation of an existing object in its current
state.

Update

PUT

edit

Modifies an existing object.

Delete

DELETE

remove

Deletes an existing object. If the object is a container, you must
remove all of its contents before you can delete it.

For example, this Link element indicates that you can use the URL
https://vcloud.example.com/api/admin/org/26 to update the Org object that contains it.

The implied HTTP verb is PUT.

Authentication
HTTP communications between a vCloud API client and server are secured with SSL. The vCloud API also
implements Basic HTTP Authentication, as defined by RFC 2617, which enables a client to authenticate
individual HTTP requests by including an authentication header in the request. See “Logging In,” on
page 24.

Request Headers
The following HTTP headers are typically included in vCloud API requests:
Accept

All requests must include an HTTP Accept header that designates the vCloud
API version that the client supports. The following header indicates that the
request is from a vCloud API version 5.5 client:
Accept: application/*+xml;version=5.5

VMware, Inc.

Chapter 1 About the VMware vCloud API

Valid values for the HTTP Accept header in this release are:
version=5.5

The request is from a vCloud API version 5.5 client.

version=5.1

The request is from a vCloud API version 5.1 client.

version=1.5

The request is from a vCloud API version 1.5 client.

In general, client requests can access objects defined by any version of the
vCloud API that is less than or equal to the version specified in the Accept
header. Exceptions to this rule are mentioned in the vCloud Director Release
Notes.
Accept-Encoding

By default, vCloud Director returns response content as uncompressed XML.
Compressing the response can improve performance, especially when the
response is large and network bandwidth is a factor. (Requests cannot be
compressed.) To request a response to be returned as compressed XML,
include the following header:
Accept-Encoding: gzip

The response is encoded using gzip encoding as described in RFC 1952, and
includes the following header:
Content-Encoding: gzip

In the default configuration, responses smaller than 64KB are never
compressed.
Authorization

All requests from authenticated clients must include an Authorization
header. See “Logging In,” on page 24 for details about the value of this
header.

Content-Type

Requests that include a body must include an appropriate HTTP ContentType header. Content types for all elements are listed in the schema reference.
In addition, the type attribute of a response body indicates the content type
of the document. For example, this response fragment indicates that the
content type associated with a CatalogItem object is
application/vnd.vmware.vcloud.catalogItem+xml.

A POST or PUT request that supplies a CatalogItem in the request body
requires the following Content-Type header:
Content-Type: application/vnd.vmware.vcloud.catalogItem+xml

When it appears as the value of a Content-Type header or the type attribute
of an element in the vCloud API, this string is case-insensitive in requests,
and can be returned in either mixed case or lowercase characters in
responses.

Request Bodies
vCloud Director uses a validating XML parser that requires elements in a request body to agree with the
schema in order and number. Request bodies are rejected as invalid unless they meet the following criteria:
n

VMware, Inc.

XML namespace attributes must be supplied for all namespaces represented by elements in the request.
See “XML Namespace Identifiers,” on page 359.

vCloud API Programming Guide

If multiple namespaces are represented in the request, XML namespace attributes must include an
identifying prefix, and that prefix must be used with all elements from that namespace.

All required elements must appear in request bodies. All elements that appear in request bodies must
appear in the order that the schema establishes, and with content that conforms to the type constraint
that the schema specifies.

Request Limits
To guard against denial-of-service attacks, vCloud Director imposes the following limits on vCloud API
requests:
n

Requests cannot exceed 512 KB.

Requests cannot contain more than 4096 XML elements.

Requests cannot have a depth greater than 100.

vCloud API REST Responses
All responses include an HTTP status code and, unless the status code is 204 (No Content), a Content-Type
header. Response content depends on the request. Some responses include a document body, some include
only a URL, and some are empty.

Response Content
Response content depends on the requested operation. The response to a GET request is typically the
complete representation of an existing object. The response to a PUT or POST request always contains
values for the href, name, and id attributes of the object being created or updated. It also contains at most
one Task element that you can retrieve to track the progress of the operation. When the Task completes with
a status of success, a GET request to the object's href returns all properties of the object. If the Task
completion status is not success, the object is in an indeterminate state, and should be deleted.

HTTP Response Codes
A vCloud API client can expect a subset of HTTP status codes in a response.
Table 1‑3. HTTP Status Codes that the vCloud API Returns

Status Code

Status Description

200 OK

The request is valid and was completed. The response
includes a document body.

201 Created

The request is valid. The requested object was created and
can be found at the URL specified in the Location header.

202 Accepted

The request is valid and a task was created to handle it.
This response is usually accompanied by a Task element.

204 No Content

The request is valid and was completed. The response does
not include a body.

400 Bad Request

The request body is malformed, incomplete, or otherwise
invalid.

401 Unauthorized

An authorization header was expected but not found.

403 Forbidden

The requesting user is not authenticated or does not have
adequate privileges to access one or more objects specified
in the request.

404 Not Found

One or more objects specified in the request could not be
found in the specified container.

405 Method Not Allowed

The HTTP method specified in the request is not supported
for this object.

VMware, Inc.

Chapter 1 About the VMware vCloud API

Table 1‑3. HTTP Status Codes that the vCloud API Returns (Continued)
Status Code

Status Description

406 Not Acceptable

The resource identified by the request is not capable of
generating a response of the type specified in the request's
Accept header.

409 Conflict

The object state is not compatible with the requested
operation.

415 Unsupported Media Type

The resource identified by the request does not support a
request of the specified Content-Type and HTTP method.

500 Internal Server Error

The request was received but could not be completed
because of an internal error at the server.

504 Gateway Timeout

The server, while acting as a gateway or proxy, did not
receive a timely response from the upstream server
specified by the request URL.

Using the vCloud API with vCloud Director
VMware vCloud Director 5.5 supports version 5.5 of the vCloud API. You can use a browser or other HTTP
client program to send requests and receive responses.
The vCloud Director REST API Reference documentation includes HTML reference material for all XML
elements and complex types defined by the vCloud API. It also includes example XML representations. See
“About the Schema Reference,” on page 22. For information about HTTP client programs to use with
vCloud Director, see “REST Client Programs,” on page 21.
Procedure
1

Configure the vCloud Director REST API base URL.
a

In the vCloud Director Web Console, open System Settings > Public Addresses

Type the URL in the VCD public REST API base URL text box.

(Optional) If you want to use the vSphere Web Client to access vCloud API objects on a vSphere server,
verify that the vSphere Web Client URL is enabled for all vCenter servers from which you want to
retrieve the vSphere URL of an object.
You can manage this feature on the General tab of the vSphere Properties page of the vCloud Director
Web console.

What to do next
Decide on an HTTP client program to use. See “REST Client Programs,” on page 21.

REST Client Programs
Any client application that can send HTTPS requests can be an appropriate tool for developing RESTful
applications with the vCloud API.
REST client plug-ins are available for most browsers and many IDEs. The examples in this information were
developed using two open-source programs: cURL (http://curl.haxx.se/) and the RESTclient
(http://code.google.com/p/rest-client/).
VMware provides additional SDK products that implement language-specific bindings for the vCloud API,
and include their own HTTP client capability. See
http://communities.vmware.com/community/developer/forums.

VMware, Inc.

vCloud API Programming Guide

About the Schema Reference
The vCloud API Schema Reference includes reference material for all elements, types, queries, and operations
in the vCloud API. It also includes the schema definition files.
The schema reference is available in HTML format in the vCloud Director documentation center.

About the vCloud API Examples
The vCloud API Programming Guide includes many examples of HTTP requests and responses. These
examples show the workflow and content associated with operations such as browsing, provisioning, and
managing your cloud and its contents, and operating virtual systems.
Example requests generally conform to the rules listed in “Request Bodies,” on page 19. Most example
responses show only those elements and attributes that are relevant to the operation being discussed.
Ellipses (…) indicate omitted content within response bodies. Several additional conventions apply.
n

The following HTTP header, which is required in all requests that access version 5.5 of the vCloud API,
is omitted from most examples.
Accept: application/*+xml;version=5.5

All other request headers required by the vCloud API are included in example requests that are not
fragments of some larger example. Although the examples show these strings using the character case
in which the implementation defines them, header names and values are case-insensitive, and can be
submitted or returned in any character case. Other HTTP headers, such as Date, Content-Length, and
Server, are omitted because they are not relevant to the specifics of any example.

The XML version and encoding header

is included in example requests but omitted from example responses.
n

Object IDs shown in href attribute values appear as small integers, for example vapp-7 or org/3. In the
vCloud API that vCloud Director supports, object IDs are universal unique identifiers (UUIDs) as
defined by RFC 4122, for example vapp-f5e185a4-7c00-41f1-8b91-0e552d538101 or org/89a1a8f9c518-4f53-960c-950db9e3a1fd.

VMware, Inc.

Hello vCloud: A Simplified RESTful
Workflow

vCloud API clients and vCloud Director servers communicate over HTTPS, exchanging XML
representations of vCloud API objects.
This simplified example of a RESTful workflow includes requests that discover and deploy a particular
vApp, in this case, an FTP server with a connection to the public Internet.
These examples assume that you have access to a catalog that includes a vApp template with certain
characteristics and an organization network that supports connections to the public Internet. The workflow
and examples are flexible, and can accommodate various vApp templates and cloud capabilities.
1

Logging In on page 24
vCloud Director requires API requests to be authenticated. The first step in any RESTful workflow is
to obtain an authentication token.

Find a Catalog and a VDC on page 26
Before you can deploy a vApp, you must find a vApp template in one of your organization's catalogs
and a VDC in your organization to use for the deployment.

Retrieve the Contents of a Catalog on page 27
You can make a GET request to a catalog URL to retrieve a list of vApp templates and media images
referenced by the catalog.

Retrieve a Catalog Item on page 28
You can examine the list of items in a catalog to find items of interest based on the values of their name
and type attributes. You must retrieve a catalog item to get a Description and a usable reference to the
underlying object.

Retrieve Deployment Information From the VDC on page 30
To deploy your template as a vApp, you must specify an organization VDC to deploy it in and an
organization VDC network to connect it to.

Deploy the vApp on page 31
To create a vApp from a vApp template, you must bind the template's abstract resource requirements,
such as network connections, storage resources, memory, and CPU capacity, to appropriate resources
in the target VDC. This binding operation is called instantiation.

Get Information About a vApp on page 34
When you instantiate a vApp template, the server returns the URL of the resulting vApp. You can use
this URL with a GET request to retrieve information that you can use to connect to the vApp, modify
its configuration, and operate it.

VMware, Inc.

vCloud API Programming Guide

Displaying the Virtual Machine Console on page 37
After a vApp is powered on, you can retrieve a screen ticket from one of its virtual machines. You use
that ticket with the VMRC browser plug-in to gain access to the console of the virtual machine.

Undeploy, Power Off, and Delete the vApp on page 38
After you undeploy a vApp and power it off, you can use an HTTP DELETE request to delete the
vApp object.

Log Out on page 40
To log out and terminate a vCloud API session, delete the Session you created when you logged in.

Logging In
vCloud Director requires API requests to be authenticated. The first step in any RESTful workflow is to
obtain an authentication token.
Every cloud has a login URL that a client can obtain by making an unauthenticated GET request to the
vCloud Director api/versions URL. See “Retrieve the Login URL and List of Supported API Versions,” on
page 43. Because all other vCloud API requests must be authenticated, any vCloud API workflow must
begin with a login request that supplies user credentials in the form that Basic HTTP authentication
requires.
For information about how to create a login request and view the response, see “Example: Login Request
and Response,” on page 25.
NOTE This procedure assumes that you are logging in with credentials managed by the vCloud Director
integrated identity provider. Users whose credentials are managed by a SAML identity provider must
follow a different login workflow.
Prerequisites
Verify that the following conditions are met:
n

You are a member of an organization in the cloud, and have permission to create and operate vApps.

Your organization contains at least one VDC and one network. For more information about setting up
an organization to support the Hello vCloud workflow, see Chapter 6, “Creating and Managing
Organizations,” on page 149.

Your organization contains a catalog in which at least one vApp template is available. For more
information about adding a vApp template to a catalog, see Chapter 4, “Provisioning an Organization,”
on page 55.

Procedure
1

Make an API versions request to vCloud Director to obtain the login URL for the REST API.

Use the login URL to create a login session.
POST a request to this URL that includes your username, password, and organization name in a MIME
Base64 encoding. See “Example: Login Request and Response,” on page 25.

Examine the response.
The response code indicates whether the request succeeded, or how it failed.

A successful login request returns an authentication token that you can use in subsequent requests. It also
returns a Session element, which contains one or more Link elements, each of which provides a URL that
you can use to explore a subset of objects in the cloud. If you log in as a system administrator or
organization administrator, this list includes multiple links. See “Example: Create a Login Session Using the

VMware, Inc.

Chapter 2 Hello vCloud: A Simplified RESTful Workflow

Integrated Identity Provider,” on page 45. Otherwise, the list typically includes a link of type

application/vnd.vmware.vcloud.orgList+xml, as shown in the response portion of “Example: Login

Request and Response,” on page 25. You can use this link to find out more about your organization and
the objects it contains.

For more information about the other links in the Session element, see “Create a Login Session Using the
Integrated Identity Provider,” on page 44.

Example: Login Request and Response
A request to create a login session must supply the user's credentials in the following form:
user@organization:password
n

user is the user's login name.

organization is the name of an organization of which the user is a member.

password is the user's password.

These credentials must be supplied in a MIME Base64 encoding, as specified in RFC 1421.
NOTE System administrators must log in to the System organization. See “Administrator Credentials and
Privileges,” on page 152. Because the System organization does not support some of the features
demonstrated in the Hello vCloud workflow, you should try this example in another organization.
This example shows a login request and response for a user named HelloUser logging into an organization
named ExampleOrg in a cloud whose login URL is https://vcloud.example.com/api/sessions.
Request:
POST https://vcloud.example.com/api/sessions
Authorization: Basic encoded-credentials
Accept: application/*+xml;version=5.5

Response:
200 OK
x-vcloud-authorization: cn9uYmdugN8E2j96+5Lqrc3YBvFsEgDHXzyfJrJ/6bM=
Content-Type: application/vnd.vmware.vcloud.session+xml;version=5.5
...

VMware, Inc.

vCloud API Programming Guide

The response code indicates whether the request succeeded, or how it failed.
n

If the request is successful, the server returns HTTP response code 200 (OK) and headers that include an
authorization header of the following form:
x-vcloud-authorization: token

This header must be included in each subsequent vCloud API request.
n

If the authentication header is missing, the server returns HTTP response code 403.

If the credentials supplied in the authentication header are invalid, or if the token has expired, the
server returns HTTP response code 401. The token expires after a configurable interval of client
inactivity. The default is 30 minutes after the token is created. After the token expires, you must log in
again to obtain a new token.

Find a Catalog and a VDC
Before you can deploy a vApp, you must find a vApp template in one of your organization's catalogs and a
VDC in your organization to use for the deployment.
After you log in, you can make a GET request to your organization's URL to retrieve the XML
representation of the organization. This representation shows the organization's attributes and contents,
including links to its catalogs and VDCs.
Prerequisites
Verify that you are logged in to the vCloud API as a system administrator or member of an organization in
the cloud.
Procedure
1

Examine the list of organizations to which you have access.
Make a GET request to the URL in the href value of the orgList link, which is present in the response to
all login requests.
GET https://vcloud.example.com/api/org/

Unless you are a system administrator, the response to this request is an OrgList element containing a
single Org element, which represents your organization.

Retrieve the representation of your organization.
See the request portion of “Example: Retrieve the Contents of an Organization,” on page 26.

Examine the response to find the links to the organization's catalogs and VDCs.
See the response portion of “Example: Retrieve the Contents of an Organization,” on page 26.

Example: Retrieve the Contents of an Organization
This example retrieves the ExampleOrg organization listed in the OrgList element shown in Step 1.

VMware, Inc.

Chapter 2 Hello vCloud: A Simplified RESTful Workflow

Request:
GET https://vcloud.example.com/api/org/5

Response:
200 OK
Content-Type: application/vnd.vmware.vcloud.org+xml
...

Example Corp’s Primary Organization

Links in the response whose rel attribute has a value of down are references to objects that the organization
contains. This example shows the subset of those items that we reference in the Hello vCloud example:
n

A catalog named ExampleCatalog, at URL https://vcloud.example.com/api/catalog/32, where you can
look for vApp templates.

An organization VDC named ExampleVdc01, at URL https://vcloud.example.com/api/vdc/5, where you
can deploy the vApp.

Retrieve the Contents of a Catalog
You can make a GET request to a catalog URL to retrieve a list of vApp templates and media images
referenced by the catalog.
To use a vApp template or media image listed in a catalog, retrieve the catalog to discover the set of
CatalogItem elements it contains, then make an additional request to retrieve the CatalogItem of interest.
Prerequisites
Verify that you are logged in to the vCloud API as a system administrator or member of an organization in
the cloud.
Procedure
1

Retrieve the XML representation of your organization.
Use a request like this one:
GET https://vcloud.example.com/api/org/5

VMware, Inc.

vCloud API Programming Guide

Examine the response to find the links to the organization's catalogs.
These links have the following form:

Retrieve the contents of the catalog.
Use a GET request of the form shown in the request portion of “Example: Retrieve the Contents of a
Catalog,” on page 28.

Example: Retrieve the Contents of a Catalog
This example retrieves the catalog shown in the response portion of “Example: Retrieve the Contents of an
Organization,” on page 26.
Request:
GET https://vcloud.example.com/api/catalog/32

Response:
200 OK
Content-Type: application/vnd.vmware.vcloud.catalog+xml
...

Main Org Catalog

Retrieve a Catalog Item
You can examine the list of items in a catalog to find items of interest based on the values of their name and
type attributes. You must retrieve a catalog item to get a Description and a usable reference to the
underlying object.
Every vApp template or media image that is added to the catalog is represented as a CatalogItem element.
When a client browses a catalog, it can read only the name, type, and href of each CatalogItem. To retrieve an
item from the catalog, the client requires more information. In “Example: Retrieve a Catalog Item,”
on page 29, the client makes a GET request to the URL in the value of the href attribute of a CatalogItem.
The response provides more information, including a description of the referenced object and another URL
that the client can use to retrieve a representation of the object.

VMware, Inc.

Chapter 2 Hello vCloud: A Simplified RESTful Workflow

Prerequisites
Verify that you are logged in to the vCloud API as a system administrator or member of an organization in
the cloud.
Procedure
1

Retrieve the representation of a catalog in your organization.
Use a request like this one:
GET https://vcloud.example.com/api/catalog/32

Examine the response to find the CatalogItem elements that the catalog contains.
The value of the name attribute of a CatalogItem element is taken from the name attribute of the
referenced object. You can use it as a preliminary indicator of what the item represents.

Retrieve a CatalogItem.
Use a GET request of the form shown in the request portion of “Example: Retrieve a Catalog Item,” on
page 29.

Example: Retrieve a Catalog Item
This example retrieves the CatalogItem shown in the response portion of “Example: Retrieve the Contents of
a Catalog,” on page 28.
Request:
GET https://vcloud.example.com/api/catalogItem/221

In addition to the name attribute and Description element, the CatalogItem contains a rel="up" link to the
catalog that contains it, and other links that you can use to manage the CatalogItem.
Response:
200 OK
Content-Type: application/vnd.vmware.vcloud.catalogItem+xml
...

Approved template for public FTP sites

Retrieve Deployment Information From the VDC
To deploy your template as a vApp, you must specify an organization VDC to deploy it in and an
organization VDC network to connect it to.
Instantiation, deployment, and operation of a vApp all take place in the context of an organization VDC.
The XML representation of a VDC object defines that context in detail. For this exercise, you need several
pieces of information from the VDC:
n

The URL that a client can use to request an instantiateVAppTemplate operation in the VDC.

A list of networks in the organization VDC that the vApp can connect to.

“Example: Deployment Information in a VDC,” on page 30 shows this subset of VDC contents.
Prerequisites
Verify that the following conditions are met:
n

Verify that you are logged in to the vCloud API as a system administrator or member of an
organization in the cloud.

Retrieve the representation of your organization. See the request portion of “Example: Retrieve the
Contents of an Organization,” on page 26. The response portion contains links to the organization's
VDCs.

Procedure
1

Examine the Org response to find the links to the organization's VDCs.
Links to VDCs have the form:

Retrieve the contents of the VDC.
Use a GET request of the form shown in the request portion of “Example: Deployment Information in a
VDC,” on page 30.

Example: Deployment Information in a VDC
This example shows a request to retrieve the XML representation of a VDC. It shows only the subset of the
response that contains deployment information.
Request:
GET https://vcloud.example.com/api/vdc/5

Response:
200 OK
Content-Type: application/vnd.vmware.vcloud.vdc+xml
...

...

The information that you need is available in the following elements of the response:
n

A Link element that contains an action URL for instantiateVAppTemplate. The rel attribute of this link
has a value of add. It implements an action that adds an object (a vApp) to the VDC.

A list of AvailableNetworks that includes all the networks in the VDC.

Deploy the vApp
To create a vApp from a vApp template, you must bind the template's abstract resource requirements, such
as network connections, storage resources, memory, and CPU capacity, to appropriate resources in the
target VDC. This binding operation is called instantiation.
To deploy the vApp, you construct an InstantiateVAppTemplateParams element that specifies a vApp
template to use and a network to connect to, then POST the element to the action/instantiateVAppTemplate
URL of the VDC.
Prerequisites
Verify that you are logged in to the vCloud API as a system administrator or member of an organization in
the cloud.
Procedure
1

Retrieve the XML representation of the vApp template.
Make a GET request to the URL provided in the href attribute of the Entity contained by the
CatalogItem that references the template.

Examine the template to find the Vm elements of the virtual machines that it contains.
Look for a NetworkConnection element in the Vm. You need some of the information in that element to
create a vApp network that the virtual machine can connect to.

Create an InstantiateVAppTemplateParams element.
See “Example: Deploying a vApp,” on page 32 for guidelines.

VMware, Inc.

vCloud API Programming Guide

Make a POST request to the action/instantiateVAppTemplate URL of the VDC.
Supply the InstantiateVAppTemplateParams element as the request body.

The server takes the requested action and returns a VApp element. The element has a status attribute value
of 0, meaning it is unresolved because it is still being constructed. It also contains a Task element that tracks
the progress of the request.
See the response portion of “Example: Deploying a vApp,” on page 32.

Example: Deploying a vApp
This simple instantiateVAppTemplate request assumes that the vApp template includes one Vm and has no
special requirements other than connecting that Vm to a network. For a look at a more complex instantiation
request, see “Example: Instantiate a vApp Template,” on page 94. The InstantiateVAppTemplateParams
includes the following information:
n

A name for the vApp, supplied in the name attribute of the InstantiateVAppTemplateParams element.
This request also provides a description, which is optional but a good practice.

A reference to a template, obtained from the href attribute of the Entity contained by the CatalogItem
that you retrieved in “Retrieve a Catalog Item,” on page 28 and suppled in the Source element of the
InstantiateVAppTemplateParams.

Configuration parameters for a vApp network, supplied in the NetworkConfigSection element. This
specification includes the following parameters:
n

A name for the network, supplied in the name attribute of the NetworkConfigSection element. The
name you specify for the vApp network must match the value of the network attribute of the
NetworkConnection of the Vm. This example assumes that this NetworkConnection element includes
the following values, which specify that the Vm connects to a network named VappNetwork:

...

A reference to the organization VDC network to which the vApp network connects, specified in the
ParentNetwork element. The URL used in this reference is one shown in the AvailableNetworks
element in “Example: Deployment Information in a VDC,” on page 30.

A fence mode, specified in the FenceMode element. A value of bridged indicates that the vApp
network is connected directly to the organization VDC network.

For more information about creating networks with the vCloud API, see “About vCloud Director
Networks,” on page 169.
The target of the request is the instantiateVAppTemplate URL of this VDC. See “Example: Deployment
Information in a VDC,” on page 30. Because the operation creates a new vApp object, the HTTP request type
is POST.
Request:
POST https://vcloud.example.com/api/vdc/5/action/instantiateVAppTemplate
Content-Type: application/vnd.vmware.vcloud.instantiateVAppTemplateParams+xml
...

Example FTP Server

Configuration parameters for logical networks

bridged

The response to the instantiation request is a sparsely populated vApp element that includes the following
information:
n

The status of the vApp. The status value 0 indicates that the vApp is unresolved, because instantiation
is not complete.

The name of the vApp, as supplied in the request.

The vApp URL, shown in the href attribute of the VApp element. You can use this reference to retrieve
information about the vApp.

A task created to track the instantiation. The Task element has an operation attribute that describes
what is happening, and contains an Owner element that is a reference the vApp being created. The vApp
is the owner of the task.

Response:
201 Created
Content-Type: application/vnd.vmware.vcloud.vApp+xml
...

Example FTP Server vApp

Get Information About a vApp
When you instantiate a vApp template, the server returns the URL of the resulting vApp. You can use this
URL with a GET request to retrieve information that you can use to connect to the vApp, modify its
configuration, and operate it.
As other examples have shown, a client can always use an HTTP GET request to the URL in the object's href
attribute to discover the current state of any vCloud API object, including a vApp.
Prerequisites
Verify that you are logged in to the vCloud API as a system administrator or member of an organization in
the cloud.
Procedure
1

Retrieve the XML representation of the vApp.
Make a GET request to the URL in the href attribute of the VApp element that is returned when you
create the vApp from the template.

Examine the response.
See “Example: Getting Information About the vApp,” on page 34.

Example: Getting Information About the vApp
This response reveals several things about the vApp:
n

The vApp is deployed (its deployed attribute is set to true) and powered on (status="4"). See “Object
Creation Status,” on page 361.

The Vm in its Children collection is also powered on and deployed. The Vm is connected to the vApp
network created during instantiation. See “Example: Deploying a vApp,” on page 32. Properties of this
network are included in the NetworkConfigSection of the vApp, although most are not shown here.
Properties of the virtual machine's connection to the network, including its IP address, are shown in the
NetworkConnection of the Vm.

Action links for all operations except powerOn are present in the VApp element and the Vm element that it
contains. Because the vApp is already powered on, that operation is invalid for the vApp in its current
state, so the link is not part of the response. The link for deploy is always present, even in a deployed
vApp, because the deploy action is always valid. The Vm element also includes several links for actions
that are not applicable to a vApp. Actions such as acquiring a screen ticket or thumbnail, and inserting
or removing media, are meaningful only in the context of a virtual machine. Other actions, like
shutdown and reboot, can be applied to either object. See Chapter 5, “Deploying and Operating
vApps,” on page 89.

Request:
GET https://vcloud.example.com/api/vApp/vapp-7

VMware, Inc.

Chapter 2 Hello vCloud: A Simplified RESTful Workflow

Response:
200 OK
Content-Type: application/vnd.vmware.vcloud.vApp+xml
...

...

...
Example FTP Server vApp

...

Configuration parameters for vAppNetwork

...

bridged

true

...

network="vAppNetwork">
0
10.147.201.10
true
00:50:56:01:01:49
DHCP

...

Displaying the Virtual Machine Console
After a vApp is powered on, you can retrieve a screen ticket from one of its virtual machines. You use that
ticket with the VMRC browser plug-in to gain access to the console of the virtual machine.
A screen ticket is a string that includes the virtual machine’s IP address, its managed object reference, and a
residual that is encoded as described in RFC 2396. Each Vm element in a vApp includes a link where
rel="screen:acquireTicket" if the virtual machine it represents is powered on. You can use that link to
retrieve a screen ticket that you can use with the VMRC API to open a VMware Remote Console for the
virtual machine.
NOTE A Vm element might also contain a link of the form:

This link acqures a special kind ticket to be used with the WebMKS Javascript API, which is described in the
VMware Remote Console SDK documentation.
Prerequisites
n

Verify that you are logged in to the vCloud API as a system administrator or member of an
organization in the cloud.

Verify that the virtual machine whose console you want to display is powered on.

VMware, Inc.

vCloud API Programming Guide

Verify that your browser has an installed copy of the vmware-vmrc plug-in. This plug-in is installed by
your browser whenever you use the vCloud Director Web Console to access the console of a running
virtual machine. After this plug-in is installed, you can find it in the folder where your browser stores
plug-ins.

Procedure
1

Retrieve the screen ticket.
POST a request to the acquireTicket link of the Vm.
Request:
POST https://vcloud.example.com/api/vApp/vm-4/screen/action/acquireTicket

Response:
200 OK
Content-Type: application/vnd.vmware.vcloud.screenTicket+xml
...

In the request body, specify that the undeployment include powering off the vApp. See
“Example: Undeploy, Power Off, and Delete a vApp,” on page 39.
3

Retrieve the XML representation of the vApp again.
After it is powered off and undeployed, the vApp includes a rel="remove" link of the following form:

Remove the vApp.
Make a DELETE request to the vApp's rel="remove" link, as shown in the request portion of
“Example: Undeploy, Power Off, and Delete a vApp,” on page 39.

The server starts a task to manage the events that lead up to the removal of the vApp, and returns a Task
element that you can use to track the progress of the task.

Example: Undeploy, Power Off, and Delete a vApp
You can use the undeploy request body, an UndeployVAppParams element, to specify an UndeployPowerAction
element. This example specifies an UndeployPowerAction of powerOff.
NOTE powerOff is the default UndeployPowerAction. It appears here for clarity.
Request:
POST https://vcloud.example.com/api/vApp/vapp-7/action/undeploy
Content-Type: application/vnd.vmware.vcloud.undeployVAppParams+xml
...

powerOff

Response:
202 Accepted
...

After the vApp is undeployed and powered off, its representation includes a link where rel="remove". Make
a DELETE request to this link to remove the vApp.

VMware, Inc.

vCloud API Programming Guide

Request:
DELETE https://vcloud.example.com/api/vApp/vapp-7

Response:
202 Accepted
...

Log Out
To log out and terminate a vCloud API session, delete the Session you created when you logged in.
The logout request, like all other authenticated requests, must include the authorization header, as shown in
“Example: Logging Out,” on page 40.
Prerequisites
Verify that you are logged in.
Procedure
u

Make a DELETE request specifying the href of the current Session object.

Example: Logging Out
This example deletes the current user's Session, which logs the user out.
Request:
DELETE https://vcloud.example.com/api/session
x-vcloud-authorization: cn9uYmdugN8E2j96+5Lqrc3YBvFsEgDHXzyfJrJ/6bM=

Response:
200 OK

VMware, Inc.

Exploring a Cloud

You can use HTTP GET requests to browse containers such as organizations, catalogs, and VDCs in a cloud.
Responses to these requests include metadata about the container itself and references to the objects it
contains. These references are provided in Link elements, which have href attributes whose values the client
can use in requests to get more information about the objects themselves. This process is sometimes called
serial discovery, because the contents of one response provides links to locations where you can look for
more information. The hierarchical structure of vCloud API container objects lends itself to graphical
representation as a folder hierarchy or tree view of vCloud API objects, and enables clients to use the same
set of objects and operations to implement a breadth-first or depth-first approach to browsing.
The list of entry points from which you can begin browsing is contained in the Session element that is
returned in response to a successful login. The contents of this list is based on your role and privileges.
This chapter includes the following topics:
n

“Summary of vCloud API Browsing Requests,” on page 41

“Retrieve the Login URL and List of Supported API Versions,” on page 43

“Create a Login Session Using the Integrated Identity Provider,” on page 44

“Retrieve a List of Organizations Accessible to You,” on page 49

“Retrieve an Administrative View of a Cloud,” on page 50

“Retrieve a List of vSphere Platform Operations and Objects for a Cloud,” on page 52

Summary of vCloud API Browsing Requests
Browsing requests provide read-only access to a cloud and the objects it contains.
n

API-URL is a URL of the form https://vcloud.example.com/api.

id is a unique identifier in the form of a UUID, as defined by RFC 4122.

IMPORTANT Request URLs are always available in Link elements contained by the representation of the
object on which they operate. URL forms shown here are for reference purposes only. Although URLs have
a well-known syntax and a well-understood interpretation, a client should treat vCloud API request URLs
as opaque strings. The rules that govern how the server constructs these strings might change in future
releases.
This summary may not cover all requests in this category. For the complete list of requests, along with
detailed information about input and output types, see the Operations lists in the schema reference.

VMware, Inc.

vCloud API Programming Guide

Table 3‑1. Summary of vCloud API Browsing Requests

Operation

Request

Request Body

Response

Show login URL and list of
supported API versions

GET API-URL/versions

None

SupportedVersions

POST API-URL/sessions

None

Session

Log out

DELETE API-URL/session

None

200 OK

POST API-URL/login

None

OrgList

Log out [DEPRECATED]

POST API-URL/login

None

200 OK

Retrieve a list of entry points
for browsing operations

GET API-URL/session

None

200 OK

Retrieve a list of
organizations to which you
have access

GET API-URL/org/

None

OrgList

Retrieve the contents of an
organization

GET API-URL/org/id

None

Org

Retrieve properties of a
network

GET API-URL/network/id

None

OrgNetwork

Retrieve the contents of a
catalog

GET API-URL/catalog/id

None

Catalog

Retrieve properties of a
catalog item

GET APIURL/catalogItem/id

None

CatalogItem

Retrieve the contents of a
VDC

GET API-URL/vdc/id

None

Vdc

Retrieve properties of a
media image

GET API-URL/media/id

None

Media

Retrieve a vApp template

GET APIURL/vAppTemplate/vappT
emplate-id

None

VAppTemplate

Retrieve properties of a
vApp

GET API-URL/vApp/vappid

None

VApp

Retrieve properties of a
virtual machine

GET API-URL/vApp/vm-id

None

Retrieve metadata for an
object such as an
organization, network,
vApp, virtual machine,
media image, or
independent disk.

GET APIURL/object/id/metadata

None

Metadata

Retrieve a list of IP
addresses allocated to a
network. [NEW]

GET APIURL/network/id/allocatedA
ddresses

None

AllocatedIpAddresses

VMware, Inc.

Chapter 3 Exploring a Cloud

Retrieve the Login URL and List of Supported API Versions
Every cloud has a login URL that a client can obtain by making an unauthenticated GET request to the
vCloud Director api/versions URL. The response to this request also lists vCloud API versions that the
server supports.
Procedure
1

Make an API version request to vCloud Director to obtain the login URL for the REST API.
See the request portion of “Example: Versions Request and Response,” on page 43.

Examine the response to find the login URLs.
Each version of the vCloud API that the server supports has its own login URL. Look for a line of the
following form:
http://vcloud.example.com/api/...

Use the login URL to log in to the cloud.

Example: Versions Request and Response
The api/versions request does not need to be authenticated. The response, a small subset of which is shown
here, includes a VersionInfo element for each API version that the server supports. Each VersionInfo
element contains:
n

A LoginUrl element that contains the URL to which a client can make a login request to access that
version of the vCloud API. See “Logging In,” on page 24.

MediaTypeMapping elements for each complex type supported by that version of the vCloud API.

Request:
GET http://vcloud.example.com/api/versions

Response:
200 OK
Content-Type: text/xml
...

1.5
https://vcloud.example.com/api/login

application/vnd.vmware.vcloud.catalog+xml
CatalogType
http://vcloud.example.com/api/v1.5/schema/master.xsd

...

5.1

VMware, Inc.

vCloud API Programming Guide

https://vcloud.example.com/api/sessions

...

5.5
https://vcloud.example.com/api/sessions

...

NOTE You can use the URL in the SchemaLocation element with a GET request to retreive the file in which
that complex type is defined. For example:
GET http://vcloud.example.com/api/v1.5/schema/master.xsd

Create a Login Session Using the Integrated Identity Provider
The vCloud API login mechanism authenticates a user and creates a Session object that contains the URLs
from which that user can begin browsing. Users who authenticate to the integrated identity provider use
basic HTTP authentication.
Prerequisites
NOTE This procedure assumes that you are logging in with credentials managed by the vCloud Director
integrated identity provider. Users whose credentials are managed by a SAML identity provider must
follow a different login workflow.
n

Verify that you know the login URL. See “Retrieve the Login URL and List of Supported API Versions,”
on page 43.

Verify that you are logging in as a user whose identity is managed by the vCloud Director integrated
identity provider.

Procedure
1

Use the login URL to authenticate to the cloud.
POST a request to this URL. The request must include your username, organization name, and
password in a MIME Base64 encoding. See “Example: Create a Login Session Using the Integrated
Identity Provider,” on page 45.

Examine the response.
The response code indicates whether the request succeeded, or how it failed.
If the authentication header is missing, the server returns HTTP response code 403.

n
n

If the credentials supplied in the authentication header are invalid, the server returns HTTP
response code 401.

If the request is successful, the server returns HTTP response code 200 (OK) and headers that
include an authorization header of the form:
x-vcloud-authorization: token

This header must be included in each subsequent vCloud API request.

VMware, Inc.

Chapter 3 Exploring a Cloud

The Session element returned from a successful login contains one or more URLs from which you can
begin browsing.
The list of URLs in the Session object is based on the role and privileges of the authenticated user. A Session
object expires after a configurable interval of client inactivity. To change the length of this client inactivity
timeout, a system administrator can change the value of SessionTimeoutMinutes in the system's
GeneralSettings. See “Retrieve or Update System Settings,” on page 239.
A Session object can be deleted by its owner or an administrator. After your Session expires or is deleted,
you are not authenticated.

Example: Create a Login Session Using the Integrated Identity Provider
A request to create a login session must supply the user's credentials in the following form:
user@organization:password
n

user is the user's login name.

organization is the name of an organization of which the user is a member.

password is the user's password.

These credentials must be supplied in a MIME Base64 encoding, as specified in RFC 1421.
This example shows a login request and response for a system administrator logging in to a cloud whose
login URL is https://vcloud.example.com/api/sessions.
Request:
POST https://vcloud.example.com/api/sessions
Authorization: Basic encoded-credentials
Accept: application/*+xml;version=5.5

Response:
200 OK
x-vcloud-authorization: cn9uYmdugN8E2j96+5Lqrc3YBvFsEgDHXzyfJrJ/6bM=
Content-Type: application/vnd.vmware.vcloud.session+xml
...

This response includes the following link types:
orgList

A link to the list of organizations that you can access. See “Retrieve a List of
Organizations Accessible to You,” on page 49.

org

A link to the user's organization. See “Retrieve a List of Organizations
Accessible to You,” on page 49.

vcloud

A link to administrative objects and operations. See Chapter 6, “Creating and
Managing Organizations,” on page 149

vmwExtension

A link to the vCloud API extensions, accessible to a system administrator.
See Chapter 7, “Managing and Monitoring a Cloud,” on page 235.

queryList

A link to the set of typed queries you can run. See Chapter 9, “Using the
Query Service,” on page 289.

entity

A link to the entity resolver. See “Retrieve an Object as an Entity,” on
page 362.

extensibility

A link to the extensibility framework entry point. See Chapter 11, “vCloud
Director Extension Services,” on page 329.

Create a Login Session Using a SAML Identity Provider
The vCloud API login mechanism authenticates a user and creates a Session object that contains the URLs
from which that user can begin browsing. Users who authenticate to a SAML identity provider must acquire
and process a security assertion from that identity provider, then submit the processed assertion to the
vCloud API login URL.
The vCloud API login mechanism supports Security Assertion Markup Language (SAML) authentication
using two types security assertions:

Bearer assertions, which can make no guarantees about message integrity and claimed client identity.

Holder-of-key assertions, which guarantee subject identity by including a signature generated with the
subject's private key.

VMware, Inc.

Chapter 3 Exploring a Cloud

Prerequisites
NOTE This procedure assumes that you are logging in with credentials managed by a SAML identity
provider. Users whose credentials are managed by the vCloud Director integrated identity provider must
follow a different login workflow.
n

Verify that you know the login URL. See “Retrieve the Login URL and List of Supported API Versions,”
on page 43

Verify that you are logging in as a user whose identity is managed by the SAML identity provider
defined by your organization.

Procedure
1

Acquire the SAML assertion from your identity provider.
The system administrator must use the vSphere SSO Service as the identity provider.

Compress the assertion using GZIP.

Encode the compressed assertion a MIME Base64 encoding, as specified in RFC 1421.

Use the login URL to authenticate to the cloud.
POST a request to this URL. The request must include an Authorization header that specifies SIGN as
the authorization method and has the following attributes:
Table 3‑2. Authorization Header Attributes and Values
Attribute Name

Attribute Value

token

The compressed, encoded identity assertion from your
SAML identity provider.

signature

Base64 encoded signature of the token XML (the
uncompressed identity assertion from your SAML
identity provider) generated using client's private key.
Required when using holder-of-key subject
confirmation.

signature_alg

The algorithm used to generate the signature,
expressed as one of the values listed in
http://docs.oracle.com/javase/7/docs/technotes/guides/se
curity/StandardNames.html#Signature Required if
signature is present.

org

The name of your vCloud Director organization.
Defaults to org="system" if not specified.

See “Example: Create a Login Session Using a SAML Identity Provider,” on page 48.
5

Examine the response.
The response code indicates whether the request succeeded, or how it failed.
n

If the authentication header is missing, the server returns HTTP response code 403.

If the credentials supplied in the authentication header are invalid, the server returns HTTP
response code 401.

If the request is successful, the server returns HTTP response code 200 (OK) and headers that
include an authorization header of the form:
x-vcloud-authorization: token

This header must be included in each subsequent vCloud API request.
The Session element returned from a successful login contains one or more URLs from which you can
begin browsing.

VMware, Inc.

vCloud API Programming Guide

The list of URLs in the Session object is based on the role and privileges of the authenticated user. A Session
object expires after a configurable interval of client inactivity. To change the length of this client inactivity
timeout, a system administrator can change the value of SessionTimeoutMinutes in the system's
GeneralSettings. See “Retrieve or Update System Settings,” on page 239.
A Session object can be deleted by its owner or an administrator. After your Session expires or is deleted,
you are not authenticated.

Example: Create a Login Session Using a SAML Identity Provider
This example shows a login request and response for a user of a SAML identity provider logging in to the

Finance organization of a cloud whose login URL is https://vcloud.example.com/api/sessions. This

example shows two varieties of the request.
Request (bearer token):

POST https://vcloud.example.com/api/sessions
Authorization: SIGN token="compressed-encoded-credentials",
org="Finance"
Accept: application/*+xml;version=5.5

When using a SAML assertion that provides holder-of-key (HOK) subject confirmation, the request header
must include signature and signature_alg attributes, as shown in this example, which assumes a signature
created with a SHA encoding and RSA encryption algorithms:
Request (holder-of-key token):
POST https://vcloud.example.com/api/sessions
Authorization: SIGN token="compressed-encoded-credentials",
org="Finance",
signature="encoded-signature"
signature_alg="SHA1withRSA"
Accept: application/*+xml;version=5.5

The response is the same in both cases.
Response:
200 OK
x-vcloud-authorization: cn9uYmdugN8E2j96+5Lqrc3YBvFsEgDHXzyfJrJ/6bM=
Content-Type: application/vnd.vmware.vcloud.session+xml
...

Because this user has limited rights, the response includes only a few link types:
org

A link to the user's organization. See “Retrieve a List of Organizations
Accessible to You,” on page 49.

queryList

A link to the set of typed queries you can run. See Chapter 9, “Using the
Query Service,” on page 289.

entity

A link to the entity resolver. See “Retrieve an Object as an Entity,” on
page 362.

An administrator would see a more extensive set of links in the returned Session object. See
“Example: Create a Login Session Using the Integrated Identity Provider,” on page 45.

Retrieve a List of Organizations Accessible to You
A successful login request returns a Session element, which contains a link to a list of all organizations that
you are permitted to access.
Every authenticated user has an associated Session object that contains one or more Link elements. The set
of Link elements in your Session is based on your role and privileges. Each of these elements includes a
URL that you can use with a GET request to explore a subset of objects in the cloud.
All Session elements include a link that you can use to retrieve an OrgList element. For an ordinary user,
this list includes just the organization to which the user logged in. For an organization administrator or
system administrator, the list includes all organizations in the cloud.
Prerequisites
Create a login session. See “Create a Login Session Using the Integrated Identity Provider,” on page 44.
Procedure
1

Retrieve the XML representation of your Session object.
Use a request like this one:
GET https://vcloud.example.com/api/session

Examine the contents of the Session element to locate the link to the organization list.
This link has the following form:

Retrieve the list of organizations by making a GET request to the href value of the Link.
See “Example: Retrieve an Organization List,” on page 49.

Example: Retrieve an Organization List
Request:
GET https://vcloud.example.com/api/org

VMware, Inc.

vCloud API Programming Guide

The request returns an OrgList element similar to the one shown here. Additional Org elements are returned
only when a system administrator makes the request.
Response:
200 OK
Content-Type: application/vnd.vmware.vcloud.orgList+xml
...

Retrieve an Administrative View of a Cloud
A successful login by an organization or system administrator returns a Session element that contains a link
that you can use to retrieve a VCloud element. The VCloud element provides access to a cloud-wide
namespace of objects that an organization administrator can view and, in most cases, modify.
The primary administrative objects in a cloud include organizations, provider VDCs, rights, roles, and
external networks. Each object type is represented in a VCloud element by zero or more references. The
vCloud API defines several objects that are used only in administrative operations. Some, like User, Group,
and Role, are unique to administrative operations. Others extend common vCloud API objects to add
elements and attributes that only administrators can view or modify. An AdminOrg, for example, provides an
administrative view of an Org, and an AdminVdc does the same thing for a Vdc.
A system administrator can obtain more information about any of these objects by making a GET request to
its URL, which is the value of its href attribute.
The vCloud element includes links that enable a system administrator to add organizations and roles.
Subordinate objects such as users, catalogs, and VDCs are contained by individual organizations and not
listed at this level.
Prerequisites
Use the credentials of an organization administrator or system administrator to create a login session. See
“Create a Login Session Using the Integrated Identity Provider,” on page 44.
Procedure
1

Retrieve the XML representation of your Session object.
Use a request like this one:
GET https://vcloud.example.com/api/session

Examine the contents of the Session element to locate the link to the VCloud object.
This link has the following form:

VMware, Inc.

Chapter 3 Exploring a Cloud

Retrieve the VCloud element by making a GET request to the href value of the Link described in Step 2.
See “Example: Retrieve an Administrative View of a Cloud,” on page 51

Example: Retrieve an Administrative View of a Cloud
Request:
GET https://vcloud.example.com/api/admin

Response:
200 OK
Content-Type: application/vnd.vmware.admin.vcloud+xml
...

...
Example Corporation’s vCloud

...

Retrieve a List of vSphere Platform Operations and Objects for a
Cloud
A successful login by a system administrator returns a Session element that contains a link that you can use
to retrieve a VMWExtension element.
Every vCloud Director installation depends on vSphere platform resources such as vCenter servers and
hosts, vShield Manager, portgroups, virtual switches, and so on. The VMWExtension element provides access
to a cloud-wide namespace of vSphere platform objects that are registered for use by the system, and links
that allow you to add vSphere servers and related resources to your cloud. Objects in the admin/extension
XML namespace provide a system administrator with programmatic access to these resources.
Prerequisites
Use the credentials of a system administrator to create a login session. See “Create a Login Session Using the
Integrated Identity Provider,” on page 44.
Procedure
1

Retrieve the XML representation of your Session object.
Use a request like this one:
GET https://vcloud.example.com/api/session

VMware, Inc.

Chapter 3 Exploring a Cloud

Examine the contents of the Session element to locate the link to the VMWExtension object.
This link has the following form:

Retrieve the list of organizations by making a GET request to the href value of the Link described in
Step 2.
The request returns a VMWExtension element, as shown in “Example: Retrieve a List of vSphere Platform
Operations and Objects for a Cloud,” on page 53.

Example: Retrieve a List of vSphere Platform Operations and Objects for a
Cloud
Request:
GET https://vcloud.example.com/api/admin/extension

The response is a VMWExtension element containing a number of Link elements. This example shows only a
subset of VMWExtension contents.
Response:
200 OK
Content-Type: application/vnd.vmware.admin.vmwextension+xml
...

...

VMware, Inc.

Provisioning an Organization

The vCloud API provides several ways for you to make vApp templates, vApps, media images, and
independent disks available to users in a vCloud Director organization.
The vCloud API allows you to upload and download OVF packages and ISO-format media images.
Operations are characterized as uploads when they transfer content from a vCloud API client system to a
target catalog in a vCloud Director organization, and as downloads when a vCloud API client requests the
transfer of content from vCloud Director. A POST request initiates an upload, and a GET request initiates a
download. The vCloud Director transfer service facilitates uploads and downloads and provides temporary
storage for files. Uploaded vApp templates and media images are made available as catalog items in the
target catalog.
In addition to uploading, you can use the following operations to provision an organization with vApp
templates, vApps, and media images:
Cloning

The vCloud API cloneVApp operation creates a copy of a vApp in a specified
VDC. You can specify whether to delete the source vApp after the operation
completes. Deleting the source vApp after cloning it moves or renames it.

Capturing

The vCloud API captureVApp operation creates a vApp template from a
vApp and places the template in a specified catalog.

Importing

A system administrator can import a virtual machine from a vCenter server
that is registered to the cloud. You can import the virtual machine as a vApp
or as a vApp template. You can add an imported template to a catalog or
download it as an OVF package.

Subscribing

Organizations that have the appropriate permissions can create catalogs with
external subscriptions. These contents of these catalogs are downloaded from
a catalog hosted on another instance of vCloud Director, or any Web site that
implements the VMware Content Subscription Protocol. See “Create a
Catalog With an External Subscription,” on page 203.

You can also create independent disks that are contained by an organization VDC and can be connected to
any virtual machine in that VDC.
This chapter includes the following topics:
n

“Summary of vCloud API Provisioning Requests,” on page 56

“Upload an OVF Package to Create a vApp Template,” on page 58

“Download a vApp or vApp Template as OVF,” on page 68

“Upload a Media Image,” on page 72

“Download a Media Image,” on page 74

VMware, Inc.

vCloud API Programming Guide

“Capturing and Importing vApps,” on page 75

“Managing Catalog Items,” on page 76

“Creating and Using Independent Disks,” on page 80

“View or Change the Owner of an Object,” on page 83

“Controlling Access to vApps and Catalogs,” on page 84

Summary of vCloud API Provisioning Requests
Provisioning requests add vApp templates and media to a a catalog. You can also use provisioning requests
to copy, move, rename, download, and delete these objects.
n

API-URL is a URL of the form https://vcloud.example.com/api.

id is a unique identifier in the form of a UUID, as defined by RFC 4122.

Operation

Request

Request Body

Response

Upload OVF to a catalog
create a vApp template.
[NEW]

POST API-URL/catalog/id/
action/upload

UploadVAppTemplatePara
ms

CatalogItem

Upload OVF to a VDC to
create a vApp template.
[DEPRECATED]

POST API-URL/vdc/id/
action/uploadVAppTempla
te

UploadVAppTemplatePara
ms

VAppTemplate

Enable a vApp for
download. [NEW]

POST APIURL/vApp/id/action/enable
Download

None

Task

Disable a vApp for
download. [NEW]

POST APIURL/vApp/id/action/disabl
eDownload

None

Task

Enable a vApp template for
download.

POST APIURL/vAppTemplate/
vAppTemplateid/action/enableDownload

None

Task

Disable a vApp template for
download.

POST APIURL/vAppTemplate/
vAppTemplateid/action/disableDownload

None

204 No Content

Download a vApp or vApp
template as an OVF package.

GET download-URL

None

Depends on file type.

Upload a media image to a
catalog. [NEW]

POST APIURL/catalog/id/action/uplo
ad

Media

Upload a media image to a
VDC. [DEPRECATED]

POST APIURL/vdc/id/media

Media

VMware, Inc.

Chapter 4 Provisioning an Organization

Table 4‑1. Summary of Provisioning Requests (Continued)
Operation

Request

Request Body

Response

Move a catalog item. [NEW]

POST APIURL/catalogItem/id/
action/move

CopyOrMoveCatalogItemP
arams

Task

Copy a catalog item. [NEW]

POST APIURL/catalogItem/id/
action/copy

CopyOrMoveCatalogItemP
arams

Task

Synchronize a catalog with
its remote source. [NEW]

POST API-URL/catalog/id/
action/sync

None

Task

Synchronize a catalog item
with its remote source.
[NEW]

POST APIURL/catalogItemid/
action/sync

None

Task

Copy or move a media
image. [DEPRECATED]

POST APIURL/vdc/id/action/cloneMe
dia

CloneMediaParams

Media

Copy or move a vApp
template. [DEPRECATED]

POST APIURL/vdc/id/action/
cloneVAppTemplate

CloneVAppTemplateParam
s

VAppTemplate

Change the name or
description of a vApp
template.

PUT APIURL/vAppTemplate/vappT
emplate-id

VAppTemplate

Task

Change the name or
description of a media
image.

PUT API-URL/media/id

Media

Task

Delete a vApp template,
vApp, or media image.

DELETE object-URL

None

Task

Synchronize a catalog with
its external source. [NEW]

POST APIURL/catalog/id/action/sync

None

Task

Synchronize a catalog item
with its external source.
[NEW]

POST APIURL/catalogItem/id/actio
n/sync

None

Task

Add an item to a catalog.
[DEPRECATED]

POST APIURL/catalog/id/catalogItem
s

CatalogItem

Remove an item from a
catalog.

DELETE API-URL/
catalog/id/catalogItem/id

None

204 No content

Control access to catalogs.

POST APIURL/catalog/id/action/contr
olAccess

ControlAccessParams

Retrieve the owner of a
media object.

GET APIURL/media/id/owner

None

Owner

Retrieve the owner of a
vApp template.

GET APIURL/vAppTemplate/vappT
emplate-id/owner

None

Owner

Retrieve the owner of a
vApp.

GET APIURL/vApp/id/owner

None

Owner

Update the owner of a
vApp.

PUT APIURL/vApp/id/owner

Owner

204 No Content

Create an independent disk
in a VDC.

POST API-URL/vdc/id/
disk

DiskCreateParams

Disk

VMware, Inc.

vCloud API Programming Guide

Table 4‑1. Summary of Provisioning Requests (Continued)
Operation

Request

Request Body

Response

Retrieve properties of an
independent disk.

GET API-URL/disk/id

None

Disk

Update an independent disk
in a VDC.

POST API-URL/disk/id

Disk

Retrieve a list of all virtual
machines attached to an
independent disk.

GET APIURL/disk/id/attachedVms

None

Vms

Delete an independent disk.

DELETE API-URL/disk/id

None

Task

Upload an OVF Package to Create a vApp Template
A vCloud API client that has access to an OVF package can use a standard workflow to upload the package
and create a vApp template.
The initial configuration of a vApp is established in the OVF package on which its source template is based.
In the vCloud API, vApp templates are based OVF 1.0, an open standard format. For more information
about OVF and how the vCloud API uses it, see “About OVF,” on page 89.
An OVF package includes several kinds of files.
An OVF descriptor

An XML file that contains metadata that describe a virtual machine or
collection of related virtual machines and the deployment environment they
require. By convention, this file has the suffix .ovf.

Virtual disk files

The descriptor lists these files and includes information about their format.

An optional certificate

You can use this file to certify the authenticity of the package.

An optional manifest

Contains a SHA-1 digest of each of the files in the package.

Upload Workflow
The upload workflow for OVF packages uses a combination of vCloud API requests and standard HTTP file
transfer requests.

The client makes a POST request to the catalog chosen to hold the template derived form the uploaded
OVF. The request body specifies a name, description, and other parameters used when creating the
template.

The server returns a CatalogItem that references a vApp template.

The client makes a GET request to the entity reference in the CatalogItem to retrieve the VAppTemplate,
which includes an upload URL for the OVF descriptor. Because the template is not yet complete, the
VAppTemplate element has status="0".

The client makes a PUT request to the upload URL and supplies the OVF descriptor in the request
body.

The server processes the descriptor and modifies the vAppTemplate to include an upload URL for each
file listed in the References section of the descriptor. While the server is modifying the vAppTemplate,
the client makes periodic requests for it and examines the response for additional upload URLs. When
the response contains additional upload URLs that were not present in the initial response, template
construction is complete.

The client uses PUT requests to upload each of the files.

VMware, Inc.

Chapter 4 Provisioning an Organization

If the OVF package includes a manifest file, the entire upload is validated against the contents of the
manifest file.

Both monolithic and ranged, or chunked, PUT requests are supported. After starting an upload, a client can
make periodic requests to assess its progress. After all of the files are uploaded (and validated if a manifest
is present), the server processes them and updates the vApp template. When processing is complete, the
server sets the value of the template's status attribute to 8, indicating that it is ready for use. This status
value indicates that all of the virtual machines in the template are powered off. For more information,
including a complete list of possible status values and their meanings, see “Object Creation Status,” on
page 361.
NOTE If you have an OVF package that you want to deploy immediately as a vApp, without creating a
vApp template and corresponding catalog item, make an instantiateOvf request. See “Create a vApp From
an OVF Package,” on page 97.

Restrictions on Uploaded Content
The vCloud Director transfer service imposes the following restrictions on uploaded OVF content:
n

You can upload either OVF 1.0 or OVF 1.1 content. OVF 1.1 packages are converted to OVF 1.0 for
download, and any OVF 1.1 content is lost.

You cannot upload a compressed OVF package.

If you upload an OVF package in which any VirtualSystem element has an ovf:id attribute value that is
longer than 13 characters, the name of the Vm that represents that VirtualSystem in the vAppTemplate
that the upload creates is rewritten as the first 13 characters of the ovf:id attribute followed by three
digits. For example, NewVirtualMachine1 and NewVirtualMachine2 become NewVirtualMac001 and
NewVirtualMac002.

Initiating the OVF Upload on page 60
To initiate the OVF upload, a client makes a POST request to an action/upload link in the target
catalog. The type of this link is application/vnd.vmware.vcloud.uploadVAppTemplateParams+xml. The
request body is an UploadVAppTemplateParams element.

Retrieving the Upload URL for the OVF Descriptor on page 62
After the vApp template and corresponding catalog item have been created, you must retrieve the
template to get the upload URL for the OVF descriptor.

Uploading the OVF Descriptor on page 63
You upload the OVF descriptor by making a PUT request to the upload URL created for it in the
VAppTemplate. The request body is the descriptor's Envelope element. If the request is valid, the server
responds with a 200 OK status.

Retrieving Additional Upload URLs on page 64
After an OVF descriptor is uploaded, the server validates it and, if it is valid, updates the
corresponding template with upload URLs for each of the files referenced in the descriptor. You must
retrieve the template to see these URLs.

Uploading Referenced Files on page 66
You can use a PUT request to upload each file that the vApp template references.

VMware, Inc.

vCloud API Programming Guide

Initiating the OVF Upload
To initiate the OVF upload, a client makes a POST request to an action/upload link in the target catalog. The
type of this link is application/vnd.vmware.vcloud.uploadVAppTemplateParams+xml. The request body is an
UploadVAppTemplateParams element.
The first step in uploading an OVF package is to request vCloud Director to create a catalog item in the
target catalog and a corresponding vAppTemplate object to represent the template that will be constructed
from the upload.
Prerequisites
Verify that the following are true:
n

You have an OVF package to upload.

You are logged in as a user who has permission to upload OVF packages and create vApp templates.

You know the URL of the target catalog that will receive the upload. Retrieve the XML representation of
your organization to see a list of the catalogs that it contains.

Procedure
1

Find the action/upload link for vApp templates in the target catalog.
Retrieve the XML representation of the catalog using a request like the one shown in the request portion
of “Example: Deployment Information in a VDC,” on page 30. The response contains an action/upload
link, which has the following form:

Create an UploadVAppTemplateParams element that specifies the parameters for the vApp template that
this request creates.
See the request portion of “Example: Initiating the Upload,” on page 61.

(Optional) If the OVF package includes a manifest, include a manifestRequired="true" attribute in the

UploadVAppTemplateParams element.

Some OVF packages include a manifest document, which provides a checksum for each file in the
package. When the UploadVAppTemplateParams element includes a manifestRequired="true" attribute,
the set of File elements returned after you upload the OVF descriptor includes one for the manifest
itself.
4

Make an HTTP POST request to the upload link that you retrieved in Step 1, supplying the
UploadVAppTemplateParams element in the request body.
See the request portion of “Example: Initiating the Upload,” on page 61.

Examine the response.
The response, a CatalogITem element, contains an Entity element that contains a reference to the vApp
template that will be constructed from the uploaded OVF. See the response portion of
“Example: Initiating the Upload,” on page 61.

The server creates a VAppTemplate object and a corresponding CatalogItem in the target catalog, and returns
an XML representation of the CatalogItem. See the response portion of “Example: Initiating the Upload,” on
page 61.

VMware, Inc.

Chapter 4 Provisioning an Organization

Example: Initiating the Upload
This example assumes an OVF package that has no manifest.
Request:
POST https://vcloud.example.com/api/catalog/32/action/upload
Content-Type: application/vnd.vmware.vcloud.uploadVAppTemplateParams+xml
...

Ubuntu vApp Template

Response:
201 Created
Content-Type: application/vnd.vmware.vcloud.catalogItem+xml
...

Approved template for public FTP sites

VMware, Inc.

vCloud API Programming Guide

Retrieving the Upload URL for the OVF Descriptor
After the vApp template and corresponding catalog item have been created, you must retrieve the template
to get the upload URL for the OVF descriptor.
Procedure
1

Examine the CatalogItem returned by the upload request to find the reference to the new vApp
template.
The reference is the value of the href attribute of the Entity element, as shown here.

Retrieve the VAppTemplate.
See the request portion of “Example: OVF Descriptor Upload URL in a vAppTemplate,” on page 62.

Examine the template to find the upload URL for the OVF descriptor.
These URLs are contained in Link elements where rel="upload:default".

Example: OVF Descriptor Upload URL in a vAppTemplate
This request uses the vApp template URL referenced in the Entity element shown in the response portion of
“Example: Initiating the Upload,” on page 61.
Request:
GET https://vcloud.example.com/api/vAppTemplate/vappTemplate-111

Response:
200 OK
Content-Type: application/vnd.vmware.vcloud.vAppTemplate+xml
...

Ubuntu vApp Template

...

The response body includes the following attributes:
n

An ovfDescriptorUploaded attribute with a value of false, indicating that the OVF descriptor file is not
uploaded.

A status attribute with a value of 0, indicating that the file references in the descriptor are not
uploaded. (A VAppTemplate with a status of 0 is said to be unresolved.)

A goldMaster attribute, initially set to false.

An id attribute. See “Objects, References, and Representations,” on page 12.

The response body also includes a File element with an upload URL (rel="upload:default") for the OVF
descriptor. The server creates the name attribute of this File element, which specifies a container that the
server creates to receive the contents of the descriptor. The name attribute has no relation to the file name of
the descriptor in the client’s file system.
In addition to the File element, the response includes Owner, Children, LeaseSettingsSection, and
CustomizationSection elements that the server creates and sets to their default contents. For more
information about these elements, see the schema reference.

Uploading the OVF Descriptor
You upload the OVF descriptor by making a PUT request to the upload URL created for it in the

VAppTemplate. The request body is the descriptor's Envelope element. If the request is valid, the server
responds with a 200 OK status.

Prerequisites
Verify that you have an upload URL for the OVF descriptor. See “Retrieving the Upload URL for the OVF
Descriptor,” on page 62.
Procedure
1

Upload the OVF descriptor.
Make a PUT request to the upload URL in the VAppTemplate. The upload URL for the OVF descriptor is
in a Link element with the following form:

Supply the OVF descriptor as the request body. The OVF descriptor contains a single Envelope element.

VMware, Inc.

vCloud API Programming Guide

Verify that the request succeeded.
A response of the following form indicates that the request was valid and is being processed:
200 OK

Example: Uploading the OVF Descriptor
Request:
PUT https://vcloud.example.com/transfer/.../descriptor.ovf
Content-Type text/xml
...

...

Response:
200 OK

Retrieving Additional Upload URLs
After an OVF descriptor is uploaded, the server validates it and, if it is valid, updates the corresponding
template with upload URLs for each of the files referenced in the descriptor. You must retrieve the template
to see these URLs.
Procedure
1

Retrieve the VAppTemplate to verify that the OVF descriptor is uploaded.
See the request portion of “Example: Upload URLs in a vAppTemplate,” on page 64.

Verify that the value of the template's ovfDescriptorUploaded attribute is true.

Examine the template to find the upload URLs for the files referenced in the OVF descriptor.
These URLs are contained in Link elements where rel="upload:default".

Example: Upload URLs in a vAppTemplate
This request uses the vApp template URL returned in “Retrieving the Upload URL for the OVF Descriptor,”
on page 62.
Request:
GET https://vcloud.example.com/api/vAppTemplate/vappTemplate-111

Response:
200 OK
Content-Type: application/vnd.vmware.vcloud.vAppTemplate+xml
...

...
Ubuntu vApp Template

...

In this example, which omits most of the additional elements shown in “Example: Initiating the Upload,” on
page 61, the ovfDescriptorUploaded attribute has a value of true and the status attribute has a value of 0. If
the descriptor fails validation, status is set to -1, and the template contains a Task element whose Error
element indicates the reason for the failure.
Each of the File elements includes an upload link where rel="upload:default" and several attributes.
size

The file size, taken from the size attribute of the File element in the OVF
descriptor.

bytesTransferred

For all file references other than the descriptor, this attribute is initially set to
a value of 0, indicating that the upload has not begun. In the File element
that references the OVF descriptor, the value of the bytesTransferred
attribute is equal to the value of the size attribute, indicating that all the
bytes in the descriptor were transferred.

name

The file name, taken from the href attribute of the File element in the OVF
descriptor.

NOTE Upload URLs remain valid while a transfer session is in progress, and for a maximum of 60 minutes
of transfer session idle time. A system administrator can change this default value. See “Retrieve or Update
System Settings,” on page 239.

VMware, Inc.

vCloud API Programming Guide

Uploading Referenced Files
You can use a PUT request to upload each file that the vApp template references.
Prerequisites
n

Verify that you uploaded the OVF descriptor. See “Uploading the OVF Descriptor,” on page 63.

Retrieve the upload URLs for all files in the package. See “Retrieving Additional Upload URLs,” on
page 64.

Procedure
1

Find the upload:default URL for the file you want to upload.

Use the upload:default URL to construct a PUT request for the file.
The request specifies an upload URL and a content length in bytes. See “Example: Uploading File
Data,” on page 66.

After all the files are uploaded, the vApp template is complete, and has a status attribute value of 8. If the
upload included a manifest file, the server checks each file in the upload to verify that its checksum matches
the one stated in the manifest. If a checksum does not match, the template’s status attribute is set to -1 and
the template contains a Task element whose Error element indicates the reason for the failure.

Example: Uploading File Data
This example shows an upload request for one of the files that an OVF package requires. The upload request
is a Content-Length header followed by the serialized file content.
Request:
PUT https://vcloud.example.com/transfer/.../disk0.vmdk
Content-length: 1950489088
...serialized contents of file disk0.vmdk...
EOF

Response:
200 OK

Monitoring the Progress of an Upload
After you initiate the upload of a file referenced by a vApp template, you can monitor the progress of the
upload by periodically retrieving the vApp template and checking the value of the file's bytesTransferred
attribute.
To monitor the progress of an upload, you can watch the bytesTransferred attribute of the file. Each File
element in the template includes a bytesTransferred attribute whose value indicates the number of bytes
that the server received.
Prerequisites
Verify that you initiated the upload of a file referenced by the vApp template.
Procedure
1

Make a GET request specifying the URL of the vApp template.
See the request portion of “Example: Monitoring the Progress of an Upload,” on page 67.

VMware, Inc.

Chapter 4 Provisioning an Organization

Compare the values of the size and the bytesTransferred attributes of each File element.
When these two values are equal, the file transfer is complete.

After all the files are uploaded, the response includes final values for the bytesTransferred attribute of each
File, and a Task that tracks the events leading up to resolution of the template with the uploaded files, as
shown in “Example: Monitoring the Progress of an Upload,” on page 67.
Example: Monitoring the Progress of an Upload
Request:
GET https://vcloud.example.com/api/vAppTemplate/vappTemplate-111

The complete VAppTemplate body is returned. This example omits most of it for clarity.
Response:
200 OK
Content-Type: application/vnd.vmware.vcloud.vAppTemplate+xml
...

...

Using Ranged PUT requests to Complete a Partial Upload
You typically need ranged PUT requests for very large uploads, especially when network bandwidth or
latency might cause the operation to time out.
If the response to an upload progress request indicates that the upload terminated before it was complete,
you can use the size and bytesTransferred values from the response to construct a ranged PUT request of
the remaining contents, as shown in “Example: Ranged PUT Request to Complete a Partial Upload,” on
page 68.
Procedure
1

VMware, Inc.

Retrieve the VAppTemplate and find the File element that references the partially uploaded file.

vCloud API Programming Guide

Make a PUT request that specifies a Content-Range and Content-Length and includes the serialized
contents of the range.
For Content-Range, specify the value of the File element's bytesTransferred attribute for the low end of
the range and the value of its size attribute for the high end of the range. For Content-Length, subtract
the value of the File element's bytesTransferred attribute from the value of its size attribute.

Example: Ranged PUT Request to Complete a Partial Upload
The following request completes the upload of the file disk0.vmdk shown in this fragment of a VAppTemplate.

...

Request:
PUT https://vcloud.example.com/transfer/.../disk0.vmdk
Content-Range: bytes 500000000-1950489087/1950489088
Content-Length: 1450489088
...serialized contents of specified range...
EOF

Response:
200 OK

Download a vApp or vApp Template as OVF
You can download a vApp or vApp template object as an OVF package. After you enable the object for
download, you can download the OVF descriptor, then download all of the files referenced by the
descriptor. A vApp must powered off and undeployed before you can enable it for download.
When you enable a vApp or vApp template for download, the server performs several operations to create
an OVF package and make it available to the transfer service.
1

The server reconstructs the OVF descriptor using information in the vApp or vApp template. The
server excludes any deployment-specific information that the object contains, and populates the
descriptor's References element with references to files, such as .vmdk files, that are part of the package.

The server copies the reconstructed OVF descriptor to transfer service storage, along with all files that
the descriptor references.

The server updates the corresponding VApp or VAppTemplate element with a link that contains a URL
from which you can retrieve the OVF descriptor.

After you retrieve the descriptor, you can examine it to discover the download URLs for the files it
references.

You can download any file referenced in the descriptor by making a GET request to its download URL.

VMware, Inc.

Chapter 4 Provisioning an Organization

Enable a vApp or vApp Template for Download on page 69
Before you can download a vApp or vApp template, an administrator or privileged user must
explicitly enable the object for download.

Download the OVF Descriptor of a vApp or vApp Template on page 70
To download the OVF descriptor, make a GET request to the download:default URL in the downloadenabled VApp or VAppTemplate element.

Download a Referenced File on page 71
After you download the OVF descriptor of a vApp or vApp template, you can examine the contents of
the descriptor to discover download URLs for .vmdk and other files in the package.

Enable a vApp or vApp Template for Download
Before you can download a vApp or vApp template, an administrator or privileged user must explicitly
enable the object for download.
Prerequisites
n

Verify that you are logged in as an administrator or other user who has privileges to enable a vApp or
vApp template for download.

Verify that any vApp you plan to enable for download is powered off and undeployed. See “Undeploy,
Power Off, and Delete the vApp,” on page 38.

Procedure
1

Retrieve the XML representation of object to find its action/enableDownload link.
Every VAppTemplate element includes a link of the following form, where id is the id of the template:

Every vApp element includes a similar link:

Enable the object for download.
Make a POST request to the action/enableDownload URL, which you retrieved in Step 1. The response
is a Task that tracks the completion of the enablement operation.

When the task completes, retrieve the representation of the object, which now contains a download
URL for the OVF descriptor.
This URL remains valid while a transfer session is in progress, and for a maximum of 60 minutes of
transfer session idle time. A system administrator can change this default value. See “Retrieve or
Update System Settings,” on page 239.

Example: vApp Template with Download URL for OVF Descriptor
Request:
GET https://vcloud.example.com/api/vAppTemplate/vappTemplate-111

VMware, Inc.

vCloud API Programming Guide

Response:
200 OK
Content-Type: application/vnd.vmware.vcloud.vAppTemplate+xml
...

...

Download the OVF Descriptor of a vApp or vApp Template
To download the OVF descriptor, make a GET request to the download:default URL in the downloadenabled VApp or VAppTemplate element.
Prerequisites
n

Verify that you are logged in to the vCloud API as a system administrator or member of an
organization in the cloud.

Verify that you have a vApp or vApp template that is enabled for download. See “Enable a vApp or
vApp Template for Download,” on page 69.

Procedure
1

Examine the object to find the the download:default URL for the descriptor.

Make a GET request to the download:default URL to retrieve the descriptor
See “Example: Downloading the OVF Descriptor,” on page 70.

Example: Downloading the OVF Descriptor
This example downloads the OVF descriptor from the URL shown in the href value of the Link shown in
“Example: vApp Template with Download URL for OVF Descriptor,” on page 69. The response includes the
entire Envelope element, only part of which appears here.
Request:
GET https://vcloud.example.com/transfer/..../descriptor.ovf

Response:
200 OK
Content-Type text/xml
...

...

VMware, Inc.

Chapter 4 Provisioning an Organization

Download a Referenced File
After you download the OVF descriptor of a vApp or vApp template, you can examine the contents of the
descriptor to discover download URLs for .vmdk and other files in the package.
The OVF descriptor includes an href value for each file that the descriptor references. To retrieve one of
these files, you must create a download URL for it by combining this href value with a URL derived from
the download URL that you used to retrieve the descriptor. You must retrieve all of the referenced files to
create a valid OVF package.
Prerequisites
n

Verify that you are logged in to the vCloud API as a system administrator or member of an
organization in the cloud.

Retrieve the OVF descriptor of a vApp or vApp template that has been enabled for download.

Procedure
1

For each File element in the References element of the descriptor, construct a download URL.
a

Start with the URL that you used to download the descriptor.
This URL is the href value of the download:default link that the template contains.

b
2

Replace the final component of that URL with the value of the href attribute of the File element.

Use the constructed URLs to download each file.
See “Example: Downloading a Referenced File,” on page 71.

Example: Downloading a Referenced File
The request URL shown in this example combines the URL used in the request portion of
“Example: Downloading the OVF Descriptor,” on page 70 with the file name shown in this File element:

Request:
GET https://vcloud.example.com/transfer/..../disk0.vmdk

Response:
200 OK
...
...serialized contents of file disk0.vmdk...
EOF

NOTE The downloaded package is valid only if the descriptor and all of its referenced files maintain the
same relationship in the local file system that they had on the transfer server file system. In this case, the
descriptor and disk0.vmdk were both in the same directory, which is the default arrangement.

VMware, Inc.

vCloud API Programming Guide

Upload a Media Image
Uploading an ISO-format media image to a catalog creates a Media object and a corresponding CatalogItem
object.
vCloud Director supports using the vCloud API to upload media images to a catalog.
NOTE Media images in formats other than ISO can be uploaded, but are given an imageType of other in the
catalog.
The workflow for uploading media images is similar to the one shown in “Upload an OVF Package to
Create a vApp Template,” on page 58.
Prerequisites
Verify that the following conditions are met:
n

You have a media image to upload.

You are logged in as a user who has permission to upload media images.

You know the URL of the target catalog that will receive the upload. Retrieve the XML representation of
your organization to see a list of the catalogs that it contains.

Procedure
1

Find the add link for media in the target catalog
This link has the following form:

POST an action/upload request to the URL shown in Step 1
The request body is a Media element. See the request portion of “Example: Upload a Media Image,” on
page 72.
The server uses this information to create a CatalogItem and corresponding Media object, then returns
the CatalogItem in its response. See the response portion of “Example: Upload a Media Image,” on
page 72.

Use the URL in the Entity element of the CatalogItem to retrieve the Media object.
The Media element includes a File element that contains an upload:default URL.

PUT the media file contents to the upload:default link in the response.
The procedure is the same as the one shown in “Uploading Referenced Files,” on page 66.

Example: Upload a Media Image
There are two steps to uploading a media file. The first step is to make an action/upload request to the
catalog. The request body is a Media element that specifies the size of the ISO file and the name that you
want to apply to the created Media object. The imageType attribute is optional, and must be set to a value of
iso if you supply it.

VMware, Inc.

Chapter 4 Provisioning an Organization

Request:
POST https://vcloud.example.com/api/catalog/32/action/upload
Content-Type: application/vnd.vmware.vcloud.media+xml
...

ISO database image

Response:
201 Created
Content-Type: application/vnd.vmware.vcloud.catalogItem+xml
...

Approved template for public FTP sites

Examine the response to the action/upload request, then make a GET request to the URL in the Entity
element of the CatalogItem to retrieve the Media object.
GET https://vcloud.example.com/api/media/254

The Media object includes an upload URL for the media file itself.

...

VMware, Inc.

vCloud API Programming Guide

...

PUT the media file contents to the upload:default link in the response. The procedure is the same as the one
shown in “Uploading Referenced Files,” on page 66.
The upload URL remains valid while a transfer session is in progress, and for a maximum of 60 minutes of
transfer session idle time. A system administrator can change this default value. See “Retrieve or Update
System Settings,” on page 239.

Download a Media Image
The vCloud API supports downloading media images from a catalog.
Prerequisites
Verify that the following conditions are met:
n

You are logged in as a user who has permission to download media images.

You know the URL of the catalog item that references the media image.

Procedure
1

Retrieve the XML representation of the catalog and examine the catalog items that it contains.

Retrieve the catalog item that represents the media image.

Use the URL in the Entity element of the CatalogItem to retrieve the Media object.
The Media element includes a Link element of the following form, where id is the id of the media image:

Enable the media image for download.
Make a POST request to the action/enableDownload URL shown in Step 2. The response is a Task
element.

When the task completes, retrieve the media item again.
The Media object now includes a download URL for the media file.

Make a GET request to the download:default URL.
The media file is downloaded to the current working directory.

Example: Download a Media Image
When you download a media file, you first enable the file for download.
Request:
POST https://vcloud.example.com/api/media/254/action/enableDownload

VMware, Inc.

Chapter 4 Provisioning an Organization

Response:
202 Accepted
Content-Type: application/vnd.vmware.vcloud.task+xml
...

...

The Task in the response tracks the creation of the downloadable image. When the task completes, retrieve
the Media element again.
GET https://vcloud.example.com/api/media/254

The Media object now includes a download URL for the media file.

...

The download URL remains valid while a transfer session is in progress, and for a maximum of 60 minutes
of transfer session idle time. A system administrator can change this default value. See “Retrieve or Update
System Settings,” on page 239.

Capturing and Importing vApps
You can capture a vApp to create a vApp template from it. If you are a system administrator, you can also
import vApps and vApp templates from vSphere.
As an administrator, catalog author, or vApp author, you can capture an undeployed vApp to create a
vApp template in a catalog. Instantiating this template recreates the vApp from which the template was
captured. Capturing a vApp in this way provides a way to save the results of composing, recomposing, or
modifying a vApp after the vApp is undeployed. In addition, capturing a vApp preserves all vApp
reconfiguration in template form. Although most elements of a vApp template are read-only, you can
instantiate a template, modify the resulting vApp, and capture it to create a modified version of the
template. See “Capture a vApp as a Template,” on page 108

Importing vApps or vApp Templates from vSphere
A system administrator can import vApps and vApp templates from vSphere. See “Import a Virtual
Machine from vCenter,” on page 270.

VMware, Inc.

vCloud API Programming Guide

Managing Catalog Items
Catalog items are references to vApp templates and media files. If you have the appropriate rights, you can
copy, move, rename, or delete catalog items in your organization's catalogs. You cannot modify catalog
items in catalogs that have an external subscription.
After you add vApp templates or media files to a catalog, you might need to modify the CatalogItem objects
that represent them. Your rights to manipulate catalog items depend on the source from which the catalog
items were created.
n

If you are a catalog author or an administrator, you can copy, move, delete, or rename catalog items
that were uploaded, imported, or captured to a catalog that your organization owns, whether or not the
catalog is published externally. Changes you make to an externally published catalog are replicated to
all of the catalog's subscribers when those subscribers synchronize their copy of the catalog.

You cannot make changes to catalog items in catalogs that have an external subscription.

Changes to a catalog item increment the version number of the item and its containing catalog. See “Version
Numbers,” on page 198.
In addition to providing storage for locally created vApp templates and media files, catalogs provide a
flexible publication mechanism that supports distribution of content to other organizations and clouds. If
your organization allows it, you can publish a catalog to external consumers. You can also subscribe to
catalogs that external sources publish, although catalog items in such catalogs cannot be managed by
subscribers. See “Catalog Administration,” on page 197.

Copy or Move a Catalog Item
A Catalog object includes links that implement copy and move operations for the catalog items it contains.
To copy or move a catalog item from a source catalog to a target catalog, POST a
CopyOrMoveCatalogItemParams element that contains a reference to the catalog item to move to the copy or
move link of the target catalog.
Prerequisites
n

Verify that you are logged in as a user with the Catalog Author role, as an organization administrator of
the organization that owns the catalog, or as a system administrator.

Verify that the target catalog does not have an external subscription.

Procedure
1

Retrieve the XML representation of the source catalog.
Use a request like this one:
GET https://vcloud.example.com/api/catalog/32

Examine the Catalog element to find the CatalogItem elements it contains.
Each CatalogItem in the CatalogItems container has name, type, and href attributes. If you need more
information about a catalog item, you can retrieve it with a GET request to the URL in its href attribute.

Retrieve the XML representation of the target catalog.

VMware, Inc.

Chapter 4 Provisioning an Organization

Examine the Catalog element to find the copy and move links it contains.
These links have the following form:

Create a CopyOrMoveCatalogItemParams element that specifies the catalog item in the Source element.
See “Example: Copy a Catalog Item,” on page 77.

POST the CopyOrMoveCatalogItemParams to the appropriate link from the target catalog.
Option

Description

Copy the Catalog Item

POST the CopyOrMoveCatalogItemParams to the rel="copy" link.

Move the Catalog Item

POST the CopyOrMoveCatalogItemParams to the rel="move" link.

Example: Copy a Catalog Item
This request copies the catalog item shown in “Example: Retrieve a Catalog Item,” on page 29 to another
catalog. The response is a Task.
Request:
POST https://vcloud.example.com/api/catalog/44/action/copy
Content-Type: application/vnd.vmware.vcloud.copyOrMoveCatalogItemParams+xml
...

Reference copy of Ubuntu FTP Server

Response:
202 Accepted
Content-Type: application/vnd.vmware.vcloud.task+xml
...

...

VMware, Inc.

vCloud API Programming Guide

Change the Name or Description of a Catalog Item
Every CatalogItem object includes a rel="edit" link that you can use to modify the name or description of
the catalog item.
Prerequisites
n

Verify that you are logged in as a user with the Catalog Author role, as an organization administrator of
the organization that owns the catalog, or as a system administrator.

Verify that the target catalog does not have an external subscription.

Procedure
1

Retrieve the catalog item from the catalog.

Locate the rel="edit" link in the CatalogItem element.

Modify the retrieved CatalogItem element to change its name, description, or both.
See “Example: Change the Name and Description of a Catalog Item,” on page 78.

Make a PUT request to the href value of the rel="edit" link in the CatalogItem, supplying the modified
CatalogItem in the request body.

Example: Change the Name and Description of a Catalog Item
This request changes the name and the description of the catalog item shown in “Example: Retrieve a
Catalog Item,” on page 29. The request body excludes components such as Link elements and id attributes
that were present in the retrieved CatalogItem. These components are ignored if you include them in a
request.
Request:
PUT https://vcloud.example.com/api/catalogItem/221
Content-Type: application/vnd.vmware.vcloud.catalogItem+xml
...

Deprecated. Use https://vcloud.example.com/api/vAppTemplate/vappTemplate-230
instead

The response shows the modified CatalogItem.
Response:
200 OK
Content-Type: application/vnd.vmware.vcloud.catalogItem+xml
...

Deprecated. Use https://vcloud.example.com/api/vAppTemplate/vappTemplate-230
instead

VMware, Inc.

Chapter 4 Provisioning an Organization

Remove an Item from a Catalog
An organization administrator or a user with adequate permissions can remove a CatalogItem by making a
DELETE request to its rel="remove" link.
Removing a CatalogItem also removes the referenced vApp template or media image from the catalog's
storage.
Prerequisites
n

Verify that you are logged in as a user with the Catalog Author role, as an organization administrator of
the organization that owns the catalog, or as a system administrator.

Verify that the target catalog does not have an external subscription.

Procedure
1

Retrieve the catalog item from the catalog.

Locate the rel="remove" link in the CatalogItem element.

Make a DELETE request to the href value of the rel="remove" link in the CatalogItem.

Example: Remove an Item from a Catalog
This request removes the source catalog item that was copied in “Example: Copy a Catalog Item,” on
page 77.
Request:
DELETE https://vcloud.example.com/api/catalogItem/221

Response:
204 No Content

Synchronize a Catalog or Catalog Item
Catalogs that have external subscriptions are synchronized with their external sources by a background
process that the system administrator controls. You can also force synchronization of individual catalog
items or entire catalogs at any time.
Prerequisites
Verify that you are logged in as a user with the Catalog Author role, as an organization administrator of the
organization that owns the catalog, or as a system administrator.
Procedure
1

Retrieve the XML representation of a catalog that has an external subscription.
Use a request like this one:
GET https://vcloud.example.com/api/catalog/32

VMware, Inc.

Examine the Catalog element to find the CatalogItem elements that it contains.

vCloud API Programming Guide

Examine the Catalog and CatalogItem element to find the sync links that they contain.
In catalogs, these links have the following form:

In catalog items, these links have the following form:

Synchronize the catalog or catalog item.
Make a POST request to the appropriate action/sync link.
Option

Description

Synchronize a Catalog

Make a POST request to the action/sync link in the Catalog element.

Synchronize a Catalog Item

Make a POST request to the action/sync link in the CatalogItem
element.

Example: Synchronize a Catalog Item
This request synchronizes a single catalog item. The response is a task that tracks the progress of the
synchronization.
Request:
POST https://vcloud.example.com/api/catalogItem/102/action/sync

Response:
202 Accepted
Content-Type: application/vnd.vmware.vcloud.task+xml
...

...

Creating and Using Independent Disks
Independent disks are stand-alone virtual disks that you create in organization VDCs. Administrators and
users who have adequate rights can create, remove, and update independent disks, and connect them to
virtual machines.
When you create an independent disk, it is associated with an organization VDC but not with a virtual
machine. After the disk has been created in a VDC, the disk owner or an administrator can attach it to any
virtual machine deployed in that VDC. The disk owner can also modify disk properties, detach it from a
virtual machine, and remove it from the VDC. The system administrator and organization administrator of
the organization that contains the VDC have the same rights to use and modify the disk as the disk owner.

Create or Update an Independent Disk
To create an independent disk in an organization VDC, POST a DiskCreateParams element to the VDC's disk
link.
To create an independent disk, you must specify its name and size. You can optionally include a description
and specify a storage profile to be used by the disk. After you have created the disk, you can modify its
name, description, and storage profile.

VMware, Inc.

Chapter 4 Provisioning an Organization

The owner of a disk is initially the user who created it. To change the owner, see “View or Change the
Owner of an Object,” on page 83.
Procedure
1

Choose an organization VDC to contain the disk.

Create a DiskCreateParams element.
You must specify the size (in Megabytes) and name of the independent disk. See the request portion of
“Example: Create an Independent Disk,” on page 81.

POST the DiskCreateParams element you created in Step 2 to the URL for adding disks to the
organization VDC.
See the request portion of “Example: Create an Independent Disk,” on page 81.

Example: Create an Independent Disk
This example adds an independent disk to the organization VDC created in “Add a VDC to an
Organization,” on page 161. Because optional attributes busType and busSubType are omitted, a SCSI disk is
created.
Request:
POST https://vcloud.example.com/api/admin/vdc/44/disk
Content-Type: application/vnd.vmware.admin.diskCreateParams+xml
...

500 GB SCSI Disk

The response, a subset of which appears here, is a Disk element that contains an embedded Task that tracks
creation of the disk. Because the request did not specify a storage profile for the disk, it uses the default
storage profile for the containing organization VDC. The response also includes Link elements that enable
access to disk operations and metadata. While the disk is under construction, its status remains 0.
Response:
200 OK
Content-Type: application/vnd.vmware.vcloud.disk+xml
...

Independent Disk

...

Remove an Independent Disk
To remove an independent disk, verify that no powered-on virtual machines are attached to it, then use a
DELETE request to delete it.
A Disk element includes a link of the following form, which you can GET to return a list of virtual machines
to which the disk is attached.

VMware, Inc.

Chapter 4 Provisioning an Organization

There are also two queries that you can use to return a list of virtual machines, the disks connected to them,
and the VDC that contains them:
vmDiskRelation

Lists this information for Vm and Disk objects that you own.

AdminvmDiskRelation

Lists this information for all Vm and Disk objects in a cloud (system
administrators only).

Prerequisites
Verify that you are logged in to the vCloud API as a system administrator or the object owner.
Procedure
1

Verify that the independent disk is not connected to any virtual machines.

Delete the independent disk.
Make a DELETE request to the URL in the rel="remove" link in the Disk.

The server starts a task to manage the events that lead up to the removal of the object, and returns a Task
element that you can use to track the progress of the task.

Example: Remove an Independent Disk
Request:
DELETE https://vcloud.example.com/api/disk/128

Response:
202 Accepted
...

View or Change the Owner of an Object
You can view the owner of a VApp, VAppTemplate, Disk, or Media object by making a GET request to the
object's owner link. If you have adequate rights, you can change the owner of a Disk or VApp object, but not
that of a VAppTemplate or Media object. An administrator can view or change the owner of any object.
The initial owner of a VApp, VAppTemplate, Catalog, Disk, or Media object is the user who created it.
Ownership is expressed in an Owner element that the object representation contains. This element includes a
User element that references the owner. Object-specific rights to change ownership are included in several
predefined roles. See “Predefined Roles and Their Rights,” on page 227.
Prerequisites
To change the owner of a Disk, VApp, or Catalog object, you must be an organization administrator or the
system administrator.
Procedure
1

Retrieve the Owner element from the object.
This element includes a reference to the current owner and an edit URL you can use to change the
owner. This request retrieves the owner of a vApp.
GET https://vcloud.example.com/api/vApp/vapp-7/owner

VMware, Inc.

vCloud API Programming Guide

Modify the Owner element to specify a different User.
The user must be a member of the organization that contains the object.
NOTE You cannot modify the Owner of a Media or VAppTemplate object.

To change the owner, make a PUT request to the Owner element's rel="edit" URL and supply an Owner
element in the request body.
The User element in the Owner element references the new owner. See “Example: Change the Owner of
a vApp,” on page 84.

Example: Change the Owner of a vApp
Request:
PUT https://vcloud.example.com/api/vApp/vapp-7/owner
Content-type: application/vnd.vmware.vcloud.owner+xml
...

Response:
204 No Content

Controlling Access to vApps and Catalogs
Upon creation, catalogs and vApps grant full access to their owners and no access to other users. The
vCloud API access control mechanism enables object owners to retrieve or update these access controls as
needed.
To retrieve or update the access controls on a vApp or catalog, use controlAccess links. The controlAccess
links for catalogs are included when you retrieve the containing AdminOrg. The controlAccess links for a
vApp are included in the VApp element itself.
vCloud Director defines three levels of access:
ReadOnly

The ReadOnly access level grants rights to read or use the object.

Change

The Change access level includes all rights granted by ReadOnly access and
grants additional rights to modify the object and its properties.

FullControl

The FullControl access level includes all rights granted by Change access and
grants additional rights to change the owner of the object, share it, or delete
it.

See “Access Rights to vCloud Director Objects,” on page 87 for detailed information about the rights
granted by each access level.

VMware, Inc.

Chapter 4 Provisioning an Organization

Access Control for vApps
An administrator or vApp owner can control access to a vApp. Each VApp element includes two types of
access control links:
n

Links where rel="down".

Use this kind of link to retrieve the access control settings for the vApp identified in the href value.
n

Links where rel="controlAccess".

Use this kind of link to specify new access control settings for the vApp identified in the href value.
You specify the new access control settings in a ControlAccessParams element that you post to the URL
that the href value of this link specifies. See “Update vApp Access Controls,” on page 110 for an
example.

Access Control for Catalogs
A system administrator or organization administrator can control access to a catalog. Each Org element
includes two types of access control links for the catalogs owned by the organization it represents:
n

Links where rel="down".

Use this kind of link to retrieve the access control settings for the catalog identified in the href value.
n

Links where rel="controlAccess".

Use this kind of link to specify new access control settings for the catalog identified in the href value.
You specify the new access control settings in a ControlAccessParams element that you post to the URL
that the href value of this link specifies.
NOTE The controlAccess links for catalogs are not returned in the AdminOrg response when you retrieve the
organization in admin view.

VMware, Inc.

vCloud API Programming Guide

Granting Access to All Members of an Organization
To specify access controls that apply to all members of an organization, an organization administrator can
set IsSharedToEveryone to true and specify an access level in the EveryoneAccessLevel element. The
following ControlAccessParams element grants read access to all members of the organization.

true
ReadOnly

Granting Access to Individual Members of an Organization
To specify access controls that apply to specific users, an organization administrator can set
IsSharedToEveryone to false and specify an access level in an AccessSettings element that the
ControlAccessParams request contains. An AccessSettings element is populated with one or more
AccessSetting elements, each of which assigns an access level to the user identified in the Subject element.
The following ControlAccessParams element grants full control to one user and read-only access to another
user.

false

FullControl

ReadOnly

Viewing or Changing the Owner of a vApp or Catalog
Ownership of a VApp or Catalog object is expressed in an Owner element that you can retrieve from the object.
This element contains a User element that identifies the owner with a reference to a specific user. The initial
owner of an object is the user who created it.
A system administrator can view or change the owner of a VApp or Catalog object using the procedure
documented in “View or Change the Owner of an Object,” on page 83.

VMware, Inc.

Chapter 4 Provisioning an Organization

Access Rights to vCloud Director Objects
Each access level supported by vCloud Director grants one or more users a specific set of rights to an object.
vCloud Director access levels are similar to roles in that they give a name to a set of rights. When you apply
an access control to an object, you grant one or more users in your organization a set of rights to the object.
Access rights are additive. You can make an object more accessible to users who have limited rights, but you
cannot to restrict the rights that a user may already have. For example, an organization administrator retains
full control of an object even if you apply ReadOnlyaccess rights to it for all organization members.
Table 4‑2. Access Levels and the Rights They Grant
FullControl

Change

Catalog: Add vApp from
My Cloud

Catalog: Change Owner

Catalog: VCSP Publish
Subscribe

Catalog: Edit Properties

Catalog: Publish

Catalog: View Private and
Shared Catalogs

Catalog: View Published
Catalogs

vApp Template or Media:
Copy

vApp Template or Media:
Create or Upload

vApp Template or Media:
Edit

vApp Template or Media:
View

vApp Template: Checkout
(Add to My Cloud)

vApp Template: Download

vApp: Change Owner

vApp: Copy

vApp: Create or Reconfigure

vApp: Delete

vApp: Edit Properties

vApp: Edit VM CPU

vApp: Edit VM Hard Disk

vApp: Edit VM Memory

vApp: Edit VM Network

vApp: Edit VM Properties

vApp: Manage VM
Password Settings

vApp: Power Operations

VMware, Inc.

ReadOnly

vCloud API Programming Guide

Table 4‑2. Access Levels and the Rights They Grant (Continued)
FullControl

vApp: Sharing

vApp: Use Console

Change

ReadOnly

VMware, Inc.

Deploying and Operating vApps

The vCloud API supports programmatic access to a range of self-service datacenter operations that allow
users to create, configure, deploy, and operate vApps.
The initial configuration of a vApp is established in the OVF package on which its source template is based.
In the vCloud API, vApp templates are based on OVF 1.0. These templates can be retrieved from catalogs
and transformed into virtual systems, called vApps, through a process called instantiation, which binds a
template’s abstract resource requirements to resources available in a VDC.

About OVF
OVF is a widely accepted standard format that applies to many virtualization technologies.
n

Virtual machines and appliances are distributed as OVF packages by many vendors.

Many vendors, including VMware, offer tools that simplify creating and customizing OVF, support
converting virtual machines on existing virtualization platforms to OVF, or both.

OVF can express the complex relationships between virtual appliances in enterprise applications. The
author of the appliance can handle most of the complexity, rather than the user who deploys it.

OVF is extensible, allowing new policies and requirements to be inserted by ISVs and implemented by
the virtualization platforms that support them without requiring changes to other clients, other
platforms, or the vCloud API itself.

Administrators and advanced users should become familiar with the details of the OVF standard before
developing applications with the vCloud API. The complete OVF specification document is available at
http://www.dmtf.org/standards/published_documents/DSP0243_1.0.0.pdf. An informative white paper on
OVF is available at http://www.dmtf.org/standards/published_documents/DSP2017_1.0.0.pdf.
A virtual machine is typically made up of one or more virtual disk files that contain the operating system
and applications that run on the virtual machine, and a configuration file containing metadata that describe
how the virtual machine is configured and deployed. An OVF package includes these components, as well
as optional certificate and manifest files. The package can be distributed and stored as a collection of
individual files, or as a single archive (OVA) file. The vCloud API does not support uploading or
downloading OVA files.

vApp Life Cycle
A vApp contains one or more Vm elements, which represent individual virtual machines. It also contains
information that defines operational details for the vApp and the virtual machines that it contains. The
vApp lifecycle includes several distinct states:
n

An OVF package, the form in which vApps are typically distributed.

A vApp template, created when a client uploads an OVF package to a catalog.

VMware, Inc.

vCloud API Programming Guide

An undeployed vApp, created when a vApp template is instantiated without also being deployed, or a
deployed vApp is undeployed.

A deployed vApp, ready to be powered on and operated. Instantiation can include deployment, poweron, or both.

Figure 5‑1. vApp State Transitions

This chapter includes the following topics:

“Summary of vCloud API vApp and Virtual Machine Operations Requests,” on page 91

“Create a vApp From a Template,” on page 93

“Create a vApp From an OVF Package,” on page 97

“Compose a vApp From Existing Virtual Machines,” on page 101

“Recompose a vApp to Add or Remove Virtual Machines,” on page 103

“Clone a vApp,” on page 106

“Capture a vApp as a Template,” on page 108

VMware, Inc.

Chapter 5 Deploying and Operating vApps

“Update vApp Access Controls,” on page 110

“Provide User Input Requested by a Virtual Machine,” on page 111

“Attach or Detach an Independent Disk,” on page 112

“Creating and Using vApp Snapshots,” on page 114

“Operate a vApp,” on page 115

“Configuring vApps and Virtual Machines,” on page 116

Summary of vCloud API vApp and Virtual Machine Operations
Requests
These vCloud API operations requests create, manage, operate, and delete vApps and the virtual machines
that they contain.
n

API-URL is a URL of the form https://vcloud.example.com/api.

id is a unique identifier in the form of a UUID, as defined by RFC 4122.

VApp-or-Vm-URL is a URL of the form API-URL/vApp/vapp-id (for a VApp object) or APIURL/vApp/vm-id (for a Vm object)

Vm-URL is a URL of the form API-URL/vApp/vm-id

Request

Request Body

Response

Create a vApp from an OVF
package [NEW]

POST API-URL/vdc/id/
action/instantiateOvf

InstantiateOvfParams

VApp

Instantiate a vApp template
to create a vApp

POST API-URL/vdc/id/
action/instantiateVAppTe
mplate

InstantiateVAppTemplat
eParams

VApp

Change the name or
description of a vApp.

PUT API-URL/vApp/vappid

VApp

Task

Compose a vApp

POST API-URL/vdc/id/
action/composeVApp

ComposeVAppParams

VApp

Capture a vApp as a
Template

POST APIURL/catalog/id/action/capt
ureVApp

CaptureVAppParams

VAppTemplate

Clone a vApp.

POST APIURL/vdc/id/action/cloneVA
pp

CloneVAppParams

VApp

Recompose a vApp to add
or remove virtual machines

POST APIURL/vApp/vapp-id/
action/recomposeVApp

RecomposeVAppParams

Task

Deploy a vApp or Virtual
Machine

POST VApp-or-VmURL/action/deploy

DeployVAppParams

Task

VMware, Inc.

vCloud API Programming Guide

Table 5‑1. Summary of vApp and Virtual Machine Operations Requests (Continued)

Operation

Request

Request Body

Response

Undeploy a vApp or Virtual
Machine

POST VApp-or-VmURL/action/undeploy

UndeployVAppParams

Task

Power On a vApp or Virtual
Machine

POST VApp-or-VmURL/action/powerOn

None

Task

Power Off a vApp or Virtual
Machine

POST VApp-or-VmURL/action/powerOff

None

Task

Reset a vApp or Virtual
Machine

POST VApp-or-VmURL/action/reset

None

Task

Suspend a vApp or Virtual
Machine

POST VApp-or-VmURL/action/suspend

None

Task

Discard the Suspended State
of a vApp or Virtual
Machine

POST VApp-or-VmURL/action/
discardSuspendedState

None

Task

Shut Down a vApp or
Virtual Machine

POST VApp-or-VmURL/action/shutdown

None

Task

Reboot a vApp or Virtual
Machine

POST VApp-or-VmURL/action/reboot

None

Task

Retrieve product sections of
a vApp or virtual machine

GET VApp-or-VmURL/productSections

None

ProductSectionList

Update product sections of a
vApp or virtual machine

PUT VApp-or-VmURL/productSections

ProductSectionList

Task

Retrieve product sections of
a vApp template

GET APIURL/vAppTemplate/vappT
emplate-id/productSections

None

ProductSectionList

Retrieve version of VMware
Tools installed on a virtual
machine

GET VmURL/runtimeInfoSection

None

RuntimeInfoSection

Install VMware Tools on a
virtual machine

POST VmURL/action/installVMware
Tools

None

Task

Consolidate a virtual
machine

POST VmURL/action/consolidate

None

Task

Upgrade the hardware
version of a virtual machine

POST VmURL/action/upgradeHardw
areVersion

None

Task

Insert Media Into a Virtual
Machine

POST VmURL/action/insertMedia

MediaInsertOrEjectPara
ms

Task

Eject Media from a Virtual
Machine

POST VmURL/action/ejectMedia

MediaInsertOrEjectPara
ms

Task

List Media Devices of a
Virtual Machine

GET Vm-URL/
virtualHardwareSection/m
edia

None

RasdItemsList

Get a Request for User Input

GET Vm-URL/question

None

VmPendingQuestion

Provide Requested User
Input

POST VmURL/question/action/answ
er

VmQuestionAnswer

204 No Content

VMware, Inc.

Chapter 5 Deploying and Operating vApps

Table 5‑1. Summary of vApp and Virtual Machine Operations Requests (Continued)
Operation

Request

Request Body

Response

Get a Screen Thumbnail for
a Virtual Machine

GET Vm-URL/screen

None

Returns a screen thumbnail
(Content-type: image/png) if
one is available. Otherwise
returns null (ContentLength: 0).

Get a Screen Ticket for a
Virtual Machine

POST VmURL/screen/action/acquire
Ticket

None

ScreenTicket

Attach an independent disk
to a virtual machine.

POST VmURL/disk/action/attach

DiskAttachOrDetachPara
ms

Task

Detach an independent disk
from a virtual machine.

POST VmURL/disk/action/detach

DiskAttachOrDetachPara
ms

Task

Create snapshots of all
virtual machines in a vApp.

POST APIURL/vApp/vapp-id/
action/createSnapshot

CreateSnapshotParams

Task

Remove snapshots of all
virtual machines in a vApp.

POST APIURL/vApp/vapp-id/
action/removeAllSnapshots

None

Task

Revert all virtual machines
in a vApp to their current
snapshots.

POST APIURL/vApp/vapp-id/
action/revertToCurrentSna
pshot

None

Task

Retrieve information about
vApp snapshots.

GET API-URL/vApp/vappid/snapshotSection

None

SnapshotSection

Validate the storage profile
compliance of a virtual
machine.

POST API-URL/vApp/vmid/action/checkCompliance

None

Task

Retrieve a virtual machine
storage profile validation
report.

GET API-URL/vApp/vmid/complianceResult

None

ComplianceResult

Create a vApp From a Template
An instantiateVAppTemplate request creates a vApp from a vApp template.
To create a vApp from a vApp template, you must bind the template's abstract resource requirements, such
as network connections, storage resources, memory, and CPU capacity, to appropriate resources in the
target VDC. This binding operation is called instantiation.
For an example of a simple instantiation request, see “Deploy the vApp,” on page 31. You can also specify
additional parameters as part of instantiation.
Template contents that might influence composition of the request body include the following sections:
n

A NetworkConnectionSection that specifies network connection details for a virtual machine. Unless
you want to create a vApp in which none of the virtual machines are connected to a network, your
instantiation parameters must include at least one NetworkConfigSection that defines a vApp network,
and that section must include a NetworkConfig element whose networkName attribute value matches the
value of the network attribute of the NetworkConnection of each Vm in the template. If this attribute has
the value none or is missing, the Vm can connect to any network. If the template contains Vm elements that
specify different names for their network connections, you must create a vApp network for each.

VMware, Inc.

vCloud API Programming Guide

One or more EulaSection elements that specify licensing terms or other conditions that you must accept
before creating the vApp. The InstantiateVAppTemplateParams element can include an
AllEULAsAccepted element whose value indicates whether you accept all EULA terms included in the
template. If a vApp template includes any ovf:EulaSection elements, AllEULAsAccepted must be set to a
value of true. Otherwise, instantiation fails.

A LeaseSettingsSection. If this section is present and specifies settings that are appropriate for the
vApp, you do not need to modify it. If it is absent or empty, the vApp is created with your
organization’s default lease settings. If you specify new lease settings in a LeaseSettingsSection that
you provide as part of instantiation, those settings replace any existing settings and override your
organization's defaults.

Prerequisites
Verify that you are logged in to the vCloud API as a system administrator or member of an organization in
the cloud.
Procedure
1

Retrieve the XML representation of the vApp template.
Make a GET request to the URL provided in the href attribute of the Entity contained by the
CatalogItem that references the template.

Examine the template to determine the set of instantiation parameters that the request must include.

Create an InstantiateVAppTemplateParams element.
See “Example: Instantiate a vApp Template,” on page 94 for guidelines.

Make a POST request to the action/instantiateVAppTemplate URL of the VDC.
Supply the InstantiateVAppTemplateParams element as the request body.

Example: Instantiate a vApp Template
This InstantiateVAppTemplateParams request extends the request shown in “Example: Deploying a vApp,”
on page 32 to include additional elements in its InstantiationParams:
n

A LeaseSettingsSection that specifies custom lease settings, overriding the settings that would
otherwise be inherited from the organization.

An acknowledgement of EulaSection acceptance, supplied in the AllEULAsAccepted element. If the
template does not include EulaSection elements, you can omit this acknowledgement.

For more information and a list of sections that you can include in InstantiationParams, see “Configuring a
vApp,” on page 117.
Request:
POST https://vcloud.example.com/api/vdc/5/action/instantiateVAppTemplate
Content-Type: application/vnd.vmware.vcloud.instantiateVAppTemplateParams+xml
...

Example FTP Server

Configuration parameters for logical networks

bridged

Lease Settings
172800
2010-04-11T08:08:16.438-07:00

true

The response is a sparsely populated VApp element, as shown in the response portion of
“Example: Deploying a vApp,” on page 32.

Modify Virtual Machine Hardware During vApp Template Instantiation
An InstantiateVAppTemplateParams request body can include a SourcedVmInstantiationParams element for
each virtual machine in the vApp. With the values in this element, you can modify a subset of virtual
machine hardware configuration parameters during instantiation.
SourcedVmInstantiationParams supports the following configuration changes:
n

Specify a storage profile for the virtual machine.

Increase the capacity of the virtual machine's SATA or SCSI disks.

Increase or decrease the size of the virtual machine's memory.

Increase or decrease the number of CPU cores per virtual socket.

Add or remove CPUs.

You can also modify any of these configuration settings after the vApp is deployed. See “Configuring
vApps and Virtual Machines,” on page 116
Prerequisites
Most of the virtual machine configuration parameters that you can reconfigure during instantiation are
defined in the OVF descriptor for the vApp template that contains the virtual machine. The easiest way to
access these parameters is to download the OVF descriptor of the vApp template. See “Download the OVF
Descriptor of a vApp or vApp Template,” on page 70. You do not need to download any files other than the
descriptor.

VMware, Inc.

vCloud API Programming Guide

Procedure
1

Examine the OVF descriptor of the template to determine the values that you can include in a

SourcedVmInstantiationParams element.

See “Example: Modify Virtual Machine Hardware During vApp Template Instantiation,” on page 96
for guidelines.
2

Include the SourcedVmInstantiationParams element in an InstantiateVAppTemplateParams element.
See “Example: Modify Virtual Machine Hardware During vApp Template Instantiation,” on page 96.

Make a POST request to the action/instantiateVAppTemplate URL of the VDC.
Supply the InstantiateVAppTemplateParams element as the request body.

Example: Modify Virtual Machine Hardware During vApp Template Instantiation
This InstantiateVAppTemplateParams request extends the one shown in “Example: Instantiate a vApp
Template,” on page 94 to include a SourcedVmInstantiationParams element that makes several configuration
changes in the virtual machine referenced at https://vcloud.example.com/api/vAppTemplate/vm-4.
n

Specifies a storage profile for the virtual machine.

Adds a virtual CPU and changes the value of CoresPerSocket to 2. If you include a CoresPerSocket
element, its value must be an integer multiple of the value of the existing rasd:VirtualQuantity of CPU
items, or of the value you supply in NumberOfCpus. “Example: Modify the CPU Configuration of a
Virtual Machine,” on page 136 shows the original CPU configuration, and how to make this change by
reconfiguring the virtual machine in a deployed vApp.

Increases the capacity of the hard disk from 1GB to 10GB by including a Disk element that specifies a
Size of 10240 for the disk that has a rasd:InstanceID value of 2000. The value you supply for Size is
interpreted as megabytes. You can see the original disk configuration in “Example: Retrieve the Hard
Disks and Controllers in a Virtual Machine,” on page 142. “Example: Modify the Hard Disk
Configuration of a Virtual Machine,” on page 144 shows how to make the same change by
reconfiguring the virtual machine in a deployed vApp. If you include a Disk element, the value of its
instanceId attribute must match the value in the rasd:InstanceID element of an existing Item that
defines a virtual disk (RASD resource type 17). Disk capacity can be raised, but not lowered, for disks
on SATA and SCSI controllers. The capacity of other disk types cannot be changed. Item elements that
represent SATA disks have a vcloud:busType attribute with the value 20. Those that represent SCSI
disks have a vcloud:busType attribute with the value 6.

Request:
POST https://vcloud.example.com/api/vdc/5/action/instantiateVAppTemplate
Content-Type: application/vnd.vmware.vcloud.instantiateVAppTemplateParams+xml
...

Example FTP Server

Configuration parameters for logical networks

VMware, Inc.

Chapter 5 Deploying and Operating vApps

bridged

Lease Settings
172800
2013-04-11T08:08:16.438-07:00

2
2

10240

true

Create a vApp From an OVF Package
An instantiateOvf request uploads an OVF package and then creates a vApp from it. By default, this
operation also deploys the vApp and powers it on.
If you want to deploy an OVF package as a vApp without creating a vApp template and corresponding
catalog item, make an instantiateOvf request. This request initiates a workflow similar to the one shown in
“Upload an OVF Package to Create a vApp Template,” on page 58, but with a few important differences.
n

The target of the upload is a VDC, not a catalog.

The request body is an InstantiateOvfParams element, not an UploadVAppTemplateParams element.

The response is a VApp element that includes an upload URL for the OVF descriptor.

After you retrieve the VApp element created by the instantiateOvf request, you can upload the descriptor
and the files it references.
Prerequisites
Verify that the following are true:
n

You have an OVF package to upload.

You are logged in as a user who has permission to upload OVF packages and create vApps.

VMware, Inc.

vCloud API Programming Guide

You know the URL of the target VDC that will receive the upload. Retrieve the XML representation of
your organization to see a list of the VDCs that it contains.

Review the contents of the Envelope element in the descriptor file of your OVF package. Several properties
in this file have implications for the InstantiateOvfParams request body you must construct to initiate the
upload.
Procedure
1

Retrieve the XML representation of the target VDC.

Examine the response to locate the Link element that contains the URL for creating a vApp from an
OVF package.
This element has a rel attribute value of add and a type attribute value of
application/vnd.vmware.vcloud.instantiateOvfParams+xml, as shown here:

Create an InstantiateOvfParams request body.
See the request portion of “Example: Create a vApp From an OVF Package,” on page 99.

POST the InstantiateOvfParams to the instantiateOvf URL you retrieved in Step 2
See the request portion of “Example: Create a vApp From an OVF Package,” on page 99.

Examine the response.
The response, a VApp element, contains a File element that specifies an upload URL for the OVF
descriptor. See the response portion of “Example: Create a vApp From an OVF Package,” on page 99

Upload the OVF descriptor.
Make a PUT request to the upload URL in the VApp. The upload URL for the OVF descriptor is in a Link
element with the following form:

Supply the OVF descriptor as the request body. The OVF descriptor contains a single Envelope element.
7

Retrieve the remaining upload URLs
a

Retrieve the VApp.

Verify that the value of the ovfDescriptorUploaded attribute is true.

Examine the VApp to find the upload URLs for the files referenced in the OVF descriptor.
These URLs are contained in Link elements where rel="upload:default".

Upload the referenced files.
You can follow the progress of the upload by retrieving the vApp and noting the progress of the
embedded Task.

After all of the referenced files are uploaded, the VApp element no longer includes an embedded Task. The
vApp is placed in the power and deployment state that the values of the powerOn and deploy attributes
specify in the request body.

VMware, Inc.

Chapter 5 Deploying and Operating vApps

Example: Create a vApp From an OVF Package
This request includes a NetworkMapping element that maps a network name found in the uploaded OVF
descriptor to the name of a network available in the target VDC.
Request:
POST https://vcloud.example.com/api/vdc/5/action/instantiateOvf
Content-Type: application/vnd.vmware.vcloud.instantiateOvfParams+xml
...

Example vApp

Configuration parameters for logical networks

bridged

true

Network 1
vAppNetwork

VM-1

0
true
POOL

W2K8

The response is a sparsely populated VApp element that includes an upload URL for the OVF descriptor. See
“Uploading Referenced Files,” on page 66 for file upload procedures.

VMware, Inc.

vCloud API Programming Guide

Response:
201 Created
Content-Type: application/vnd.vmware.vcloud.vApp+xml
...

Example vApp

...

false

100

VMware, Inc.

Chapter 5 Deploying and Operating vApps

Compose a vApp From Existing Virtual Machines
With the vCloud API composeVApp operation, you can build a vApp from existing virtual machines,
including virtual machines contained by vApps and vApp templates to which you have access.
Every VDC includes a link to a composeVApp operation, which creates a new vApp in it. To compose a vApp,
POST a composeVApp request to this link. The request body is a ComposeVAppParams element, which includes
the following information:
n

An InstantiationParams element that can include any of the section types listed under “Configuring a
vApp,” on page 117. This is where you define the vApp network to which all the virtual machines in
the composed vApp connect, and custom vApp lease settings and startup parameters for the virtual
machines.

An optional Description of the composed vApp.

Zero or more SourcedItem elements, each of which defines a source of virtual machines to include in the
composition. Each SourcedItem must contain a Source element that references a composition source, the
href of a Vm, VApp, or VAppTemplate. If the Source element references a virtual machine, the SourcedItem
can include any of the following elements:
n

An InstantiationParams element specific to that virtual machine. This element can include any of
the section types listed under “Configuring a Virtual Machine,” on page 117.

A NetworkAssignment element that specifies how the network connections in the virtual machine
are mapped to vApp networks defined in the InstantiationParams element that applies to the
composed vApp.

A VAppScopedLocalId element that provides a unique identifier for the virtual machine in the scope
of the composed vApp.

If the Source element references a vApp or vApp template, all Vm elements from each composition
source become peers in the Children collection of the composed vApp.
n

If any of the composition items is subject to a EULA, the ComposeVAppParams element must include an
AllEULAsAccepted element that has a value of true, indicating that you accept the EULA. Otherwise,
composition fails.

The composed vApp must be deployed and powered on before you can use it.
Prerequisites
Verify that you are logged in to the vCloud API as a system administrator or member of an organization in
the cloud.
Procedure
1

Find the composeVApp link in the target VDC.
The XML representation of the VDC contains a composeVapp link, which has the following form:

Create a ComposeVappParams element that specifies the details of the composition.

POST the ComposeVappParams element to the composeVapp link of the target VDC.
See the Request portion of “Example: Compose a vApp,” on page 102.

VMware, Inc.

101

vCloud API Programming Guide

Example: Compose a vApp
This request specifies two vAppTemplate items and one Vm item. The Vm item requires InstantiationParams
that modify its NetworkConnectionSection to specify the vApp network created for this vApp. The
vAppTemplate items inherit this setting from the base InstantiationParams element that appears before the
first SourcedItem is specified.
NOTE Virtual machines specified in Source elements must be powered off or this operation will fail. You
can use a query like this one to return a list of references to powered-off virtual machines that you have
access to.
https://vcloud.example.com/api/query?type=adminVM&format=references&filter=status==POWERED_OFF

See Chapter 9, “Using the Query Service,” on page 289.
Request:
POST https://vcloud.example.com/api/vdc/5/action/composeVApp
Content-Type: application/vnd.vmware.vcloud.composeVAppParams+xml
...

Composed CRM Appliance

Configuration parameters for logical networks

natRouted

0
true
DHCP

102

VMware, Inc.

Chapter 5 Deploying and Operating vApps

true

The response is a sparsely populated VApp element in the target VDC. When the Task embedded in the
response is complete, the vApp has been composed.
Response:
201 Created
Content-Type: application/vnd.vmware.vcloud.vApp+xml
...

...
Composed CRM Appliance
...

...

Recompose a vApp to Add or Remove Virtual Machines
The vCloud API supports recomposition of a vApp to add or remove virtual machines. To recompose a
vApp, make a recomposeVApp request, supplying a RecomposeVAppParams element as the request body.
The RecomposeVAppParams element allows an arbitrary number of DeleteItem elements, but is otherwise
identical to ComposeVAppParams. This means that in addition to adding or removing virtual machines, a
recomposeVApp request can also change the name and description of the vApp, and can supply new
InstantiationParams to change various sections of the composed vApp or any of the added virtual
machines.
Unlike a composeVapp request, which operates on a VDC and creates a new vApp, a recomposeVapp request
operates on (and modifies) an existing vApp.
Prerequisites
Verify that you are logged in to the vCloud API as a system administrator or member of an organization in
the cloud.

VMware, Inc.

103

vCloud API Programming Guide

Procedure
1

Find the recomposeVApp link in the target vApp.
The XML representation of a vApp contains a recomposeVapp link, which has the following form:

Create a RecomposeVappParams element that specifies the details of the recomposition.
See “Example: Recompose a vApp,” on page 104.

POST the RecomposeVappParams element to the recomposeVapp link of the target vApp.

Example: Recompose a vApp
This example uses the recomposeVApp operation to modify this vApp, which contains three virtual machines.
Only a few of the elements in the vApp appear here.

...

The request removes one of the virtual machines from the vApp and creates a StartupSection that specifies
a startup order for the remaining virtual machines.

104

VMware, Inc.

Chapter 5 Deploying and Operating vApps

Request:
POST https://vcloud.example.com/api/vApp/vapp-33/action/recomposeVApp
Content-Type: application/vnd.vmware.vcloud.recomposeVAppParams+xml
...

Composed CRM Appliance

Configuration parameters for logical networks

natRouted

VApp startup section

true

Response:
202 Accepted
Content-Type: application/vnd.vmware.vcloud.task+xml
...

...

NOTE Virtual machines specified in Source elements must be powered off or this operation will fail. You
can use a query like this one to return a list of references to powered-off virtual machines that you have
access to.
https://vcloud.example.com/api/query?type=adminVM&format=references&filter=status==POWERED_OFF

See Chapter 9, “Using the Query Service,” on page 289.

VMware, Inc.

105

vCloud API Programming Guide

Clone a vApp
You can make a copy of a vApp by cloning it. If the vApp is deployed when you clone it, the clone
procedure also clones the memory state of the virtual machines in the vApp.
The cloneVApp request makes a copy of the vApp referenced in the Source element of the CloneVappParams
request body. The request specifies a new name and, optionally, a new description for the copy. The request
can optionally include an IsSourceDelete element whose value specifies whether to delete the source vApp
after the copy is complete. If IsSourceDelete is missing from the request body, or present with a value of
false, the source object remains in place after the copy is complete. Setting IsSourceDelete to true
effectively moves or renames the vApp.
If the vApp is deployed when you clone it and the target VDC is backed by the same provider VDC as the
source VDC, the clone is created with the following properties:
n

Memory state of all virtual machines in the source vApp is preserved in the clone.

The clone is suspended and connected to an isolated network.

Prerequisites
Verify that you are logged in to the vCloud API as a system administrator or member of an organization in
the cloud.
Procedure
1

Retrieve the XML representation of the VDC in which you want to deploy the cloned vApp.
Use a request like this one, where id is the identifier of the VDC:
GET https://vcloud.example.com/admin/vdc/id

You can create the clone in the same VDC that holds the source vApp, or in a different VDC.
2

Examine the response to locate the Link element that contains the URL for cloning a vApp.
This element has a rel attribute value of add and a type attribute value of
application/vnd.vmware.vcloud.captureVAppParams+xml, as shown here:

Create a CloneVappParams element that references the vApp to clone and specifies details of the clone
operation.
See “Example: Clone a vApp,” on page 106.

POST the CloneVappParams element to the action/cloneVApp link of the VDC in which the clone should
be created.

Example: Clone a vApp
This request creates a copy of the vApp created in “Example: Instantiate a vApp Template,” on page 94 in
another VDC. Because the ParentNetwork in the Source vApp is not available in the VDC specified in the
action/cloneVApp request, the CloneVAppParams request body must include InstantiationParams that
specify a new ParentNetwork for the vApp network.
NOTE If the vApp is deployed when you clone it, any network configuration you specify in the

CloneVAppParams is ignored and the clone is created with a connection to an isolated network.

106

VMware, Inc.

Chapter 5 Deploying and Operating vApps

Request:
POST https://vcloud.example.com/api/vdc/12/action/cloneVApp
Content-Type: application/vnd.vmware.vcloud.cloneVAppParams+xml
...

Cloned vApp Example

Configuration parameters for logical networks

bridged

false

The response is a sparsely populated VApp element in the target VDC. When the Task embedded in the
response is complete, the vApp has been cloned.
Response:
201 Created
Content-Type: application/vnd.vmware.vcloud.vApp+xml
...

...

...
Cloned vApp Example
...

...

Capture a vApp as a Template
You can capture a vApp to create a vApp template in a catalog. Instantiating the resulting template recreates
the vApp from which it was captured.
The captureVApp request creates a template based on the vApp referenced in the Source element of the
CaptureVAppParams request body. The request specifies a new name and, optionally, a new description and

storage profile for the template. If you want the new template to overwrite an existing template in the
catalog, you can specify a TargetCatalogItem in the request. Otherwise, the new template is stored in a new
catalog item.
If the vApp is deployed when you capture it, the template is created with the following properties.
n

Memory state of all virtual machines in the source vApp is preserved in the template.

Instantiating the template always creates a suspended vApp connected to an isolated network.

NOTE If the template is instantiated in a VDC that is not backed by the provider VDC that backed the VDC
in which the vApp was captured, memory state in the template is discarded on instantiation, and the vApp
is created with the network connections defined in the template or instantiation parameters.
Prerequisites
n

Verify that you are logged in as a user with the Catalog Author role, as an organization administrator of
the organization that owns the catalog, or as a system administrator.

Verify that the target catalog does not have an external subscription.

Procedure
1

Retrieve the XML representation of the catalog to which to add the vApp template that the capture
creates.
Use a request like this one, where id is the identifier of the catalog:
GET https://vcloud.example.com/api/admin/catalog/id

Examine the response to locate the Link element that contains the URL for capturing a vApp.
This element has a rel attribute value of add and a type attribute value of
application/vnd.vmware.vcloud.captureVAppParams+xml, as shown here:

Create a CaptureVAppParams element that references the vApp to capture.
See “Example: Capture a vApp,” on page 109.

108

POST the CaptureVAppParams element to the action/captureVApp link shown in Step 2.

VMware, Inc.

Chapter 5 Deploying and Operating vApps

Example: Capture a vApp
This request captures the vApp created in “Example: Compose a vApp,” on page 102. Because the request
does not specify a TargetCatalogItem, a new catalog item is created for the new template.
Request:
POST https://vcloud.example.com/api/catalog/5/action/captureVApp
Content-Type: application/vnd.vmware.vcloud.captureVAppParams+xml
...

Captured CRM Appliance

The response is a sparsely populated VApp element in the target VDC. It contains a Link to the catalog
specified in the request. When the Task embedded in the response is complete, the vApp has been captured
and a vApp template created in the target catalog.
Response:
200 OK
Content-Type: application/vnd.vmware.vcloud.vAppTemplate+xml
...

...

...
Captured CRM Appliance
...

...

VMware, Inc.

109

vCloud API Programming Guide

Update vApp Access Controls
A system or organization administrator can use the controlAccess links in a VApp element to grant or restrict
access to the vApp.
A vApp initially grants full access to its owner and no access to other users. The vCloud API access control
mechanism enables an administrator to retrieve or update vApp access controls to add or remove rights for
all users, or for individual users. For a general discussion of access controls in vCloud Director, see
“Controlling Access to vApps and Catalogs,” on page 84.
Procedure
1

Retrieve the XML representation of the vApp.
Use a request like this one:
GET https://vcloud.example.com/api/vApp/vapp-7

Examine the VApp element to find the controlAccess links that it contains.

Create a ControlAccessParams element request body that specifies the details of the update.

POST the ControlAccessParams element to the action/controlAccess link that you retrieved in Step 1.

Example: Update vApp Access Controls
This request updates the access controls of a vApp to grant full control to one user and read-only access to
another user. The request body, a ControlAccessParams element, specifies a value of false for the
IsSharedToEveryone element, and contains an AccessSetting element for each user whose access rights are
being modified. Each user is identified by a reference to a User object (see “User and Group
Administration,” on page 219). The response, a subset of which appears in this example, echoes the request.
Request:
POST https://vcloud.example.com/api/vApp/vapp-7/action/controlAccess
Content-Type: application/vnd.vmware.vcloud.controlAccess+xml
...

false

FullControl

ReadOnly

110

VMware, Inc.

Chapter 5 Deploying and Operating vApps

Response:
200 OK
Content-Type: application/vnd.vmware.vcloud.controlAccess+xml
...

false

...

Provide User Input Requested by a Virtual Machine
A request for a virtual machine to change state (power on, suspend, reconfigure, and so on) might cause the
virtual machine to ask for additional user input before it can complete.
A vApp that contains a Vm awaiting a user response has status="5", and includes a link that you can GET to
discover what input is needed.
Procedure
1

Find the question link in the target vApp.
This link has the following form:

Make a GET request to the URL in that link's href value.
The response is a VmPendingQuestion response that includes the question and the set of possible
answers.

Create a VmQuestionAnswer element that supplies the answer.
See “Example: Provide User Input Requested by a Virtual Machine,” on page 111.

POST the element to the question/action/answer link included in the VmPendingQuestion response.

Example: Provide User Input Requested by a Virtual Machine
In this series of examples, a virtual machine that was recently reconfigured in vCenter to add a new parallel
port device and then powered on is requesting user input about where to send output from the device. The
powerOn request cannot complete until this input is supplied.
The first step is to use the vmPendingQuestion link, shown in Step 1, to get a VmPendingQuestion response that
includes the question and the set of possible answers.
Request:
GET https://vcloud.example.com/api/vApp/vm-5/question

Response:
200 OK
Content-type: application/vnd.vmware.vcloud.vmPendingQuestion+xml
...

VMware, Inc.

111

vCloud API Programming Guide

msg.parallel.file.open:Parallel port output file
"/vmfs/volumes/d6162a46-58e50cab/linuxftp/vm-mgi.log" already
exists. Do you want to replace it with any newly created content,
or append new content to the end of the file?

0
Append

1
Replace

2
Cancel

To supply the answer, POST a VmQuestionAnswer element to the question/action/answer link of the Vm.
Request:
POST http://vcloud.example.com/api/vApp/vm-5/question/action/answer
Content-type: application/vnd.vmware.vcloud.vmPendingAnswer+xml

2
50

Attach or Detach an Independent Disk
Use the disk/action/attach or disk/action/detach links in a Vm to attach or detach an independent disk.
You must be the owner of the Vm element and the disk.
Every Vm element includes links of the following form:

You can POST a DiskAttachOrDetachParams element to one of these URLs to attach or detach an independent
disk.
Prerequisites
n

112

Verify that you are logged in to the vCloud API as a system administrator or the object owner.

VMware, Inc.

Chapter 5 Deploying and Operating vApps

Verify that the VDC contains an independent disk. If the VDC does not contain independent disks, you
can create one. See “Create or Update an Independent Disk,” on page 80.

Procedure
1

Retrieve a reference to the independent disk to attach to a virtual machine.
The independent disk and the virtual machine must be contained by the same VDC. You can retrieve
references to independent disks in a VDC in the following ways:
n

Use the query service. A query like this one returns references to all Disk objects in the VDC named

MyVdc.

GET https://vcloud.example.com/api/query?
type=disk&format=references&filter=vdcName==MyVdc
n

Retrieve the VDC and look for ResourceEntity elements whose type attribute has a value of
application/vnd.vmware.vcloud.disk+xml. The href value of a ResourceEntity that represents a
disk is a reference to that Disk object.

Create a DiskAttachOrDetachParams element.
Provide a reference to the independent disk in the href attribute of the Disk element.

POST the DiskAttachOrDetachParams to the disk/action/attach link of the Vm.

Example: Attach an Independent Disk to a Virtual Machine
This request attaches the disk created in “Create or Update an Independent Disk,” on page 80 to a virtual
machine.
Request:
POST https://vcloud.example.com/api/vApp/vm-4/disk/action/attach
Content-Type: application/vnd.vmware.vcloud.diskAttachOrDetachParams+xml
...

The response is a Task.
Response:

...

VMware, Inc.

113

vCloud API Programming Guide

Creating and Using vApp Snapshots
You can take a snapshot of all the virtual machines in a vApp. After the snapshots are taken, you can revert
all virtual machines in the vApp to the most recent snapshot, or remove all snapshots.
You can take a snapshot of a vApp whether or not it is powered on. The createSnapshot operation always
creates a snapshot for each virtual machine in the vApp. Snapshots are created in the order specified for
virtual machines in the StartupSection of the VApp element.
vApp snapshots have the following limitations:
n

They do not capture the ovf:ProductSection elements in the vApp.

They do not capture NIC configurations.

They cannot be created if any virtual machine in the vApp is connected to an independent disk.

Prerequisites
n

Verify that you are logged in to the vCloud API as a system administrator or the object owner.

Verify that you are logged in as a user whose role includes the vApp: Snapshot Operations right.

Procedure
1

(Optional) Retrieve information about current vApp snapshots.
When you create a snapshot, it overwrites any existing snapshots without warning. Before creating a
new snapshot, you might want to verify whether there are any existing snapshots. Make a request like
this one:
GET https://vcloud.example.com/api/vApp/vapp-33/snapshotSection

The response is a SnapshotSection element containing a link to each of the current snapshots for the
vApp.
2

Create a CreateSnapshotParams request body.
See “Example: Create a vApp Snapshot,” on page 114.

POST the CreateSnapshotParams to the action/createSnapshot link of the vApp.

Example: Create a vApp Snapshot
In this example, the memory and quiesce options are not specified, so their values default to true. The name
attribute is optional. If you omit it from the request, the system generates a name for the snapshot.
Request:
POST https://vcloud.example.com/api/vApp/vapp-33/action/createSnapshot
Content-Type: application/vnd.vmware.vcloud.createSnapshotParams+xml
...

Demo snapshot

The response is a Task.

114

VMware, Inc.

Chapter 5 Deploying and Operating vApps

Response:

...

After the snapshot is created, you can revert the vApp to the state captured in the snapshot.
POST https://vcloud.example.com/api/vApp/vapp-33/action/revertToCurrentSnapshot

You can also remove all snapshots.
POST https://vcloud.example.com/api/vApp/vapp-33/action/removeAllSnapshots

Neither of these requests has a request body. Both return a Task.

Operate a vApp
vApp and Vm elements include a number of action links. You can use these links to operate a vApp or one of
its virtual machines by making requests such as power on, suspend, power off, undeploy, and so on.

Only those action links that are valid for the vApp or virtual machine in its current state are returned. For
example, if a vApp is instantiated but not deployed, only the links for deploy and remove are returned. For a
vApp that is powered on, links for all actions except powerOn are returned. Some requests apply only to
vApps, some apply only to virtual machines (Vm objects), and some apply to both.
n

A request made to the power URL of a VApp invokes the requested operation on each of the virtual
machines in the Children element of the VApp, in the order specified in its ovf:StartupSection element.
This element, if present, specifies a start order and related properties for each member of a
VirtualSystemCollection (each Vm contained by the Children element). If the element is not present, all
members are started up at the same time. The same logic applies to shutdown, reboot, and similar
operations.

A request made to the power URL of a Vm affects only that virtual machine.

See “Summary of vCloud API vApp and Virtual Machine Operations Requests,” on page 91 for details
of each request.

Prerequisites
Verify that you are logged in to the vCloud API as a system administrator or member of an organization in
the cloud.
Procedure
1

Retrieve the XML representation of the vApp to find the action links it contains.
Use a request like this one:
GET https://vcloud.example.com/api/vApp/vapp-7

POST a request to the URL that implements the desired action.
Many of these requests do not require a body.

The server takes the requested action and returns a Task element that tracks the progress of the request.

VMware, Inc.

115

vCloud API Programming Guide

Configuring vApps and Virtual Machines
You specify configuration details for vApps and the virtual machines they contain in ovf:SectionType
elements contained in a VApp or Vm element. You can include most of these sections in the
InstantiationParams that you supply when you instantiate a vApp template. You can also retrieve, modify,
and update these sections to reconfigure a deployed vApp.
You establish the initial configuration of a vApp in the OVF package on which its source template is based.
You cannot modify most sections of the template, but you can update the configuration during the
following operations:
n

When you create a vApp by making an instantiateVAppTemplate request, you can update its
configuration by including modified sections in the request's InstantiationParams element.

When you compose or recompose a vApp, you can update its configuration by including modified
sections in the request's InstantiationParams element.

When you update any of the modifiable sections in a deployed vApp or the virtual machines that it
contains.

You can capture the reconfigured vApp to create a vApp template that preserves your modifications. See
“Capturing and Importing vApps,” on page 75.

Updating a vApp Template
You can update the following sections of a vApp template.
CustomizationSection

You can use a PUT request to update this section, which contains a Boolean
value, CustomizeOnInstantiate, that specifies whether guest customization
should be run during instantiation. You cannot modify this element if the
vApp template has been added to a catalog.

Name and description

You can use a PUT request to update the value of the template's name
attribute or the contents of its Description element.

Owner

You can use a PUT request to update the value of the template's Owner
element. See “View or Change the Owner of an Object,” on page 83.

ProductSection elements

You can retrieve or update the template's ProductSection elements, which
provide a way to pass runtime information to the virtual machines defined in
the template. See “Retrieve or Modify ProductSection Elements,” on
page 139.

Except for the Owner element, all updates to a vApp template propagate to the vApp during instantiation.
The owner of the vApp is set to the identity of the user who instantiates the template.

116

VMware, Inc.

Chapter 5 Deploying and Operating vApps

Configuring a vApp
You can include the following sections in the InstantiationParams you supply with an
instantiateVAppTemplate, composeVApp, or recomposeVApp request. You can also modify them in a deployed
vApp.

LeaseSettingsSection

Defines the terms of storage and deployment leases for the vApp. If this
section is omitted, the vApp inherits the default lease settings of the
containing organization.

NetworkConfigSection

Defines the properties of the vApp network and specifies how it is connected
to a network in the VDC. Unless you intend to create a vApp that has no
connection to any network, you must include this section in the
InstantiationParams element of an instantiateVappTemplate request.

StartupSection

Defines the order in which the virtual machines in the vApp start up and
shut down. If this section is omitted, the startup and shutdown order of
virtual machines in the vApp is indeterminate.

Configuring a Virtual Machine
An instantiateVAppTemplate request can modify certain properties of individual virtual machines in a
vApp template by including a SourcedVmInstantiationParams in the InstantiateVAppTemplateParams
request body. You can include a SourcedVmInstantiationParams for each virtual machine in the vApp. You
can also reconfigure a virtual machine after the vApp has been deployed by updating any of the following
sections of one of its Vm elements:
VirtualHardwareSection

Contains a description of the virtual hardware supported by a virtual
machine. You can reconfigure individual items in this section, or reconfigure
groups of related items such as hard disks or network interface cards.

OperatingSystemSection

Specifies the guest operating system installed on the virtual machine.

NetworkConnectionSectio
n

Specifies how the virtual NIC devices on the virtual machine are connected
to the vApp network.

GuestCustomizationSecti
on

Contains guest customization parameters for the virtual machine.

There are several ways to update these sections:
n

You can include any or all of the sections in the InstantiationParams for a Vm.

You can include any or all of the sections in a reconfigureVm request.

You can use the workflow in “Reconfiguration Workflow,” on page 117 to update individual section or
groups of related section.

Reconfiguration Workflow
The workflow for reconfiguring a vApp or virtual machine is the same regardless of the section you are
modifying.
1

Retrieve the vApp or Vm and examine the response to find the section that you want to modify.

Retrieve the section by making a GET request to the URL in the section’s href attribute value.

Modify the section as needed.

VMware, Inc.

117

vCloud API Programming Guide

Update the section by making a PUT request to the section’s edit link, a Link element in the section
where rel="edit", and supplying the modified section in the request body.

Modified sections must contain all required elements, even if you are not changing their values. Because
optional elements revert to default values if they are omitted or empty, it is a best practice to include
optional elements in updates. Link elements and href attributes from responses do not need to be included
in modified sections. Some elements and attributes might be read-only. See the schema reference for details.
NOTE You cannot make configuration changes to a vApp if it is in maintenance mode. A system
administrator can put a vApp into maintenance mode to prevent metadata changes during administrative
operations such as backup, restore, and upgrade. See “Summary of System Administration Requests,” on
page 235.

Retrieve the Configuration Links for a vApp
Each modifiable section of a vApp includes a Link element whose rel attribute has the value edit. You
cannot modify sections that do not contain this Link element.
Any ovf:SectionType element can include an arbitrary number of Link elements. Sections that you can
modify include a Link element where rel="edit". To modify one of these sections, retrieve it by making a
GET request to the URL in the section's href attribute. Then make a PUT request to the href attribute value
of the Link where rel="edit" to update the section with your modifications.
Prerequisites
Verify that you are logged in to the vCloud API as an administrator or vApp Author.
Procedure
1

Retrieve the XML representation of the vApp.
Use a GET request as shown in “Example: Configuration Links in a vApp,” on page 118.

Examine the response for edit links to modifiable sections.
The response portion of “Example: Configuration Links in a vApp,” on page 118 includes one of these
links for each of the modifiable sections of the vApp. You cannot modify sections that do not contain a
Link element where rel="edit".

Example: Configuration Links in a vApp
In this example, the response was edited to show only the modifiable sections of the VApp element. Each Vm
in the Children element of the VApp includes additional configuration links, shown in
“Example: Configuration Links in a Vm Element,” on page 120.
Request:
GET https://vcloud.example.com/api/vApp/vapp-7

Response:
200 OK
Content-Type: application/vnd.vmware.vcloud.vApp+xml
...

...

Summary of vApp Reconfiguration Requests
vApp reconfiguration requests retrieve or update modifiable sections of a vApp.
n

API-URL is a URL of the form https://vcloud.example.com/api.

id is a unique identifier in the form of a UUID, as defined by RFC 4122.

Request

Request Body

Response

Retrieve vApp
LeaseSettingsSection

GET API-URL/vApp/vappid/ leaseSettingsSection/

None

LeaseSettingsSection

Update vApp
LeaseSettingsSection

PUT API-URL/vApp/vappid/ leaseSettingsSection/

LeaseSettingsSection

Task

VMware, Inc.

119

vCloud API Programming Guide

Table 5‑2. Summary of vApp Reconfiguration Requests (Continued)
Operation

Request

Request Body

Response

Retrieve vApp
StartupSection

GET API-URL/vApp/vappid/ startupSection/

None

StartupSection

Update vApp
StartupSection

PUT API-URL/vApp/vappid/ startupSection/

StartupSection

Task

Retrieve vApp
NetworkConfigSection

GET API-URL/vApp/vappid/ networkConfigSection/

None

NetworkConfigSection

Update vApp
NetworkConfigSection

PUT API-URL/vApp/vappid/ networkConfigSection/

NetworkConfigSection

Task

Retrieve the Configuration Links for a Virtual Machine
A virtual machine is represented by a Vm element. Each modifiable section of a Vm element includes a Link
element whose rel attribute has the value edit. You cannot modify sections that do not contain this Link
element.
Any ovf:SectionType element can include an arbitrary number of Link elements. Sections that you can
modify include a Link element where rel="edit". To modify one of these sections, retrieve it by making a
GET request to the URL in the section's href attribute. Then make a PUT request to the href attribute value
of the Link where rel="edit" to update the section with your modifications.
Prerequisites
Verify that you are logged in to the vCloud API as an administrator or vApp Author.
Procedure
1

Retrieve the XML representation of the vApp that contains the virtual machine to reconfigure.
Use a GET request as shown in “Example: Configuration Links in a vApp,” on page 118.

In the VApp element's Children element, find the Vm element that represents the virtual machine and
retrieve it.

Examine the response to find the reconfigureVm link and edit links to modifiable sections.
The response portion of “Example: Configuration Links in a Vm Element,” on page 120 shows the

reconfigureVm link and links for each of the modifiable sections of the Vm. You cannot modify sections
that do not contain a link where rel="edit".

Example: Configuration Links in a Vm Element
This example retrieves a Vm element shown in “Example: Configuration Links in a vApp,” on page 118. It
expands that element to show its configuration links. It also shows the entire NetworkConnectionSection of
that Vm, and additional information that is referenced in other examples. You cannot modify sections that do
not have a Link where rel="edit", so they do not appear in this example. Modifiable sections of the parent
vApp are shown in “Example: Configuration Links in a vApp,” on page 118.
Request:
GET https://vcloud.example.com/api/vApp/vm-4

Response:
200 OK
Content-Type: application/vnd.vmware.vcloud.vm+xml

...

Specifies the available VM network connections
0

0
10.147.122.134
false
00:50:56:01:01:49
POOL

...

Summary of Vm Reconfiguration Requests
Vm reconfiguration requests retrieve or update modifiable sections of a virtual machine (Vm object).
n

API-URL is a URL of the form https://vcloud.example.com/api.

id is a unique identifier in the form of a UUID, as defined by RFC 4122.

122

VMware, Inc.

Chapter 5 Deploying and Operating vApps

Table 5‑3. Summary of Vm Reconfiguration Requests
Operation

Request

Request Body

Response

Retrieve the
NetworkConnectionSectio
n of a virtual machine

GET API-URL/vApp/vmid/
networkConnectionSectio
n/

None

NetworkConnectionSectio
n

Update the
NetworkConnectionSectio
n of a virtual machine

PUT API-URL/vApp/vmid/
networkConnectionSectio
n/

NetworkConnectionSecti
on

Task

Retrieve the
GuestCustomizationSecti
on of a virtual machine

GET API-URL/vApp/vmid/
guestCustomizationSectio
n/

None

GuestCustomizationSecti
o

Update the
GuestCustomizationSecti
on of a virtual machine

PUT API-URL/vApp/vmid/
guestCustomizationSectio
n/

GuestCustomizationSect
io

Task

Retrieve the
OperatingSystemSection
of a virtual machine

GET API-URL/vApp/vmid/
operatingSystemSection/

None

OperatingSystemSection

Update the
OperatingSystemSection
of a virtual machine

PUT API-URL/vApp/vmid/
operatingSystemSection/

OperatingSystemSection

Task

Retrieve the
VirtualHardwareSection
of a virtual machine

GET API-URL/vApp/vmid/
virtualHardwareSection/

None

VirtualHardwareSection

Update the
VirtualHardwareSection
of a virtual machine

PUT API-URL/vApp/vmid/
virtualHardwareSection/

VirtualHardwareSection

Task

Retrieve the CPU
configuration of a virtual
machine

GET API-URL/vApp/vmid/
virtualHardwareSection/
cpu

None

ovf:Item

Update the CPU
configuration of a virtual
machine

PUT API-URL/vApp/vmid/
virtualHardwareSection/
cpu

ovf:Item

Task

Retrieve the memory item
from the
VirtualHardwareSection
of a virtual machine

GET API-URL/vApp/vmid/
virtualHardwareSection/
memory

None

ovf:Item

Update the memory item in
the
VirtualHardwareSection
of a virtual machine

PUT API-URL/vApp/vmid/
virtualHardwareSection/
memory

ovf:Item

Task

Retrieve virtual disk items
from the
VirtualHardwareSection
of a virtual machine

GET API-URL/vApp/vmid/
virtualHardwareSection/
disks

None

RasdItemsList

Update virtual disk items in
the
VirtualHardwareSection
of a virtual machine

PUT API-URL/vApp/vmid/
virtualHardwareSection/
disks

RasdItemsList

Task

VMware, Inc.

123

vCloud API Programming Guide

Table 5‑3. Summary of Vm Reconfiguration Requests (Continued)
Operation

Request

Request Body

Response

Retrieve network card items
from the
VirtualHardwareSection
of a virtual machine

GET API-URL/vApp/vmid/
virtualHardwareSection/
networkCards

None

RasdItemsList

Update network card items
in the
VirtualHardwareSection
of a virtual machine

PUT API-URL/vApp/vmid/
virtualHardwareSection/
networkCards

RasdItemsList

Task

Update the name,
Description, and any or all
of
VirtualHardwareSection,
OperatingSystemSection,
NetworkConnectionSectio
n,
GuestCustomizationSecti
on of a virtual machine.

POST API-URL/vApp/vmid/ action/reconfigureVm

Task

vCloud API Custom Attributes
vCloud API custom attributes extend several elements in the ovf and rasd XML namespaces. You can use
these attributes to provide additional detail about virtual NIC and hard disk controller devices, or to specify
the guest operating system type.
With the exception of osType, custom attributes are scoped to ovf:Item elements based on the elements'
RASD resource type. The osType attribute applies to the ovf:OperatingSystemSection element. All of the
elements to which these custom attributes apply are contained in the VirtualHardwareSection of a Vm.
Table 5‑4. vCloud API Custom Attributes for OVF and RASD Elements

Element Name

124

RASD
Resource
Type

Attribute Name

Attribute Type

Description

rasd:Connection

10
(Network
adapters)

ipAddressingMode

xs:string

IP addressing mode to use for this
connection. One of NONE, MANUAL,
DHCP, POOL.

rasd:Connection

10
(Network
adapters)

ipAddress

xs:string

If ipAddressingMode="MANUAL",
set the IP address here

rasd:Connection

10
(Network
adapters)

primaryNetworkCon
nection

xs:boolean

True if this is the primary network
connection of the virtual machine

rasd:HostResource

17 (Hard
disks)

capacity

xs:string

Hard disk capacity in megabytes.
See “Retrieve or Modify the Hard
Disk Configuration of a Virtual
Machine,” on page 143

rasd:HostResource

17 (Hard
disks)

busType

xs:string

Bus type. One of:
n 5 (IDE)
n 6 (SCSI)
n 20 (SATA)

VMware, Inc.

Chapter 5 Deploying and Operating vApps

Table 5‑4. vCloud API Custom Attributes for OVF and RASD Elements (Continued)

Element Name
rasd:HostResource

RASD
Resource
Type
17 (Hard
disks)

Attribute Name

Attribute Type

Description

busSubType

xs:string

Hard disk controller type. One of:
n buslogic
n lsilogic
n lsilogicsas
n VirtualSCSI
n vmware.sata.ahci
See “Retrieve or Modify the Hard
Disk Configuration of a Virtual
Machine,” on page 143 for valid
combinations of busType and
busSubType.

ovf:OperatingSystemSec
tion

N/A

osType

xs:string

Internal VMware identifier for the
guest operating system. See
https://www.vmware.com/suppor
t/developer/vcsdk/visdk41pubs/ApiReference/vim
.vm.GuestOsDescriptor.GuestOsIde
ntifier.html

For more information about OVF and RASD (CIM_ResourceAllocationSettingData) elements, see the OVF
specification, available at http://www.dmtf.org/standards/published_documents/DSP0243_1.0.0.pdf.

Update Multiple Sections of a Virtual Machine
You can make a single request that updates the name, Description, and any or all of the
VirtualHardwareSection, OperatingSystemSection, NetworkConnectionSection, GuestCustomizationSection
elements of a virtual machine.
Every Vm element contains a link to a reconfigureVm operation that you can use to update the name,
Description, and multiple sections in a single operation. Sections that you omit from the request body are

not updated.

Prerequisites
Verify that you are logged in to the vCloud API as an administrator or vApp Author.
Procedure
1

Retrieve the Vm element that you want to update.

Modify the retrieved Vm element.
Modifications can include the name, Description, and any or all of the VirtualHardwareSection,
OperatingSystemSection, NetworkConnectionSection, GuestCustomizationSection elements of the Vm.
Modified sections must contain all required elements, even if you are not changing their values.
Because optional elements revert to default values if they are omitted or empty, it is a best practice to
include optional elements in updates. Link elements and href attributes from responses do not need to
be included in modified sections. Some elements and attributes might be read-only. See the schema
reference for details.

Use the modified Vm as the body of a reconfigureVm request.

The modified Vm replaces the contents of the retrieved Vm. For some section types, modifications take effect
immediately. For others, modifications take effect only after a power or deployment state change.

VMware, Inc.

125

vCloud API Programming Guide

Example: Update Multiple Sections of a Virtual Machine
This example uses the reconfigureVm operation to accomplish the updates shown in “Example: Update a
NetworkConnectionSection,” on page 135 and “Example: Modify the Guest Customization Section of a
Virtual Machine,” on page 138 in a single operation.
Request:
POST https://vcloud.example.com/api/vApp/vm-4/action/reconfigureVm
Content-Type: application/vnd.vmware.vcloud.vm+xml
...

...

Firewall allows access to this address.
0

0
10.147.115.1
true
00:50:56:01:01:49
STATIC

Specifies Guest OS Customization Settings
true
true
12
false
false

true
true

false

126

VMware, Inc.

Chapter 5 Deploying and Operating vApps

Win2K3

...

Response:
202 Accepted
Content-Type: application/vnd.vmware.vcloud.task+xml
...

...

Retrieve or Update a Modifiable Section
You can make a GET request to the URL of any modifiable section to retrieve it for modification. After you
modify the section, you can make a PUT request to its edit link to update the section with your
modifications.
Prerequisites
Verify that you are logged in to the vCloud API as an administrator or vApp Author.
Procedure
1

Retrieve the section to modify.
Make a GET request to the URL in the section's href attribute value.

Update the section with your modifications.
Find the Link element in the section where rel="edit". Make a PUT request to the URL in that link's
href attribute value, and supply the modified section as the request body.
For most section types, the response to this request is a Task element that tracks the update operation.
When the task completes, the section is updated.

The modified section replaces the contents of the original section. For some section types, modifications take
effect immediately. For others, modifications take effect only after a power or deployment state change.

Example: Retrieve a NetworkConfigSection
This example retrieves the NetworkConfigSection of the vApp shown in “Example: Configuration Links in a
vApp,” on page 118.
Request:
GET https://vcloud.example.com/api/vApp/vapp-7/networkConfigSection

VMware, Inc.

127

vCloud API Programming Guide

Response:
200 OK
Content-type: application/vnd.vmware.vcloud.networkConfigSection+xml
...

Configuration parameters for logical networks

true
10.147.56.253
255.255.255.0
10.147.115.1
10.147.115.2
example.com

10.147.56.1
10.147.56.255

bridged

false

For an example that updates this section, see “Example: Update a NetworkConfigSection,” on page 129 .

Update a vApp Network Configuration
To change the configuration of a vApp network, you retrieve the NetworkConfigSection element of the
vApp, modify it, and use it with a PUT request to update the section.
Prerequisites
Verify that you are logged in to the vCloud API as an administrator or vApp Author.
Procedure
1

128

Retrieve the vApp's NetworkConfigSection.

VMware, Inc.

Chapter 5 Deploying and Operating vApps

Modify the returned NetworkConfigSection as needed.
Modified sections must contain all required elements, even if you are not changing their values.
Because optional elements revert to default values if they are omitted or empty, it is a best practice to
include optional elements in updates. Link elements and href attributes from responses do not need to
be included in modified sections. Some elements and attributes might be read-only. See the schema
reference for details.

Update the NetworkConfigSection in the vApp.
Find the Link element in the section where rel="edit". Make a PUT request to the URL in that link's
href attribute value, and supply the modified section as the request body.

Example: Update a NetworkConfigSection
This example modifies the NetworkConfigSection that was retrieved in “Example: Retrieve a
NetworkConfigSection,” on page 127. The modifications change the FenceMode value to natRouted and add a
Features element that defines several network features that are useful to an FTP server that must be
reachable from the public Internet, but only at the FTP and SSH ports. The modifications add the following
items:
n

A set of FirewallRules that allow TCP traffic to ports 21 and 22. Because these rules require you to
specify a single IP address on the inside of the firewall, the IpScope element is modified to limit the
range of IP addresses available on the vApp network to a single address. Any virtual machine that
connects to the vApp network defined in this NetworkConfigSection is given this address.

A NatService element that maps a routable external IP address to the internal IP address allocated to
the Vm by the vApp network. The VAppScopedVmId value in this element is taken from the
VAppScopedLocalId element of the Vm and the VmNicId value is taken from its
PrimaryNetworkConnectionIndex. See “Example: Configuration Links in a Vm Element,” on page 120.

For more information about these and other network services in vApp networks, see “Network Services in
vApp Networks,” on page 131
This request, like all request bodies derived from a response, omits the Link elements and href attributes
that were part of the retrieved NetworkConfigurationSection. It also omits the IsDeployed element of the
NetworkConfig. These elements and attributes are created by the server and are read-only. They are ignored
if you include them in a request. Read-only elements are noted in the schema reference.
Request:
PUT https://vcloud.example.com/api/vApp/vapp-7/networkConfigSection/
Content-type: application/vnd.vmware.vcloud.networkConfigSection+xml
...

Configuration parameters for logical networks

false
10.147.56.253
255.255.255.0
10.147.115.1
10.147.115.2
example.com

VMware, Inc.

129

vCloud API Programming Guide

10.147.56.1
10.147.56.1

natRouted

true

true
FTP Rule
allow

true

21
10.147.115.1
any
any
false

true
SSH Rule
allow

true

22
10.147.115.1
any
any
false

true
ipTranslation
allowTraffic

automatic
3963994b-5a0a-48fe-b9ae-7f9a2d8e8e5b
0

130

VMware, Inc.

Chapter 5 Deploying and Operating vApps

Response:
202 Accepted
Content-Type: application/vnd.vmware.vcloud.task+xml
...

...

IMPORTANT Whenever you modify a vApp network, as we do in this example, you must be sure that the
modifications are consistent with the network connection requirements of the virtual machines in the vApp.
The vApp in this example contains a single virtual machine. Its NetworkConnection element, shown in
“Example: Configuration Links in a Vm Element,” on page 120, specifies an IP address that will not be
available after the vApp network is reconfigured as shown here. “Example: Update a
NetworkConnectionSection,” on page 135 corrects this problem. This example uses the IpScope element to
restrict the IP addresses available on a vApp network. It is usually more practical to use a wide range of
addresses available on a vApp network and apply any firewall-related IP address restrictions by modifying
the NetworkConnectionSection of the Vm to which the FirewallRules apply, as shown in “Example: Update a
NetworkConnectionSection,” on page 135. A wider range of IP addresses allows you to modify this vApp
to include additional virtual machines, and the IP address restriction applied in “Example: Update a
NetworkConnectionSection,” on page 135 allows the FirewallRules in this example to remain valid.

Network Services in vApp Networks
The Features element of a vApp NetworkConfigSection defines the network services available to virtual
machines in the vApp.
A vApp network can be configured to provide many of the same kinds of services available in an
organization VDC network. Configuration parameters for these services are similar to those of their
counterparts on an Edge Gateway, but scoped to the needs of a vApp network.
For more information about vCloud Director networks, see “About vCloud Director Networks,”
on page 169. For more information about network services for organization VDC networks, see “Configure
Edge Gateway Services,” on page 177
DHCP Service
A DhcpService element defines an IP address range and lease policies for a DHCP service that can be used
by to virtual machines in the vApp. Unlike a DHCP service in an Edge Gateway, it can support only a single
IP address range, as shown in this example.

true
3600
7200

192.168.3.2
192.168.3.99

VMware, Inc.

131

vCloud API Programming Guide

Firewall Service
A FirewallService element defines firewall rules that, when matched, block or allow incoming or outgoing
traffic on the vApp network. A firewall rule in a vApp network can specify the destination as a combination
of address and port, or as a specific virtual NIC in a Vm This FirewallService allows TCP traffic to ports 21
and 22.

true

true
FTP Rule
allow

true

21
10.147.115.1
any
any
false

true
SSH Rule
allow

true

22
10.147.115.1
any
any
false

You can see this example in the context of a vApp NetworkConfigSection in “Example: Update a
NetworkConfigSection,” on page 129
An alternate implementation of the second FirewallRule in this example includes a DestinationVm element
that specifies the destination as a specific virtual NIC (identified in the VmNicId element) in a specific Vm
(identified in the VAppScopedVmId element. The value of VAppScopedVmId is taken from the VAppScopedLocalId
element of the Vm and the VmNicId value is taken from its PrimaryNetworkConnectionIndex. See
“Example: Configuration Links in a Vm Element,” on page 120. The IpType is set to assigned, indicating that
the NIC retains its assigned IP address. If you set IpType is set to NAT, the IP address of the NIC is its
translated address.

true
allow ssh to a specific NIC in a specific Vm
allow

true

3963994b-5a0a-48fe-b9ae-7f9a2d8e8e5b

132

VMware, Inc.

Chapter 5 Deploying and Operating vApps

0
assigned

Any
Any
false

NAT Service
A NatService element defines network address translation services to virtual machines on the network. This
simple NatService defines a single rule that implements an IP translation stratagy for a single Vm.

true
ipTranslation
allowTraffic

automatic
3963994b-5a0a-48fe-b9ae-7f9a2d8e8e5b
0

You can see this example in the context of a vApp NetworkConfigSection in “Example: Update a
NetworkConfigSection,” on page 129
A NatService element like this one configures the service to use port forwarding instead of IP translation.
Instead of using a OneToOneVmRule, which specifies one external IP address to one NIC, it uses a VmRule
element, which enables port forwarding by allowing one external IP address to be forward to different ports
on different virtual machines.

true
portForwarding
allowTraffic

22
3963994b-5a0a-48fe-b9ae-7f9a2d8e8e5b
0
22
TCP

Static Routing Service
A StaticRoutingService specifies static routes to other networks. In addition to creating static routes from
organization VDC networks on an EdgeGateway (see “Example: Static Routes Between Organization VDC
Networks,” on page 182, you can create static routes between vApp networks if they both define the same
ParentNetwork. Assume two vApp networks that have the following properties:
n

VMware, Inc.

The Configuration of the vApp network in vApp1 has a RouterInfo element whose ExternalIp value is
192.168.0.100.

133

vCloud API Programming Guide

The Configuration of the vApp network in vApp2 has a RouterInfo element whose ExternalIp value is
192.168.0.101.

Both vApp networks have the same ParentNetwork, an organization VDC network whose network
specification in CIDR notation is 192.168.0.0/24.

You can enable static routing between these two vApp networks by inserting a StaticRoutingService
element in the Features of each vApp network Configuration. This excerpt from the NetworkConfigSection
of vApp1 shows the network's Configuration and Features elements..

...

true

TovAppNet2
192.168.2.0/24
192.168.0.101
External

...

This is a similar excerpt from the NetworkConfigSection of vApp2.

...

true

TovAppNet1
192.168.1.0/24
192.168.0.100
External

...

Update the NetworkConnectionSection of a Virtual Machine
Whenever you create a vApp network or update its configuration, you might also need to update the
NetworkConnectionSection elements of the virtual machines in the vApp.
Prerequisites
Verify that you are logged in to the vCloud API as an administrator or vApp Author.
Procedure
1

134

Retrieve the virtual machine's NetworkConnectionSection.

VMware, Inc.

Chapter 5 Deploying and Operating vApps

Modify the returned NetworkConnectionSection as needed.
Modified sections must contain all required elements, even if you are not changing their values.
Because optional elements revert to default values if they are omitted or empty, it is a best practice to
include optional elements in updates. Link elements and href attributes from responses do not need to
be included in modified sections. Some elements and attributes might be read-only. See the schema
reference for details.

Update the NetworkConnectionSection in the virtual machine.
Find the Link element in the section where rel="edit". Make a PUT request to the URL in that link's
href attribute value, and supply the modified section as the request body.

Example: Update a NetworkConnectionSection
This example modifies the NetworkConnectionSection shown in “Example: Configuration Links in a Vm
Element,” on page 120 so that this network connection is compatible with the reconfigured vApp network to
which it must connect. See “Example: Update a NetworkConfigSection,” on page 129. The modified
NetworkConnectionSection in the request changes two values:
n

The IpAddress now specifies the address to which the vApp network's firewall allows access.

Because it specifies an IP address, the modified NetworkConnectionSection also changes the value of the
IpAddressAllocationMode from DHCP to STATIC.

NOTE The ovf:Info element is a required member of NetworkConnectionSection and all other sections that
are derived from ovf:SectionType. The element must be present, even if it has no content. In this example,
we use the content to explain why the connection is configured this way.
Request:
PUT "https://vcloud.example.com/api/vApp/vm-4/networkConnectionSection/
Content-type: application/vnd.vmware.vcloud.networkConnectionSection+xml
...

Firewall allows access to this address.
0

0
10.147.115.1
true
00:50:56:01:01:49
STATIC

Response:
202 Accepted
Content-Type: application/vnd.vmware.vcloud.task+xml
...

...

VMware, Inc.

135

vCloud API Programming Guide

Retrieve or Modify the CPU Configuration of a Virtual Machine
The CPU configuration of a virtual machine is represented by an Item in its VirtualHardwareSection
element.
Prerequisites
Verify that you are logged in to the vCloud API as an administrator or vApp Author.
Procedure
1

Retrieve the CPU section to modify.
Make a GET request to the URL in the section's href attribute value:
GET https://vcloud.example.com/api/vApp/vm-4/virtualHardwareSection/cpu

Update the section with your modifications.
Find the Link element in the section where rel="edit". Make a PUT request to the URL in that link's
href attribute value, and supply the modified section as the request body.
The response to this request is a Task element that tracks the update operation. When the task is
complete, the section is updated.

Example: Modify the CPU Configuration of a Virtual Machine
The initial configuration for the virtual machine used in this example shows a single CPU and

CoresPerSocket value of 1.

hertz * 10^6
Number of Virtual CPUs
1 virtual CPU(s)
4
0
3
1
0
1

This request modifies the CPU section to add a second CPU to the Vm by changing the rasd:VirtualQuantity
value of the Item to 2. It also raises the value of CoresPerSocket to 2.

136

VMware, Inc.

Chapter 5 Deploying and Operating vApps

Request:
PUT https://vcloud.example.com/api/vApp/vm-4/virtualHardwareSection/cpu
Content-type: application/vnd.vmware.vcloud.rasdItem+xml
...

hertz * 10^6
Number of Virtual CPUs
2 virtual CPU(s)
4
0
3
2
0
2

Response:
202 Accepted
Content-Type: application/vnd.vmware.vcloud.task+xml
...

...

Retrieve or Modify the GuestCustomizationSection of a Virtual Machine
The GuestCustomizationSection element includes a customization script and other parameters that are
applied when you customize a virtual machine.
The GuestCustomizationSection includes predefined property names that VMware guest customization
tools recognize. Certain values in this element, if omitted or left empty, are inherited from the
OrgGuestPersonalizationSettings of the organization that owns the virtual machine. See “Retrieve or
Update Organization Settings,” on page 157
The vCloud API also supports use of the ovf:ProductSection to pass an arbitrary set of key=value pairs to a
vApp or virtual machine through the ovf:Environment element. See “Retrieve or Modify ProductSection
Elements,” on page 139.
Prerequisites
Verify that you are logged in to the vCloud API as an administrator or vApp Author.
Procedure
1

Retrieve the GuestCustomizationSection to modify.
Make a GET request to the URL in the section's href attribute value.
GET https://vcloud.example.com/api/vApp/vm-12/guestCustomizationSection/

VMware, Inc.

137

vCloud API Programming Guide

Update the section with your modifications.
In the section, find the Link element where rel="edit". Make a PUT request to the URL in that link's
href attribute value, and supply the modified section as the request body.
The response to this request is a Task element that tracks the update operation. When the task
completes, the section is updated.

Example: Modify the Guest Customization Section of a Virtual Machine
This request specifies guest customization values, including the information required to join the virtual
machine to a Windows domain.
NOTE If you include a CustomizationScript, it cannot exceed 49,000 characters.
Request:
PUT https://vcloud.example.com/api/vApp/vm-12/guestCustomizationSection/
Content-type: application/vnd.vmware.vcloud.guestcustomizationsection+xml
...

Specifies Guest OS Customization Settings
true
true
12
false
false
example
admin
Pa55w0rd
true
true

false

Win2K3

Response:
202 Accepted
Content-Type: application/vnd.vmware.vcloud.task+xml
...

...

Retrieve or Modify ProductSection Elements
ProductSection elements allow you to pass runtime information to vApps and virtual machines. The
key=value pairs in this section are made available in the OVF Environment of a powered-on vApp or virtual

machine.

A vApp or virtual machine can get runtime information from its ovf:Environment element. This read-only
element is populated with information from a ProductSection element when the vApp or virtual machine is
powered on. A Vm can use VMware Tools to read these values from its ovf:Environment. A Vm can also read
the values by mounting a special media object. To make a key=value pair available in the ovf:Environment,
add it to the appropriate ProductSection of a vApp template or powered-off vApp or virtual machine.
NOTE All ProductSection elements in a vApp template, vApp, or virtual machine are returned as members
of a ProductSectionList. You cannot retrieve or update an individual ProductSection. You must retrieve
and modify the ProductSectionList to update the individual ProductSection elements it contains.
Prerequisites
Verify that you are logged in to the vCloud API as an administrator or vApp Author.
Procedure
1

Retrieve the ProductSectionList from the vApp or virtual machine.
Use a request like this one, which targets a vApp.
GET https://vcloud.example.com/api/vApp/vapp-123/productSections

The response is a ProductSectionList element, which contains all the ProductSection elements in the
vApp, along with a Link element that contains the rel="edit" URL to use when updating the
ProductSectionList. If the vApp contains no ProductSection elements, the response contains only the
Link element.
2

Modify the retrieved ProductSectionList.
You can modify existing ProductSection elements, create new ones, or both. ProductSection has no
required contents. Unlike updates to other sections, updates to a ProductSection merge new and
existing values, subject to the following rules:
Property elements that are present in the existing ProductSection but not in the update are
n
removed.

Property elements that are present in the update but not in the in the existing ProductSection are
added to the ProductSection if they have a corresponding Value element.

If a Property element that is present in the existing ProductSection has different attributes,
qualifiers, or other details in the update, the Property in the update replaces the existing one.

If a Property element that is present in the existing ProductSection has no Value in the update, the
existing Property and Value remain unchanged.

Update the section with your modifications.
Find the Link element in the ProductSectionList where rel="edit". Make a PUT request to the URL in
that link's href attribute value, and supply the modified ProductSectionList as the request body.
The response to this request is a Task element that tracks the update operation. When the task is
complete, the section is updated.

VMware, Inc.

139

vCloud API Programming Guide

The modified section replaces the contents of the original section, subject to the rules listed in Step 2.

Example: Update a ProductSection in a vApp
This request creates or updates a ProductSectionList that contains a single ProductSection. The
ProductSection sets three properties. The response is a Task.
Request:
PUT https://vcloud.example.com/api/vApp/vapp-123/productSections
Content-Type: application/vnd.vmware.vcloud.productSections+xml
...

Information about the installed software

CRM Database Host

CRM Database Usernname

CRM Database User Password

Response:
202 Accepted
Content-Type: application/vnd.vmware.vcloud.task+xml
...

...

140

VMware, Inc.

Chapter 5 Deploying and Operating vApps

After the vApp is powered on, a virtual machine can retrieve the ovf:Environment document in the
following ways:
n

It can use the default OVF iso transport type. This makes the environment document available as a file
named ovf-env.xml on an ISO image that is mounted on the first available CD-ROM device on the
virtual machine. You can use any convenient mechanism to read this file.
[root@example-vm-RHEL ~] cat /media/cdrom/ovf-env.xml

...

If the virtual machine has VMware Tools installed, it can use the vmtoolsd program, as shown here.
[root@example-vm-RHEL ~] /usr/sbin/vmtoolsd --cmd 'info-get guestinfo.ovfEnv'

...

On Windows, the vmtoolsd executable file is typically installed in C:\Program Files\VMware\VMware
Tools\vmtoolsd.exe

VMware, Inc.

141

vCloud API Programming Guide

Retrieve or Modify Groups of Related Sections in a Virtual Machine
The vCloud API provides links that you can use to retrieve or update groups of sections that define related
hardware items such as disks, media devices, and network cards in a Vm element.
As shown in “Example: Configuration Links in a Vm Element,” on page 120, Link elements for disks, media
devices, and network cards are grouped at the end of the VirtualHardwareSection. These links have content
type application/vnd.vmware.vcloud.rasdItemsList+xml, and reference a RasdItemsList element in the
VirtualHardwareSection of a Vm. The vCloud API uses the RasdItemsList element to aggregate related
elements in a VirtualHardwareSection. This approach simplifies retrieval and modification of Item elements
that are typically viewed or modified as a group.
Prerequisites
Verify that you are logged in to the vCloud API as an administrator or vApp Author.
Procedure
1

Retrieve the RasdItemsList from a Vm.
Make a GET request to the URL in the link where

type="application/vnd.vmware.vcloud.rasdItemsList+xml" and rel="down". See “Example: Retrieve

the Hard Disks and Controllers in a Virtual Machine,” on page 142.
2

Modify the items in the retrieved list.
Modified sections must contain all required elements, even if you are not changing their values.
Because optional elements revert to default values if they are omitted or empty, it is a best practice to
include optional elements in updates. Link elements and href attributes from responses do not need to
be included in modified sections. Some elements and attributes might be read-only. See the schema
reference for details.

Update the sections with your modifications.
Make a PUT request to the URL in the link where

type="application/vnd.vmware.vcloud.rasdItemsList+xml" and rel="edit", and supply the modified

section as the request body.

The response to this request is a Task element that tracks the update operation. When the task is
complete, the section is updated.

Example: Retrieve the Hard Disks and Controllers in a Virtual Machine
This example uses the virtualHardwareSection/disks link shown in “Example: Configuration Links in a Vm
Element,” on page 120 to retrieve the list of hard disks and hard disk controllers for a virtual machine.
Request:
GET https://vcloud.example.com/api/vApp/vm-4/virtualHardwareSection/disks

Response:
200 OK
Content-Type: application/vnd.vmware.vcloud.rasdItemsList+xml
...

0
SCSI Controller
SCSI Controller 0
2
lsilogic
6

0
Hard disk
Hard disk 1

2000
2
17

1
Hard disk
Hard disk 2

2001
2
17

0
IDE Controller
IDE Controller 0
3
5

Retrieve or Modify the Hard Disk Configuration of a Virtual Machine
The hard disk configuration of a virtual machine is represented by an Item element in its
VirtualHardwareSection.
Prerequisites
Verify that you are logged in to the vCloud API as an administrator or vApp Author.

VMware, Inc.

143

vCloud API Programming Guide

Procedure
1

Retrieve the hard disk configuration from the virtual machine.
Make a GET request to the virtual machine's virtualHardwareSection/disks link.
GET https://vcloud.example.com/api/vApp/vm-4/virtualHardwareSection/disks

The response to this kind of request is a RasdItemsList element that contains an Item element for each
of the virtual machine's hard disks and hard disk controllers, as shown in “Example: Retrieve the Hard
Disks and Controllers in a Virtual Machine,” on page 142.
2

Modify the retrieved section.
Modified sections must contain all required elements, even if you are not changing their values.
Because optional elements revert to default values if they are omitted or empty, it is a best practice to
include optional elements in updates. Link elements and href attributes from responses do not need to
be included in modified sections. Some elements and attributes might be read-only. See the schema
reference for details.
You cannot modify the values of the busType and busSubType attributes after you create a new disk.
When creating a new disk, be sure to set the values of busType and busSubType to a valid combination.
Table 5‑5. Valid Combinations of busType and busSubType

busType

busSubType

Controller

null

IDE controller

buslogic

BusLogic Parallel SCSI controller

lsilogic

LSI Logic Parallel SCSI controller

lsilogicsas

LSI Logic SAS SCSI controller

VirtualSCSI

Paravirtual SCSI controller

vmware.sata.ahci

SATA controller (hardware version 10 and later)

Update the section with your modifications.
Find the Link element in the section where rel="edit". Make a PUT request to the URL in that link's
href attribute value, and supply the modified section as the request body.
The response to this request is a Task element that tracks the update operation. When the task is
complete, the section is updated.

Example: Modify the Hard Disk Configuration of a Virtual Machine
The following request increases the capacity of the hard disk from 1GB to 10GB by changing the

vcloud:capacity value of the Item that defines the disk. The capacity is raised from 1024 to 10240. The
request body includes the entire RasdItemsList returned by the request shown in Step 1, even though only
one element is changed. Link elements from a response are ignored if you include them in a request, so they

are omitted in this example.
Request:

PUT https://vcloud.example.com/api/vApp/vm-4/virtualHardwareSection/disks
Content-Type: application/vnd.vmware.vcloud.rasditemslist+xml
...

0
SCSI Controller
SCSI Controller 0
2
lsilogic
6

0
Hard disk
Hard disk 1

2000
2
17

1
Hard disk
Hard disk 2

2001
2
17

0
IDE Controller
IDE Controller 0
3
5

The response is a task.
Response:
202 Accepted
Content-Type: application/vnd.vmware.vcloud.task+xml
...

...

VMware, Inc.

145

vCloud API Programming Guide

Update the Storage Profile for a Virtual Machine
You can update a Vm to revalidate the storage profile it uses or specify a different storage profile.
Revalidation of a virtual machine's current storage profile is required whenever the datastore that supports
the virtual machine changes.
Every Vm element includes a StorageProfile element. The value of the href attribute of that element is a
reference to the virtual machine's storage profile. The initial value of this attribute is inherited from the VDC
that contains it unless you specify the value when the virtual machine is created. To change the value, you
must update the entire Vm element that contains it.
NOTE When the system administrator changes the datastore that stores a virtual machine, you must update
the Vm element as shown in “Example: Update the Storage Profile for a Virtual Machine,” on page 146, but
leave the href of the current StorageProfile unchanged. This action, which replaces the deprecated
relocate action, forces revalidation of the existing storage profile. If the current datastore is disabled or no
longer supports the specified storage profile, the system relocates the virtual machine to a datastore that
supports the referenced storage profile.
Prerequisites
Verify that you are logged in to the vCloud API as an administrator or vApp Author.
Procedure
1

Retrieve the Vm element.
Make a GET request to the URL in the value of the href attribute of the Vm.

Modify the retrieved Vm to change the StorageProfile reference.
Modified sections must contain all required elements, even if you are not changing their values.
Because optional elements revert to default values if they are omitted or empty, it is a best practice to
include optional elements in updates. Link elements and href attributes from responses do not need to
be included in modified sections. Some elements and attributes might be read-only. See the schema
reference for details.

Update the Vm with your modifications.
a

Find the Link element in the Vm where rel="edit".

Make a PUT request to the URL in that link's href attribute value, and supply the modified Vm as
the request body.

The response to this request is a Task element that tracks the relocation of the virtual machine to a
datastore in the new storage profile. When the task is complete, the virtual machine has been relocated.

Example: Update the Storage Profile for a Virtual Machine
This example shows a Vm element containing a StorageProfile. The actual update operation requires the
entire Vm element, including the StorageProfile, in the request body. Only a small part of the element
appears in this example.
Request:
PUT https://vcloud.example.com/api/vApp/vm-4
Content-type: application/vnd.vmware.vcloud.vm+xml
...

...

Response:
202 Accepted
Content-Type: application/vnd.vmware.vcloud.task+xml
...

...

VMware, Inc.

147

vCloud API Programming Guide

148

VMware, Inc.

Creating and Managing
Organizations

The VMware vCloud API supports objects and operations that an organization or a system administrator
can use to automate tasks associated with creating and managing organizations and their VDCs, networks,
catalogs, and users.
A successful login by an organization or system administrator returns a Session element, which contains a
link that enables the administrator to retrieve a VCloud element. This element provides access to a cloudwide namespace of administrative objects. See “Retrieve an Administrative View of a Cloud,” on page 50.
This chapter includes the following topics:
n

“Summary of Administrative Requests,” on page 149

“Administrator Credentials and Privileges,” on page 152

“Organization Administration,” on page 153

“VDC Administration,” on page 160

“Network Administration,” on page 169

“Catalog Administration,” on page 197

“User and Group Administration,” on page 219

“Working With Roles and Rights,” on page 227

Summary of Administrative Requests
Administrative requests retrieve or update administrative objects such as organizations, users, and VDCs.
n

API-URL is a URL of the form https://vcloud.example.com/api.

id is a unique identifier in the form of a UUID, as defined by RFC 4122.

VMware, Inc.

149

vCloud API Programming Guide

Table 6‑1. Summary of Administrative Requests

150

Operation

Request

Request Body

Response

Retrieve an administrative
view of an organization.

GET APIURL/admin/org/id

None

AdminOrg

Create an organization.

POST API-URL/admin/orgs

AdminOrg

Enable an organization.

POST APIURL/admin/org/id/action/e
nable

None

204 No Content

Disable an organization.

POST APIURL/admin/org/id/action/d
isable

None

204 No Content

Update an organization.

PUT APIURL/admin/org/id

AdminOrg

Create an Edge Gateway.

POST APIURL/admin/vdc/id/edgeGa
teways

EdgeGateway

Retrieve an Edge Gateway.

GET APIURL/admin/edgeGateway/i
d

None

EdgeGateway

Update Edge Gateway
services.

POST APIURL/admin/edgeGateway/i
d/action/configureServices

EdgeGatewayServiceConf
iguration

Task

Reapply Edge Gateway
Services

POST APIURL/admin/edgeGateway/i
d/action/reapplyServices

None

204 No Content

Redeploy an Edge Gateway

POST APIURL/admin/edgeGateway/i
d/action/redeploy

None

204 No Content

Delete an Edge Gateway.

DELETE APIURL/admin/edgeGateway/i
d

None

Task

Create an organization VDC
network.

POST APIURL/admin/vdc/id/networ
ks

OrgVdcNetwork

Task

Update an organization
VDC network.

PUT APIURL/admin/network/id

OrgVdcNetwork

Task

Retrieve a list of networks in
this organization VDC.

GET APIURL/admin/vdc/id/networ
ks

None

QueryResultRecords

Delete an organization VDC
network.

DELETE APIURL/admin/network/id

None

Task

Synchronize syslog server
settings for a vApp network.

POST APIURL/admin/network/id/acti
on/syncSyslogServerSettin
gs

None

Task

Synchronize syslog server
settings for an Edge
Gateway.

POST APIURL/admin/edgeGateway/i
d/action/syncSyslogServerS
ettings

None

Task

Reset a network.

POST APIURL/admin/network/id/acti
on/reset

None

Task

VMware, Inc.

Chapter 6 Creating and Managing Organizations

Table 6‑1. Summary of Administrative Requests (Continued)
Operation

Request

Request Body

Response

Retrieve the admin view of a
provider VDC.

GET APIURL/admin/providervdc/id

None

ProviderVdc

List the organization VDCs
supported by a provider
VDC.

GET APIURL/admin/providervdc/id
/vdcReferences

None

VdcReferences

Create an organization VDC.

POST APIURL/admin/org/id/vdcs

AdminVdc

Enable an organization
VDC.

POST APIURL/admin/vdc/id/action/e
nable

None

204 No Content

Disable an organization
VDC.

POST APIURL/admin/vdc/id/action/d
isable

None

204 No Content

Delete an organization VDC.

DELETE APIURL/admin/vdc/id

None

Task

Create a catalog.

POST APIURL/admin/org/id/catalogs

AdminCatalog

Share a catalog with all
organizations in your cloud.

POST APIURL/admin/catalog/id/actio
n/publish

PublishCatalogParams

204 No Content

Update catalog properties.

PUT APIURL/admin/catalog/id

AdminCatalog

Delete a catalog.

DELETE APIURL/admin/catalog/id

None

204 No Content

Update the owner of a
catalog.

PUT APIURL/admin/catalog/id/own
er

Owner

204 No Content

Create or import a user.

POST APIURL/admin/org/id/users

User

Update user properties.

PUT APIURL/admin/user/id

User

Retrieve a list of rights
granted to a user.

GET APIURL/admin/user/id/grante
dRights

None

References

Delete a user.

DELETE APIURL/admin/user/id

None

204 No Content

Import a group.

POST APIURL/admin/org/id/groups

Group

Delete a group.

DELETE APIURL/admin/group/id

None

204 No Content

Update group properties.

PUT APIURL/admin/group/id

Group

Create a role.

POST APIURL/admin/org/id/roles

Role

Update role properties.

PUT APIURL/admin/role/id

Role

Delete a role.

DELETE APIURL/admin/role/id

None

204 No Content

VMware, Inc.

151

vCloud API Programming Guide

Table 6‑1. Summary of Administrative Requests (Continued)
Operation

Request

Request Body

Response

Retrieve a list of tasks
owned by organization id.

GET API-URL/tasksList/id

None

TasksList

Retrieve a task.

GET API-URL/task/id

None

Task

Cancel a task.

POST APIURL/task/id/action/cancel

None

204 No Content

Administrator Credentials and Privileges
An administrator's privileges are scoped by the organization to which the administrator authenticates.
The vCloud API defines two levels of administrative privilege:
n

Organization administrators, who have administrative privileges in a specific organization.

System administrators, who have superuser privileges throughout the system. System administrators
are members of the System organization, and can create, read, update, and delete all objects in a cloud.
They have organization administrator rights in all organizations in a cloud, and can operate directly on
vSphere resources to create and modify provider VDCs, external networks, network pools, and similar
system-level objects.

Some administrative operations, and all vSphere platform operations, are restricted to the system
administrator. Before you attempt these operations, log in to the System organization with the user name
and password of the system administrator account that was created when vCloud Director was installed.
For example, if the system administrator’s user name and password was defined as administrator and
Pa55w0rd, the system administrator login credentials are the MIME Base64 encoding of the string
administrator@System:Pa55w0rd.
NOTE When logging in using a SAML identity provider, the system administrator must use the vSphere
SSO Service as the identity provider. See “Create a Login Session Using a SAML Identity Provider,” on
page 46.

The System Organization
The System organization is created automatically when vCloud Director is installed. Unlike the
organizations represented by Org and AdminOrg objects, the System organization cannot contain catalogs,
VDCs, groups, or users who are not system administrators.

Example: The System Organization
When a system administrator logs in to the REST API, the OrgList in the returned Session element contains
a link to the System organization.

...

152

VMware, Inc.

Chapter 6 Creating and Managing Organizations

Organization Administration
System administrators create organizations and organization administrators, and establish certain
organization policies. Organization administrators populate their organization with users and groups,
assign roles, and can update most organization policies and properties.
A cloud can contain one or more organizations. Each organization is a unit of administration for a collection
of users, groups, and computing resources. Users authenticate at the organization level, supplying
credentials established when the user was created or imported. User credentials are authenticated by the
organization's identity provider, which can be either the integrated identity provider included in
vCloud Director or an external SAML-based identity provider.

Create an Organization
To create an organization, a system administrator POSTs an AdminOrg element to the cloud’s add URL for
orgs.
Prerequisites
Verify that you are logged in to the vCloud API as a system administrator.
Procedure
1

Retrieve the XML representation of the cloud.
Use a request like this one.
GET https://vcloud.example.com/api/admin

Examine the response to locate the Link element that contains the URL for adding organizations to the
cloud.
This element has a rel attribute value of add and a type attribute value of
application/vnd.vmware.admin.organization+xml, as shown here:

Create an AdminOrg element that specifies the properties of the organization.
See the request portion of “Example: Create an Organization,” on page 153.

POST the AdminOrg element you created in Step 3 to the URL described in Step 2.
See the request portion of “Example: Create an Organization,” on page 153.

The server creates and enables the organization, and returns an AdminOrg element that includes the contents
you POSTed, along with a set of Link elements that you can use to access, remove, disable, or modify it.
vCloud API users can log in to this organization using the URL specified in the href attribute of the Link
where rel="alternate". Users of the vCloud Director Web console can log in to the organization at a URL of
the form cloud-url/org/name, where cloud-url is a URL of the form https://vcloud.example.com/cloud and
name is the value of the name attribute of the AdminOrg element. To log in to the organization created by
“Example: Create an Organization,” on page 153, a user opens a browser and navigates to
https://vcloud.example.com/cloud/org/Finance.

Example: Create an Organization
This request creates an organization and specifies its required properties. For a list of all required and
optional elements that an AdminOrg contains, see the schema reference.

VMware, Inc.

153

vCloud API Programming Guide

Request:
POST https://vcloud.example.com/api/admin/orgs
Content-Type: application/vnd.vmware.admin.organization+xml
...

Example Corporation’s Finance Organization
Finance

false
true
false
0
0
false
0

SYSTEM

true
true

true

The response contains information extracted from the request, and includes links that an administrator can
use to manage the organization and its settings, and to add resources such as VDCs, catalogs, and users. On
creation, AdminOrg objects are disabled by default unless the create request includes an IsEnabled element
with a value of true. A system administrator must enable a disabled AdminOrg before users can log into it.
See “Example: Enable an Organization,” on page 160
The response also includes elements inherited from system defaults, such as OrgPasswordPolicySettings,
VAppLeaseSettings, and VAppTemplateLeaseSettings. The full content of these elements appears in the actual
response. This example shows only a subset.
Response:
201 Created
Content-Type: application/vnd.vmware.admin.organization+xml
...

Example Corporation’s Finance Organization
Finance
false

VMware, Inc.

155

vCloud API Programming Guide

false
true
false
0
0
false
0

...

156

VMware, Inc.

Chapter 6 Creating and Managing Organizations

Retrieve or Update Organization Settings
Organization settings define organization policies such as default lease settings for vApps and how
incorrect login attempts are handled. They also configure how the organization uses services such as email
and LDAP, and define the organization's federated identity provider if it uses one.
An AdminOrg element contains an OrgSettings element, which contains the following elements, each of
which represents a group of related organization settings. Default settings are inherited from the containing
cloud.
GeneralOrgSettings

Specifies storage and deployment quotas and other behaviors for virtual
machines owned by members of this organization. Sets the scope of catalog
publication and subscription within this organization.

VAppLeaseSettings

Controls storage and deployment leases for vApps.

VAppTemplateLeaseSettin
gs

Controls storage and deployment leases for vApp templates.

OrgLdapSettings

Defines whether this organization is connected to an LDAP service, and
whether it uses the service defined in the system LdapSettings or a custom
LDAP service defined here.

OrgEmailSettings

Defines whether this organization uses the email service defined in the
system EmailSettings or a custom email service defined here.

OrgPasswordPolicySettin
gs

Specifies policies to be followed when a user in this organization enters an
incorrect password. Initial values are inherited from the system
PasswordPolicySettings.

OrgOperationLimitsSetti
ngs

Specifies limits to be placed on simultaneous resource-intensive operations
and console sessions for members of this organization.

OrgGuestPersonalization
Settings

Default values for GuestCustomizationSection elements in virtual machines
created by this organization. See “Retrieve or Modify the
GuestCustomizationSection of a Virtual Machine,” on page 137

OrgFederationSettings

Defines the SAML identity provider used by this organization. An
organization can define a SAML identity provider that it shares with other
applications or enterprises. Users that authenticate to the identity provider
obtain a token that they can then use to log in to the organization. Such a
strategy can enable an enterprise to provide access to multiple, unrelated
services, including vCloud Director with a single set of credentials, an
arrangement often referred to as "single sign-on." An organization that wants
to participate in a federated identity scheme must include an
OrgFederationSettings element that contains SAML metadata retrieved from
the federation's identity provider. By default, this element is empty.
NOTE To update or remove OrgFederationSettings after a SAML identity
provider has been specified, you must include an empty SAMLMetadata
element in the update request. If this element is not present in the update
request, the OrgFederationSettings are not changed.

Prerequisites
Verify that you are logged in to the vCloud API as an organization administrator or system administrator.

VMware, Inc.

157

vCloud API Programming Guide

Procedure
1

Retrieve the list of organization settings elements.
Use a request like this one:
GET https://vcloud.example.com/api/admin/org/26/settings

The response is an OrgSettings element.
2

Examine the OrgSettings element to find the links to the sections to view or modify.
Each section is represented in the OrgSettings element with a link where rel="down". You can use that
link to retrieve the section. The retrieved section includes a link where rel="edit". You can use that link
as the target of a PUT request that modifies the settings that the element represents. The OrgSettings
element itself also has a rel="edit" link, which you can use to update multiple settings sections in one
request.

Retrieve the settings element to modify.
Make a GET request to the URL in the element's href attribute value.

Modify the retrieved settings element.
Modified sections must contain all required elements, even if you are not changing their values.
Because optional elements revert to default values if they are omitted or empty, it is a best practice to
include optional elements in updates. Link elements and href attributes from responses do not need to
be included in modified sections. Some elements and attributes might be read-only. See the schema
reference for details.

Update the settings with your modifications.
Find the Link element in the settings element where rel="edit". Make a PUT request to the URL in that
link's href attribute value, and supply the modified section as the request body. See the request portion
of “Example: Update Organization General Settings,” on page 158.

Example: Update Organization General Settings
This example updates the general settings of the organization created in “Example: Create an Organization,”
on page 153. When you create or retrieve an AdminOrg, these settings are contained in the
OrgGeneralSettings element. To update them, you must use a GeneralOrgSettings element, which has the
same contents as OrgGeneralSettings. This update changes the limits on deployed and stored virtual
machines. The request includes all members of the GeneralOrgSettings element, even those that are not
changing. It is a best practice to include all members of the GeneralOrgSettings element in an update
request. Optional elements that are missing or empty in the request are reset to their default values.
Request:
PUT https://vcloud.example.com/api/admin/org/26/settings/general
Content-Type: application/vnd.vmware.admin.organizationGeneralSettings+xml
...

false
true
false
10

158

VMware, Inc.

Chapter 6 Creating and Managing Organizations

100
false
0

The response contains information extracted from the request, and includes a rel="edit" link and other
attributes that the server creates.
Response:
200 OK
Content-Type: application/vnd.vmware.admin.organizationGeneralSettings+xml
...

false
true
false
10
100
false
0

Note that when you retrieve the organization after updating its GeneralOrgSettings, you can see the results
of the update in the OrgGeneralSettings element of the AdminOrg.
GET https://vcloud.example.com/api/admin/org/26
...

...

false
true
false
10
100
false
0

...

VMware, Inc.

159

vCloud API Programming Guide

Enable, Disable, or Remove an Organization
An AdminOrg element includes action links that a system administrator can use to enable, disable, or remove
the organization.
Prerequisites
n

Verify that you are logged in to the vCloud API as a system administrator.

Retrieve the XML representation of the organization. See “Retrieve a List of Organizations Accessible to
You,” on page 49.

Procedure
n

To enable an organization, POST a request to its action/enable link.

To disable an organization, POST a request to its action/disable link.

To remove an organization, remove all the objects it contains, then disable and remove it.
a

Delete all of the following from the organization:
n

local users and groups

catalogs

VDCs

POST a request to the action/disable link to disable the organization.
After the organization is disabled, its representation includes a rel="remove" link.

Make a DELETE request to the organization's rel="remove" link.

The server takes the requested action and returns an HTTP status of 204 No Content.

Example: Enable an Organization
This example enables the organization created in “Example: Create an Organization,” on page 153.
Request:
POST https://vcloud.example.com/api/admin/org/26/action/enable

Response:
204 No Content

VDC Administration
A newly created organization has no VDCs in it. A system administrator must use system resources to
create them.
An organization virtual datacenter (organization VDC) is a deployment environment for virtual systems
owned by the containing organization, and an allocation mechanism for resources such as networks,
storage, CPU, and memory. In an organization VDC, computing resources are fully virtualized, and can be
allocated based on demand, service level requirements, or a combination of the two.
VDC administration involves the following objects:

160

A ProviderVdc, which a system administrator creates from vSphere platform resources. See “Create a
Provider VDC,” on page 251.

An AdminVdc, which a system administrator creates to allocate a subset of ProviderVdc resources to a
VDC in a specific organization. Organization members see an AdminVdc as a Vdc.

VMware, Inc.

Chapter 6 Creating and Managing Organizations

Add a VDC to an Organization
A system administrator can allocate resources from a provider VDC to a VDC in an organization by
POSTing a CreateVdcParams element to an organization’s add URL for VDCs.
Prerequisites
Verify that you are logged in to the vCloud API as a system administrator.
Retrieve the list of network pools. Several types of organization VDC networks require the VDC to include a
network pool, which you can specify when you create or update the VDC. See “Retrieve a List of External
Networks and Network Pools,” on page 246 for information about how to retrieve this list.
Procedure
1

Retrieve the XML representation of the organization to which you want to add the VDC.
Use a request like this one:
GET https://vcloud.example.com/api/admin/org/26

Examine the response to locate the Link element that contains the URL for adding VDCs to the
organization.
This element has a rel attribute value of add and a type attribute value of
application/vnd.vmware.admin.createVdcParams+xml, as shown here:

Choose a provider VDC to supply resources for the new organization VDC
a

Retrieve the XML representation of the VCloud object and examine the ProviderVdcReferences
element it contains.
The following request retrieves the representation of the VCloud object:
GET https://vcloud.example.com/api/admin

The VCloud element contains a ProviderVdcReferences element. Each provider VDC in the system
is represented in that element by a ProviderVdcReference element, as shown here:

(Optional) List the organization VDCs that each ProviderVdc supports.
The following request retrieves the list of organization VDCs that .../providervdc/2 supports:
GET https://vcloud.example.com/api/admin/providervdc/2/vdcReferences

Taking this optional step can help you allocate ProviderVdc resources equitably across the
organization VDCs in a cloud.

VMware, Inc.

161

vCloud API Programming Guide

Create a CreateVdcParams request body.
a

Include an AllocationModel element that specifies how compute resources are allocated by this
VDC.
Choose one of the following values for AllocationModel:
AllocationVApp

Pay as you go. Resources are committed to the organization VDC only
when vApps are created in it. When you use this allocation model,
any Limit values you specify for Memory and CPU are ignored when
you create a vApp and returned as 0 when you retrieve a vApp.
Resources available to this kind of organization VDC can grow or
shrink as needed when its provider VDC has multiple resource pools.

AllocationPool

Only a percentage of the resources you allocate are committed to the
organization VDC

ReservationPool

All the resources you allocate are committed as a pool to the
organization VDC. vApps in VDCs that support this allocation model
can specify values for resources and limitations.

NOTE If you choose AllocationPool or ReservationPool, you can also include an
OverCommitAllowed element in the CreateVdcParams request. Setting its value to false prevents
creation of the VDC if the ComputeCapacity you specified is greater than what the backing Provider
VDC can supply.
b

Include at least one VdcStorageProfile element that specifies a ProviderVdcStorageProfile defined
in the Provider VDC you chose in Step 3.

Include a NetworkPoolReference element.
The VDC must include a network pool if you want to create routed or isolated networks in it.

Include a ProviderVdcReference element that contains a reference to the Provider VDC you chose
in Step 3.

See the request portion of “Example: Create an Organization VDC,” on page 162.
5

POST the CreateVdcParams request body to the organization's add link for vdcs.
See the request portion of “Example: Create an Organization VDC,” on page 162.

The server creates the new VDC in the specified organization and returns an AdminVdc element that includes
a set of Link elements that you can use to access, remove, or modify the new VDC. Users can reference this
VDC using the URL specified in the href attribute in the Link where rel="alternate". See the response
portion of “Example: Create an Organization VDC,” on page 162.

Example: Create an Organization VDC
This example adds an AllocationvApp VDC to the organization created in “Example: Create an
Organization,” on page 153. The new organization VDC is provisioned from the Provider VDC created in
“Create a Provider VDC,” on page 251, and includes a storage profile named Silver, which is backed by
one of the storage profiles available in the Provider VDC. It also includes a network pool, so that it is
capable of supporting routed and isolated organization VDC networks. See “Retrieve a List of External
Networks and Network Pools,” on page 246 for information on how to find a NetworkPoolReference to use.
Request:
POST https://vcloud.example.com/api/admin/org/26/vdcsparams
Content-Type: application/vnd.vmware.admin.createVdcParams+xml
...

162

VMware, Inc.

Chapter 6 Creating and Managing Organizations

Example VDC
AllocationVApp

MHz
2048
2048

MB
2048
2048

0
100

true
MB
20480
true

1
1
2048
false

true

The response, a subset of which appears here, contains information extracted from the request, and includes
a Task element that tracks creation of the VDC. The response also includes Link elements that enable
administrative operations on the VDC, and a Capabilities element that lists the VMware virtual hardware
architectures that the VDC supports. These elements are retrieved from the Provider VDC that you specified
when you created the CreateVdcParams. While the VDC is under construction, its status remains 0.
Response:
201 Created
Content-Type: application/vnd.vmware.admin.vdc+xml
...

VMware, Inc.

163

vCloud API Programming Guide

Example VDC
...

AllocationVApp
...

vmx-04
vmx-08

...

When construction is complete, the status changes to 1 and the Task is no longer included in representation.
The following changes in the AdminVdc are also evident:
n

A reference to the vSphere resource pool that supports the VDC appears in a VCloudExtension element.

There is an empty ResourceEntities element, because the VDC contains no Media, VAppTemplate, or
Disk entities. For information about adding them, see Chapter 4, “Provisioning an Organization,” on
page 55.

There is an empty AvailableNetworks element. To add networks to this organization VDC, see “Create
an Organization VDC Network,” on page 187.

Additional Link elements are included for operations that are now valid, but that were not valid while
the VDC was under construction.

resgroup-949
RESOURCE_POOL

...

Update Organization VDC Storage Profiles
A system administrator can update the storage profiles that are available in an organization VDC. You can
add new storage profiles and remove unused storage profiles.
An organization VDC storage profile allocates a subset of the storage available in a Provider VDC storage
profile for use by vApp templates, virtual machines, and media objects in the organization VDC. For each
organization VDC storage profile you create, you must specify a storage limit, which cannot exceed the
storage available in the Provider VDC storage profile (the value of CapacityTotal–CapacityUsed in the
ProviderVdcStorageProfile). When you update organization VDC storage profiles, you can change the
default storage profile and modify the limits on existing storage profiles.
NOTE Storage profiles are represented as Storage Policies in the vCloud Director Web console.
Prerequisites
Verify that you are logged in to the vCloud API as a system administrator.
Procedure
1

Retrieve the XML representation of the VDC in the admin view.
Use a request like this one:
GET https://vcloud.example.com/api/admin/vdc/44

Examine the AdminVdc element to find the vdcStorageProfiles link, VdcStorageProfiles element, and
ProviderVdcReference element it contains.
The vdcStorageProfiles link has the following form:

166

VMware, Inc.

Chapter 6 Creating and Managing Organizations

Create an UpdateVdcStorageProfiles request body that specifies the details of the update.
To add a storage profile:
a

Select a storage profile from the Provider VDC referenced in the ProviderVdcReference element of
the VDC you are updating.
The storage profile must not be listed in the VdcStorageProfiles element of the VDC you are
updating.

Include an AddStorageProfile element in the UpdateVdcStorageProfiles request body.
The AddStorageProfile element must specify values for Units, Limit, and Default, and must
include a reference to the Provider VDC storage profile on which it is based. You can add multiple
storage profiles in a single request. Only one of them can specify Default as true. If any
AddStorageProfile element specifies Default as true, that storage profile becomes the new default
storage profile for the VDC.

To remove a storage profile:
a

Examine the VdcStorageProfiles element and find the profile to remove.

Verify that it is not the default storage profile for the VDC, and that no virtual machines are using
it.
You can use the adminVm query and filter on the storageProfileName attribute to list all storage
profiles that are in use.

c
4

Create an UpdateVdcStorageProfiles element that contains a DeleteStorageProfile element for
each storage profile to remove.

POST the UpdateVdcStorageProfiles element to the VDC's vdcStorageProfiles link.

Example: Update VDC Storage Profiles
This request adds a storage profile to the VDC created in “Example: Create an Organization VDC,” on
page 162. The new storage profile is one of the profiles available from the Provider VDC that backs this
organization VDC.
One way to retrieve a list of all the Provider VDC storage profiles available from a specific Provider VDC is
to use the query service. This query applies a filter that selects only those storage profiles available from the
Provider VDC that backs the organization VDC created in “Example: Create an Organization VDC,” on
page 162.
GET https://vcloud.example.com/api/query?type=providerVdcStorageProfile&format=references
&filter=providerVdc==https://vcloud.example.com/api/admin/providervdc/35

The response might look something like this:

...

Using information, you can construct the AddStorageProfile element in the request body.
Request:
POST https://vcloud.example.com/api/admin/vdc/44/vdcStorageProfiles
Content-Type: application/vnd.vmware.admin.updateVdcStorageProfiles+xml
...

true
MB
5038
false

Response:
202 Accepted
Content-Type: application/vnd.vmware.vcloud.task+xml
...

...

Enable, Disable, or Remove a VDC
A system administrator can use the enable, disable, and remove links in an AdminVdc body to enable, disable,
or remove an organization VDC.
Prerequisites
Verify that you are logged in to the vCloud API as a system administrator.
Procedure
n

To enable a VDC, POST a request to its action/enable link.

To disable a VDC, POST a request to its action/disable link.
When you disable an organization VDC, you prevent further use of its compute and storage resources.
Running vApps and powered on virtual machines continue to run, but you cannot create or start
additional vApps or virtual machines.

168

To remove a VDC, remove all the objects it contains, then disable and remove it.
a

Relocate or remove any vApps that have been uploaded to the VDC.

Remove any organization VDC networks that the VDC contains.

Remove any Edge Gateways that the VDC contains.

VMware, Inc.

Chapter 6 Creating and Managing Organizations

POST a request to its action/disable link to disable the VDC.
After the VDC is disabled, its representation includes a rel="remove" link.

Make a DELETE request to the VDC's rel="remove" link.

The server takes the requested action and returns an HTTP status of 204 No Content.

Network Administration
A newly created organization VDC has no networks in it. After a system administrator has created the
required network infrastructure, an organization administrator can create and manage most types of
organization VDC networks.
An organization VDC can be provisioned with one or more networks. These organization VDC networks
can be configured to provide direct or routed connections to external networks, or can be isolated from
external networks and other organization VDC networks. Routed connections require an Edge Gateway and
network pool in the VDC. The Edge Gateway provides firewall, network address translation, static routing,
VPN, and load balancing services.

About vCloud Director Networks
There are three categories of vCloud Director networks: external networks, organization VDC networks, and
vApp networks. Additional infrastructure objects such as Edge Gateways and network pools are required
by most categories of networks.
You must be a system administrator to create an external network, a directly connected organization VDC
network, a network pool, or an Edge Gateway. An organization administrator can create and modify routed
and isolated organization VDC networks, and any user who has vApp Author rights can create and modify
a vApp network.

vApp Networks
A vApp network is a logical network that controls how the virtual machines in a vApp connect to each other
and to organization VDC networks. Users specify vApp network details in an instantiateVAppTemplate or
composeVApp request. The network is created when the vApp is deployed, and deleted when the vApp is
undeployed. All nonisolated virtual machines in the vApp connect to a vApp network, as specified in their
NetworkConnectionSection elements.
Every VApp element includes a link that you can use to retrieve details of a vApp network that it contains, as
the following example shows.

Retrieve the the XML representation of the Provider VDC.
Use a request like this one:
GET https://vcloud.example.com/api/admin/extension/providervdc/35

The AvailableNetworks element in the response lists the external networks that are available to that
Provider VDC, and to all the organization VDCs that it supports.

...

Choose an available external network to provide the initial interface for the new Edge Gateway.
See “Example: Create an Edge Gateway,” on page 174 for more information about criteria for
choosing an external network.
3

Create an EdgeGateway element.
In the GatewayInterfaces element, create a GatewayInterface element that defines an uplink interface.

VMware, Inc.

Specify uplink for the InterfaceType.

Include the external network reference you retrieved in Step 2 in the Network element.

If you plan to create a NAT service or load balancer service in the Edge Gateway, you must create
an IP sub-allocation for the uplink by including a SubnetParticipation element in the
GatewayInterface element. IP addresses in the range you specify in this element are reserved for
use by this Edge Gateway.

173

vCloud API Programming Guide

For information about additional elements that an EdgeGateway can contain, see “Example: Create an
Edge Gateway,” on page 174 and the schema reference.
4

POST the EdgeGateway element to the URL for adding Edge Gateways to the organization VDC.

Example: Create an Edge Gateway
This example adds an Edge Gateway to the organization VDC created in “Add a VDC to an Organization,”
on page 161. The uplink interface specifies one of the networks shown in Step 2b. For the purposes of this
example, assume that the external network has a Configuration element that includes this information:

...
10.147.115.190
255.255.255.0
...

10.147.115.129
10.147.115.189

10.147.115.129
10.147.115.133
10.147.115.132
10.147.115.130

...

You can see the values from this external network's IpScope reflected in the SubnetParticipation element of
the EdgeGateway. The address range specified in the IpRange element of this GatewayInterface must be
within the IpRanges of the external network, and cannot include any IP addresses listed in the external
network's AllocatedIpAddresses element. You can specify a contiguous IpRange, as we do in this example,
or you can include multiple IpRange elements in the IpRanges if you need more IP addresses than are
available in a contiguous block.
The external network specified in the GatewayInterface created in this example becomes the default route
from this Edge Gateway (UseForDefaultRoute has a value of true). The default DNS service address is
inherited from the network specified as the default route.

174

VMware, Inc.

Chapter 6 Creating and Managing Organizations

Request:
POST https://vcloud.example.com/api/admin/vdc/44/edgeGateways
Content-Type: application/vnd.vmware.admin.edgeGateway+xml
...

Example Edge Gateway

compact

uplink1
uplink1

uplink

10.147.115.190
255.255.255.0

10.147.115.155
10.147.115.165

true

false
false

The response is an EdgeGateway element with an embedded Task element that tracks the creation of the Edge
Gateway object.
The response includes a number of Link elements that you can use to manage the new Edge Gateway. It also
includes an EdgeGatewayServiceConfiguration element that contains a simple FirewallService, which drops
all incoming and outgoing packets, effectively blocking all traffic through the Edge Gateway. This service is
created by default if you do not specify an EdgeGatewayServiceConfiguration when you create the
EdgeGateway. To remove or modify it, see “Configure Edge Gateway Services,” on page 177.
Response:

...

compact

uplink
false
true

true
drop
false

176

VMware, Inc.

Chapter 6 Creating and Managing Organizations

false
false

Configure Edge Gateway Services
An organization administrator or system administrator can configure NAT, firewall, and similar services on
an existing Edge Gateway by updating its EdgeGatewayServiceConfiguration.
The Configuration element of an EdgeGateway includes an EdgeGatewayServiceConfiguration element,
which can contain definitions of any of the services listed in “Edge Gateways,” on page 171. Details of
service configurations vary, but the mechanism is the same for creating or updating any Edge Gateway
service.
You can include an EdgeGatewayServiceConfiguration element that defines one or more services when you
create an Edge Gateway, or you can create the Edge Gateway without this element, as shown in “Create an
Edge Gateway,” on page 172, then update it to add or change services as needed. Note that some services
require a reference to one or more Edge Gateway interfaces, and cannot be configured until those interfaces
exist.
Prerequisites
Verify that you are logged in to the vCloud API as an organization administrator or system administrator.
Procedure
1

Retrieve the XML representation of the Edge Gateway.

Examine the response to locate the Link element that contains the URL for configuring services on the
Edge Gateway.
This element has a rel attribute value of add and a type attribute value of
application/vnd.vmware.admin.edgeGatewayServiceConfiguration+xml, as the following example
shows:

Copy the EdgeGatewayServiceConfiguration element from the EdgeGateway you retrieved in Step 1.
The configureServices action replaces the entire contents of the existing
EdgeGatewayServiceConfiguration with the one in the request body. Using the existing
EdgeGatewayServiceConfiguration as the basis for your modifications reduces the chances of
unintentional service changes.

Modify the EdgeGatewayServiceConfiguration that you copied in Step 3 to add, remove, or change the
services that this Edge Gateway offers.
An EdgeGatewayServiceConfiguration element can contain any of the following elements:

VMware, Inc.

FirewallService

GatewayDhcpService

GatewayIpsecVpnService

LoadBalancerService

NatService

StaticRoutingService

177

vCloud API Programming Guide

POST the modified EdgeGatewayServiceConfiguration element to the URL in the value of the href
attribute of the configureServices link described in Step 2.

The server takes the requested action and returns a Task element that tracks the progress of the request.
When the task completes successfully, the EdgeGatewayServiceConfiguration element you POSTed replaces
the one you copied in Step 3.
Example: Configure Services on an Edge Gateway
This example replaces the default firewall service on the Edge Gateway created in “Create an Edge
Gateway,” on page 172. For details about this FirewallService, see “Firewall Service Configurations,” on
page 179
Request:
POST https://vcloud.example.com/api/admin/edgeGateway/2000/action/configureServices
Content-Type: application/vnd.vmware.admin.edgeGatewayServiceConfiguration+xml
...

true
allow
false

true
allow incoming ssh
allow

true

22
Internal
Any
External
true

true
deny incoming telnet
drop

true

23
Internal
Any
External
false

178

VMware, Inc.

Chapter 6 Creating and Managing Organizations

Response:
202 Accepted
Content-Type: application/vnd.vmware.vcloud.task+xml
...

Firewall Service Configurations
The default FirewallService in an EdgeGatewayServiceConfiguration is enabled and configured to block all
incoming traffic. You can modify that FirewallService to allow incoming traffic, block outgoing traffic, or
both.
A firewall service configuration includes several important parameters.
Firewall Rules
Each firewall rule specifies a protocol, IP address, and port. Packets that match the criteria in the rule are
subject to an action defined in the Policy element of the rule. The action can forward the packet to the
destination IP address and port, or drop it and optionally log a message describing the packet that was
dropped. Packets that do not match any rule are subject to the policy contained in the DefaultAction
element of the FirewallService.
Firewall Rule Logging
The Configuration element of an EdgeGateway can include SyslogServerSettings that specify IP addresses to
which syslog messages are sent. When you specify a value of true in the EnableLogging element of a
FirewallRule, all packets that trigger the rule are logged to the configured syslog server. Logging for all
rules is controlled by the value of the LogDefaultAction element of the FirewallService.
Port and Address Ranges
These elements in a FirewallRule specify source and destination IP ports and addresses to which the rule
applies.
Example: Firewall Service Definition with Two Rules
This fragment of an EdgeGatewayServiceConfiguration defines a firewall service with two rules: one that
allows incoming SSH connection, and one that denies incoming Telnet connections. These rules apply to any
virtual machine that connects to a network backed by this Edge Gateway. Each rule is defined in a
FirewallRule element, and can include the following specifications:
Policy

The default policy value, allow, causes the firewall to forward packets that
match the rules. Specify drop to drop packets that match the rules.

Protocols

By default, a rule applies to both UDP and TCP protocols. You can limit the
rule to one protocol or the other by including Tcp and Udp elements in
Protocols and specifying a value of true or false for each.

SourcePortRange

Specify a source IP port or port range, or set to any to match any port.

DestinationPortRange

Specify a destination IP port or port range, or set to any to match any port.

SourceIp

Specify a source IP address, or use one of these strings.

VMware, Inc.

179

vCloud API Programming Guide

Table 6‑3. SourceIp and DestinationIp Values
Value

Result

Any

Matches any IP address

Internal

Matches any IP address originating on
an organization VDC network connected
to this EdgeGateway. When used in a
vApp network, matches any IP address
assigned to a virtual machine in the
vApp.

External

Matches any IP address originating on
an external network connected to this
EdgeGateway. When used in a vApp
network, matches any IP address except
those assigned to a virtual machine in
the vApp.

DestinationIp

Specify a source IP address, or use one of the strings shown in Table 6-3.

EnableLogging

Set to true to log all packets that trigger this rule. See “Firewall Rule
Logging,” on page 179.

Rules are applied to packets in the order in which the FirewallRule elements appear in the FirewallService
definition.
NOTE The system assigns an Id value to each rule you create and uses these values when logging rule
actions.

true
allow
false

true
allow incoming ssh
allow

true

22
Internal
Any
External
false

true
deny incoming telnet
drop

true

23
Internal
Any

180

VMware, Inc.

Chapter 6 Creating and Managing Organizations

External
false

You can see this fragment in the context of an Edge Gateway configuration in “Example: Configure Services
on an Edge Gateway,” on page 178.

NAT Service Configurations
An Edge Gateway configuration can define a NAT (Network Address Translation) service that translates
source or destination IP addresses and port numbers. In the most common case, you associate a NAT service
with an uplink interface on an Edge Gateway so that addresses on organization VDC networks are not
exposed on the external network.
A NAT service in an EdgeGatewayServiceConfiguration can include one or more rules, each of which is
expressed in a GatewayNatRule element. Each rule translates the original IP address, port, or both, and
applies to a network connected to the Edge Gateway. If the network is an uplink (to an external network),
the network must include an IP sub-allocation pool.
There are two kinds of rules, as expressed in the value of the RuleType element:
SNAT

Source network address translation. This kind of rule translates the packet's
source address and, optionally, source IP port to the values you specify.

DNAT

Destination network address translation. This kind of rule translates the
packet's destination address and, optionally, destination IP port to the values
you specify.

Example: NAT Service
The following fragment of an EdgeGatewayServiceConfiguration defines and enables a NatService that
applies one destination NAT rule and one source NAT rule to the uplink interface defined in
“Example: Create an Edge Gateway,” on page 174. In the DNAT rule, the OriginalIp and OriginalPort
apply to the destination IP address and port of the packet being inspected. In the SNAT rule, the OriginalIp
and OriginalPort apply to the source IP address and port of the packet being inspected. When you create an
SNAT rule, you do not need to specify values for TranslatedPort and OriginalPort, which default to any.
NOTE The system assigns an Id value to each rule you create and uses these values when logging rule
actions.

true

DNAT
true

10.147.115.155
any
192.168.0.10
any
any
any

VMware, Inc.

181

vCloud API Programming Guide

SNAT
true

192.168.0.10-192.168.0.255
10.147.115.155
any

To add this service to an Edge Gateway, include it in an EdgeGatewayServiceConfiguration. See
“Example: Configure Services on an Edge Gateway,” on page 178.

Static Routing Service Configurations
An Edge Gateway or routed vApp network configuration can define a static routing service that specifies
one or more static routes.
You can create static routes between two organization VDC networks, or between routed vApp networks
that do not have overlapping IP address spaces. Static routing service details and routes are defined in a
StaticRoutingService element contained by the Features element of a vApp network's Configuration or the
GatewayFeatures element of an Edge Gateway's Configuration. A StaticRoutingService element can
contain zero or more StaticRoute elements. Each StaticRoute specification requires the following elements.
Name

Name for the route.

Network

Network specification in CIDR notation.

NextHopIp

IP address of the next hop on the route. This address is typically the value in
the ExternalIp element of the RouterInfo from the network to which this
static route connects.

Interface

Specify internal if NextHopIp contains an IP address in the same network.
Specify external if NextHopIp contains an IP address in a different network.

GatewayInterface

Used when configuring a static route in an organization VDC network.
Contains a reference to the organization VDC network for which the static
route is configured.

Example: Static Routes Between Organization VDC Networks
Assume two routed organization VDC networks, as defined in this fragment of an EdgeGateway element.

vnic2
routed1

internal

192.168.3.1
255.255.255.0
192.168.3.1

182

VMware, Inc.

Chapter 6 Creating and Managing Organizations

false

vnic3
routed2

internal

172.168.0.1
255.255.255.0
172.168.0.1

false

The organization VDC network named routed1 has Gateway address 192.168.3.1.

The organization VDC network named routed2 has Gateway address 172.168.0.1.

The Configuration of the vApp network in vApp1 has a RouterInfo element whose ExternalIp value is
192.168.2.100.

The Configuration of the vApp network in vApp2 has a RouterInfo element whose ExternalIp value is
192.168.1.100.

A StaticRoutingService defined by the following fragment creates a static route to vApp1 from network
routed1, and a static route to vApp2 from network routed2.

true

TovApp1
192.168.2.0/24
192.168.3.10
Internal

TovApp2
192.168.1.0/24
172.168.0.10
Internal

To add this service to an Edge Gateway, include it in an EdgeGatewayServiceConfiguration. See
“Example: Configure Services on an Edge Gateway,” on page 178.

VMware, Inc.

183

vCloud API Programming Guide

Static Routes Between vApp Networks
For an example of a static routing service in a vApp network, see “Network Services in vApp Networks,” on
page 131.

Load Balancer Service Configurations
An Edge Gateway can provide load-balancing services that allow you to distribute incoming requests to a
specific external IP address across multiple internal IP addresses. Several load-balancing algorithms are
supported.
A load balancer service provides load balancing for TCP, HTTP, and HTTPS traffic. The load balancer
accepts incoming IP requests on an external or internal interface, and uses the algorithm you specify to
distribute requests across a pool of servers.
To add a load-balancer service to an Edge Gateway, include a LoadBalancerService element in the Edge
Gateway's EdgeGatewayServiceConfiguration.
Example: Load Balancer Service
This fragment of anEdgeGatewayServiceConfiguration defines a LoadBalancerService that accepts incoming
requests at external address https://192.168.1.100 and balances them across two servers at internal
addresses 10.200.100.10 and 10.200.100.11. The following elements define a LoadBalancerService:
n

A Pool that contains ServicePort and Member elements. A LoadBalancerService must include a Pool that
defines a ServicePort for each protocol on which the load balancer handles incoming requests. You can
define up to three ServicePort elements, one for each supported protocol (HTTP, HTTPS, TCP). This
load balancer handles only SSL (HTTPS) requests, so it requires only one ServicePort element in its
Pool.
You must specify one of the following load-balancing algorithms in the Algorithm element of the
ServicePort.
IP_HASH

Selects a server based on a hash of the source and destination IP address
of each packet.

LEAST_CONN

Distributes client requests to multiple servers based on the number of
connections already on the server. New connections are sent to the server
with the fewest connections.

ROUND_ROBIN

Each server is used in turn according to the weight assigned to it. This is
the smoothest and fairest algorithm when the server's processing time
remains equally distributed.

URI

The left part of the URI, before the question mark, is hashed and divided
by the total weight of the running servers. The result designates which
server receives the request, ensuring that a request is always directed to
the same server as long as all servers remain available.

The Pool in this example also defines an optional HealthCheck element that specifies parameters used
for periodic verification that all pool members are responding to requests.
Each Member element in the Pool specifies the IpAddress of a virtual machine that provides the service
being requested. Incoming requests are balanced across all members of the pool. Because the Algorithm
specified for this Pool is ROUND_ROBIN, each Member must be assigned a Weight.

184

VMware, Inc.

Chapter 6 Creating and Managing Organizations

A VirtualServer element that defines the Interface, an internal or external interface defined by the
containing EdgeGateway, on which requests are accepted. The network referenced in the Interface
element must be configured with an IP sub-allocation.

NOTE Each Member of a load balancer Pool can contain its own ServicePort element. If this element is
present in a Member, its contents override the ServicePort element of the Pool.
For more information about LoadBalancerService elements and attributes, see the schema reference.

true

HTTPS_pool

true
HTTPS
ROUND_ROBIN
443

TCP
2
3
5
15

10.200.100.10
1

10.200.100.11
1

true
Example Virtual Server
Incoming LoadBalancerService Requests

192.168.1.100

true
HTTPS
443

SSL_SESSION_ID

VMware, Inc.

185

vCloud API Programming Guide

true
HTTPS_pool

To add this service to an Edge Gateway, include it in an EdgeGatewayServiceConfiguration. See
“Example: Configure Services on an Edge Gateway,” on page 178.

IPsec VPN Service Configurations
An Edge Gateway configuration can define an IPsec virtual private networking (VPN) service to provide
secure virtual private networking within an organization, between organization VDC networks, or between
an organization VDC network and an external IP address.
An EdgeGateway can contain zero or more GatewayIpsecVpnService elements, each of which defines VPN
tunnels and endpoints.
Example: IPsec VPN Service in an Edge Gateway

true

Example VPN Tunnel

3786bb05-dc9a-471b-91cd-554499d45629
gw02

10.147.46.68
C64E127E-5E86-C57C-17ED-EB175A7A1811
10.147.46.66
6844BBB4-24E6-7A50-0F29-EB175A7AD899

nw01
192.168.1.1
255.255.255.0

nw02
192.168.2.1
255.255.255.0

L3hithJa3zH7K4q2tH...
false
AES256
1500
true

To add this service to an Edge Gateway, include it in an EdgeGatewayServiceConfiguration. See
“Example: Configure Services on an Edge Gateway,” on page 178.

186

VMware, Inc.

Chapter 6 Creating and Managing Organizations

Gateway DHCP Service Configurations
An Edge Gateway configuration can define a DHCP service that assigns IP addresses to clients on
organization VDC networks. You can configure multiple address pools, each of which defines a range of IP
addresses that are reserved for a specific network.
DHCP services for organization VDC networks are provided by the Edge Gateway to which those network
connect. An EdgeGateway can contain an more GatewayDhcpService element. The service can define a pool of
IP addresses for each organization VDC connected to the Edge Gateway.
NOTE To provide DHCP services on a vApp network, use the DhcpService element.
Example: Gateway DHCP Service
The following fragment of an EdgeGatewayServiceConfiguration defines and enables a GatewayDhcpService
that defines two Pool objects, each of which allocates a range of IP addresses for a single organization VDC
network.

true

3600
7200
10.100.1.100
10.100.1.150

true

3600
7200
10.100.1.200
10.100.1.250

To add this service to an Edge Gateway, include it in an EdgeGatewayServiceConfiguration. See
“Example: Configure Services on an Edge Gateway,” on page 178.

Create an Organization VDC Network
To add a network to an organization VDC, an administrator POSTs an OrgVdcNetwork element to the VDC's
add URL for networks. An organization VDC network with a direct connection to an external network must
be created by a system administrator. All other organization VDC network types can be created by either a
system administrator or an organization administrator.
The contents of the Configuration element of the OrgVdcNetwork define the properties of the network,
including its connections to other networks. See “Create an Organization VDC Network With a Direct
Connection,” on page 188, “Create an Organization VDC Network With a Routed Connection,”
on page 191, and “Create an Isolated Organization VDC Network,” on page 194.

VMware, Inc.

187

vCloud API Programming Guide

For more information about the types of networks you can create and the resources on which they depend,
see “About vCloud Director Networks,” on page 169.
Prerequisites
Verify that you are logged in to the vCloud API as an organization administrator or system administrator.
Procedure
1

Retrieve the XML representation of the organization VDC to which you want to add the network.
This request retrieves the admin view of an organization VDC.
GET https://vcloud.example.com/api/admin/vdc/44

Examine the response to locate the Link element that contains the URL for adding networks to the VDC.
This element has a rel attribute value of add and a type attribute value of
application/vnd.vmware.admin.orgVdcNetwork+xml, as shown here:

Create an OrgVdcNetwork element.

POST the OrgVdcNetwork element to the URL described in Step 2.

The server takes the requested action and returns a Task element that tracks the progress of the request. The
Owner element of this task includes the href attribute of the new network. When the task completes, you can
use the value of this attribute with a GET request to retrieve the XML representation of the new network.

Create an Organization VDC Network With a Direct Connection
An organization VDC network with a direct connection provides direct layer 2 connectivity to machines and
networks outside of the organization VDC. Machines outside of this organization VDC can connect to
machines within the organization VDC directly.
An organization VDC network with a direct connection is configured as a child network of one of the
external networks provisioned to the cloud by the system administrator.
Prerequisites

188

Verify that you are logged in to the vCloud API as a system administrator.

Retrieve the list of external networks. For information about how to retrieve this list, see “External
Networks and Network Pools,” on page 172.

VMware, Inc.

Chapter 6 Creating and Managing Organizations

Procedure
1

Choose the external network to which this organization VDC network will connect.
This external network must be one of the ones listed in the AvailableNetworks element of the Provider
VDC that backs the organization VDC in which you are creating the new network. Follow these steps to
find a suitable external network.
a

Retrieve the XML representation of the organization VDC in which you are creating the new
network.
Use a request like this one:
GET https://vcloud.example.com/api/admin/vdc/44

The ProviderVdcReference element in the response contains a reference to the Provider VDC that
backs this organization VDC.

...

Retrieve the the XML representation of the Provider VDC.
Use a request like this one:
GET https://vcloud.example.com/api/admin/extension/providervdc/35

The AvailableNetworks element in the response lists the external networks that are available to that
Provider VDC, and to all the organization VDCs that it supports.

Create an OrgVdcNetwork element.
a

Specify the href of the external network you chose in Step 1 in the ParentNetwork element.
The type and name attributes are optional here.

Set the FenceMode to bridged.
This creates a direct connection to the parent network.

See the request portion of “Example: Create an Organization VDC Network With a Direct Connection,”
on page 190.
3

POST the OrgVdcNetwork element you created in Step 2 to the URL for adding networks to the
organization VDC.
See the request portion of “Example: Create an Organization VDC Network With a Direct Connection,”
on page 190.

VMware, Inc.

189

vCloud API Programming Guide

The server takes the requested action and returns an XML representation of the partially-created object. This
representation includes an href attribute, properties specified in the creation request, and an embedded
Task element that tracks the creation of the object. When the task completes, the object has been created, and
you can use the value of the href attribute with a GET request to retrieve the XML representation of the
object.
See the response portion of “Example: Create an Organization VDC Network With a Direct Connection,” on
page 190.
Example: Create an Organization VDC Network With a Direct Connection
This example adds a directly-connected network to the organization VDC created in “Add a VDC to an
Organization,” on page 161. Because the network has a Configuration whose ParentNetwork element
specifies an external network to connect to and sets the FenceMode to bridged, it provides a direct connection
to the parent network.
Request:
POST https://vcloud.example.com/api/admin/vdc/44/networks
Content-Type: application/vnd.vmware.vcloud.orgVdcNetwork+xml
...

Bridged to the public Internet

bridged

Response:
201 Created
Content-Type: application/vnd.vmware.vcloud.orgVdcNetwork+xml
...

190

VMware, Inc.

Chapter 6 Creating and Managing Organizations

Bridged to the public Internet

...

false

Create an Organization VDC Network With a Routed Connection
An organization VDC network with a routed connection provides controlled access to machines and
networks outside of the organization VDC. System administrators and organization administrators can
configure network address translation (NAT) and firewall settings on the network's Edge Gateway to make
specific virtual machines in the VDC accessible from an external network.
Prerequisites
n

Verify that you are logged in to the vCloud API as an organization administrator or system
administrator.

Procedure
1

Retrieve the list of Edge Gateways in the organization VDC in which you plan to create the routed
network.
You can use a query like this one, where href is the value of the href attribute of your organization VDC:
https://vcloud.example.com/api/query?type=edgeGateway&format=records&filter=vdc==href

If this organization VDC does not contain any Edge Gateways, or does not contain an Edge Gateway
that has the configuration you want, a system administrator can create a new Edge Gateway. See
“Create an Edge Gateway,” on page 172.
2

Choose an Edge Gateway that has interface capacity available.
An Edge Gateway can support a maximum of nine internal and external interfaces. At least one of those
interfaces is typically consumed by a connection to an external network. Creation of a routed
organization VDC network requires the Edge Gateway to have an unused interface available for the
new network. To see how many interfaces each Edge Gateway in your organization VDC is using, you
can run the query shown in Step 1, then add the values of the numberOfExtNetworks and
numberOfOrgNetworks attributes. If the total is less than 9, the Edge Gateway can accommodate a new
routed organization VDC network.

VMware, Inc.

191

vCloud API Programming Guide

Create an OrgVdcNetwork element.
a

Specify a value of natRouted in the FenceMode element of the network Configuration.
You can specify additional Configuration parameters, as noted in the schema reference.

Specify the href of the Edge Gateway you chose in Step 1 in the EdgeGateway element.

See the request portion of “Example: Create an Organization VDC Network With a Routed
Connection,” on page 192.
4

The server takes the requested action and returns an XML representation of the partially-created object. This
representation includes an href attribute, properties specified in the creation request, and an embedded
Task element that tracks the creation of the object. When the task completes, the object has been created, and
you can use the value of the href attribute with a GET request to retrieve the XML representation of the
object.
See the response portion of “Example: Create an Organization VDC Network With a Routed Connection,”
on page 192.
Example: Create an Organization VDC Network With a Routed Connection
This example adds a routed network to the organization VDC created in “Add a VDC to an Organization,”
on page 161. The network connects through the Edge Gateway created in “Create an Edge Gateway,” on
page 172. Because the creation request sets the value of the IsShared element to true, the new network is
made available in all VDCs in this organization.
Request:
POST https://vcloud.example.com/api/admin/vdc/44/networks
Content-Type: application/vnd.vmware.vcloud.orgVdcNetwork+xml
...

Routed through an Edge Gateway

false
192.168.0.1
255.255.255.0
10.147.115.1
example.com

192.168.0.100
192.168.0.199

natRouted

192

VMware, Inc.

Chapter 6 Creating and Managing Organizations

true

Response:
201 Created
Content-Type: application/vnd.vmware.vcloud.orgVdcNetwork+xml
...

Routed through an Edge Gateway

...
false

true

NOTE When the Task completes, the new network is represented in the EdgeGateway by a GatewayInterface
whose InterfaceType is Internal. Unlike the Uplink interface that you create when you create an
EdgeGateway, an internal interface cannot be created explicitly. It is created only as a side-effect of creating a
routed organization VDC network.

Create an Isolated Organization VDC Network
An isolated organization VDC network provides an isolated, private network that machines in the
organization VDC can connect to. This network provides no connectivity to machines outside this
organization VDC.
Prerequisites
n

Verify that you are logged in to the vCloud API as an organization administrator or system
administrator.

Procedure
1

Create an OrgNetwork element.
See the request portion of “Example: Create an Isolated Organization VDC Network,” on page 194.

POST the OrgNetwork element you created in Step 1 to the URL for adding networks to the organization
VDC
See the request portion of “Example: Create an Isolated Organization VDC Network,” on page 194.

The server takes the requested action and returns an XML representation of the partially-created object. This
representation includes an href attribute, properties specified in the creation request, and an embedded
Task element that tracks the creation of the object. When the task completes, the object has been created, and
you can use the value of the href attribute with a GET request to retrieve the XML representation of the
object.
See the response portion of “Example: Create an Isolated Organization VDC Network,” on page 194.
Example: Create an Isolated Organization VDC Network
This example adds an isolated network to the organization VDC created in “Add a VDC to an
Organization,” on page 161. It includes a ServiceConfig element that configures a DHCP service for the
network. This type of DHCP service is identical to the DHCP service supported for a vApp network, and
can specify only a single IP address range. No other network services can be created in an isolated
organization VDC network.
Request:
POST https://vcloud.example.com/api/admin/vdc/44/networks
Content-Type: application/vnd.vmware.vcloud.orgVdcNetwork+xml
...

Isolated Organization VDC Network

194

VMware, Inc.

Chapter 6 Creating and Managing Organizations

false
192.168.0.1
255.255.255.0
10.147.115.1
example.com

192.168.0.100
192.168.0.199

isolated

false
3600
7200

192.168.0.2
192.168.0.99

Response:
201 Created
Content-Type: application/vnd.vmware.vcloud.orgVdcNetwork+xml
...

Isolated Organization Vdc Network

...

false
3600
7200

192.168.0.2
192.168.0.99

Synchronize Syslog Server Settings for an Edge Gateway or vApp Network
When you change the IP addresses of the primary or secondary syslog server for a cloud, you must also
synchronize the syslog server settings for each Edge Gateway or vApp network that includes a
FirewallService for which logging is enabled.
If a system administrator changes the SyslogServerSettings for a cloud, all Edge Gateways and vApp
networks that are configured with a firewall service whose EnableLogging element has a value of true must
be synchronized with the new syslog server settings so that logging can continue without interruption.
Prerequisites
n

To synchronize syslog server settings for an Edge Gateway, you must be an organization administrator
or system administrator.

To synchronize syslog server settings for a vApp network, you must be the vApp owner.

Procedure
1
2

Retrieve the XML representation of the vApp network or Edge Gateway.
Examine the response to locate the Link element that contains the URL for the

syncSyslogServerSettings action.

This element has a rel attribute value of syncSyslogSettings and a type attribute value of
application/vnd.vmware.vcloud.task+xml, as shown in this excerpt:

Create an AdminCatalog element.
See the request portion of “Example: Create a Catalog,” on page 199.

POST the AdminCatalog element to the organization's add URL for catalogs.
See the request portion of “Example: Create a Catalog,” on page 199.

The server creates an empty catalog and returns its representation in the response. See the response portion
of “Example: Create a Catalog,” on page 199.

Example: Create a Catalog
This example adds a catalog to the organization created in “Example: Create an Organization,” on page 153.
Because the request does not specify a CatalogStorageProfile, the catalog is created on the default storage
profile for the first VDC created in the organization. To create the catalog on a specific storage profile, you
can add a CatalogStorageProfiles element to the request. See “Specify a Storage Profile for a Catalog,” on
page 205.
Request:
POST https://vcloud.example.com/api/admin/org/26/catalogs
Content-Type: application/vnd.vmware.admin.catalog+xml
...

New Catalog for Example Org

The response contains information extracted from the request, and includes these additions that the server
creates:
n

A URL, in the value of the href attribute of the response body, that references the new catalog.

Links that implement operations on the catalog.

A link to an alternate view of this catalog. All users can access the catalog at this URL.

An empty CatalogItems element.

A Task that tracks the creation of the catalog.

An IsPublished element whose content is the string false, indicating that the catalog is not shared with
other organizations. See “Share a Catalog with All Organizations in a Cloud,” on page 208.

A VersionNumber element with an initial value of 1. See “Version Numbers,” on page 198.

VMware, Inc.

199

vCloud API Programming Guide

Response:
201 Created
Content-Type: application/vnd.vmware.admin.catalog+xml
...

...

New Catalog for Example Org

false
2013-06-18T09:52:59.260-07:00
1

200

VMware, Inc.

Chapter 6 Creating and Managing Organizations

Create a Catalog For External Publication
An organization administrator in an organization that has permission to publish externally can create a
catalog whose contents, catalog items created locally, are made available to external consumers on a
subscription basis.
Organizations that are permitted to publish externally can enable any of their catalogs for external
publication. A catalog that is enabled for external publication becomes accessible at a URL assigned by the
system, and can be protected by a password. A catalog in another instance of vCloud Director can subscribe
to an externally published catalog and maintain an up-to-date set of catalog items. See “Synchronization,”
on page 197.
You can use this procedure to create a new catalog that is enabled for external publication, or you can use
the procedure shown in “Publish an Existing Catalog Externally,” on page 211 to enable an existing catalog
for external publication. If a catalog has an external subscription, you cannot enable it for external
publication.
Prerequisites
n

Verify that you are logged in as a system administrator, an organization administrator, or a user with
the Catalog Author role.

Verify that at least one VDC exists in your organization. You cannot create a catalog in an organization
that has no VDCs.

Verify that your organization has permission to publish externally.
The OrgGeneralSettings in the AdminOrg element that represents your organization must have a
CanPublishExternally element with a value of true.
true

Retrieve the XML representation of the organization to which to add the catalog, and examine the response
to locate the Link element that contains the URL for adding catalogs to the organization. See “Add a Catalog
to an Organization,” on page 198.
Procedure
1

Create an AdminCatalog element that includes PublishExternalCatalogParams.
See the request portion of “Example: Create a Catalog For External Publication,” on page 201.

POST the AdminCatalog element to the organization's add URL for catalogs.
See the request portion of “Example: Create a Catalog For External Publication,” on page 201.

The server creates an empty catalog and returns its representation in the response. See the response portion
of “Example: Create a Catalog,” on page 199.
Example: Create a Catalog For External Publication
This request is similar to the one used in “Example: Create a Catalog,” on page 199 but includes a

PublishExternalCatalogParams element that specifies that the catalog is to be published externally. This

request creates the catalog with a content cache, which can improve synchronization performance for
external catalogs that subscribe to this one, but requires enough space on the system's transfer storage to
accommodate all of the items in the catalog. This request also sets the PreserveIdentityInfoFlag element to
false, which prevents values such as the BIOS UUID and MAC address associated with virtual machine
identities from being published. If you omit this element or set its value to true, these values are published
for all catalog items that represent virtual machines.

VMware, Inc.

201

vCloud API Programming Guide

Request:
POST https://vcloud.example.com/api/admin/org/26/catalogs
Content-Type: application/vnd.vmware.admin.catalog+xml
...

Example Catalog for External Publication

true
true
false
Pa55w0rd

The response is similar to the one shown in “Example: Create a Catalog,” on page 199, but includes the
PublishExternalCatalogParams element. The embedded Task element tracks the creation of the catalog and
its accompanying Web site. The Password element in the request is never returned.
Response:
201 Created
Content-Type: application/vnd.vmware.admin.catalog+xml
...

...

Example Catalog for External Publication

false
2013-06-18T09:55:59.131-07:00
1

true

202

VMware, Inc.

Chapter 6 Creating and Managing Organizations

true
false

When the task completes, the PublishExternalCatalogParams includes a URL at which external consumers
can connect to the catalog.

...

true
true
https://vcloud2.example.com/vcsp/catalog/5

Create a Catalog With an External Subscription
An organization administrator can create a catalog whose contents are downloaded from an external source.
You cannot use catalogs created this way to hold catalog items that are created locally.
Organizations that are permitted to subscribe to external sources can create catalogs whose contents are
downloaded from a catalog hosted on another instance of vCloud Director, or any Web site that implements
the VMware Content Subscription Protocol (VCSP) . See “Synchronization,” on page 197.
If a catalog has an external subscription, you cannot enable it for external publication.
Prerequisites
n

Verify that you are logged in as a system administrator, an organization administrator, or a user with
the Catalog Author role.

Verify that at least one VDC exists in your organization. You cannot create a catalog in an organization
that has no VDCs.

Verify that your organization has permission to create catalogs with external subscriptions.
The OrgGeneralSettings in the AdminOrg element that represents your organization must have a
CanSubscribe element with a value of true.
true

The external source must implement the VMware Content Subscription Protocol. See
“Synchronization,” on page 197.

You must know the URL of the external source, and the password if one is required.

Retrieve the XML representation of the organization to which you want to add the catalog, and examine the
response to locate the Link element that contains the URL for adding catalogs to the organization. See “Add
a Catalog to an Organization,” on page 198.
Procedure
1

Create an AdminCatalog element that includes ExternalCatalogSubscriptionParams.
See the request portion of “Example: Create a Catalog With an External Subscription,” on page 204.

POST the AdminCatalog element to the organization's add URL for catalogs.
See the request portion of “Example: Create a Catalog With an External Subscription,” on page 204.

The server creates an empty catalog and returns its representation in the response. See the response portion
of “Example: Create a Catalog,” on page 199.

VMware, Inc.

203

vCloud API Programming Guide

Example: Create a Catalog With an External Subscription
This request creates a catalog with a subscription to the VCSP URL
https://vcloud2.example.com/vcsp/catalog/5. Because the LocalCopy element in
ExternalCatalogSubscriptionParams has a value of false, files that comprise a vApp template or media
image that a catalog item references are not downloaded until a user requests them. If you create a catalog
where LocalCopy has a value of true, these files are downloaded the first time that the catalog subscription is
synchronized, and on each subsequent synchronization where any of the catalog items has a newer version
number. The default value of LocalCopy isfalse.
Request:
POST https://vcloud.example.com/api/admin/org/26/catalogs
Content-Type: application/vnd.vmware.admin.catalog+xml
...

Example Catalog With External Subscription

true
https://vcloud2.example.com/vcsp/catalog/5
Pa55w0rd
false

The response is similar to the one shown in “Example: Create a Catalog,” on page 199, but includes the

ExternalCatalogSubscriptionParams element that you supplied in the request. The Password element in the

request is never returned.
Response:

201 Created
Content-Type: application/vnd.vmware.admin.catalog+xml
...

...

Example Catalog With External Subscription

false
2013-06-18T10:00:03.012-07:00
1

true
https://vcloud2.example.com/vcsp/catalog/5
false

What to do next
Synchronize the catalog with its external source. Any catalog with an external subscription includes a link of
the form:

As a catalog owner or administrator, you can POST a request to the rel="sync" URL to synchronize the
catalog with its external source. See “Synchronize a Catalog or Catalog Item,” on page 79.

Specify a Storage Profile for a Catalog
Any request that creates a catalog can also specify a storage profile for the items in that catalog.
If you do not specify a CatalogStorageProfile when creating a catalog, the catalog is created on the default
storage profile for the first VDC created in the organization. To create the catalog on a specific storage
profile, retrieve the list of available storage profiles in your organization and specify one in the
CatalogStorageProfiles element of the request.
Prerequisites
n

Verify that you are logged in as a system administrator, an organization administrator, or a user with
the Catalog Author role.

Verify that at least one VDC exists in your organization. You cannot create a catalog in an organization
that has no VDCs.

Procedure
1

Find the list of storage profiles in your organization.
Use a query like this one.
https://vcloud.example.com/api/query?type=orgVdcStorageProfile&format=references

The response is a list of references to all the storage profiles used by VDCs in your organization.

VMware, Inc.

205

vCloud API Programming Guide

NOTE If you are a system administrator, you must filter the response to show only those storage
profiles in the organization where you are creating the catalog.
2

Create an AdminCatalog element that includes a CatalogStorageProfiles element.
You can include a single CatalogStorageProfile in the request. Only the type and href attributes are
required. See the request portion of “Example: Specify a Storage Profile for a Catalog,” on page 206.

POST the AdminCatalog element to the organization's add URL for catalogs.
See the request portion of “Example: Specify a Storage Profile for a Catalog,” on page 206.

The server creates an empty catalog on the specified storage profile and returns its representation in the
response. See the response portion of “Example: Create a Catalog,” on page 199.
Example: Specify a Storage Profile for a Catalog
This example modifies the request shown in “Example: Create a Catalog,” on page 199 to add a
CatalogStorageProfiles element..
Request:
POST https://vcloud.example.com/api/admin/org/26/catalogs
Content-Type: application/vnd.vmware.admin.catalog+xml
...

New Catalog for Example Org

The response is similar to the one shown in “Example: Create a Catalog,” on page 199, and includes a
CatalogStorageProfiles element derived form the one that you specified in the request.
Response:
201 Created
Content-Type: application/vnd.vmware.admin.catalog+xml
...
New Catalog for Example Org

...

206

VMware, Inc.

Chapter 6 Creating and Managing Organizations

Update Catalog Access Controls
If you are an administrator or catalog owner, you can use the controlAccess links in your organization to
grant or restrict access to a catalog.
A catalog initially grants full access to its owner and no access to other users. An administrator or the
catalog owner can use the vCloud API access control mechanism to view or modify catalog access controls.
For a general discussion of access controls in vCloud Director, see “Controlling Access to vApps and
Catalogs,” on page 84.
Procedure
1

Retrieve the XML representation of the organization that contains the catalog.
Use a request like this one:
GET https://vcloud.example.com/api/org/26

Examine the Org element to find the controlAccess links for the catalogs that it contains.
These links have the following form:

NOTE The controlAccess links for catalogs are not returned in the AdminOrg response when you
retrieve the organization in the admin view.
3

Create a ControlAccessParams element request body that specifies the details of the update.

POST the ControlAccessParams element to the action/controlAccess link for the catalog.

Example: Update Catalog Access Controls
This request updates the access controls of a catalog to grant full control to one user and read-only access to
another user. The request body, a ControlAccessParams element, specifies a value of false for the
IsSharedToEveryone element, and contains an AccessSetting element for each user whose access rights are
being modified. Each user is identified by a reference to a User object. See “User and Group
Administration,” on page 219. The response, a subset of which appears in this example, echoes the request.
Request:
POST https://vcloud.example.com/api/org/9/catalog/32/action/controlAccess/"/>
Content-Type: application/vnd.vmware.vcloud.controlAccess+xml
...

VMware, Inc.

207

vCloud API Programming Guide

false

FullControl

ReadOnly

Response:
200 OK
Content-Type: application/vnd.vmware.vcloud.controlAccess+xml
...

false

...

Share a Catalog with All Organizations in a Cloud
An organization administrator can share a catalog to make it visible to the administrators in all other
organizations in a cloud.
The owner of a catalog can make it available to other users in the containing organization. See “Update
Catalog Access Controls,” on page 207. If you are an organization administrator, you can also share catalogs
with all other organizations in your cloud if your organization's CanPublishCatalogs element has a value of
true. The value of this element is controlled by the system administrator. To share a catalog, make a POST
request to the catalog’s action/publish URL and supply a PublishCatalogParams body that sets the value of
the catalog’s IsPublished element to true.
Prerequisites
Verify that you are logged in to the vCloud API as an organization administrator or system administrator.
Procedure
1

Retrieve the XML representation of the catalog to share.
Use a request like this one, where id is the identifier of the catalog:
GET https://vcloud.example.com/api/admin/catalog/id

208

VMware, Inc.

Chapter 6 Creating and Managing Organizations

Examine the response to locate the Link element that contains the URL for publishing the catalog.
This element has a rel attribute value of publish and a type attribute value of
application/vnd.vmware.admin.publishCatalogParams+xml, as this example shows:

Create a PublishCatalogParams element that contains an IsPublished element with a value of true.

POST the PublishCatalogParams body to the catalog's rel="publish" URL.

The catalog is shared and becomes available to members of all other organizations in the cloud.

Example: Share a Catalog With All Organizations in a Cloud
Request:
POST https://vcloud.example.com/api/admin/catalog/32/action/publish
Content-Type: application/vnd.vmware.admin.publishCatalogParams+xml
...

true

Response:
204 No Content

Share a Catalog With Specific Organizations in a Cloud
A system administrator can share a catalog to make it visible to the administrators of specific organizations
in a cloud.
The owner of a catalog can share it to make it available to all organization in the cloud. When more selective
sharing is required, a system administrator can share a catalog with specific organizations if that catalog is
not already shared to all organizations.
Prerequisites
Verify that you are logged in to the vCloud API as a system administrator.
Procedure
1

Retrieve the XML representation of the organization that contains the catalog.
Use a request like this one:
GET https://vcloud.example.com/api/org/26

Examine the Org element to find the controlAccess links for the catalogs that it contains.
These links have the following form:

VMware, Inc.

209

vCloud API Programming Guide

NOTE The controlAccess links for catalogs are not returned in the AdminOrg response when you
retrieve the organization in the admin view.
3

Create a ControlAccessParams element that contains an AccessSettings element that specifies the
organizations with which to share the catalog.

POST the ControlAccessParams element to the action/controlAccess link for the catalog.

The catalog is shared with administrators of the specified organizations.

Example: Share a Catalog With Specific Organizations in a Cloud
This request updates the access controls of a catalog to share it to a single organization, giving read-only
access to all users in that organization.
Request:
POST https://vcloud.example.com/api/org/9/catalog/32/action/controlAccess/"/>
Content-Type: application/vnd.vmware.vcloud.controlAccess+xml
...

false

ReadOnly

Response:
200 OK
Content-Type: application/vnd.vmware.vcloud.controlAccess+xml
...

false

ReadOnly

210

VMware, Inc.

Chapter 6 Creating and Managing Organizations

Publish an Existing Catalog Externally
An organization administrator in an organization that has permission to publish externally can update an
existing catalog to make its contents available to external consumers on a subscription basis.
Organizations that are permitted to publish externally can enable any of their local catalogs for external
publication. A catalog that is enabled for external publication becomes accessible at a URL assigned by the
system, and can be protected by a password. A catalog in another instance of vCloud Director can subscribe
to an externally published catalog and maintain an up-to-date set of catalog items. See “Synchronization,”
on page 197.
Prerequisites
n

Verify that you are logged in as a system administrator, an organization administrator, or a user with
the Catalog Author role.

Verify that your organization has permission to publish externally.
Verify that the OrgGeneralSettings in the AdminOrg element that represents your organization has a
CanPublishExternally element with a value of true.
true

Verify that the catalog you want to enable for external publication does not have an external
subscription.

Procedure
1

In the admin view, retrieve the XML representation of the catalog.
Use a request like this one:
GET https://vcloud.example.com/api/admin/catalog/32

Examine the AdminCatalog element to find the publishToExternalOrganizations link it contains.
This link has the following form:

Create a PublishExternalCatalogParams element.
See “Example: Publish an Existing Catalog,” on page 211.

POST the PublishExternalCatalogParams element to the publishToExternalOrganizations URL.

Example: Publish an Existing Catalog
This request updates the catalog created in “Example: Create a Catalog,” on page 199 to publish it
externally.
Request:
POST https://vcloud.example.com/api/admin/catalog/32/action/publishToExternalOrganizations
Content-Type: application/vnd.vmware.admin.publishExternalCatalogparams+xml
...

true
Password>Pa55w0rd

Response:
204 No Content

Content Subscription Endpoint Specification
This document specifies the requirements for creating an endpoint that is compatible with a client using
version 1 of the VMware Content Subscription Protocol (VCSP). VMware vCloud Director catalogs use this
protocol when synchronizing content from an external subscription.

Introduction
VMware vCloud Director enables organizations to create catalogs that acquire their content from a
subscription to an external source. The external source can be an externally published catalog hosted on
another instance of vCloud Director or a Web site that hosts a VCSP endpoint.
Configuration parameters for vCloud Director catalogs that have external subscriptions include a VCSP
endpoint URL and, if the endpoint requires authentication, a user name and password. Users periodically
synchronize to update catalog contents from the subscribed endpoint. You can request synchronization for
an entire catalog, or for individual catalog items. The process is similar in both cases.
1

The VCSP client makes a GET request to retrieve the endpoint descriptor. If the version in the
descriptor matches the version of the catalog being synchronized, no content has changed at the
endpoint, and no further action is required.

If the version in the descriptor is greater than the version of the catalog, the client makes a GET request
to retrieve the endpoint index file.

To update the entire catalog, the client makes GET requests to retrieve all catalog items whose version
at the endpoint is greater than their version in the catalog. To update an individual catalog item, the
client makes a GET request to retrieve it only if its version number at the endpoint is greater than its
version in the catalog.

The endpoint is a passive partner in this process. Its only responsibilities are to keep the version numbers up
to date in the endpoint descriptor and endpoint index files, and to return the HTTP status codes and other
responses expected by the VCSP client.

URLs
A VCSP endpoint URL must have a scheme of HTTP or HTTPS and a path that terminates in the name of
the endpoint descriptor. A VCSP endpoint whose contents are stored on a host named vcsp.example.com in
a directory named /vcsp on the host and whose descriptor file is named descriptor.json would have the
following endpoint URL:
http://vcsp.example.com/vcsp/descriptor.json

212

VMware, Inc.

Chapter 6 Creating and Managing Organizations

Endpoint Descriptor
The endpoint descriptor is a file whose contents define the catalog available at the endpoint. The contents,
which must be expressed in JavaScript Object Notation (media type application/json) as defined by
RFC4627, define a JSON object, and must specify values for the following key names.
vcspVersion

An integer that specifies the version of the VCSP protocol to which this
endpoint conforms.

version

An integer that specifies the version of the catalog, as described in “Version
Numbers,” on page 219.

The object identifier, expressed in URN format. This value uniquely
identifies the catalog, persists for the life of the catalog, and must never be
reused.

name

The display name of the catalog. Must be a nonempty string.

created

Time and date when the endpoint was created.

itemType

Must have value vcsp.CatalogItem.

itemsHref

A reference to the endpoint index file relative to the location of the endpoint
descriptor. Replacing the final component of the endpoint URL with the
value of the itemsHref key must create a valid URL.

capabilities

A JSON object that describes the capabilities of this catalog. The object must
define all of the following properties:
transferIn

An array with a single member that must be the
string httpGet.

transferOut

An array with a single member that must be the
string httpGet.

generateIds

A Boolean value that must be set to true.

metadata

An array of catalog object metadata. See “Metadata,” on page 217.

maintenanceMessage

A string indicating that the endpoint is inaccessible because it is undergoing
maintenance. For example:
"maintenanceMessage" : "This catalog is currently in maintenance
mode"

If the endpoint descriptor includes this key, attempts by subscribers to
synchronize with this endpoint fail and display the string.
The following example shows a typical endpoint descriptor.
{
"vcspVersion" : "1",
"version" : "10",
"id" : "urn:uuid:ccdd2c56-e54e-4883-bc0a-619baaca92a6",
"name" : "published",
"created" : "2012-09-14T22:17:50.807Z",
"itemType" : "vcsp.CatalogItem",
"itemsHref" : "items",
"capabilities" : {
"transferIn" : [ "httpGet" ],
"transferOut" : [ "httpGet" ],

VMware, Inc.

213

vCloud API Programming Guide

"generateIds" : true
}
"metadata" : [ {
"type" : "STRING",
"domain" : "GENERAL",
"key" : "key1",
"value" : "value1",
"visibility" : "READWRITE"
}, {
"type" : "STRING",
"domain" : "SYSTEM",
"key" : "key2",
"value" : "value2",
"visibility" : "READONLY"
} ]
}

Endpoint Index
The endpoint index is a file whose contents define the set of items available in the catalog. The contents,
which must be expressed in JavaScript Object Notation (media type application/json) as defined by
RFC4627, define a JSON object, and must specify values for the following key names.

214

itemType

Must be vcsp.CatalogItem.

items

An array of zero or more item objects. Each item object must specify values
for the following key names.
version

An integer that specifies the version of the item, as
described in “Version Numbers,” on page 219.

The object identifier of the item, expressed in URN
format. This value uniquely identifies the item,
persists for the life of the item, and must never be
reused.

name

The display name of the item. Must be a nonempty
string.

created

Time and date when the item was created.

type

Item type. Must have one of the following values:
n

vcsp.iso if the item is an ISO image.

vcsp.ovf if the item is an OVF package.

VMware, Inc.

Chapter 6 Creating and Managing Organizations

files

properties

An array of file objects that includes all the files that
represent the item. Each file object is represented as
an array with three elements:
etag

An integer representing the
version of the file. The value of
this key must be the same for each
file in the array. When any file in
this array gets updated, you must
increment the value of the etag
key for all files in the array.

name

The name of the file.

hrefs

An array of pathnames to the file.
Must contain a single pathname
to the file from the root of the
endpoint, written as a URL
fragment.

An array of additional properties of the item. This
array has a single member:
selfHref

version

A URL to the item descriptor for
this item. See “Item Descriptors,”
on page 217.

metadata

An array of catalog item metadata. See “Metadata,”
on page 217.

vms

If this item represents a vApp template, you must
include an array representing the virtual machines
referenced in the template.
name

The name of the virtual machine.

metadata

An array of virtual machine
metadata. See “Metadata,” on
page 217.

An integer that specifies the version of the endpoint index, as described in
“Version Numbers,” on page 219.

The following example shows a typical endpoint index.
{
"itemType" : "vcsp.CatalogItem",
"items" : [ {
"version" : "1",
"id" : "urn:uuid:6dfa4596-a7c5-4d62-9a84-c559968baa26",
"name" : "vapp-demo",
"created" : "2012-09-17T17:59:15.161Z",
"type" : "vcsp.ovf",
"files" : [ {
"etag" : "37"
"name" : "descriptor.ovf",
"hrefs" : [ "/vcsp/item/6dfa4596-a7c5-4d62-9a84-c559968baa26/file/descriptor.ovf" ]

VMware, Inc.

215

vCloud API Programming Guide

}, {
"name" : "descriptor.mf",
"hrefs" : [ "/vcsp/item/6dfa4596-a7c5-4d62-9a84-c559968baa26/file/descriptor.mf" ]
}, {
"etag" : "37"
"name" : "vm-d5349476-aae2-4b65-bc9a-28effdc213fb-disk-0.vmdk",
"hrefs" : [ "/vcsp/item/6dfa4596-a7c5-4d62-9a84-c559968baa26/file/vm-d5349476-aae2-4b65bc9a-28effdc213fb-disk-0.vmdk" ]
} ],
"properties" : {
},
"selfHref" : "/vcsp/item/6dfa4596-a7c5-4d62-9a84-c559968baa26/item.json"
}, {
"version" : "2",
"id" : "urn:uuid:b63c9bbe-3614-4153-82fd-d5f4916a1327",
"name" : "template1",
"created" : "2012-09-14T22:18:12.858Z",
"description" : "Added with VMware OVFTool.",
"type" : "vcsp.ovf",
"files" : [ {
"name" : "descriptor.ovf",
"hrefs" : [ "/vcsp/item/b63c9bbe-3614-4153-82fd-d5f4916a1327/file/descriptor.ovf" ]
}, {
"name" : "descriptor.mf",
"hrefs" : [ "/vcsp/item/b63c9bbe-3614-4153-82fd-d5f4916a1327/file/descriptor.mf" ]
}, {
"name" : "vm-3fe8a95b-ccd1-4816-b4ed-d631f3e2bbf3-disk-0.vmdk",
"hrefs" : [ "/vcsp/item/b63c9bbe-3614-4153-82fd-d5f4916a1327/file/vm-3fe8a95b-ccd1-4816b4ed-d631f3e2bbf3-disk-0.vmdk" ]
} ],
"properties" : {
},
"selfHref" : "/vcsp/item/b63c9bbe-3614-4153-82fd-d5f4916a1327/item.json"
} ],
"metadata" : []
"vms" : [ {
"name" : "vm1",
"metadata" : [ ]
}, {
"name" : "vm2",
"metadata" : []
} ]
}, {
"version" : "10"
}

216

VMware, Inc.

Chapter 6 Creating and Managing Organizations

Metadata
The endpoint descriptor and endpoint index allow you to include object metadata that is used to create
vCloud Director object metadata when endpoint contents are synchronized by a subscribed catalog. For
more information about the design and operation of vCloud Director object metadata, see Chapter 8,
“Working With Object Metadata,” on page 281.
metadata

An array of object metadata. You may include an arbitrary number of
metadata objects in this array, subject to the size limitations documented in
“vCloud API Object Metadata Limits,” on page 283
type

The type of the metadata value. One of STRING,
BOOLEAN, DATETIME or NUMBER. See “vCloud API Object
Metadata Contents,” on page 281.

domain

The access domain of the metadata. One of GENERAL
or SYSTEM. See “Access Control for vCloud API
Object Metadata,” on page 282. When
vCloud Director object metadata is created from this
endpoint, the metadata domain is always set to
SYSTEM, regardless of the value you supply here.

key

An arbitrary key name.

value

The value of the key.

visibility

The visibility the metadata. One of PRIVATE, READONLY
or READWRITE. See “Access Control for vCloud API
Object Metadata,” on page 282. When
vCloud Director object metadata is created from this
catalog item, the metadata visibility is always set
to READONLY, regardless of the value you supply here.

Item Descriptors
Every item listed in the endpoint index must include an item descriptor file in the directory that holds all the
item's files. The contents, which must be expressed in JavaScript Object Notation (media type
application/json) as defined by RFC4627, define a JSON object, and must specify values for the following
key names.
version

An integer that specifies the version of the item, as described in “Version
Numbers,” on page 219.

The object identifier, expressed in URN format. This value uniquely
identifies the catalog, persists for the life of the catalog, and must never be
reused.

name

The display name of the catalog. Must be a nonempty string.

created

Time and date when the endpoint was created.

description

A description of the item, as it will appear in the destination catalog.

type

Item type. Must have one of the following values:

VMware, Inc.

vcsp.iso if the item is an ISO image.

vcsp.ovf if the item is an OVF package.

217

vCloud API Programming Guide

files

properties

An array of file objects that includes all the files that represent the item.
Each file object is represented as an array with two elements:
name

The name of the file.

hrefs

An array of pathnames to the file. Must contain a
single pathname to the file from the root of the
endpoint, written as a URL fragment.

An array of additional properties of the item. Must be empty.

The following example shows a typical item descriptor for an OVF package.
{
"version" : "1",
"id" : "urn:uuid:b63c9bbe-3614-4153-82fd-d5f4916a1327",
"name" : "template1",
"created" : "2012-09-14T22:18:12.858Z",
"description" : "Added with VMware Ovf Tool.",
"type" : "vcsp.ovf",
"files" : [ {
"name" : "descriptor.ovf",
"size" : 9985,
"hrefs" : [ "descriptor.ovf" ]
}, {
"name" : "vm-3fe8a95b-ccd1-4816-b4ed-d631f3e2bbf3-disk-0.vmdk",
"size" : 833536,
"hrefs" : [ "vm-3fe8a95b-ccd1-4816-b4ed-d631f3e2bbf3-disk-0.vmdk" ]
} ],
} "properties" : {
}
}

Responses
VCSP clients retrieve catalog files, including the descriptor and the endpoint index, with GET requests. The
endpoint must return one of the following responses:
n

HTTP status 200 (OK) followed by the file content

HTTP status 503 (Service unavailable) followed by a document that provides additional information.
This document has media type application/json, and provides values for the following keys:
status

Status of the requested file.

progress

File generation progress, expressed as an integer in the range 0 to 100.

message

An error message describing any errors that prevented the file from being
generated.

The client continues to make GET requests until it receives either a 200 response or a 503 response with a
nonempty message.
For example, an in-progress operation could return the following response.
{
"status" : "",
"progress" : 10
}

218

VMware, Inc.

Chapter 6 Creating and Managing Organizations

An operation that has encountered an error could return the following response.
{
"status" : "failed",
"message" : "File Generation failed"
}

Authentication
An endpoint can require authentication. VCSP clients always present the user name vcsp when logging in.
The endpoint can specify any password for this user, but must accept the user name vcsp. The user name
and password are encoded as specified for Basic HTTP authentication.

Version Numbers
Version numbers appear in the endpoint descriptor and endpoint index as version values, which are integer
values that increment monotonically. It is the responsibility of the endpoint to increment the appropriate
version value whenever any of the following changes occur.
Changes to a catalog
item
Changes to a catalog

A file in the item is added, removed, or changed.

The name or description of the item is changed.

An item is added to or removed from the catalog.

The version value of any contained catalog item changes.

The name or description of the catalog is changed.

User and Group Administration
A newly created organization has no users or groups in it. An administrator must create or import them.
An organization can contain an arbitrary number of users and groups. Users can be created by the
organization administrator or imported from an LDAP directory service or SAML-based identity provider.
Groups must be imported. Permissions within an organization are controlled through the assignment of
rights and roles to users and groups.

Local Users and Imported Users
Users can be created locally or imported from the organization's LDAP service if it has defined one. Users
and groups can also be imported from an external identity provider that supports SAML (the Security
Assertion Markup Language). Local user accounts are stored in the vCloud Director database and managed
by the organization administrator. Imported user accounts are managed by the service from which the user
was imported. If an imported user changes his password, contact information, or other account properties,
those changes are not effective in vCloud Director until the user is imported again.

VMware, Inc.

219

vCloud API Programming Guide

About Identity Providers
In vCloud Director, an identity provider is a service that accepts credentials such as a user name and
password and authenticates the user as a member of a group or organization. vCloud Director recognizes
two kinds of identity providers:
Integrated

The integrated identity provider is a service provided by vCloud Director. It
can authenticate users who are created locally or imported from LDAP.

SAML

An organization can define a SAML identity provider that can be used as
part of a federated identity strategy. Such a strategy can enable an enterprise
to provide access to multiple, unrelated services, including vCloud Director,
with a single set of credentials. This sort of authentication strategy is often
referred to as "single sign-on." See “Retrieve or Update Organization
Settings,” on page 157.

The XML representation of a User can include an IdentityProvider element that specifies either INTEGRATED
or SAML. If the element is missing or empty, a value of INTEGRATED is assumed

Modifying User or Group Metadata
An organization administrator can modify metadata such as name and description for a user or group object
by creating a modified version of the User or Group element that represents the object and updating the
object by making a PUT request to the object's rel="edit" link, supplying the modified element in the
request body.

Create a User
An organization administrator can create user accounts that are local to the organization. Local user
accounts are stored in the vCloud Director database.
Every user exists within the context of an organization. An organization administrator can create a local user
in an organization by POSTing a User element to the organization’s add URL for users, as shown in
“Example: Create a Local User,” on page 220.
When you create a user, you must include the Role and Password elements in the request body. The role can
be a predefined role or one created by the organization administrator. For more information about
retrieving a list of predefined roles, see “Retrieve an Administrative View of a Cloud,” on page 50. For more
information about creating new roles, see “Create a Role,” on page 231.
Prerequisites
Verify that you are logged in to the vCloud API as an organization administrator or system administrator.
Procedure
1

Create a User element that defines the user account properties.
See the request portion of “Example: Create a Local User,” on page 220.

POST the User element to the organization's add URL for users.

The server creates a user account in the vCloud Director database and returns an updated User element to
the client.

Example: Create a Local User
This example adds the user to the organization created in “Example: Create an Organization,” on page 153.
The request includes an optional IsEnabled element that enables the user. If not present in the request,
IsEnabled defaults to false.

220

VMware, Inc.

Chapter 6 Creating and Managing Organizations

The response is a User element, most of which does not appear in the example. The response includes a link
that an administrator can use to edit user properties, and additional elements, such as IsDefaultCached and
StoredVmQuota, whose values are inherited from the organization.
n

The Password element, which must not be empty when you create a User, is never returned.

The ProviderType, which was not specified in the request, defaults to INTEGRATED. See “About Identity
Providers,” on page 220.

Request:
POST https://vcloud.example.com/api/admin/org/26/users
Content-Type: application/vnd.vmware.admin.user+xml
...

Example User Full Name
user@example.com
true

Pa55w0rd

Response:
201 Created
Content-Type: application/vnd.vmware.admin.user+xml
...

Example User Full Name
user@example.com
true
INTEGRATED
false
false
false
0
0

VMware, Inc.

221

vCloud API Programming Guide

Import a User from an LDAP Database
If an organization defines an LDAP service to use, an organization or system administrator can import user
accounts from that service.
Importing a group from LDAP imports all the users in the group. See “Import a Group from an LDAP
Database,” on page 223. You can also import users individually.
Prerequisites
n

Verify that you are logged in to the vCloud API as an organization administrator or system
administrator.

Verify that your organization has defined an LDAP service to use.

Procedure
1

Create a User element that identifies the LDAP user account to import.
The name attribute of the User element must match the LDAP user name, as specified in the organization's
LDAP properties. You must include the Role element in the request body.

POST the User element to the organization's users URL.

The server matches the value of the name attribute in the request body with the value of the LDAP attribute
that the organization specified in the value of the UserName element in the UserAttributes of its
OrgLdapSettings. LDAP attributes such as userPrincipalName or samAccountName are common choices here.
The server imports the user from the organization's LDAP service, and returns an updated User element to
the client.

Example: Import a User from an LDAP Database
This example imports a user to the organization created in “Example: Create an Organization,” on page 153.
The request includes an optional IsEnabled element, so the user is enabled as soon as the import is complete.
The response is a User element, most of which is not shown in the example. The response includes a link
that an administrator can use to edit user metadata, and additional elements, such as IsDefaultCached and
StoredVmQuota, inherited from organization defaults. It also includes a NameInSource element, which
contains the user's name as stored by the LDAP server, using the server's native encoding.
Request:
POST https://vcloud.example.com/api/admin/org/26/users
Content-Type: application/vnd.vmware.admin.user+xml
...

true
true

222

VMware, Inc.

Chapter 6 Creating and Managing Organizations

Response:
201 Created
Content-Type: application/vnd.vmware.admin.user+xml
...

Imported User Full Name
user@example.com
true
INTEGRATED
\F4\D3\42\8E\6A\BC\D3
false
false
0
0

Import a Group from an LDAP Database
If an organization defines an LDAP service to use, an organization or system administrator can import
groups from that service. You cannot create a group. You must import it.
Importing a group from LDAP imports all the users in the group. You can also import users individually.
See “Import a User from an LDAP Database,” on page 222.
Prerequisites
n

Verify that you are logged in to the vCloud API as an organization administrator or system
administrator.

Verify that your organization has defined an LDAP service to use.

Procedure
1

Create a Group element that identifies the LDAP group to import.
The name attribute of the Group element must match the LDAP group name, as specified in the
organization's LDAP properties. You must include a Role element in the request body. The role
specified in this element is assigned to all group members during the import.

POST the Group element to the organization's groups URL.

The server matches the value of the name attribute in the request body with the value of the LDAP attribute
that the organization specified in the value of the GroupName element in the GroupAttributes of its
OrgLdapSettings. The LDAP cn attribute is a common choice here. The server imports that group and all of
its users from organization's LDAP service, and returns an updated Group element to the client.

VMware, Inc.

223

vCloud API Programming Guide

Example: Import a Group from an LDAP Database
This example imports a group to the organization created in “Example: Create an Organization,” on
page 153. The response is a Group element, most of which does not appear in the example. The response
includes a link that an administrator can use to edit group metadata such as name and description, and a
UsersList element that includes a UserReference element for each user in the group. The response also
includes a NameInSource element, which contains the group's name as stored by the LDAP server, using the
server's native encoding.
Request:
POST https://vcloud.example.com/api/admin/org/26/groups
Content-Type: application/vnd.vmware.admin.group+xml
...

Response:
201 Created
Content-Type: application/vnd.vmware.admin.group+xml
...

Until the import is complete, the Group element contains only partial information. After the import is
complete, the element includes a list of users and other information.

Research and development
\C5\AF\B9\D4\9E\B5\32\40\AD\C5\E3\8E\17\4C\0D\28

224

VMware, Inc.

Chapter 6 Creating and Managing Organizations

Import a User or Group from a SAML Identity Provider
If your organization defines a SAML identity provider in its OrgFederationSettings, you cannot import the
users or groups as you can from an LDAP service. Instead, you must map the SAML-defined roles of those
users and groups to roles defined in your organization.
Unlike imports from an LDAP service, imports from a SAML identity provider do not actually import
information from an external database. Instead, the operation creates a mapping between a user or group
name in your organization's database and a user or group name defined by your organization's SAML
provider. The vCloud Director database stores these mappings, but does not store any data retrieved from
the SAML provider.
When a user login presents a SAML token to the organization, user and group names in the token are
evaluated using the mappings established by the import operation. This evaluation process can be
summarized as follows:
n

If the SAML token includes an attribute named UserName, try to match the value of that attribute to the
value of the name attribute of the User.

If the SAML token does not include an attribute named UserName, try to match the value of the NameId
element to the value of the name attribute of the User.

If the SAML token includes an attribute named Groups, assume that the value of that attribute is a list of
group names, and try to match each value in the list to the value of the name attribute of a Group in the
organization. If the

If the SAML token does not include an attribute named Groups, assume that the user is not a member of
any group.

Prerequisites
n

Verify that you are logged in to the vCloud API as an organization administrator or system
administrator.

Verify that your organization has defined a SAML identity provider in its OrgFederationSettings.

Procedure
1

Create a User or Group element that identifies a user or group defined by your organization's SAML
provider.

Include the following line in the User or Group element.
SAML

VMware, Inc.

POST the element to the organization's users or groups URL.

225

vCloud API Programming Guide

Example: Import a User from a SAML Identity Provider
This example is identical to the one shown in “Example: Import a User from an LDAP Database,” on
page 222, but includes a ProviderType element that specifies the source as the organization's SAML identity
provider. It also omits the IsExternal element, which is required when importing from LDAP but is ignored
when importing from SAML.
Request:
POST https://vcloud.example.com/api/admin/org/26/users
Content-Type: application/vnd.vmware.admin.user+xml
...

true
SAML

Response:
201 Created
Content-Type: application/vnd.vmware.admin.user+xml
...

Imported User Full Name
user@example.com
true
SAML
\F4\D3\42\8E\6A\BC\D3
false
false
0
0

226

VMware, Inc.

Chapter 6 Creating and Managing Organizations

Working With Roles and Rights
A role associates a role name with a set of rights. A newly created organization includes a set of predefined
roles and rights inherited from the containing cloud. An organization administrator can add new roles or
modify predefined roles.
vCloud Director uses roles, and their associated rights, to determine whether a user or group is authorized
to perform an operation. When you create or import a user or group, you must assign it a role. You can use
one of the predefined roles, or you can create a role from existing rights.
Predefined roles and rights are properties of a cloud. Roles that an organization administrator creates are
properties of the organization.
NOTE You can create and modify rights associated with extension services, but not those associated with
vCloud Director. See “Create a Service-Specific Right,” on page 349

Predefined Roles and Their Rights
vCloud Director includes predefined roles. Each of these roles includes a set of default rights.

System Administrator
The system administrator has super-user rights for the entire system. System administrator credentials are
established during installation and configuration. A system administrator can create additional system
administrator accounts. All system administrators are members of the system organization. You cannot
modify the rights associated with this role.

Organization Roles
After creating an organization, a system administrator can assign the role of organization administrator to
any user in the organization. An organization administrator has super-user rights within that organization,
and can assign any of the predefined roles to the organization's users and groups.
Organization
Administrator

An organization administrator can assign the role of organization
administrator to any member of an organization.

Catalog Author

The rights associated with the catalog author role allow a user to create and
publish catalogs.

vApp Author

The rights associated with the vApp Author role allow a user to use catalogs
and create vApps.

vApp User

The rights associated with the vApp User role allow a user to use existing
vApps.

Console Access Only

The rights associated with the Console Access Only role allow a user to view
virtual machine state and properties and to use the guest OS.

Each predefined role includes a set of default rights. If an organization administrator modifies the set of
rights associated with a predefined role, those modifications apply only in the context of that organization.
If a system administrator modifies the set of rights associated with a predefined role, those modifications
apply to all organizations in the system.
You classify rights according to the objects to which they apply.

Rights Associated with Catalogs
Admin rights are granted to the system administrator throughout the system, and to an organization
administrator within the organization.

VMware, Inc.

227

vCloud API Programming Guide

Table 6‑4. Rights Associated With Catalogs
Admin

Catalog Author

vApp Author

Catalog: Add
vApp from My
Cloud

Catalog: Change
Owner

Catalog: VCSP
Publish Subscribe

Catalog: Enable a
vApp template or
media item for
download

Catalog: Create or
Delete a Catalog

Catalog: Edit
Properties

Catalog: Publish

Catalog: Sharing

Catalog: View
Private and
Shared Catalogs

Catalog: View
Published
Catalogs

vApp User

Console Access
Only

vApp User

Console Access
Only

Rights Associated with Independent Disks
Table 6‑5. Rights Associated With Independent Disks
Admin

Catalog Author

vApp Author

Disk: Change
Owner

Disk: Create

Disk: Delete

Disk: Edit
Properties

Disk: View
Properties

Rights Associated with vApp Templates and Media
Table 6‑6. Rights Associated With vApp Templates and Media

228

Admin

Catalog Author

vApp Template or
Media: Create or
Upload

vApp Template or
Media: Edit

vApp Author

vApp User

Console Access
Only

VMware, Inc.

Chapter 6 Creating and Managing Organizations

Table 6‑6. Rights Associated With vApp Templates and Media (Continued)
Admin

Catalog Author

vApp Author

vApp User

vApp Template or
Media: View

vApp Template:
Checkout (Add to
My Cloud)

Catalog Author

vApp Author

vApp User

Console Access
Only

Rights Associated with vApps
Table 6‑7. Rights Associated With vApps
Admin
vApp: Change
Owner

vApp: Copy

vApp: Create or
Reconfigure

vApp: Delete

vApp: Edit
Properties

vApp: Edit VM
CPU

vApp: Edit VM
Hard Disk

vApp: Edit VM
Memory

vApp: Edit VM
Network

vApp: Edit VM
Properties

vApp: Manage
VM Password
Settings

vApp: Power
Operations

vApp: Sharing

vApp: Snapshot
Operations

vApp: Use
Console

Console Access
Only

Administrative Rights
All of these rights are granted to the system administrator throughout the system, and to an organization
administrator within the organization. These rights are not granted to any other predefined role.

VMware, Inc.

229

vCloud API Programming Guide

Table 6‑8. Other Administrative Rights
Admin

230

General:
Administrator
Control

General:
Administrator
View

General: Send
Notification

Group or User:
View

Organization
Network: Edit
Properties

Organization
Network: View

Organization VDC
Gateway:
Configure Services

Organization VDC
Network: Edit
Properties

Organization VDC
Network: View
Properties

Organization VDC
Storage Policy: Set
Default

Organization
VDC: View

Organization: Edit
Federation
Settings

Organization: Edit
Leases Policy

Organization: Edit
Password Policy

Organization: Edit
Properties

Organization: Edit
Quotas Policy

Organization: Edit
SMTP Settings

Organization:
View

Catalog Author

vApp Author

vApp User

Console Access
Only

VMware, Inc.

Chapter 6 Creating and Managing Organizations

Create a Role
An organization administrator can create a role by aggregating a set of rights in a Role element and
POSTing it to the organization's add URL for roles.
Prerequisites
Verify that you are logged in to the vCloud API as an organization administrator or system administrator.
Procedure
1

Create a Role element that defines the role with a name and a set of rights.
To get the RightReference objects that populate the Role, retrieve the administrative view of the cloud,
using a request like this one:
GET https://vcloud.example.com/api/admin

The VCloud element returned by this request includes a RightReferences element that contains
RightReference elements that show the name and href for each right defined in the cloud. For example:

POST the Role element to the organization's add URL for roles.
See the request portion of “Example: Create a Role,” on page 231.

The server creates a Role element and returns its representation to the client.

Example: Create a Role
This example adds a role named vAppWrangler to the organization created in “Example: Create an
Organization,” on page 153. The rights associated with this new role are less comprehensive than those
associated with the built-in vApp Author role, but still include rights to perform many common vApp
operations.
NOTE This example uses href attributes that contain actual UUID values for specific rights, since these are
invariant across vCloud Director installations and releases.
Request:
POST https://vcloud.example.com/api/admin/roles
Content-Type: application/vnd.vmware.admin.role+xml
...

Create and manage vApps

The response is a Role element, most of which does not appear in this excerpt. The response includes links
that an administrator can use to edit or remove the role.
Response:
201 Created
Content-Type: application/vnd.vmware.admin.role+xml
...

Create and manage vApps

...

VMware, Inc.

233

vCloud API Programming Guide

234

VMware, Inc.

Managing and Monitoring a Cloud

The VMware vCloud API includes extensions that support operations on the vSphere platform, which
provides resources to vCloud Director. A system administrator can use these extensions to retrieve or
update the configuration of a cloud, add or remove vSphere resources, and import vApps and media from
vCenter.
Only the system administrator can perform vSphere platform operations. Before you attempt these
operations, log in to the System organization with the user name and password of the system administrator
account that was created when vCloud Director was installed. See “Administrator Credentials and
Privileges,” on page 152.
This chapter includes the following topics:
n

“Summary of System Administration Requests,” on page 235

“Retrieve or Update System Settings,” on page 239

“Attach a vCenter Server,” on page 240

“Finding Available vCenter Resources,” on page 242

“Create a Provider VDC,” on page 251

“Create an External Network,” on page 261

“Create a Network Pool,” on page 264

“Import a Virtual Machine from vCenter,” on page 270

“Relocate a Virtual Machine to a Different Datastore,” on page 273

“Truststore and Keytab Maintenance,” on page 275

“Retrieve the vSphere URL of an Object,” on page 277

Summary of System Administration Requests
System administration requests allow a system administrator to create and manage resources consumed by
all organizations in a cloud, and to operate on vSphere platform objects registered to vCloud Director.
n

VMware, Inc.

API-URL is a URL of the form https://vcloud.example.com/api.

235

vCloud API Programming Guide

id is a unique identifier in the form of a UUID, as defined by RFC 4122.

236

Operation

Request

Request Body

Response

Share a catalog with specific
organizations in your cloud.
[NEW]

POST APIURL/admin/catalog/id/acti
on/publish

PublishCatalogParams

204 No Content

Retrieve a list of Provider
VDCs in the system.

GET APIURL/admin/extension/pro
viderVdcReferences

None

VMWProviderVdcReference
s

Retrieve a list of external
networks in the system.

GET APIURL/admin/extension/exte
rnalNetworkReferences

None

VMWExternalNetworkRefer
ences

Retrieve a list of network
pools in the system.

GET APIURL/admin/extension/net
workPoolReferences

None

VMWNetworkPoolReference
s

Retrieve a list of vCenter
servers registered to
vCloud Director.

GET APIURL/admin/extension/vim
ServerReferences

None

VMWVimServerReferences

Retrieve information about a
vCenter server.

GET APIURL/admin/extension/vim
Server/id

None

VimServer

Retrieve a list of available
resource pools on a vCenter
server.

GET APIURL/admin/extension/vim
Server/id/resourcePoolList

None

ResourcePoolList

Update vCenter server
settings.

PUT APIURL/admin/extension/vim
Server/id

VimServer

Task

POST APIURL/admin/extension/acti
on/registervimserver

RegisterVimServerParam
s

RegisterVimServerParams

Unregister a vCenter server
and vShield manager.

POST APIURL/admin/extension/vim
Server/id/action/unregister

None

Task

Force reconnection to a
vCenter server.

POST APIURL/admin/extension/vim
Server/id/action/forcevims
erverreconnect

None

Task

Retrieve a list of hosts in the
system.

GET APIURL/admin/extension/host
References

None

VMWHostReferences

Retrieve information about
an ESXi host.

GET APIURL/admin/extension/hos
t/id

None

Host

VMware, Inc.

Chapter 7 Managing and Monitoring a Cloud

Table 7‑1. Summary of vSphere Platform Extension Requests (Continued)
Operation

Request

Request Body

Response

Prepare an ESXi host.

POST APIURL/admin/extension/hos
t/id/action/prepare

PrepareHostParams

Task

Unprepare an ESXi host.

POST APIURL/admin/extension/hos
t/id/action/unprepare

None

Task

Enable an ESXi host.

POST APIURL/admin/extension/hos
t/id/action/enable

None

Task

Disable an ESXi host.

POST APIURL/admin/extension/hos
t/id/action/disable

None

Task

Repair an ESXi host.

POST APIURL/admin/extension/hos
t/id/action/repair

None

204 No Content

Upgrade an ESXi host.

POST APIURL/admin/extension/hos
t/id/action/upgrade

None

Task

Create a Provider VDC.

POST APIURL/admin/extension/pro
vidervdcsparams

VMWProviderVdcParams

VMWProviderVdc

Create a Provider VDC.
[DEPRECATED]

POST APIURL/admin/extension/pro
vidervdcs

VMWProviderVdc

Retrieve a Provider VDC.

GET APIURL/admin/extension/pro
vidervdc/id

None

VMWProviderVdc

Update a Provider VDC.

PUT APIURL/admin/extension/pro
vidervdc/id

VMWProviderVdc

Enable a Provider VDC.

POST APIURL/admin/extension/pro
vidervdc/id/action/enable

None

204 No Content

Disable a Provider VDC.

POST APIURL/admin/extension/pro
vidervdc/id/action/disable

None

204 No Content

Delete a Provider VDC.

DELETE APIURL/admin/extension/pro
vidervdc/id

None

Task

Create an external network.

POST APIURL/admin/extension/exte
rnalnets

VMWExternalNetwork

Retrieve an external
network.

GET APIURL/admin/extension/exte
rnalnet/id

None

VMWExternalNetwork

Update an external network.

PUT APIURL/admin/extension/exte
rnalnet/id

VMWExternalNetwork

Delete an external network.

DELETE APIURL/admin/extension/exte
rnalnet/id

None

Task

VMware, Inc.

237

vCloud API Programming Guide

Table 7‑1. Summary of vSphere Platform Extension Requests (Continued)

238

Operation

Request

Request Body

Response

Create a network pool.

POST APIURL/admin/extension/net
workPools

VMWNetworkPool

Retrieve a network pool.

GET APIURL/admin/extension/net
workPool/id

None

VMWNetworkPool

Update a network pool.

PUT APIURL/admin/extension/net
workPool/id

VMWNetworkPool

Delete a network pool.

DELETE APIURL/admin/extension/net
workPool/id

None

Task

Import a virtual machine
from vCenter as a vApp.

POST APIURL/admin/extension/vim
Server/id/importVmAsVap
p

ImportVmAsVAppParams

VApp

Import a virtual machine
from vCenter as a vApp
template.

POST APIURL/admin/extension/vim
Server/id/importVmAsVap
pTemplate

ImportVmAsVAppTemplate
Params

VAppTemplate

Retrieve the representation
of a datastore.

GET APIURL/admin/extension/data
store/id

None

Datastore

Enable a datastore.

POST APIURL/admin/extension/data
store/id/action/enable

None

Datastore

Disable a datastore.

POST APIURL/admin/extension/data
store/id/action/disable

None

Datastore

Update a datastore.

PUT APIURL/admin/extension/data
store/id

Datastore

Delete a datastore.

DELETE APIURL/admin/extension/data
store/id

None

204 No Content

Import a virtual machine
from vCenter into an
existing vApp.

POST APIURL/admin/extension/vim
Server/id/importVmIntoEx
istingVApp

ImportVmIntoExistingVA
ppParams

Task

Import a media image from
vCenter.

POST APIURL/admin/extension/vim
Server/id/importMedia

ImportMediaParams

Media

Enable a resource pool.

POST APIURL/admin/extension/reso
urcePool/id/action/enable

None

204 No Content

Disable a resource pool.

POST APIURL/admin/extension/reso
urcePool/id/action/disable

None

204 No Content

Place a vApp in
maintenance mode to
prevent users from changing
vApp metadata.

POST APIURL/vApp/id/action/enter
MaintenanceMode

None

204 No Content

VMware, Inc.

Chapter 7 Managing and Monitoring a Cloud

Table 7‑1. Summary of vSphere Platform Extension Requests (Continued)
Operation

Request

Request Body

Response

Remove a vApp from
maintenance mode.

POST APIURL/vApp/id/action/exitM
aintenanceMode

None

204 No Content

Relocate a virtual machine
in a vApp template to a
different datastore.
[DEPRECATED]

POST APIURL/vAppTemplate/vmid/action/relocate

RelocateParams

Task

Relocate a virtual machine
to a different datastore.
[DEPRECATED]

POST API-URL/vApp/vmid/action/relocate

RelocateParams

Task

Migrate a virtual machines
to a different resource pool.

POST APIURL/admin/extension/reso
urcePool/id/action/migrate
Vms

MigrateParams

Task

Retrieve a URL that you can
use to access a vSphere
object with a vSphere client.

GET APIURL/admin/extension/vim
Server/id/vimObjType/vimO
bjMoref/vSphereWebClient
Url

None

VSphereWebClientUrl

Merge Provider VDCs.

PUT APIURL/admin/extension/pro
vidervdc/id/action/merge

None

204 No Content

Retrieve the list of storage
profiles that exist on a
vCenter server.

GET APIURL/admin/extension/vim
Server/id/storageProfiles

None

VMWStorageProfiles

Refresh the list of storage
profiles that exist on a
vCenter server.

POST APIURL/admin/extension/vim
Server/id/action/refreshSto
rageProfiles

None

Task

POST APIURL/admin/extension/vim
Server/id/action/refresh

None

Task

Retrieve or Update System Settings
A system administrator can retrieve or update a cloud-wide set of system properties. These properties
specify default values and behaviors for the cloud and all of the organizations in it.
The SystemSettings element includes all system settings for this cloud. The element also includes links that
allow you to retrieve these subsidiary elements, which define specific categories of settings.
GeneralSettings

Control the configuration and behavior of the entire cloud.

NotificationsSettings

Control the vCloud Director AMQP notifications service.

LdapSettings

Specify details of the system LDAP directory service.

AmqpSettings

Specify credentials and connection information for the AMQP broker that
handles notifications and blocking task messages.

EmailSettings

Define configuration and connection parameters for the system default email
service, and specifies properties of email alerts that the system sends.

VMware, Inc.

239

vCloud API Programming Guide

License

System license serial number and related settings.

BrandingSettings

Customize the branding of the vCloud Director Web Console and some of
the links that appear on the vCloud Director Home login screen.

BlockingTaskSettings

Control the behavior of blocking tasks and enable blocking for specific
operations.

PasswordPolicySettings

Specify default policies to be followed when a user in any organization
enters an incorrect password. Organization administrators can override this
default for their organizations.

LookupServiceSettings

Specify the vSphere Lookup Service URL so system administrators can
authenticate using vSphere Single Sign-On (SSO).

CatalogSettings

Specify the schedule for background synchronization of catalogs that have an
external subscription. These settings apply to all organizations in the system.

You can retrieve the entire SystemSettings element to view all of these settings. To update an individual
subsection, retrieve it with a GET request, modify it, and update it with a PUT request.
Prerequisites
Verify that you are logged in to the vCloud API as a system administrator.
Procedure
1

Retrieve the SystemSettings element.
Use a request like this one.
GET https://vcloud.example.com/api/admin/extension/settings

Examine the response to locate the Link elements that you can use to retrieve an individual subsection.
These links have a rel attribute value of down.

Use the link to retrieve the subsection.
Make a GET request to the href value of the link.

(Optional) Modify the retrieved subsection.
Subsections that you can modify include a link where rel="edit".

(Optional) To update the subsection, PUT the modified subsection to the href of the link described in
Step 4.

Attach a vCenter Server
A system administrator can register a vCenter server and a companion vShield Manager server for use in a
cloud by making a POST request to the cloud’s action/registervimserver URL and supplying a
RegisterVimServerParams request body.
Prerequisites

240

Verify that you are logged in to the vCloud API as a system administrator.

Verify that you know the name, IP address, and administrator password of the vCenter server and
vShield Manager server.

VMware, Inc.

Chapter 7 Managing and Monitoring a Cloud

Procedure
1

Retrieve the XML representation of the vSphere platform extensions.
Use a request like this one.
GET https://vcloud.example.com/api/admin/extension

Examine the response to locate the Link element that contains the URL for adding vCenter servers to
the cloud.
This element has a rel attribute value of add and a type attribute value of
application/vnd.vmware.admin.registerVimServerParams+xml, as shown here:

Create a RegisterVimServerParams element that includes the information required to register the
vCenter server and vShield manager.

POST the RegisterVimServerParams element you created in Step 3 to the URL described in Step 2.
See the request portion of “Example: Register a vCenter Server and vShield Manager,” on page 241.

Example: Register a vCenter Server and vShield Manager
You must supply the user name and password of the vCenter administrator in the request. The response
includes vCloud URLs for the newly registered vCenter and vShield Manager servers, and omits the
password.
Request:
POST https://vcloud.example.com/api/admin/extension/action/registervimserver
Content-Type: application/vnd.vmware.admin.registerVimServerParams+xml
...

Administrator
Pa55w0rd
https://10.100.121.123:443
false

Administrator
Pa55w0rd
https://10.100.121.66

Response:
200 OK
Content-Type: application/vnd.vmware.admin.registerVimServerParams+xml
...

...

Finding Available vCenter Resources
Many of the operations required to import virtual machines or create Provider VDCs, external networks,
and network pools require you to identify vCenter resources and obtain references to them. You use these
references to make the vCenter resources available in the cloud.
Every vCenter server registered to your cloud is represented as a VimServerReference element in the cloud's
vimServerReferences list. You can retrieve one of these references to get a detailed representation of the
server object, including links to the server's resource pools, networks, hosts, and virtual machines.
Prerequisites
Verify that you are logged in to the vCloud API as a system administrator.
Procedure
1

Retrieve the list of vCenter servers registered to this cloud.
Use a request like this one.
GET https://vcloud.example.com/api/admin/extension/vimServerReferences

Retrieve the representation of a vCenter server.
The response to the request you made in Step 1 contains a list of VimServerReference elements. You can
make a GET request to any of these references to retrieve the XML representation of a vCenter server
registered to this cloud.

The VimServer element returned in response to the request you made in Step 2 includes several Link
elements where rel="down". These links contain URLs that you can use to retrieve lists of references to
vCenter resources on this server.
Table 7‑2. vCenter Resource Lists

242

List URL

List Contents

https://vcloud.example.com/api/admin/extensio
n/vimServer/id/vmsList

References to virtual machines in this vCenter server's
inventory

https://vcloud.example.com/api/admin/extensio
n/vimServer/id/hostReferences

References to hosts in this vCenter server's inventory

https://vcloud.example.com/api/admin/extensio
n/vimServer/id/resourcePoolList

ResourcePool objects

https://vcloud.example.com/api/admin/extensio
n/vimServer/id/networks

VimObjectRef elements of type DV_PORTGROUP and
NETWORK

https://vcloud.example.com/api/admin/extensio
n/vimServer/id/storageProfiles

VMWStorageProfile objects.

VMware, Inc.

Chapter 7 Managing and Monitoring a Cloud

Example: Resources on a vCenter Server
Request:
GET https://vcloud.example.com/api/admin/extension/vimServer/9

Response:
200 OK
...

...

...
administrator
https://10.115.124.37:443
true
true
10.115.124.1
admin
admin
44D5DAAA-7F3E-456D-B1CB-8288D7308AD6
cell1
5.0.0
false

VMware, Inc.

243

vCloud API Programming Guide

Retrieve a List of Resource Pools from a vCenter Server
You can retrieve the list of resource pools available on a vCenter server registered to a cloud. To retrieve the
list, you make a GET request to the server's resourcePoolList link.
The ResourcePoolList of a VimServer element contains an entry for every available resource pool on the
server. Resource pools that a provider VDC is already using are not listed, because they are considered
unavailable. See “Finding Available vCenter Resources,” on page 242.
Prerequisites
n

Verify that you are logged in to the vCloud API as a system administrator.

Retrieve the XML representation of a vCenter server registered to your cloud. See “Finding Available
vCenter Resources,” on page 242.

Procedure
1

Examine the VimServer element to locate its resourcePoolList link.
The link has the following form:

GET the URL in the value of this link's href attribute to retrieve the list of resource pools.
See “Example: Retrieve a List of Resource Pools from a vCenter Server,” on page 244. If the list is
empty, all resource pools on the server are already in use.

Example: Retrieve a List of Resource Pools from a vCenter Server
Request:
GET https://vcloud.example.com/api/admin/extension/vimServer/9/resourcePoolList

Response:
200 OK
Content-Type: application/vnd.vmware.admin.resourcepoollist+xml
...

resgroup-195
RESOURCE_POOL

244

VMware, Inc.

Chapter 7 Managing and Monitoring a Cloud

datastore-172
DATASTORE

datastore-173
DATASTORE

resgroup-230
RESOURCE_POOL

datastore-174
DATASTORE

...

Retrieve a List of Available Portgroups and Switches from a vCenter Server
You can retrieve the list of available portgroups and switches that are available on a vCenter server
registered to a cloud. To retrieve the list, make a GET request to the server's networks link.
Retrieving the networks link from a VimServer element returns a VimObjectRefList element that contains
references to available DV_SWITCH, DV_PORTGOUP, and NETWORK objects on the server. Objects that have already
been consumed in the creation of an external network are not listed. See “Finding Available vCenter
Resources,” on page 242.
Prerequisites
Verify that you are logged in to the vCloud API as a system administrator.
Procedure
1

Retrieve the XML representation of a vCenter server registered to your cloud.

Examine the response, a VimServer element, to locate the networks link.
This link has the following form:

VMware, Inc.

245

vCloud API Programming Guide

GET the URL in the value of this link's href attribute to retrieve the list of network resources.
See “Example: Retrieve a List of Available Portgroups and Switches from a vCenter Server,”
on page 246. If the list is empty, all network resources on the server are already in use.

Example: Retrieve a List of Available Portgroups and Switches from a vCenter
Server
Request:
GET https://vcloud.example.com/api/admin/extension/vimServer/9/networks

Response:
200 OK
Content-Type: application/vnd.vmware.admin.vimservernetworks+xml
...

dvportgroup-32
DV_PORTGROUP

network-175
NETWORK

Retrieve a List of External Networks and Network Pools
You can retrieve a list of external networks and network pools that have been created on a vCenter server
registered to a cloud.
A reference to an external network is required when you create an Edge Gateway. A reference to a network
pool is usually required when you create an organization VDC. These resources do not exist in a new
vCloud Director installation. A system administrator must create them, as described in “Create an External
Network,” on page 261 and “Create a Network Pool,” on page 264.
NOTE When you create a Provider VDC, a VxlanPoolType network pool is created automatically on the
vCenter server that backs the Provider VDC. See “Create a Network Pool,” on page 264.

246

VMware, Inc.

Chapter 7 Managing and Monitoring a Cloud

Procedure
1

Retrieve the XML representation of your cloud.
Use a request like this one:
GET https://vcloud.example.com/api/admin/extension

Examine the response, a VMWExtension element, to locate the links to lists of external networks and
network pools.
These links have the following form:

Make a GET request to the link that represents the object type of interest.
See “Example: Retrieve a List of External Networks,” on page 247.

Example: Retrieve a List of External Networks
Request:
GET https://vcloud.example.com/api/admin/extension/externalNetworkReferences

Each reference to an external network includes its type, name, and href attributes, as shown in this example.
Response:

...

The corresponding element for network pools, VMWNetworkPoolReferences, is similar. In most cases, you can
supply just the href attribute value when you specify an external network or network pool in an
organization network creation request. You can retrieve additional information about the external network
or network pool by making a GET request to its href attribute value.

Retrieve a List of Virtual Machines from a vCenter Server
You can retrieve the list of virtual machines in the inventory of a vCenter server that is registered to a cloud.
To retrieve the list, make a GET request to the server's vmsList link.
When you import a virtual machine from vCenter, your request must supply a reference to the vCenter
server and a VIM object reference to the virtual machine. See “Finding Available vCenter Resources,” on
page 242.

VMware, Inc.

247

vCloud API Programming Guide

Prerequisites
Verify that you are logged in to the vCloud API as a system administrator.
Procedure
1

Retrieve the XML representation of a vCenter server registered to your cloud.

Examine the response, a VimServer element, to locate the vmsList link.
This link has the following form:

GET the URL in the value of this link's href attribute to retrieve the list of virtual machines.
See the request portion of “Example: Retrieve a List of Virtual Machines from a vCenter Server,” on
page 248. If the list is empty, there are no virtual machines in the server's inventory.

Example: Retrieve a List of Virtual Machines from a vCenter Server
Request:
GET https://vcloud.example.com/api/admin/extension/vimServer/9/vmsList

Response:
200 OK
Content-Type: application/vnd.vmware.admin.vmsobjectrefslist+xml
...

vm-41
VIRTUAL_MACHINE

vm-43
VIRTUAL_MACHINE

vm-44
VIRTUAL_MACHINE

Retrieve a List of Storage Profiles from a vCenter Server
You can retrieve the list of storage profiles that have been defined on a vCenter server registered to a cloud.
To retrieve the list, you make a GET request to the server's storageProfiles link.
Storage profiles are named configurations of vCenter storage. When you create a Provider VDC, you must
specify the name of at least one storage profile to provide storage capacity for that Provider VDC.
The VMWStorageProfiles of a VimServer element contains an entry for every storage profile that has been
defined on the server. See “Finding Available vCenter Resources,” on page 242.
NOTE Storage profiles are represented as Storage Policies in the vCloud Director Web console.
Prerequisites
n

Verify that you are logged in to the vCloud API as a system administrator.

Retrieve the XML representation of a vCenter server registered to your cloud. See “Finding Available
vCenter Resources,” on page 242.

Procedure
1

(Optional) Refresh the cached list of storage profiles.
vCloud Director maintains a cache of the storage profiles that have been created on each of its
registered vCenter servers. The cache is refreshed on a regular schedule, and is likely to contain an upto-date list. If a vCenter administrator has recently created a new storage profile, you can force it to be
added to the cache by following these steps.
a

Examine the VimServer element to locate its action/refreshStorageProfiles link.
The link has the following form:

Refresh the cached list of storage profiles from the vCenter server.
Use a request like this one.
POST
https://vcloud.example.com/api/admin/extension/vimServer/9/action/refreshStorageProfiles

The response is a Task. When the task completes, the cached list of storage profiles on the vCenter
server has been updated.
2

Examine the VimServer element to locate its storageProfiles link.
The link has the following form:

VMware, Inc.

249

vCloud API Programming Guide

GET the URL in the value of this link's href attribute to retrieve the list of storage profiles.
See “Example: Retrieve a List of Storage Profiles from a vCenter Server,” on page 250.

Example: Retrieve a List of Storage Profiles from a vCenter Server
Request:
GET https://vcloud.example.com/api/admin/extension/vimServer/9/storageProfiles

This response shows that the specified vCenter server contains three storage profiles, named Gold, Silver,
and Bronze. Storage profile details, including datastore identifiers and capacities, are included in the
response, but only the value of the name attribute of a VMWStorageProfile is needed when adding that
storage profile to a Provider VDC.
Response:
200 OK
Content-Type: application/vnd.vmware.admin.vmwstorageprofiles+xml
...

...

storageProfile-CFAA6D92-36FC-4C16-9B30-FAC79B902371
STORAGE_PROFILE
169203.0
325120.0

datastore-44
DATASTORE

datastore-45
DATASTORE

...

Create a Provider VDC
A Provider VDC is a collection of compute, memory, and storage resources from one vCenter. A Provider
VDC provides resources to organization VDCs.
A Provider VDC is represented as a VMWProviderVdc element in the extension view and a ProviderVdc
element in the admin view. A system administrator can create a VMWProviderVdc or modify it to add or
remove datastores, storage profiles, and resource pools, or change other properties such as its description. A
system administrator cannot change the primary resource pool or vCenter server that was specified when
the Provider VDC was created. An organization administrator can retrieve a read-only representation of a
Provider VDC in a ProviderVdc element. The ProviderVdc element includes a subset of the elements and
attributes that are visible in the corresponding VMWProviderVdc.
Prerequisites
n

Verify that you are logged in to the vCloud API as a system administrator.

Choose a vCenter server to supply a resource pool and storage profiles to this Provider VDC. See
“Finding Available vCenter Resources,” on page 242.

Procedure
1

Retrieve the XML representation of the vSphere platform extensions.
Use a request like this one.
GET https://vcloud.example.com/api/admin/extension

Examine the response to locate the Link element that contains the URL for adding Provider VDCs to the
cloud.
This element has a rel attribute value of add and a type attribute value of
application/vnd.vmware.admin.createProviderVdcParams+xml, as shown here:

Create a VMWProviderVdcParams element that specifies the properties of the Provider VDC.
a

Include a VimServer element that references the vCenter server that you have chosen to supply a
resource pool and storage profiles to this Provider VDC.

Include a ResourcePoolRefs element that specifies one resource pool.
The ResourcePoolRef must contain the href attribute value of the VimServer element you created in
Step 3a, as well as the MoRef and VimObjectType values of the resource pool as they appear in the
ResourcePool and element from the resource pool list. See the request portion of “Example: Create
a Provider VDC,” on page 252.
NOTE You must specify exactly one resource pool when you create the Provider VDC. You can
add more resource pools after the Provider VDC is created.

VMware, Inc.

Include at least one StorageProfile element that contains the name of a storage profile that has
been defined on the vCenter server referenced in the VimServer element you created in Step 3a.

251

vCloud API Programming Guide

POST the VMWProviderVdc element you created in Step 3 to the URL described in Step 2.
See the request portion of “Example: Create a Provider VDC,” on page 252.

The server creates and enables the Provider VDC and returns a VMWProviderVdc element that includes
information derived from the contents you POSTed, along with a set of Link elements that you can use to
access, remove, disable, or modify the Provider VDC.
n

The new Provider VDC becomes a member of the ProviderVdcReferences element of the VCloud.

The resource pool you selected is removed from the resource pool list of the vCenter server.

Each storage profile you specified becomes the basis for a ProviderVdcStorageProfile object, and can
be retrieved from the Provider VDC after it has been created, or by using a providerVdcStorageProfile
query.

A VxlanPoolType network pool is created on the vCenter server referenced by the VimServer element
you created in Step 3a and implicitly attached to the new Provider VDC. You can create other types of
network pools on that vCenter server if you want them to be available in the Provider VDC. See “Create
a Network Pool,” on page 264.

Example: Create a Provider VDC
This request creates a Provider VDC specifying a resource pool extracted from the response portion of
“Example: Retrieve a List of Resource Pools from a vCenter Server,” on page 244 and a storage profile
extracted from “Example: Retrieve a List of Storage Profiles from a vCenter Server,” on page 250. The
vCenter server that provides the resources is referenced in the VimServerRef and VimServer elements.
Request:
POST https://vcloud.example.com/api/admin/extension/providervdcsparams
Content-Type: application/vnd.vmware.admin.createProviderVdcParams+xml
...

Example Provider VDC

resgroup-195
RESOURCE_POOL

Gold

The response includes a Task that tracks the creation of the Provider VDC, and a set of Link elements that
you can use to operate on or modify the Provider VDC. It also includes read-only values for
ComputeCapacity and SupportedHardwareVersions, and a list of HostReferences identifying the ESX hosts
that provide the resources.

252

VMware, Inc.

Chapter 7 Managing and Monitoring a Cloud

Response:
201 Created
Content-Type: application/vnd.vmware.admin.vmwprovidervdc+xml
...

Example Provider VDC

...

MHz
0
0
0
0

VMware, Inc.

253

vCloud API Programming Guide

MB
0
0
0
0

vmx-04
vmx-07
vmx-08

true

resgroup-195
RESOURCE_POOL

254

VMware, Inc.

Chapter 7 Managing and Monitoring a Cloud

Retrieve a Provider VDC Resource Pool Set
The VMWProviderVdcResourcePoolSet of a Provider VDC contains information about all of the Provider
VDC's resource pools. Getting this information is usually a prerequisite to adding or removing a resource
pool.
Each reference in a VMWProviderVdcResourcePoolSet lists the vCenter server that provides the resource pool
and indicates whether the resource pool is primary. All resource pools in a VMWProviderVdcResourcePoolSet
must come from the same vCenter server.
Prerequisites
Verify that you are logged in to the vCloud API as a system administrator.
Procedure
1

Retrieve the XML representation of the Provider VDC.
Use a request like this one:
GET https://vcloud.example.com/api/admin/extension/providervdc/35

Locate the resourcePools link in the VMWProviderVdc.
Every VMWProviderVdc element includes a link like this one to the Provider VDC's resource pools.

Retrieve the VMWProviderVdcResourcePoolSet for the Provider VDC.
See “Example: Retrieve a Resource Pool Set,” on page 255.

Example: Retrieve a Resource Pool Set
This example lists the resource pools for the Provider VDC created in “Example: Create a Provider VDC,”
on page 252. The response is a VMWProviderVdcResourcePoolSet that contains two resource pools, one of
which is designated primary. Both reference the same vCenter server at
https://vcloud.example.com/api/admin/extension/vimServer/9.
Request:
GET https://vcloud.example.com/api/admin/extension/providervdc/35/resourcePools

Response:
200 OK
Content-Type: application/vnd.vmware.admin.vmwprovidervdcresourcepoolset+xml
...

resgroup-235
RESOURCE_POOL

true

Update Provider VDC Resource Pools
A system administrator can update the resource pool set of an existing Provider VDC to add or remove
resource pools. Adding resource pools allows organization VDCs that reference the Provider VDC to
consume additional resources during periods of high demand. Removing resource pools frees the
underlying resources.
When you create a Provider VDC, it initially contains a single resource pool, called the primary resource
pool. Adding secondary resource pools allows a Provider VDC to support resource elasticity in organization
VDCs that use the AllocationPool or AllocationVApp (pay as you go) allocation model. Resource elasticity
allows an organization VDC's compute resources to grow or shrink on demand.
All of a Provider VDC's resource pools must come from the same vCenter. See “Retrieve a List of Resource
Pools from a vCenter Server,” on page 244.
Prerequisites
Verify that you are logged in to the vCloud API as a system administrator.
Procedure
1

Retrieve the XML representation of the Provider VDC.
Use a request like this one:
GET https://vcloud.example.com/api/admin/extension/providervdc/35

256

VMware, Inc.

Chapter 7 Managing and Monitoring a Cloud

Locate the updateResourcePools link in the VMWProviderVdc.
Every VMWProviderVdc element includes an action link like this one to the Provider VDC's
updateResourcePools action.

Retrieve the resource pool list from the Provider VDC.
The VMWProviderVdcResourcePoolSet contains references to the Provider VDC's existing resource pools
and the vCenter server that hosts them.

Update the resource pool set.
To add resource pools:
a

Choose another resource pool from the same vCenter server.

Create an UpdateResourcePoolSetParams element that contains an AddItem element for each
resource pool to add.

To remove resource pools:
a

Examine the resource pool list and find the pool to remove.

Verify the pool is not the primary resource pool, and that no virtual machines are using it.
If necessary, use the action/migrateVms link to migrate virtual machines to another resource pool.

c
5

Create an UpdateResourcePoolSetParams element that contains a DeleteItem element for each
resource pool to remove.

POST the UpdateResourcePoolSetParams element to the Provider VDC's resourcePools link.

Example: Update Provider VDC Resource Pools
This request adds a resource pool to the Provider VDC created in “Example: Create a Provider VDC,” on
page 252. The additional resource pool is hosted on the same vCenter server that hosts the existing resource
pool. See “Retrieve a List of Resource Pools from a vCenter Server,” on page 244 for an example that lists the
resource pools available on that server.
Request:
POST https://vcloud.example.com/api/admin/extension/providervdc/35/action/updateResourcePools
Content-Type: application/vnd.vmware.admin.resourcePoolSetUpdateParams+xml
...

resgroup-230
RESOURCE_POOL

VMware, Inc.

257

vCloud API Programming Guide

Response:
202 Accepted
Content-Type: application/vnd.vmware.vcloud.task+xml
...

...

This request removes one of the two resource pools (a secondary resource pool) shown in “Retrieve a
Provider VDC Resource Pool Set,” on page 255. The response is a task.
Request:
POST https://vcloud.example.com/api/admin/extension/providervdc/35/action/updateResourcePools
Content-Type: application/vnd.vmware.admin.resourcePoolSetUpdateParams+xml
...

Response:
202 Accepted
Content-Type: application/vnd.vmware.vcloud.task+xml
...

...

Update Provider VDC Storage Profiles
A system administrator can update the storage profiles that are included in a Provider VDC. New storage
profiles can be added, and unused storage profiles can be removed.
Storage profiles can be created by a vCenter administrator on any vCenter server that supports the profiledriven storage feature. A Provider VDC can provide access to any of the storage profiles that have been
created on its vCenter server (the one referenced in its vmext:VimServer element). A vCloud Director system
administrator must specify at least one vCenter storage profile when creating a Provider VDC, and can add
or remove storage profiles later as needed. Organization VDCs reference Provider VDC storage profiles in
much the same way that Provider VDCs reference vCenter storage profiles. Media and Disk objects, as well
as vApps and virtual machines reference organization VDC storage profiles by name.
NOTE Storage profiles are represented as Storage Policies in the vCloud Director Web console.
Prerequisites
Verify that you are logged in to the vCloud API as a system administrator.
Procedure
1

Retrieve the XML representation of the Provider VDC.
Use a request like this one:
GET https://vcloud.example.com/api/admin/extension/providervdc/35

258

VMware, Inc.

Chapter 7 Managing and Monitoring a Cloud

Examine the VMWProviderVdc element to find the storageProfiles link and the vmext:VimServer
element.
The storageProfiles link has the following form:

Create an UpdateProviderVdcStorageProfiles request body that specifies the details of the update.
To add a storage profile:
a

Choose another storage profile from the vCenter server referenced in the vmext:VimServer element
you located in Step 2.

Create an UpdateProviderVdcStorageProfiles element that contains an AddStorageProfile element
for each storage profile to add.

To remove a storage profile:
a

Retrieve the Provider VDC's availableStorageProfiles list and find the name of the profile to
remove.
Use a request like this one:
GET
https://vcloud.example.com/api/admin/extension/providervdc/35/availableStorageProfiles

Verify that no organization VDCs are using the storage profile you want to remove.

Create an UpdateProviderVdcStorageProfiles element that contains a RemoveStorageProfile
element for each storage profile to remove.

POST the UpdateProviderVdcStorageProfiles element to the Provider VDC's storageProfiles link.

The server returns a Task element that you can use to track the progress of the update. When the update is
complete, the Provider VDC includes the updated set of storage profiles in its StorageProfiles element.
Each storage profile you added becomes the basis for a ProviderVdcStorageProfile object, and can be
retrieved from the Provider VDC after it has been created, or by using a providerVdcStorageProfile query.

Example: Update Provider VDC Storage Profiles
This request adds a storage profile named Bronze to the Provider VDC created in “Example: Create a
Provider VDC,” on page 252. The new storage profile is hosted on the same vCenter server that hosts the
existing storage profile. See “Retrieve a List of Storage Profiles from a vCenter Server,” on page 249 for an
example that lists the storage profiles available on that server.
Request:
POST https://vcloud.example.com/api/admin/extension/providervdc/35/action/updateStorageProfiles
Content-Type: application/vnd.vmware.admin.updateProviderVdcStorageProfiles+xml
...

Bronze

Response:
202 Accepted
Content-Type: application/vnd.vmware.vcloud.task+xml
...

...

Merge Provider VDCs
You can merge two Provider VDCs by specifying a target Provider VDC and a contributor Provider VDC to
merge with it. The merged Provider VDC contains all resources from the target and contributor Provider
VDCs
Because merging Provider VDCs is a resource-intensive operation, vCloud Director allows only a single
contributor to a merge. You can merge multiple Provider VDCs into a single target by making multiple
merge requests, each specifying the same target and a new contributor.
When the merge is complete:
Networks, network pools, storage profiles, resource pools, and datastores from the contributor Provider
n
VDC are available in the target Provider VDC.
n

Organization VDCs that were backed by the contributor are now backed by the target.

The contributor Provider VDC is deleted.

Prerequisites
Verify that you are logged in to the vCloud API as a system administrator.
Procedure
1

Identify the Provider VDCs to merge.
Select a contributor that is not backed by the same resource pool as the target. You can use a query like
this one to discover the resource pools backing each of your Provider VDCs.
GET https://vcloud.example.com/api/query?type=providerVdcResourcePoolRelation&format=records

Construct a ProviderVdcMergeParams element whose ProviderVdcReference references the contributor.
See the request portion of “Example: Merge Provider VDCs,” on page 260.

Make a POST request to the action/merge link of the target Provider VDC and supply the
ProviderVdcMergeParams as the request body.

Example: Merge Provider VDCs
This request merges the Provider VDC at

https://vcloud.example.com/api/admin/extension/providervdc/46 with the target Provider VDC specified

in the request URL.
Request:

POST https://vcloud.example.com/api/admin/extension/providervdc/35/action/merge
Content-Type: application/vnd.vmware.admin.providerVdcMergeParams+xml
...

260

VMware, Inc.

Chapter 7 Managing and Monitoring a Cloud

Response:
202 Accepted
Content-Type: application/vnd.vmware.vcloud.task+xml
...

...

Create an External Network
An external network is a reference to a portgroup on a vCenter server attached to vCloud Director. To create
an external network, a system administrator must specify the vCenter server and a portgroup associated
with it. External networks provide support for bridged organization networks.
Only a system administrator can create an external network. A system administrator can modify an external
network to change properties such as its description, but cannot change the portgroup that backs the
network. An organization administrator can retrieve a read-only representation of an external network to
examine its properties.
Prerequisites
n

Verify that you are logged in to the vCloud API as a system administrator.

Retrieve the list of available portgroups. See “Retrieve a List of Available Portgroups and Switches from
a vCenter Server,” on page 245.

Procedure
1

Retrieve the XML representation of the vSphere platform extensions.
Use a request like this one.
GET https://vcloud.example.com/api/admin/extension

Examine the response to locate the Link element that contains the URL for adding external networks to
the cloud.
This element has a rel attribute value of add and a type attribute value of
application/vnd.vmware.admin.vmwexternalnet+xml, as shown here:

Choose a vCenter server to provide a portgroup for the network.

Create a VMWExternalNetwork element that specifies the properties of the external network.
These properties include the portgroup you specified in Step 3.

VMware, Inc.

261

vCloud API Programming Guide

POST the VMWExternalNetwork element you created in Step 4 to the URL described in Step 2.
See the request portion of “Example: Create an External Network,” on page 262.

The server creates the external network and returns a VMWExternalNetwork element that includes the contents
you POSTed, along with a set of Link elements that you can use to access, remove, disable, or modify it. A
reference to the new external network is added to the VMWExternalNetworkReferences element of the VCloud.
The portgroup you specified is removed from the VimObjectRefList of the vCenter server.

Example: Create an External Network
This request creates an external network backed by a portgroup listed in the response portion of “Retrieve a
List of Available Portgroups and Switches from a vCenter Server,” on page 245.
Request:
POST https://vcloud.example.com/api/admin/extension/externalnets
Content-Type: application/vnd.vmware.admin.vmwexternalnet+xml
...

ExternalNet

false
10.24.64.126
255.255.255.192
10.115.120.71
10.6.64.29
example.com

isolated

network-175
NETWORK

The response includes a Task that tracks the creation of the network, and a set of Link elements that you can
use to operate on or modify it.
Response:
201 Created
Content-Type: application/vnd.vmware.admin/vmwexternalnet+xml
...

ExternalNet

...

false
10.24.64.126
255.255.255.192
10.115.120.71
10.6.64.29
eng.vmware.com

isolated

network-175
NETWORK

VMware, Inc.

263

vCloud API Programming Guide

Create a Network Pool
Network pools provide support for isolated and routed networks in organization VDCs. Although every
Provider VDC includes a VXLAN network pool that can support most networking use cases, a system
administrator can create other types of network pools if they are needed.
A network pool object represents a collection of vSphere network resources that are contained by a Provider
VDC and available to the organization VDCs backed by that Provider VDC. Traffic on each network in a
pool is isolated at layer 2 from all other networks.
Only a system administrator can create a network pool. A system administrator can modify a network pool
to change properties such as its description, but cannot change the network resources, such as virtual
switches or portgroups, that provide backing for it. After a network pool has been associated with an
organization VDC (typically when the VDC is created), network resources from the pool are consumed as
needed to create isolated or routed organization VDC networks or vApp networks in the VDC.
NOTE When you create a Provider VDC, a VxlanPoolType network pool is created automatically on the
vCenter server that backs the Provider VDC. This pool is given a name derived from the name of the
containing Provider VDC and attached to it at creation. You cannot delete or modify this network pool. You
cannot create aVxlanPoolType network pool by any other method. If you rename a Provider VDC, its
VxlanPoolType network pool is automatically renamed.
vSphere VXLAN networks are based on the IETF draft VXLAN standard. These networks support localdomain isolation equivalent to what is supported by vSphere isolation-backed networks. In addition, they
provide:
n

logical networks spanning layer 3 boundaries

logical networks spanning multiple racks on a single layer 2

broadcast containment

higher performance

greater scale (up to 16 million network addresses)

All network pools are defined by a VMWNetworkPool element. The contents of this element depend on its type,
which is specified in its xsi:type attribute. The following values of xsi:type are supported for pools created
by a system administrator.
VlanPoolType

This pool type is based on ESXi VLANs on the vCenter server that backs the
Provider VDC, and is backed by a range of VLAN IDs.

FencePoolType

This pool type is backed by one or more vCenter isolated networks, and
provides traffic isolation from other hosts. The system provisions isolated
networks automatically. Before creating an isolation-backed network pool,
consider using the VXLAN pool that is created automatically when you
create a Provider vDC

PortGroupPoolType

This pool type is based on distributed port groups of a vSphere distributed
switch or third-party distributed switch on the vCenter server that backs the
Provider VDC.

Prerequisites
Verify that you are logged in to the vCloud API as a system administrator.

264

VMware, Inc.

Chapter 7 Managing and Monitoring a Cloud

Procedure
1

Retrieve the XML representation of the vSphere platform extensions.
Use a request like this one.
GET https://vcloud.example.com/api/admin/extension

Examine the response to locate the Link element that contains the URL for adding network pools to
your cloud.
This element has a rel attribute value of add and a type attribute value of
application/vnd.vmware.admin.networkPool+xml, as shown here:

Create a VMWNetworkPool element that specifies the pool type and backing vCenter resources.
Details of this element's contents depend on the type of pool you are creating.

POST the VMWNetworkPool element you created in Step 3 to the URL described in Step 2.

The server creates the network pool and returns a VMWNetworkPool element that includes the contents you
POSTed, along with a set of Link elements that you can use to access, remove, disable, or modify it. A
reference to the new network pool is added to the VMWNetworkPoolReferences element of the VCloud.
Network resources you specified in the VMWNetworkPool element are removed from the VimObjectRefList of
the vCenter server.

Create a VLAN-Backed Network Pool
To create a VLAN-backed network pool, create a VMWNetworkPool element whose type attribute has the value
VlanPoolType, and POST the element to your cloud's add link for networkPools.
A VLAN-backed network pool is backed by a range of VLAN IDs.
Prerequisites
n

Verify that you are logged in to the vCloud API as a system administrator.

Verify that you know your cloud's add URL for networkPools. See “Create a Network Pool,” on
page 264.

Verify that at least one vCenter server attached to your cloud has network resources available. See
“Retrieve a List of Available Portgroups and Switches from a vCenter Server,” on page 245

Procedure
1

Choose a vCenter server to provide a switch for the network pool.

Create a VMWNetworkPool element that specifies the properties of the network pool.
See the request portion of “Example: Create a VLAN-Backed Network Pool,” on page 265.

POST the VMWNetworkPool element you created in Step 2 to your cloud's add URL for networkPools.
See the request portion of “Example: Create a VLAN-Backed Network Pool,” on page 265.

Example: Create a VLAN-Backed Network Pool
Use the query service to retrieve a list of DV Switch objects available on vCenter servers registered to this
cloud.
https://vcloud.example.com/api/query?type=dvSwitch&format=records

VMware, Inc.

265

vCloud API Programming Guide

The query response includes the values you'll need for the VimServerRef and MoRef elements. The
VimObjectType for a DV Switch is always DV_SWITCH.
Request:
POST https://vcloud.example.com/api/admin/extension/networkPools
Content-Type: application/vnd.vmware.admin.networkPool+xml
...

Example VLAN-backed network pool

1
4

dvs-33
DV_SWITCH

The response includes a Task that tracks the creation of the network pool, and a set of Link elements that
you can use to operate on or modify it.
Response:
201 Created
Content-Type: application/vnd.vmware.admin.networkPool+xml
...

Example VLAN-backed network pool

...

Create an Isolation-Backed Network Pool
To create an isolation-backed network pool, create a VMWNetworkPool element whose type attribute has the
value FencePoolType, and POST the element to your cloud's add link for networkPools.
An isolation-backed network pool is backed by one or more vCenter isolated networks, and provides traffic
isolation from other hosts. The system provisions isolated networks automatically. Before creating an
isolation-backed network pool, consider using the VXLAN pool that is created automatically when you
create a Provider VDC
vSphere VXLAN networks are based on the IETF draft VXLAN standard. These networks support localdomain isolation equivalent to what is supported by vSphere isolation-backed networks. In addition, they
provide:
n

logical networks spanning layer 3 boundaries

logical networks spanning multiple racks on a single layer 2

broadcast containment

higher performance

greater scale (up to 16 million network addresses)

Prerequisites
n

Verify that you are logged in to the vCloud API as a system administrator.

Verify that you know your cloud's add URL for networkPools. See “Create a Network Pool,” on
page 264.

Verify that at least one vCenter server attached to your cloud has network resources available. See
“Retrieve a List of Available Portgroups and Switches from a vCenter Server,” on page 245

Procedure
1

Choose a vCenter server to provide a switch for the network pool.

Create a VMWNetworkPool element that specifies the properties of the network pool.

POST the VMWNetworkPool element you created in Step 2 to your cloud's add URL for networkPools.
See the request portion of “Example: Create an Isolation-Backed Network Pool,” on page 267.

Example: Create an Isolation-Backed Network Pool
Request:
POST https://vcloud.example.com/api/admin/extension/networkPools
Content-Type: application/vnd.vmware.admin.networkPool+xml
...

Example Isolation-backed network pool
5
0

dvs-39
DV_SWITCH

Example isolation-backed network pool

...

268

VMware, Inc.

Chapter 7 Managing and Monitoring a Cloud

Create a Portgroup-Backed Network Pool
To create a portgroup-backed network pool, you create a VMWNetworkPool element whose type attribute has
the value PortGroupPoolType, and POST the element to your cloud's add link for networkPools.
Prerequisites
n

Verify that you are logged in to the vCloud API as a system administrator.

Verify that you know your cloud's add URL for networkPools. See “Create a Network Pool,” on
page 264.

Verify that at least one vCenter server attached to your cloud has network resources available. See
“Retrieve a List of Available Portgroups and Switches from a vCenter Server,” on page 245

Procedure
1

Choose a vCenter server to provide a portgroup for the network pool.

Create a VMWNetworkPool element that specifies the properties of the network pool.
See the request portion of “Example: Create a Portgroup-Backed Network Pool,” on page 269.

POST the VMWNetworkPool element you created in Step 2 to your cloud's add URL for networkPools. See
“Create a Network Pool,” on page 264.
See the request portion of “Example: Create a Portgroup-Backed Network Pool,” on page 269.

Example: Create a Portgroup-Backed Network Pool
Request:
POST https://vcloud.example.com/api/admin/extension/networkPools
Content-Type: application/vnd.vmware.admin.networkPool+xml
...

Example portgroup-backed network pool

dvportgroup-32
DV_PORTGROUP

The response includes a Task that tracks the creation of the network pool, and a set of Link elements that
you can use to operate on or modify it.

VMware, Inc.

269

vCloud API Programming Guide

Response:
201 Created
Content-Type: application/vnd.vmware.admin.networkPool+xml
...

Example portgroup-backed network pool

...

Import a Virtual Machine from vCenter
A system administrator can import virtual machines from the inventory of any vCenter server registered to
vCloud Director. You can import the virtual machines to any VDC in a cloud, and you can import them in
vApp or vApp template form.
When you import a virtual machine from vCenter, you must specify the following items:
n

A target VDC to receive the import.

A form for the imported virtual machine to take. Choose vApp or vApp template.

Whether to remove the source virtual machine from vCenter inventory after the import is complete.

Prerequisites

270

Verify that you are logged in to the vCloud API as a system administrator.

Identify the virtual machine to import. See “Retrieve a List of Virtual Machines from a vCenter Server,”
on page 247.

VMware, Inc.

Chapter 7 Managing and Monitoring a Cloud

Procedure
1

Choose whether to import the virtual machine as a vApp or vApp template.
The VimServer element that represents the vCenter server from which you import the virtual machine
contains two links that import virtual machines. One has the following form, and imports the virtual
machine as a vApp.

The other has the following form, and imports the virtual machine as a vApp template.

(Optional) If you plan to import the virtual machine as a vApp template, identify a catalog where you
want to place a reference to the template.

Import a Virtual Machine as a vApp
To import a virtual machine as a vApp, a system administrator can make a request to the importVmAsVApp
link of the VimServer that manages the virtual machine.
Prerequisites
n

Verify that you are logged in to the vCloud API as a system administrator.

Identify the virtual machine to import. See “Retrieve a List of Virtual Machines from a vCenter Server,”
on page 247.

Procedure
1

Create an ImportVmAsVAppParams element that specifies the VmMoRef of the source virtual machine and a
target VDC to hold the imported vApp.

POST the ImportVmAsVAppParams element to the importVmAsVApp link of the source vCenter server.

Example: Import a Virtual Machine as a vApp
This example imports one of the virtual machines shown in the response portion of “Example: Retrieve a
List of Virtual Machines from a vCenter Server,” on page 248. The request body is an ImportVmAsVAppParams
element whose sourceMove attribute specifies that the source virtual machine should remain in vCenter
inventory after the import is complete. The request body includes the href of the VDC that receives the
import and a VmMoRef element that contains the managed object reference of the virtual machine to import.
The response is an unresolved vApp body that contains a Task that tracks the import.
Request:
POST https://vcloud.example.com/api/admin/extension/vimServer/9/importVmAsVapp
Content-type: application/vnd.vmware.admin.importVmAsVAppParams+xml
...

VMware, Inc.

271

vCloud API Programming Guide

vm-43

Response:
201 Created
Content-Type: application/vnd.vmware.vcloud.vApp+xml
...

...

Import a Virtual Machine as a vApp Template
To import a virtual machine as a vApp template, a system administrator can make a request to the

importVmAsVAppTemplate link of the VimServer that manages the virtual machine.

Prerequisites
n

Verify that you are logged in to the vCloud API as a system administrator.

Identify the virtual machine to import. See “Retrieve a List of Virtual Machines from a vCenter Server,”
on page 247.

Procedure
1

Create an ImportVmAsVAppTemplateParams element that specifies the VmMoRef of the source virtual
machine, a target VDC to hold the imported vApp template, and an optional catalog where you want to
place a reference to the template.

POST the ImportVmAsVAppTemplateParams element to the importVmAsVAppTemplate link of the source
vCenter server.

Example: Import a Virtual Machine as a vApp Template
This example imports one of the virtual machines shown in the response portion of “Example: Retrieve a
List of Virtual Machines from a vCenter Server,” on page 248 as a vApp template. The request body is an
ImportVmAsVAppTemplateParams element whose sourceMove attribute specifies that the source virtual machine
should remain in vCenter inventory after the import is complete. The request body includes the href of the
VDC that receives the import, a VmMoRef element that contains the managed object reference of the virtual
machine to import, and a Catalog element that references the catalog to which the imported template should
be added. The response is an unresolved VAppTemplate body that contains a Task that tracks the import.

272

VMware, Inc.

Chapter 7 Managing and Monitoring a Cloud

Request:
POST https://vcloud.example.com/api/admin/extension/vimServer/9/importVmAsVappTemplate
Content-type: application/vnd.vmware.admin.importVmAsVAppTemplateParams+xml
...

vm-43

Response:
201 Created
Content-Type: application/vnd.vmware.vcloud.vAppTemplate+xml
...

...

Relocate a Virtual Machine to a Different Datastore
If the datastore that contains a virtual machine has been disabled by the system administrator or is no longer
associated with virtual machine's designated storage profile, you must update the Vm element that represents
the virtual machine. That update revalidates the storage profile and relocates the virtual machine if
necessary.
Every Vm element includes a StorageProfile element. The value of the href attribute of that element is a
reference to the virtual machine's storage profile. The initial value of this attribute is inherited from the VDC
that contains it unless you specify the value when the virtual machine is created. To change the value, you
must update the entire Vm element that contains it.
NOTE When the system administrator changes the datastore that stores a virtual machine, you must update
the Vm element as shown in “Example: Update the Storage Profile for a Virtual Machine,” on page 146, but
leave the href of the current StorageProfile unchanged. This action, which replaces the deprecated
relocate action, forces revalidation of the existing storage profile. If the current datastore is disabled or no
longer supports the specified storage profile, the system relocates the virtual machine to a different
datastore that supports the referenced storage profile. After the returned Task completes, the validation and,
if necessary, relocation is complete.

VMware, Inc.

273

vCloud API Programming Guide

Prerequisites
Verify that you are logged in to the vCloud API as a system administrator or the object owner.
Procedure
1

Retrieve the Vm element.
Make a GET request to the URL in the value of the href attribute of the Vm.

Update the Vm with your modifications.
a

Find the Link element in the Vm where rel="edit".

Make a PUT request to the URL in that link's href attribute value, and supply the modified Vm as
the request body.

...

Response:
202 Accepted
Content-Type: application/vnd.vmware.vcloud.task+xml
...

...

274

VMware, Inc.

Chapter 7 Managing and Monitoring a Cloud

Truststore and Keytab Maintenance
You can use the vCloud API to upload and manage SSL certificates, keystores, and Kerberos keytabs for
your organization's LDAP service.
The OrgLdapSettings element includes links that you can use to manage the organization's LDAP truststore
and keystore by uploading new certificates and keytabs.

Similar links contained by the SystemSettings element allow the system administrator to manage the system
LDAP truststore and keystore.

All of these links implement similar operations. They either upload a new certificate, keytab, or keystore, or
reset or remove an existing one. vCloud Director imposes limits on upload sizes.
Table 7‑3. Truststore, Certificate, and Keytab Upload Limits
Upload Type

Maximum Size in Megabytes

vCenter truststore

LDAP certificate

LDAP keystore

LDAP SSPI keytab

AMQP certificate

AMQP truststore

Prerequisites
Verify that you are logged in to the vCloud API as a system administrator.
Procedure
1

Create the request body that the request requires.
For details on these request bodies, see the schema reference.

POST the request body to the request URL.
The response includes an uploadLocation parameter whose value is a URL to which you can upload the
certificate, keytab, or keystore.

Use a PUT request to upload the certificate, keytab, or keystore.

Example: Upload an SSL Certificate for an Organization LDAP Service
This example uploads an SSL certificate whose size is 2048 bytes. The first step obtains an upload URL by
POSTing a CertificateUpdateParams element to the organization's
settings/ldap/action/updateLdapCertificate URL.
Request:
POST: https://vcloud.example.com/api/admin/org/26/settings/ldap/action/updateLdapCertificate
Content-type: application/vnd.vmware.admin.certificateUpdateParams+xml
...

276

VMware, Inc.

Chapter 7 Managing and Monitoring a Cloud

The response contains an uploadLocation parameter whose value is a URL to which you can upload the
certificate.
Response:

To upload the certificate, make a PUT request to the uploadLocation URL and supply the certificate in the
request body.
Request:
PUT https://vcloud.example.com/transfer/53bc1/ldapCertificate
Content-length: 2048
...serialized contents of certificate...
EOF

Response:
200 OK

Retrieve the vSphere URL of an Object
If you know the VimObjectType and MoRef of an object represented in the vCloud API, you can use that
information to retrieve a URL that you can use to access the object with the vSphere Web Client.
Using the vSphere Web Client to examine an object vCloud Director uses can help a system administrator
diagnose problems with resource consumption and allocation. To retrieve the vSphere URL of an object, you
must construct a request URL in the following format.
API-URL/admin/extension/vimServer/id/vimObjType/vimObjMoref/vSphereWebClientUrl
n

API-URL is a URL of the form https://vcloud.example.com/api.

id is a unique identifier in the form of a UUID, as defined by RFC 4122. The vimServer object that has
this id must be the one that hosts the object that vimObjType and vimObjMoref identify.

vimObjType is the vSphere object type, expressed as one of the following strings:

VMware, Inc.

CLUSTER_COMPUTE_RESOURCE

DATASTORE

DATASTORE_CLUSTER

DV_PORTGROUP

DV_SWITCH

FOLDER

277

vCloud API Programming Guide

HOST

NETWORK

RESOURCE_POOL

STORAGE_PROFILE (available from vCenter 5.1 and later)

VIRTUAL_MACHINE

vimObjMoref is the vSphere managed object reference of the object, as returned by the vCloud API.

For an example request URL, see the request portion of “Example: Retrieve the vSphere URL of a Resource
Pool,” on page 278. All of the information you need to construct the URL is available when you retrieve the
XML representation of any of the supported object types. See “Example: Retrieve a Resource Pool Set,” on
page 255, “Example: Retrieve a List of Available Portgroups and Switches from a vCenter Server,” on
page 246, and “Example: Retrieve a List of Storage Profiles from a vCenter Server,” on page 250.
NOTE See “Mapping a vCloud Director Object to a vSphere Object,” on page 279 for a list of
vCloud Director objects and corresponding vSphere objects.
Prerequisites
Verify that you are logged in to the vCloud API as a system administrator.
Verify that the vSphere Web Client URL is enabled for all vCenter servers from which you want to retrieve
the vSphere URL of an object. You can manage this feature on the General tab of the vSphere Properties
page of the vCloud Director Web console.
Procedure
1

Retrieve the VimObjectType and MoRef elements of the object, and the VimServerRef element of the
vSphere server that hosts the object.

Construct a request URL that includes the VimServerRef, VimObjectType, and MoRef elements.
You can use the value of the href attribute of the VimServerRef element as the vimServer/id part of the
request URL.

Make a GET request to the URL you constructed in Step 2.
The response contains a URL you can use with the vSphere Web Client. See “Example: Retrieve the
vSphere URL of a Resource Pool,” on page 278.

Example: Retrieve the vSphere URL of a Resource Pool
This request retrieves the vSphere URL of one of the resource pools referenced in “Example: Retrieve a
Resource Pool Set,” on page 255.
Request:
GET
https://vcloud.example.com/api/admin/extension/vimServer/9/RESOURCE_POOL/resgroup-195/vSphereWebC
lientUrl

278

VMware, Inc.

Chapter 7 Managing and Monitoring a Cloud

Response:

https://10.147.22.134:8443/vsphere-client/#extensionId=vsphere.core.sp.summary;...

Use the URL that the vmext:URL element contains to access the object with the vSphere Web Client. The URL
is truncated in this example.

Mapping a vCloud Director Object to a vSphere Object
When using the vSphere Web Client to examine a vCloud Director object, you can use this table to map the
object to its representation in vSphere.
Table 7‑4. Mapping a vCloud Director Object to a vSphere Object
vCloud Director Object

vSphere Object

Provider VDC:Hosts

Host

Provider VDC:Datastores

Datastore

Provider VDC:Storage Profiles

Storage Profile

Provider VDC:External Network (portgroup-backed)

Standard virtual switch

Provider VDC:External Network(VLAN-backed)

Distributed virtual switch

Provider VDC:Resource Pool (root resource pool or
Cluster)

Cluster

Provider VDC:Resource Pool (sub-resource pool only)

Resource Pool

External Network (Portgroup-backed)

Standard virtual switch

Direct Org VDC Networks (Portgroup)

Standard virtual switch

External Network (VLAN-backed)

Distributed virtual switch

Direct Org VDC Networks (VLAN)

Distributed virtual switch

Network Pool (VLAN-backed)

Distributed virtual switch

Network Pools (Portgroup-backed)

Standard virtual switch

vCenter

vCenter Server

Resource Pool (root resource pool or Cluster)

Cluster

Resource Pool (sub-resource pool only)

Resource Pool

Host

Datastores

Datastore

Datastore Clusters

Datastore Cluster

Storage Profiles

N/A

vDSwitch

Distributed virtual switch

Port Group

Standard virtual switch

Home:vApp

Folder

vApp

Folder

vApp:vApp Diagram

Folder

vApp:vApp Diagram:VM

VMware, Inc.

279

vCloud API Programming Guide

Table 7‑4. Mapping a vCloud Director Object to a vSphere Object (Continued)

280

vCloud Director Object

vSphere Object

vApp:VM List:VM

vApp:Networking:vApp Networks

Distributed Port Group

Expired Items:vApps

Folder

Expired Items:vApp Templates

Folder

Catalog:vApp Template

Folder

Catalog:vApp Template:VM

Catalog:vApp Template:Shadow VMs

Organization VDC:vApp

Folder

Organization VDC:vApp Template

Folder

Organization VDC:Storage Profiles

Storage Profile

Organization VDC:Org VDC Networks (VLAN-backed)

Distributed virtual switch

Organization VDC:Org VDC Networks (Portgroup-backed)

Standard virtual switch

Organization VDC:Resource Pools (root resource pool or
Cluster)

Cluster

Organization VDC:Resource Pools (sub-resource pool only)

Resource Pool

VMware, Inc.

Working With Object Metadata

The vCloud API provides a general-purpose facility for associating user-defined metadata with an object. A
system administrator or the owner of an object can use the metadata link in the object's representation to
access object metadata.
The representations of most first-class objects in the vCloud API include a link to a Metadata element, which
contains up to 1024 name=value pairs that the owner of an object can create, retrieve, update, and delete. It
also contains an additional group of name=value pairs that are under the control of the system administrator.
Object metadata gives cloud operators and cloud tenants a flexible way to apply user-defined properties to
objects and use property values to help integrate the use and management of those objects with a variety of
applications. Object metadata is preserved when objects are copied, and can be included in query filter
expressions (see “Add a Metadata Filter to a Query,” on page 303).

vCloud API Object Metadata Links
The representation of any object that supports metadata includes a link that you can use to retrieve the
object's Metadata element. This example shows the metadata link from an Org element.

vCloud API Object Metadata Contents
A Metadata element can contain up to 1024 MetadataEntry elements. Each MetadataEntry includes a single
name=value pair, represented in its Key and TypedValue elements. Key names are specified by Key element
contents. A key name is a UTF-8 (Unicode) string encoded as described in RFC3986 (pct-encoded).
The key name must be unique within the scope of the containing Metadata element. Because key names are
implicitly qualified by the Domain value of the containing MetadataEntry, the two key names in this example
are considered to be unique.

SYSTEM
Foo
...

GENERAL

VMware, Inc.

281

vCloud API Programming Guide

Foo
...

See “Access Control for vCloud API Object Metadata,” on page 282 for more information about the Domain
element.
The type of a Value is expressed in the xsi:type attribute of the containing TypedValue element. Values have
various restrictions, based on their type.
Table 8‑1. Metadata TypedValue Types
Type Name

Restrictions on Value

Size of Value

MetadataStringValue

UTF-8 character set. Strings
longer than 1000 characters
cannot be searched for in a
query.

Depends on length of string.

MetadataNumberValue

Must be a signed 8-byte integer.

8 bytes

MetadataDateTimeValue

UTC date and time in the
format defined by
http://www.w3.org/TR/xmlsche
ma-2/#dateTime. For example,
2012-06-18T12:00:00-05:00

8 bytes

MetadataBooleanValue

Must be one of: 1, 0, true, false

1 byte

The following rules apply when you update a Metadata element.
n

When the content of a Key element in the update does not match the content of an existing Key element
in the same Domain, the MetadataEntry containing that Key is added to the Metadata element.

When the content of Key element in the update matches the content of an existing Key element in the
same Domain, the MetadataEntry containing that Key is replaced.

Access Control for vCloud API Object Metadata
The Domain element of a MetadataEntry controls access to that entry by users and system administrators.
There are two access domains.
GENERAL

User access to metadata in the GENERAL domain is controlled by the user's
rights to the object to which the Metadata is attached. The owner of the object
can create, read, update, or delete any MetadataEntry in the GENERAL domain.
A MetadataEntry that does not include a Domain element is considered to be
in the GENERAL domain.

SYSTEM

Metadata in the SYSTEM domain can be created, updated, and deleted only by
a system administrator. User access to metadata in the SYSTEM domain is
controlled by the value of the visibility attribute of the Domain element.
Table 8‑2. Domain Visibility Attribute Values

282

Value

Meaning

PRIVATE

The metadata is visible to system
administrators only.

READONLY

the metadata is visible to system
administrators and the object owner.

VMware, Inc.

Chapter 8 Working With Object Metadata

vCloud API Object Metadata Limits
The following limits apply to vCloud API object metadata:
Metadata key size

The contents of a Key element in a MetadataEntry cannot exceed 256 UTF-8
characters.

Metadata size

The size of all Metadata for an object, computed as the sum of all Key and
TypedValue UTF-8 strings in all MetadataEntry elements in the GENERAL
domain, cannot exceed 128 KB. An additional 16KB of MetadataEntry content
can be created in the SYSTEM domain.

MetadataEntry limit

The total metadata associated with an object cannot exceed 1024

MetadataEntry elements in the GENERAL domain and 128 MetadataEntry
elements in the SYSTEM domain.

This chapter includes the following topics:
n

“Retrieve or Update a Metadata Element,” on page 283

“Retrieve or Update a Metadata Value,” on page 286

Retrieve or Update a Metadata Element
A system administrator or the owner of an object can create, retrieve, or update the object's Metadata
element. This element contains all object metadata, and operations that modify it merge the modifications
with existing contents.
When you create an object, its representation contains an empty Metadata element. A system administrator
or the object owner can add metadata by updating the Metadata element with new MetadataEntry elements.
Each of these elements contains a Key and a TypedValue. The contents of the Key element define the key
name, which must be unique within the scope of the object's metadata. You can modify the value associated
with an existing key. See “Retrieve or Update a Metadata Value,” on page 286.
NOTE The Key element cannot contain a semicolon character (;). In addition, several other character
sequences are not allowed, or not allowed in certain positions.
Table 8‑3. Content Restrictions for Key
Cannot Contain

Cannot Start with

Cannot End with

/../

/./

../

/..

Prerequisites
Verify that you have rights to read or modify the metadata. See “Access Control for vCloud API Object
Metadata,” on page 282
Procedure
1

Retrieve the representation of the object.
Examine the response to find its metadata link. This example shows the metadata link from an AdminOrg.

VMware, Inc.

283

vCloud API Programming Guide

Retrieve the Metadata element.
If the object has no metadata, the element contains only a rel="add" link that you can use to add
metadata and a rel="up" link that references the containing object, as shown in this example.

Modify the retrieved Metadata element.
You can add new MetadataEntry elements or modify existing ones. If you modify existing ones, your
modifications are merged into the object's Metadata following the rules listed in “vCloud API Object
Metadata Contents,” on page 281.

POST the Metadata element to the rel="add" link described in Step 2.
See “Example: Update a Metadata Element,” on page 284.

Example: Update a Metadata Element
This example updates the empty Metadata element shown in Step 2 to create two MetadataEntry elements
specific to this organization. In this example, the Metadata element contains MetadataEntry elements for
which the Domain is SYSTEM. Only the system administrator can update these elements.
Request:
POST https://vcloud.example.com/api/admin/org/26/metadata
Content-Type: application/vnd.vmware.vcloud.metadata+xml
...

SYSTEM
Organization Web Page

http://internal.example.com/orgs/Finance

SYSTEM
LOS

bronze

The response is a Task.
Response:

...

After the task is complete, the Metadata element is updated to contain the entries specified in the request,
along with links that you can use to retrieve or update individual MetadataEntry elements.
GET https://vcloud.example.com/api/admin/org/26/metadata
...

SYSTEM
Organization Web Page

http://internal.example.com/orgs/Finance

SYSTEM
LOS

bronze

Retrieve or Update a Metadata Value
Each name=value pair in an object's metadata is represented as a MetadataEntry element, which includes
links that a system administrator or object owner can use to retrieve or update the metadata value, or delete
the MetadataEntry.
Prerequisites
n

Verify that you are logged in to the vCloud API as a system administrator or the object owner.

Retrieve the object's Metadata element. See “Retrieve or Update a Metadata Element,” on page 283

Procedure
1

Examine the retrieved Metadata element to find the MetadataEntry you want.
Each MetadataEntry contains a link of the following form, which you can use when updating the Value
of the entry:

For example:

silver

The response is a task.
Response:

...

VMware, Inc.

287

vCloud API Programming Guide

288

VMware, Inc.

Using the Query Service

You can use the vCloud API query service to query the vCloud Director database for information about
objects in the cloud.
The query service provides the following kinds of queries:
n

Typed queries, which require you to construct a query URL that specifies a query type and optional
parameters.

Packaged queries, which have well-known URLs and can accept many of the same parameters used
with typed queries.

Both typed and packaged queries allow you to specify one of the following formats in which to display the
result set:
n

A records format that returns name=value pairs for all properties of each matching object. This is the
default. A name can be either a static or dynamic. Static names are predefined object property names,
and are returned in an object-specific QueryRecordResultType element. For a list of these names, see the
Queries reference pages in the vCloud API Schema Reference. Dynamic names are user-defined metadata
key names. Dynamic name=value pairs are not returned unless the object includes a non-empty Metadata
element. See Chapter 8, “Working With Object Metadata,” on page 281.

An idrecords format that is identical to the records format, except that object reference values are
returned in id format rather than href format. See “Objects, References, and Representations,” on
page 12.

A references format that returns a reference in href format to each object that matches the query
criteria.

Query results are paginated, and include links to previous and next pages where needed. Page size can be
specified in the query request. Default and maximum page sizes are specified in the vCloud Director
configuration. You can also apply filter criteria to the list of items returned.
This chapter includes the following topics:
n

“Typed Queries,” on page 290

“Packaged Queries,” on page 294

“Query Parameters,” on page 299

“Add a Metadata Filter to a Query,” on page 303

VMware, Inc.

289

vCloud API Programming Guide

Typed Queries
Typed queries require you to construct a request URL that specifies an object type and optional parameters.
Use this URL with a GET request to return query results.

Query Syntax
Typed queries have the following syntax:
API-URL/query?type=name[¶m][¶m ... ][&filter]
n

API-URL is a URL of the form https://vcloud.example.com/api.

name is the name of a query type. Type names are case-sensitive.

param is an optional query parameter. Zero or more parameters are allowed. See “Query Parameters,”
on page 299.

filter is an optional filter expression. At most one filter expression is allowed. See “Filter Expressions,”
on page 300.

Query Types
Each query type returns its result set as an XML document in which objects are represented as elements and
object properties are represented as attributes, pairing the name of the property with its value at the time the
request was made. By default, result sets are returned in the records format, which shows all database
records for each object. Most queries also support the references format, which returns a set of object
references, including name, type, and href attributes. All queries that support the records format also
support the idrecords format. For more information about the format parameter, see “Query Parameters,”
on page 299.

Query Reference
The vCloud API schema reference includes reference material for all queries.

Example: Listing All Queries
You can retrieve a summary list of all typed queries types accessible to the currently authenticated user by
making a request like this one:
GET https://vcloud.example.com/api/query

The response is a QueryList element that contains a Link for every query. The href value of each Link is a
URL you can GET to run the query specifying the default format.

...

If you make a query whose result set you do not have rights to view, a response code of
ACCESS_TO_RESOURCE_IS_FORBIDDEN (403) is returned.

Example: Simple Typed Query
This simple typed query retrieves a list of all users in your organization and returns a response in the
default (records) format.
GET https://vcloud.example.com/api/query?type=user

Response:

This simple typed query retrieves the same list of all users in your organization and returns a response in
the references format.
GET https://vcloud.example.com/api/query?type=user&format=references

Response:

Example: Query With Parameters
This query retrieves a list of all users in your organization and returns a response in the records format. The
query includes a sortAsc=name parameter, so the result set is sorted by object name.
GET https://vcloud.example.com/api/query?type=user&format=references&sortAsc=name

Response:

This query retrieves a list of all users in your organization and returns a response in the records format. The
query includes a filter=ldapUser==true parameter, so the result set lists the subset of users who are
imported from LDAP. Note that you can filter on a record (attribute) value even though you specify the
references format.
GET https://vcloud.example.com/api/query?type=adminUser&format=references&filter=ldapUser==true

Response:

Packaged Queries
Packaged queries have well-known URLs and can accept most of the parameters used with typed queries.

Query Syntax
Packaged queries have the following syntax:
API-URL/query-url[?param][¶m ... ][&filter]
n

API-URL is a URL of the form https://vcloud.example.com/api.

query-url is the packaged query URL.

param is an optional query parameter. Zero or more parameters are allowed. See “Query Parameters,”
on page 299.

filter is an optional filter expression. At most one filter expression is allowed. See “Filter Expressions,”
on page 300.

Query Categories
Packaged queries are divided into the following categories:
User queries

The queries have the form API-URL/object-type/query. Any user can run these
queries.

Administrator queries

The queries have the form API-URL/admin/object-type/query. An
organization administrator can run these queries.

Extension queries

The queries have the form API-URL/admin/extension/object-type/query. A
system administrator can run these queries.

The response is a QueryList element that contains a Link for every query. The href value of each Link is a
URL you can GET to run the query specifying the default format.

294

VMware, Inc.

Chapter 9 Using the Query Service

Each query type returns its result set as an XML document in which objects are represented as elements and
object properties are represented as attributes, pairing the name of the property with its value at the time the
request was made. By default, result sets are returned in the records format, which shows all database
records for each object. Most queries also support the references format, which returns a set of object
references, including name, type, and href attributes. All queries that support the records format also
support the idrecords format. For more information about the format parameter, see “Query Parameters,”
on page 299.
Table 9‑1. Packaged Queries
Query URL

Result Set

API-URL/catalogs/query

All catalogs in your organization that you have rights to
view or modify

API-URL/mediaList/query

All media that you can view or modify

API-URL/vAppTemplates/query

All vApp templates that you can view or modify

API-URL/vApps/query

All vApps that you can view or modify

API-URL/vms/query

All virtual machines that you can view or modify

API-URL/admin/groups/query

Groups in all organizations in the system

API-URL/admin/users/query

Users in all organizations in the system

API-URL/admin/strandedUsers/query

Stranded users in the organization. When you delete an
LDAP group, users who were imported from that group
become stranded and cannot log in.

API-URL/admin/roles/query

All roles defined in the system

API-URL/admin/rights/query

All rights defined in the system

API-URL/admin/orgs/query

All organizations visible to you

API-URL/admin/vdcs/query

All VDCs in the system

API-URL/admin/extension/hostReferences/query

All hosts registered to the system

API-URL/admin/extension/datastores/query

All datastores in the system

APIURL/admin/extension/externalNetworkReferences/query

External networks in the system

API-URL/admin/extension/networkPoolReferences/query

All network pools in the system

API-URL/admin/extension/providerVdcReferences/query

All provider VDCs in the system

API-URL/admin/extension/vimServerReferences/query

All vCenter servers registered to the system

API-URL/admin/extension/orgNetworks/query

All organization networks in the system

API-URL/admin/extension/vapps/query

All vApps in the system

API-URL/admin/extension/orgVdcs/query

All VDCs in the system

Examples
Simple packaged query using the records format, which is the default.
GET https://vcloud.example.com/api/catalogs/query

Response:

Packaged query using references format.
GET https://vcloud.example.com/api/catalogs/query?format=references

Response:

VMware, Inc.

297

vCloud API Programming Guide

Packaged query with sorting and filtering. This query adds parameters and a filter expression to produce a
list of catalogs that contain one or more vApp templates. The query sorts the result set in ascending order by
number of vApp templates:
GET https://vcloud.example.com/api/catalogs/query?
format=records&sortAsc=numberOfTemplates&filter=numberOfTemplates!=0

Response:

Query Parameters
Query parameters specify result set properties such as pagination, sort order, and filter criteria.

Query Parameters
Typed queries must include a type parameter, which specifies the type of query to run. Packaged queries
cannot specify a type parameter. All other parameters are optional. If a parameter is omitted, a default value
is assumed.
Table 9‑2. Query Parameters
Parameter Name

Parameter Description

Default

type

The type of the query. Type names are case-sensitive. See
“Query Types,” on page 290.

None. This parameter is
required for all typed
queries, and is not allowed
for any packaged query.

sortAsc=attribute-name

Sort results by attribute-name in ascending order. attributename cannot include metadata. See the vCloud API Schema
Reference for infomation about which attributes can be used
with sortDesc.

Sorted by database ID

sortDesc=attribute-name

Sort results by attribute-name in descending order. attributename cannot include metadata. See the vCloud API Schema
Reference for infomation about which attributes can be used
with sortDesc.

Sorted by database ID

page

If the query results span multiple pages, return this page.

page=1

pageSize

Number of results per page, to a maximum of 128.

pageSize=25

format

One of the following types:

format=records

references

Returns a reference to each object,
including its name, type, and href
attributes.

records

Returns all database records for each
object, with each record as an attribute.

idrecords

Identical to the records format, except
that object references are returned in id
format rather than href format.

fields

Comma-separated list of attribute names or metadata key
names to return. For example, fields=name,isEnabled or
fields=metadata:rank. See “Specifying Metadata in a
Query or a Filter Expression,” on page 300.

Returns all static attribute
names. Returns metadata
only if the object has a nonempty Metadata element.

offset

Integer value specifying the first record to return. Record
numbers < offset are not returned.

offset=0

filterEncoded

Specify whether the filter expression is encoded as described
in RFC3986 (pct-encoded). See “Encoding Filter
Expressions,” on page 302

filterEncoded=false

filter

Filter expression. See Table 9-3

None

VMware, Inc.

299

vCloud API Programming Guide

Filter Expressions
For queries that do not examine object metadata, you can filter results using string matching or numeric
comparison operations. A filter comprises one or more subexpressions drawn from the following set of
operators.
Table 9‑3. Query Filter Expressions
Operator

Example

Operation

attribute==value

Matches. The example evaluates to true if attribute
has a value that matches value in a case-sensitive
comparison.
NOTE Asterisk (*) characters that appear anywhere
in value are treated as wildcards that match any
character string. When value includes wildcards,
the comparison with attribute becomes caseinsensitive.

attribute!=value

Does not match. The example evaluates to true if
attribute has a value that does not match value in a
case-sensitive comparison. Wildcard characters are
not allowed.

;

attribute1==value1;attribute2!=value2

Logical AND. The example evaluates to true only if
attribute1 has a value that matches value1 and
attribute2 has a value that does not match value2 in
a case-sensitive comparison.

attribute1==value1,attribute2==value2

Logical OR. The example evaluates to true if
attribute1 has a value that matches value1 or
attribute2 has a value that matches value2 in a casesensitive comparison.

=gt=

attribute=gt=value

Greater than. The example evaluates to true if
attribute has a value that is greater than value. Both
attribute and value must be of type int, long, or
dateTime.

=lt=

attribute=lt=value

Less than. The example evaluates to true if attribute
has a value that is less than value. Both attribute and
value must be of type int, long, or dateTime.

=ge=

attribute=ge=value

Greater than or equal to. The example evaluates to
true if attribute has a value that is greater than or
equal to value. Both attribute and value must be of
type int, long, or dateTime.

=le=

attribute=le=value

Less than or equal to. The example evaluates to
true if attribute has a value that is less than or equal
to value. Both attribute and value must be of type
int, long, or dateTime.

Not all attributes can be used in a filter expression. For details, see the reference pages for query result types
in the vCloud API Schema Reference.

Specifying Metadata in a Query or a Filter Expression
Because metadata values are dynamic and metadata names have an optional domain qualifier queries that
filter metadata must specify a qualified name, a value, and the type of the value.
n

300

The domain must be specified for any MetadataEntry that is in the SYSTEM domain. If no DOMAIN is
specified, the query returns the value for key name in the GENERAL domain, if it exists.

VMware, Inc.

Chapter 9 Using the Query Service

The type of the value must be specified, using one of the following keywords.
Table 9‑4. Metadata Type Specifiers in Query Filters
Type Name as Specified in TypedValue

Type Name as a Filter Expression Keyword

MetadataStringValue

STRING

MetadataNumberValue

NUMBER

MetadataDateTimeValue

DATETIME

MetadataBooleanValue

BOOLEAN

For queries that examine object metadata, you can filter query results using numeric comparison operations
when a metadata value has type NUMBER or DATETIME. Because object metadata types are dynamic, filter
expressions for metadata queries require additional parameters that define the attribute part of the
expression as metadata, and specify the type of the value part of the expression.
Table 9‑5. Metadata Query Filter Expressions
Operator

Example

Operation

=gt=

metadata:attribute=gt=[NUMBER |
DATETIME]:value

Greater than. The example evaluates to true if value
is of type NUMBER or DATETIME and the value
of the metadata key named attribute is greater than
value.

=lt=

metadata:attribute=lt=[NUMBER |
DATETIME]:value

Less than. The example evaluates to true if value is
of type NUMBER or DATETIME and the value of
the metadata key named attribute is less than value.

=ge=

metadata:attribute=ge=[NUMBER |
DATETIME]:value

Greater than or equal to. The example evaluates to
true if value is of type NUMBER or DATETIME and
the value of the metadata key named attribute is
greater than or equal to value.

=le=

metadata:attribute=le=[NUMBER |
DATETIME]:value

Less than or equal to. The example evaluates to
true if value is of type NUMBER or DATETIME and
the value of the metadata key named attribute is
less than or equal to value.

You can specify up to 8 metadata fields in a single query. You cannot use a metadata value as a sort key
when sorting query output.
The syntax for specifying metadata in a fields parameter is:
fields=metadata[@SYSTEM]:key-name

For example:
fields=metadata:rank
fields=metadata@SYSTEM:expiry

The syntax for specifying a metadata field in a filter expression is:
metadata[@SYSTEM]:key-name operator type-keyword:value

For example:
metadata:rank=ge=NUMBER:1
metadata@SYSTEM:expiry=le=DATETIME:2012-06-18T12:00:00-05:00

VMware, Inc.

301

vCloud API Programming Guide

Encoding Filter Expressions
When you are comparing a key with a literal value that includes characters that might be subject to
interpretation when used in a URL (often termed unsafe characters), the value must be encoded as described
in RFC3986 (pct-encoded). For example, to create a filter expression to match a hostName property whose
value is 12&345, encode the value as shown here:
filter=hostName==12%26345

When a filter expression includes metadata, you must encode both the key and the value this way. In
addition, if you specify filterEncoded=true as part of a query that includes metadata, you must encode the
% symbol as %25. For example, this query, which includes metadata would require this sort of additional
encoding if you specified filterEncoded=true.
https://vcloud.example.com/api/query?
type=organization&format=records
&fields=metadata:rank,metadata@SYSTEM:expiry
&filter=metadata%40SYSTEM%3Aexpiry%3Dlt%3DDATETIME%3ADATETIME
%253A2012-05-01T00%253A00%253A00.000-04%253A00DATETIME
%253A2012-05-01T00%253A00%253A00.000-04%253A00&filterEncoded=true

If you did not specify filterEncoded=true, you would not need the additional encoding.
https://vcloud.example.com/api/query?
type=organization&format=records
&fields=metadata:rank,metadata@SYSTEM:expiry
&filter=metadata@SYSTEM:expiry=lt=DATETIME:DATETIME%3A2012-05-01T00%3A00%3A00.000-04%3A00

Grouping Filter Subexpressions
Group filter subexpressions with parentheses. Separate grouped subexpressions with a semicolon (no
spaces).
(attribute1==value1;attribute2!=value2);(attribute3==value3;attribute4!=value4)...

For example:
https://vcloud.example.com/api/query?
type=providerVdcResourcePoolRelation&format=records&filter=(numberOfVMs!=0;isPrimary==true)

Attribute Names and Values
Several parameters and all filter expressions require you to specify an attribute name. You can use the
schema reference to find the attribute names included in a particular result set.

302

In the vCloud API Schema Reference, select All Queries.

Type the query name (or any part of it) in the Quick Index window, then open the query reference
page.

On the query reference page, click the link in the Record Result section to open a page that shows the
name, type, description, and other information for each attribute returned by the query. Attributes that
can be used in a filter expression have a YES in the FILTER column. Attributes that can be used with
sortAsc or sortDesc have a YES in the SORT column.

VMware, Inc.

Chapter 9 Using the Query Service

Add a Metadata Filter to a Query
All packaged queries and most typed queries return object metadata if it exists for an object in the result set.
You can add metadata-specific filter criteria to a query.
To query an object's metadata, add a metadata field specifier to the query. This specifier follows the fields
parameter and consists of the string metadata: followed by the name of a metadata key.
Procedure
1

Create the filter expression.

Add a fields parameter that specifies metadata.
The syntax for specifying a metadata field is:
fields=metadata:key-name [, metadata:key-name ] ...

Add a filter expression to the query.
All of the standard filter expressions are supported for metadata queries. In addition, a set of numeric
comparisons are available for values of type NUMBER or DATETIME.

Example: A Query With a Metadata Filter
Assume that the system administrator adds metadata specifying an expiry date and a priority rank to every
organization in a cloud. The key name for the expiry date is expiry, and its value expressed as a
MetadataDateTimeValue. The key name for the rank is rank, and its value is expressed as a
MetadataNumberValue. The following query includes a fields parameter specifying those metadata keys by
name.
NOTE You must use a metadata@SYSTEM parameter to specify metadata keys in the SYSTEM domain. Metadata
in the GENERAL domain does not require a qualifier. Up to eight metadata parameters can be included in a
query.
Request:
GET https://vcloud.example.com/api/query?
type=organization&format=records&fields=metadata:rank,metadata@SYSTEM:expiry"

The response includes an OrgRecord for each organization in the cloud. Each OrgRecord includes a Metadata
element that contains MetadataEntry elements for each of the requested keys.
Response:

SYSTEM
expiry

2012-05-01T00:00:00.000-04:00

rank

expiry

2012-06-01T00:00:00.000-04:00

rank

To filter the query result set so that it contains only those organizations whose expiry date is later than May
1, 2012, add a filter for the expiry value, as this example shows.
Request:
GET https://vcloud.example.com/api/query?
type=organization&format=records&fields=metadata:rank,metadata@SYSTEM:expiry"
&filter="metadata@SYSTEM:expiry=lt=DATETIME:2012-05-01T00:00:00.000-04:00

Response:

expiry

2012-06-01T00:00:00.000-04:00

rank

NOTE When a filter expression includes metadata, you must encode both the key and the value as described
in RFC3986. See “Encoding Filter Expressions,” on page 302.

VMware, Inc.

305

vCloud API Programming Guide

306

VMware, Inc.

Configuring and Using Blocking
Tasks and Notifications

vCloud Director allows a system administrator to configure many operations as blocking tasks, which are
suspended until a system administrator acts on them or a preconfigured timer expires. Blocking tasks also
generate AMQP messages that you can use to automate the handling of the underlying user request. A
system administrator can also enable nonblocking AMQP notifications of all system events.
When a user requests an operation that has been configured as a blocking task, the system sends a message
about the task to the configured AMQP broker. The system also creates a reference to the task in the cloud's
BlockingTaskReferences container. A system administrator can retrieve the list of BlockingTask elements by
making a GET request to the system's blockingTasks link, or to a URL included in the AMQP message.

About AMQP
AMQP, the Advanced Message Queuing Protocol, is an open standard for message queuing that supports
flexible messaging for enterprise systems. vCloud Director includes an AMQP service and defines a set of
events that, when notifications are enabled, trigger publication of messages by this service. A cloud operator
can configure the service to work with RabbitMQ and other AMQP brokers to provide a stream of
notifications about events in the cloud. By configuring specific tasks as blocking and writing AMQP clients
that process the messages generated when these tasks are launched, cloud operators can create a
programmatic facility for reviewing and acting on tenant requests.
By default, the vCloud Director AMQP service sends unencrypted messages. If you configure it to encrypt
these messages using SSL, it verifies the broker's certificate by using the default JCEKS trust store of the Java
runtime environment on the vCloud Director server. The Java runtime environment is typically located in
the $JRE_HOME/lib/security/cacerts directory.
To use SSL with the vCloud Director AMQP service, select Use SSL on the AMQP Broker Settings section of
the Extensibility page of the vCloud Director Web console, and provide either of the following:
n

an SSL certificate pathname

a JCEKS trust store pathname and password

If you do not need to validate the AMQP broker's certificate, you can select Accept all certificates.
For more information about AMQP, see http://www.amqp.org.

Subscribing to Notifications
Notifications of system events are sent to the AMQP message broker that was configured in the system
AMQP settings. Notifications are always generated in two formats:
n

An XML document, which is sent to the AMQP exchange specified in the system AmqpSettings.

A JSON object, which is sent to an AMQP exchange whose name has the form prefix.notifications20,
where prefix is the value of the AmqpPrefix element in the system AmqpSettings.

VMware, Inc.

307

vCloud API Programming Guide

See “Notification Message Format,” on page 312.
AMQP client programs can connect to the broker and specify components of the AMQP routing key to
indicate their interest in messages based on content. For example, a client can use the routing key to request
the broker to send it all messages from a specific organization, or all messages that indicate a failed task. See
“Routing Key Format,” on page 312.

Processing Messages from Blocking Tasks
Messages from blocking tasks are also sent to the configured message broker, and clients can use the routing
key to indicate their interest in these messages. See “Subscribing to Notifications,” on page 307. Messages
from blocking tasks contain additional information about the task itself. Clients that process these messages
can use the vCloud API to authenticate to the system and act on the blocked task.
This chapter includes the following topics:
n

“Configure Notifications and AMQP Settings,” on page 308

“Retrieve or Update Blocking Task Settings,” on page 318

“Monitor Blocking Tasks,” on page 324

“Take Action on a Blocking Task,” on page 325

“Extend The Timeout Expiration of an Active Task,” on page 327

Configure Notifications and AMQP Settings
The system administrator can enable or disable AMQP notification messages for events in a cloud. The
system administrator can also configure settings that the vCloud Director AMQP service uses when it sends
messages generated by notifications and blocking tasks.
AMQP broker settings are established when you install and configure RabbitMQ or another AMQP broker
to use with vCloud Director. These values include the following items:
n

The fully-qualified domain name of the RabbitMQ server host, for example amqp.example.com.

A username and password that are valid for authenticating with RabbitMQ.

The port at which the broker listens for messages. The default is 5672.

The RabbitMQ virtual host. The default is "/".

NOTE It is a good practice to test the AMQP settings before you change the configuration. See “Test AMQP
Settings,” on page 310.
Prerequisites
Verify that you are logged in to the vCloud API as a system administrator.
Procedure
1

Retrieve the SystemSettings element.

Examine the response to locate the links that you can use to retrieve the system's
NotificationsSettings and AmqpSettings elements.
These links have a rel attribute value of down and a type attribute value of
application/vnd.vmware.admin.notificationsSettings+xml for NotificationsSettings or
application/vnd.vmware.admin.amqpSettings+xml for AmqpSettings, as shown here:

308

VMware, Inc.

Chapter 10 Configuring and Using Blocking Tasks and Notifications

Enable or disable notifications.
a

Retrieve the NotificationsSettings element.
Make a GET request to the href value of the
application/vnd.vmware.admin.notificationsSettings+xml link.

Modify the value of the EnableNotifications element to enable or disable notifications.

Update the modified element with the new contents.
PUT the modified element to the href value of its rel="edit" link.

Review or modify system AMQP settings.
a

Retrieve the AmqpSettings element.
Make a GET request to the href value of the application/vnd.vmware.admin.amqpSettings+xml link
described in Step 2.

Modify the contents of this element as necessary.
See the schema reference for details of element contents.

Update the modified element with the new contents.
PUT the modified element to the href value of its rel="edit" link. See “Example: Update AMQP
Settings,” on page 309

Example: Update AMQP Settings
This request modifies the AMQP settings for a cloud to require the use of SSL for AMQP connections. It also
overrides the default value for AmqpPrefix, vcd, with a new value, myCloud.
Request:
PUT https://vcloud.example.com/api/admin/extension/settings/amqp
Content-Type: application/vnd.vmware.admin.amqpSettings+xml
...

5672
guest
Pa55w0rd
systemExchange
/
true
false
myCloud

The response includes information supplied in the request, and contains a number of Link elements inserted
by the server. The value of AmqpPassword, which you must supply when you modify AmqpSettings (even if
you are not changing its value), is never returned when you retrieve AmqpSettings.
Response:
200 OK
Content-Type: application/vnd.vmware.admin.amqpSettings+xml
...

5672
guest

systemExchange
/
true
false
myCloud

Test AMQP Settings
The settings/amqp/action/test link of the AmqpSettings element allows you to test AMQP settings before
configuring them for the cloud.
Prerequisites

310

Verify that you are logged in to the vCloud API as a system administrator.

Verify that you know the AMQP broker password.

Retrieve the SystemSettings element. See “Retrieve or Update System Settings,” on page 239.

VMware, Inc.

Chapter 10 Configuring and Using Blocking Tasks and Notifications

Procedure
1

Examine the SystemSettings element to locate the link that you can use to retrieve the system's
AmqpSettings element.
This link has a rel attribute value of down and a type attribute value of
application/vnd.vmware.admin.amqpSettings+xml as shown here:

Retrieve the AmqpSettings element and locate the settings/amqp/action/test link it contains.
The response portion of “Example: Update AMQP Settings,” on page 309 includes this link.

Create a new AmqpSettings element that contains the values you want to test.
You can use the existing AmqpSettings element as a template. Whether you want to test the existing
values or create new ones, you must include the AMQP broker password in the AmqpPassword element.
This element is always returned empty when you retrieve the system's AmqpSettings.

Test the AMQP settings.
POST the AmqpSettings element to the settings/amqp/action/test link described in Step 2.

Example: Test AMQP Settings
This example tests the settings shown in the request portion of “Example: Update AMQP Settings,” on
page 309
Request:
POST https://vcloud.example.com/api/admin/extension/settings/amqp/action/test
Content-Type: application/vnd.vmware.admin.amqpSettings+xml
...

5672
guest
Pa55w0rd
systemExchange
/
true
false
myCloud

The response is an AmqpSettingsTest element whose Valid element contains a Boolean indication of whether
the settings are valid. This response indicates that they are. If a value in the POSTed AmqpSettings element is
incorrect, the AmqpSettingsTest response has a Valid value of false.
Response:
200 OK
Content-Type: application/vnd.vmware.admin.amqpSettingsTest+xml
...

true

Notification Message Format
All messages that the vCloud Director AMQP service sends contain an AMQP routing key and a
Notification element.
The Notification element is defined in the vCloud API schema. The routing key format is defined by the
AMQP specification.

Routing Key Format
The routing key for a vCloud Director AMQP message has the following form:
operationSuccess.entity.org.user.subType1.subType2...subTypeN.[taskName]

Routing key components include:
operationSuccess
entity

A Boolean value denoting whether the operation that triggered the
notification succeeded or failed.
The object identifier of the object on which an operation, an event of type

com/vmware/vcloud/event/, triggered the notification. For more information

about object identifiers, see “Objects, References, and Representations,” on
page 12.
org

The object identifier of the organization that owns the affected object.

user

The object identifier of the user who made the request.

subType1-subTypeN

Each subType is a single component of the event type name. See “Notification
Types,” on page 314.

taskName

If entity is a task or blocking task, the task name is appended to the routing
key.

The following routing key, in which the object identifiers are truncated to save space, is an example of a
routing key that might have been created for a successful com/vmware/vcloud/event/vapp/create event:
true.dc6a-xxx.0b8a-xxx.832c-xxx.com.vmware.vcloud.event.vapp.create

Notification Headers
The vCloud API defines notification headers and prepends them to every notification.
Table 10‑1. Notification Headers

312

Header

Value

notification.type

See “Notification Types,” on page 314.

notification.entityType

The type of vCloud entity is associated with this
notification. For example, vm.

VMware, Inc.

Chapter 10 Configuring and Using Blocking Tasks and Notifications

Table 10‑1. Notification Headers (Continued)
Header

Value

notification.entityUUID

The object identifier of the object on which an operation, an
event of type com/vmware/vcloud/event/, triggered the
notification.

notification.orgUUID

The object identifier of the organization that owns the
affected object.

notification.userUUID

The object identifier of the user who made the request.

notification.operationSuccess

A Boolean value denoting whether the operation that
triggered the notification succeeded or failed.

Example: Notification Message Format
A notification message can be formatted as XML or JSON. XML notifications are published on the AMQP
exchange specified in the system AMQP settings. The JSON notifications are published on an exchange
created by vCloud Director with a name of the form prefix.notifications20 where prefix is the value of the
AmqpPrefix element in the system AmqpSettings.
Here is an example of a message generated by a blocking task, delivered as an XML document.

2011-06-18T14:33:27.787+03:00
true

VMware, Inc.

313

vCloud API Programming Guide

An XML Notification contains an entityResolver URL and EntityLink elements that provide more
information about the entity, org, and user components of the routing key. Attributes of those elements
show the name, type, and id of each component. After you authenticate to the cloud as a system
administrator, you can retrieve any of the entities represented in an EntityLink by making a GET request to
a URL you create by appending the value of an id attribute to the entityResolver URL. See “Retrieve an
Object as an Entity,” on page 362.
Here is the same message delivered as a JSON object.
{
"eventId" : "a1440dd8-60ae-46c7-b216-44693bc00c90",
"type" : "com/vmware/vcloud/event/blockingtask/create",
"timestamp" : "2011-06-18T14:33:27.787+03:00",
"operationSuccess" : true,
"user" : "urn:vcloud:user:44",
"org" : "urn:vcloud:org:70",
"entity" : "urn:vcloud:blockingTask:25"
"task" : "urn:vcloud:task:34",
"taskOwner" : "urn:vcloud:vapp:26"
}

This request retrieves the blocking task that generated this notification.
GET https://vcloud.example.com/api/entity/urn:vcloud:blockingtask:25

The response to this request is identical to the one shown in the response portion of “Example: Handling a
Blocking Task,” on page 326.

Notification Types
The value of the type attribute of a vCloud Director notification is a string of the form
com/vmware/vcloud/event/object-type/event-type. Notification types can be grouped based on the object
type affected by the event.

User, Group, Role, and Session Events
Table 10‑2. User, Group, Role, and Session Events

314

Type (com/vmware/vcloud/event/)

Description

session/login

A login session was created.

user/import

A user was imported from LDAP.

user/remove

An imported user was removed from the organization.

user/modify

One or more properties of a user were modified.

user/lockout

An account was locked based on the organization's
password policy settings.

user/unlock

A locked account was unlocked.

user/lock_expired

The lock on an account has expired.

user/create

A local user was created in an organization.

user/delete

A local user was removed from the organization.

group/import

A group was imported from LDAP.

group/remove

A group was removed from an organization.

role/create

A new role was created.

VMware, Inc.

Chapter 10 Configuring and Using Blocking Tasks and Notifications

Table 10‑2. User, Group, Role, and Session Events (Continued)
Type (com/vmware/vcloud/event/)

Description

role/modify

An existing role was modified.

role/delete

A role was deleted.

Organization, Network, Catalog, and VDC Events
Table 10‑3. Organization, Network, Catalog, and VDC Events
Type (com/vmware/vcloud/event/)

Description

org/create

An organization was created.

org/modify

An organization was modified.

org/delete

An organization was deleted.

network/create

A network was created.

network/modify

A network was modified.

network/delete

A network was deleted.

network/deploy

A network was deployed.

network/undeploy

A network was undeployed.

catalog/create

A catalog was created.

catalog/delete

A catalog was deleted.

catalog/modify

One or more properties of a catalog were modified

catalog/publish

A catalog was published.

catalogItem/create

An item was added to a catalog.

catalogItem/delete

An item was removed from a catalog.

vdc/create_request

A request to create a VDC was blocked pending
administrative action.

vdc/create

A VDC was created.

vdc/modify

One or more properties of a VDC was modified.

vdc/delete_request

A request to delete a VDC was blocked pending
administrative action.

vdc/delete

A VDC was deleted.

vdc/fast_provisioning/modify

The UsesFastProvisioning value of a VDC was
modified.

vdc/thin_provisioning/modify

The IsThinProvision value of a VDC was modified.

vApp, vApp Template, Vm, and Media Events
Table 10‑4. vApp, vApp Template, Vm, and Media Events
Type (com/vmware/vcloud/event/)

Description

vappTemplate/create

A vApp template was created.

vappTemplate/import

A virtual machine was imported from vSphere as a vApp
template.

vappTemplate/modify

One or more properties of a vApp template were modified.

vappTemplate/delete

A vApp template was deleted.

VMware, Inc.

315

vCloud API Programming Guide

Table 10‑4. vApp, vApp Template, Vm, and Media Events (Continued)

316

Type (com/vmware/vcloud/event/)

Description

vappTemplate/create_request

A request to create a vApp template was blocked pending
administrative action.

vappTemplate/import_request

A request to import a vApp template was blocked pending
administrative action.

vappTemplate/modify_request

A request to modify a vApp template was blocked pending
administrative action.

vappTemplate/delete_request

A request to delete a vApp template was blocked pending
administrative action.

vapp/create

A vApp was created (instantiated)

vapp/import

A virtual machine was imported from vSphere as a vApp.

vapp/modify

One or more properties of a vApp were modified.

vapp/delete

A vApp was deleted.

vapp/deploy

A vApp was deployed.

vapp/undeploy

A vApp was undeployed.

vapp/runtime_lease_expiry

The runtime lease of a vApp has expired.

vapp/create_request

A request to instantiate a vApp template was blocked
pending administrative action.

vapp/import_request

A request to import a vApp was blocked pending
administrative action.

vapp/modify_request

A request to modify a vApp was blocked pending
administrative action.

vapp/delete_request

A request to delete a vApp was blocked pending
administrative action.

vapp/deploy_request

A request to deploy a vApp was blocked pending
administrative action.

vapp/undeploy_request

A request to undeploy a vApp was blocked pending
administrative action.

vm/create_request

A request to create a virtual machine was blocked pending
administrative action.

vapp/quarantine_reject

An uploaded OVF was rejected after quarantine.

vapp/upload_timeout

An OVF upload has timed out.

vapp/lease_expiration_changed

The lease expiration of a vApp has changed.

vm/ip_address_changed

The IP address of a virtual machine has changed.

vm/create

A virtual machine was created by instantiating a vApp.

vm/modify_request

A request to modify a virtual machine was blocked
pending administrative action.

vm/modify

One or more properties of a virtual machine were
modified.

vm/delete

A virtual machine was deleted.

vm/change_state

The power state of a virtual machine has changed.

vm/deploy_request

A request to deploy a virtual machine was blocked
pending administrative action.

vm/deploy

A virtual machine was deployed.

VMware, Inc.

Chapter 10 Configuring and Using Blocking Tasks and Notifications

Table 10‑4. vApp, vApp Template, Vm, and Media Events (Continued)
Type (com/vmware/vcloud/event/)

Description

vm/undeploy_request

A request to undeploy a virtual machine was blocked
pending administrative action.

vm/undeploy

A virtual machine was undeployed.

vm/consolidate_request

A request to consolidate a virtual machine was blocked
pending administrative action.

vm/consolidate

A virtual machine was consolidated.

vm/relocate_request

A request to relocate a virtual machine was blocked
pending administrative action.

vm/relocate

A virtual machine was relocated.

media/create

A media object was created by upload or import.

media/import

A media object was imported.

media/modify

One or more properties of a media object were modified.

media/delete

A media object was deleted.

media/create_request

A request to create a media object was blocked pending
administrative action.

media/import_request

A request to import a media object was blocked pending
administrative action.

media/modify_request

A request to modify a media object was blocked pending
administrative action.

media/delete_request

A request to delete a media object was blocked pending
administrative action.

media/upload_timeout

A media upload has timed out.

media/quarantine_reject

An uploaded media object was rejected after quarantine.

Other System Events
Table 10‑5. Other System Events
Type (com/vmware/vcloud/event/)

Description

providerVdc/create_request

A request to create a provider VDC was blocked pending
administrative action.

providerVdc/create

A provider VDC was created.

providerVdc/modify

One or more properties of a provider VDC were modified.

providerVdc/delete_request

A request to delete a provider VDC was blocked pending
administrative action.

providerVdc/delete

A provider VDC was deleted.

vc/create

A vCenter server was registered.

vc/modify

One or more properties of a registered vCenter server were
modified.

vc/delete

A registered vCenter server was registered.

task/create

A task was created.

task/start

A non-blocking task has started or a blocking task has
resumed.

task/abort

A task was aborted.

task/complete

A task has completed.

VMware, Inc.

317

vCloud API Programming Guide

Table 10‑5. Other System Events (Continued)
Type (com/vmware/vcloud/event/)

Description

task/fail

A task has failed.

blockingtask/create

A task was blocked and a notification created.

blockingtask/resume

A blocking task was resumed.

blockingtask/abort

A blocking task was aborted.

blockingtask/fail

A blocking task was failed.

datastore/modify

One or more properties of a datastore object were
modified.

datastore/delete

A datastore object was deleted.

Retrieve or Update Blocking Task Settings
Timeout settings, default actions, and related messages for blocking tasks are properties of a cloud. They
apply to all organizations in the cloud. Only a system administrator can view or modify them.
When a user requests an operation that is configured to create a blocking task, the system creates a reference
to the operation in the cloud's BlockingTaskReferences container. The system also sends a message about
the task to the configured AMQP broker. A system administrator can retrieve the list of
BlockingTaskReferences by making a GET request to the system's blockingTasks link. An AMQP client can
use information in the message to construct a URL that it can use to retrieve the task. See
#unique_177_Connect_42_EXAMPLE_B07B54418FAF480980ED867A833E22CC.
If no action is taken on the blocking task within a specified timeout interval, it is subject to a default action.
You can specify the timeout interval and default action for all blocking tasks by modifying the system's
BlockingTaskSettings element. To configure an operation as a blocking task, add the operation name to the
BlockingTaskOperations element contained by BlockingTaskSettings. See “Task Operations,” on page 320.
Prerequisites
n

Verify that you are logged in to the vCloud API as a system administrator.

Retrieve the SystemSettings element. See “Retrieve or Update System Settings,” on page 239.

Procedure
1

Examine the response to locate the link that you can use to retrieve the system's BlockingTaskSettings
element.
This link has a rel attribute value of down and a type attribute value of
application/vnd.vmware.admin.blockingTaskSettings+xml, as shown here:

Retrieve the element.
Make a GET request to the href value of the link.

(Optional) Modify the element as needed to change the settings it controls.
See the schema reference.

(Optional) Update the modified element with the new contents.
PUT the modified element to the href value of its rel="edit" link. See “Example: Update Blocking Task
Settings,” on page 319.

318

VMware, Inc.

Chapter 10 Configuring and Using Blocking Tasks and Notifications

Example: Update Blocking Task Settings
This request modifies the blocking task settings for a cloud to set the time-out period to 24 hours and adds
media upload as an operation that creates a blocking task. See “Task Operations,” on page 320 for a list of
operation names.
Request:
PUT https://vcloud.example.com/api/admin/extension/settings/blockingTask
Content-Type: application/vnd.vmware.admin.blockingTaskSettings+xml
...

abort

vdcUploadMedia

86400000

The response contains information extracted from the request, and adds the href attributes and edit links
for the BlockingTaskSettings element and the BlockingTaskOperations element it contains.
Response:
200 OK
Content-Type: application/vnd.vmware.admin.blockingTaskSettings+xml
...

abort

vdcUploadMedia

VMware, Inc.

319

vCloud API Programming Guide

Task Operations
Requests that you can configure as blocking tasks are represented by task operation names.
To configure a request type as a blocking task, place the operation name in an Operation element and add
that element to the cloud's BlockingTaskOperations element. See “Retrieve or Update Blocking Task
Settings,” on page 318.
NOTE These operation names also appear in the operationName attribute of the Task element that tracks the
operation.
Table 10‑6. Blocking Task Operations for vApp Tasks
Operation Name

Description

vappAttachDisk

Attach an independent disk to any virtual machine in a vApp.

vappCheckVmCompliance

Check the storage profile compliance of a virtual machine.

vappConsolidateVm

Consolidate the disks of any virtual machine in a vApp.

vappCreateSnapshot

Create a snapshot for the vApp

vappDeleteShadowVm

Delete a shadow VM for any virtual machine in a vApp.

vappDeploy

Deploy a vApp.

vappDetachDisk

Detach an independent disk from any virtual machine in a vApp.

vappDiscardSuspendedState

Discard the suspended state of any virtual machine in a vApp.

vappEjectCdFloppy

Eject media from any virtual machine in a vApp.

vappInsertCdFloppy

Insert media in any virtual machine in a vApp.

vappInstallTools

Install VMware Tools on any virtual machine in a vApp.

vappMigrateVms

Migrate the virtual machines in a vApp to a new host.

vappPowerOff

Power-off a vApp.

vappRebootGuest

Reboot any virtual machine in a vApp.

vappRelocateVm

Relocate any virtual machine in a vApp.

vappRemoveAllSnapshots

Remove all snapshots for this vApp

vappReset

Reset any virtual machine in a vApp.

vappResume

Resume any virtual machine in a vApp.

vappRevertToCurrentSnapshot

Revert the vApp to its current snapshot

vappShutdownGuest

Shut down any virtual machine in a vApp.

vappSuspend

Suspend any virtual machine in a vApp.

vappUndeployPowerOff

Undeploy any virtual machine in a vApp by powering it off.

vappUndeploySuspend

Undeploy any virtual machine in a vApp by suspending it.

vappUpdateVm

Modify one or more properties of a virtual machine.

vappUpgradeHwVersion

Upgrade the hardware version of any virtual machine in a vApp.

Table 10‑7. Blocking Task Operations for VDC Tasks

320

Operation Name

Description

vdcCaptureTemplate

Capture a vApp as a vApp template.

vdcComposeVapp

Compose a vApp.

VMware, Inc.

Chapter 10 Configuring and Using Blocking Tasks and Notifications

Table 10‑7. Blocking Task Operations for VDC Tasks (Continued)
Operation Name

Description

vdcCopyMedia

Copy a media object.

vdcCopyTemplate

Copy a vApp template.

vdcCopyVapp

Clone a vApp.

vdcCreateDisk

Create an independent disk.

vdcCreateVdc

Create an organization VDC.

vdcDeleteDisk

Delete an independent disk.

vdcDeleteMedia

Delete a media object.

vdcDeleteTemplate

Delete a vApp template.

vdcDeleteVapp

Delete a vApp.

vdcDeleteVdc

Delete an organization VDC.

vdcEnableDownload

Enable a vApp template for download as OVF.

vdcInstantiateVapp

Instantiate a vApp template.

vdcRecomposeVapp

Recompose a vApp.

vdcUpdateDisk

Update an independent disk.

vdcUpdateMedia

Update one or more properties of a media object.

vdcUpdateStorageProfiles

Update the storage profiles of a VDC

vdcUpdateTemplate

Update one or more properties of a vApp template.

vdcUpdateVapp

Update any section of a vApp.

vdcUpdateVappNetworkSection

Update the NetworkSection of a vApp.

vdcUpdateVdc

Modify one or more properties of an organization VDC.

Table 10‑8. Blocking Task Operations for Network Tasks
Operation Name

Description

networkCreateExternalNetwork

Create an external network.

networkCreateFencePoolTypeNetworkPool

Create an isolation-backed FencePoolType network pool.

networkCreateNetworkPool

Create a network pool.

networkCreateOrgNetwork

Create an organization network.

networkCreateOrgVdcNetwork

Create an organization VDC network.

networkCreateVappNetwork

Create a vApp network.

networkDelete

Delete a network.

networkDeleteNetworkPool

Delete a network pool.

networkMergeNetworkPools

Merge network pools.

networkRepairNetworkPool

Repair a network pool.

networkReset

Reset any network.

networkResetOrgNetwork

Reset an organization network.

networkResetOrgVdcNetwork

Reset an organization VDC network.

networkSyncSyslogSettings

Synchronize syslog settings for a network.

networkUpdateIpsecVpnTunnelStatus

Update the status of a VPN tunnel

VMware, Inc.

321

vCloud API Programming Guide

Table 10‑8. Blocking Task Operations for Network Tasks (Continued)
Operation Name

Description

networkUpdateNetwork

Modify one or more properties of a network object.

networkUpdateNetworkPool

Modify one or more properties of a VlanPoolType network pool
object.

networkUpdateVlanPool

Modify one or more properties of any network pool object.

Table 10‑9. Blocking Task Operations for Edge Gateway Tasks
Operation Name

Description

edgeGatewayUpdate

Update an Edge Gateway.

edgeGatewayUpdateProperties

Update Edge Gateway properties.

networkConfigureEdgeGatewayServices

Configure services on an Edge Gateway.

networkEdgeGatewayCreate

Create an Edge Gateway.

networkEdgeGatewayDelete

Delete an Edge Gateway.

networkEdgeGatewayRedeploy

Redeploy an Edge Gateway.

networkEdgeGatewaySynchronizeSyslog

Synchronize syslog settings for an Edge Gateway.

networkEdgeGatewayUpgradeConfiguration

Upgrade the configuration of an Edge Gateway

networkReapplyEdgeGatewayServices

Reapply services on an Edge Gateway.

Table 10‑10. Blocking Task Operations for System Tasks

322

Operation Name

Description

systemForceDisconnectVimserver

Force disconnection of a vCenter server.

systemForceReconnectVimserver

Force reconnection of a vCenter server.

systemPurgeAllStrandedItems

Purge all stranded items.

systemPurgeStrandedItem

Purge a specific stranded item.

systemRefreshStorageProfiles

Refresh vCenter storage profiles.

systemRefreshVimserver

Refresh a vCenter server.

systemRegisterLookupService

systemRegisterVimserver

systemUnregisterLookupService

Unregister with the vCenter lookup service.

systemUnregisterVimserver

Unregister a vCenter server.

systemUpdateAmqpCertificate

Update the system AMQP certificate.

systemUpdateAmqpTruststore

Update the system AMQP truststore.

systemUpdateLdapCertificate

Update the system LDAP certificate.

systemUpdateLdapKeystore

Update the system LDAP keystore.

systemUpdateLdapSspiKeytab

Update the system LDAP SSPI keytab.

systemUpdateVcTruststore

Update the vCenter truststore.

systemUpdateVimserver

Update a vCenter server.

VMware, Inc.

Chapter 10 Configuring and Using Blocking Tasks and Notifications

Table 10‑11. Blocking Task Operations for Resource Creation Tasks
Operation Name

Description

rclCreateProviderVdc

Create a provider VDC.

rclDeleteProviderVdc

Delete a provider VDC.

rclDisableHost

Disable a host.

rclEnableHost

Enable a host.

rclEnableVxlanForProviderVdc

Enable a VXLAN pool associated with a new Provider VDC.

rclMergePvdc

Merge Provider VDCs.

rclPrepareHost

Prepare a host

rclRedeployAllVms

Redeploy all virtual machines on this host.

rclRepairHost

Repair a host.

rclUnprepareHost

Unprepare a host

rclUpdateHost

Update host operating system.

rclUpdateProviderVdcStorageProfiles

Update provider VDC storage profiles in this cluster.

rclUpdateResourcePoolSet

Update resource pools in this cluster.

rclUpgradeHostAgent

Upgrade the host agent on a host.

Table 10‑12. Blocking Task Operations for Miscellaneous Tasks
Operation Name

Description

commonPurgeDeletedItem

Purge a deleted item.

importIntoExistingVapp

Import a virtual machine from vCenter to an existing vApp.

importLocalizationResource

Import external localization resources.

importMedia

Import a media object from vSphere.

importSingletonTemplate

Import a virtual machine from vCenter as a vApp template.

importSingletonVapp

Import a virtual machine from vCenter as a vApp.

catalogDelete

Delete a catalog.

catalogDeleteBacking

Delete the file(s) representing a catalog item.

catalogItemEnableDownload

Enable a catalog item for download

catalogSync

Update a subscribed catalog item from its external source.

catalogSyncAll

Update an externally subscribed catalog from its source.

metadataDelete

Delete a metadata item.

metadataUpdate

Update a metadata item.

vdcUploadMedia

Upload media.

vdcUploadOvfContents

Upload other OVF package contents

vdcUploadOvfDescriptor

Upload an OVF descriptor

VMware, Inc.

323

vCloud API Programming Guide

Monitor Blocking Tasks
A system administrator can retrieve a list of all pending and active blocking tasks. Links in the returned
BlockingTask element allow the administrator to take action on the request.
In addition to being subject to programmatic action by an AMQP client (see “Notification Message Format,”
on page 312), blocking tasks can be monitored and managed by a system administrator using the vCloud
API.
Prerequisites
Verify that you are logged in to the vCloud API as a system administrator.
Procedure
1

Retrieve the list of blocking tasks.
See the request portion of “Example: Retrieve a List of Blocking Tasks,” on page 324. If the

BlockingTaskReferences element contains no Reference elements, no blocking tasks are currently active

in the system.

Retrieve an individual blocking task from one of the Reference elements in the response.
See the request portion of “Example: Handling a Blocking Task,” on page 326.

Use one of the action links in the BlockingTask to take action on the task.
See the response portion of “Example: Handling a Blocking Task,” on page 326.

Example: Retrieve a List of Blocking Tasks
Request:
GET https://vcloud.example.com/api/admin/extension/blockingTasks/

Response:
200 OK
Content-Type: application/vnd.vmware.admin.blockingTaskList+xml
...

Take Action on a Blocking Task
The BlockingTask element includes links that you can use to take action on a blocking task.
A BlockingTask element is primarily a collection of Link elements that allow you to take action on the task.
When a user requests an operation that is configured to create a blocking task, the system sends a message
about the task to the configured AMQP broker, and also creates a reference to the task in the cloud's
BlockingTaskReferences container. A system administrator can retrieve the list of BlockingTask elements by
making a GET request to the system's extension/blockingTasks link. See “Monitor Blocking Tasks,” on
page 324.
After authenticating to the cloud as a system administrator, the AMQP client can retrieve a blocking task.
The AMQP client makes a GET request to a URL that the task creates by appending the value of the id
attribute of the task to the entityResolver URL in the Notification. See
#unique_177_Connect_42_EXAMPLE_B07B54418FAF480980ED867A833E22CC.
The following actions are allowed:
resume

Unblock the task and allow it to continue.

abort

End the task, cleaning up any transient objects that it created. Task status is
set to ABORTED.

fail

End the task, setting the status of any transient objects that it created to
ERROR. Task status is set to ERROR.

updateProgress

Reset the timeout value and timeout action for an active task. Use this action
to keep the task alive when it might become subject to a timeout action.

Prerequisites
Verify that you are logged in to the vCloud API as a system administrator.
Procedure
1

Retrieve the list of active blocking tasks.
See “Monitor Blocking Tasks,” on page 324. If you are using an AMQP client to handle blocking tasks,
skip this step. Each blocking task creates its own AMQP message, which contains a reference to the
BlockingTask.

Retrieve an individual BlockingTask.
See the request portion of “Example: Handling a Blocking Task,” on page 326.

VMware, Inc.

Make a request.
Action

Request

resume

POST a BlockingTaskOperationParams element to the Link where
rel="resume"

abort

POST a BlockingTaskOperationParams element to the Link where
rel="abort"

325

vCloud API Programming Guide

Action

Request

fail

POST a BlockingTaskOperationParams element to the Link where
rel="fail"

updateProgress

POST a BlockingTaskUpdateProgressParams element to the Link
where rel="updateProgress"

Example: Handling a Blocking Task
This request shows how to retrieve a blocking task without using an AMQP client.
#unique_177_Connect_42_EXAMPLE_B07B54418FAF480980ED867A833E22CC shows how to retrieve the
same task using information in the AMQP message.
Request:
GET https://vcloud.example.com/api/admin/extension/blockingTask/25

Response:
200 OK
Content-Type: application/vnd.vmware.admin.blockingTask+xml
...

The following request allows the task to resume with a message indicating administrative approval.
POST https://vcloud.example.com/api/admin/extension/blockingTask/25/action/resume
Content-Type: application/vnd.vmware.admin.blockingTaskOperationParams+xml
...

Approved by system administrator.

Extend The Timeout Expiration of an Active Task
You can use the updateProgress link in a BlockingTask to extend the expiration time of an active task.
Prerequisites
Verify that you are logged in to the vCloud API as a system administrator.
Procedure
1

Retrieve the list of active blocking tasks.
See “Monitor Blocking Tasks,” on page 324. If you are using an AMQP client to handle task extension
requests, skip this step. Each blocking task creates its own AMQP message, which contains a reference
to the BlockingTask mentioned in Step 1.

Retrieve an individual BlockingTask.
See the request portion of “Example: Handling a Blocking Task,” on page 326.

Provide a new timeout value, relative to now, for the task.
Create a BlockingTaskUpdateProgressParams element that specifies the number of milliseconds until the
task times out. See “Example: Extend The Timeout Expiration of an Active Task,” on page 327.

POST the BlockingTaskUpdateProgressParams to the updateProgress URL from the BlockingTask.
The new timeout value is set to now (the time when the updateProgress request is executed)
plusTimeoutValueInMilliseconds.

Example: Extend The Timeout Expiration of an Active Task
This request resets the expiration time of the BlockingTask shown in “Example: Handling a Blocking Task,”
on page 326 to ten minutes after the request is processed.

VMware, Inc.

327

vCloud API Programming Guide

Request:
POST https://vcloud.example.com/api/admin/extension/blockingTask/34/action/updateProgress
Content-Type: application/vnd.vmware.admin.blockingTaskUpdateProgressOperationParams+xml
...

Giving you ten more minutes...
600000

The response includes the entire BlockingTask and shows the new value of the timeoutDate attribute. The
value assumes that the request was made at time 2011-05-11T11:50:55. This example omits most of the
response.
Response:
200 OK
Content-Type: application/vnd.vmware.admin.blockingTask+xml
...

328

VMware, Inc.

vCloud Director Extension Services

vCloud Director and the vCloud API include a framework for integration of extension services that a
vCloud API client can access as though they were native services. In addition to service-specific objects or
operations they provide, extension services can implement new operations for existing API objects.
A vCloud Director extension service is a program that presents a REST interface to vCloud API clients.
When you register an extension service with the vCloud API, you specify one or more URL patterns that the
vCloud Director REST service treats as extension requests. When it receives an extension request, the
vCloud Director REST service creates an AMQP notification with a service-specific exchange and routing
key, and sends it to the vCloud Director AMQP service. Each extension service subscribes to AMQP
notifications that have its service-specific routing key. A service processes its notifications, takes whatever
actions they require, and returns a response to the AMQP service, where the vCloud Director REST service
retrieves it and uses its contents to generate a response to the client that made the request.

Message Routing
Extension services use the vCloud Director AMQP service to communicate with vCloud Director. Every
extension service must register a unique AMQP routing key, which vCloud Director prepends to AMQP
messages destined for that service. To collect replies from services, vCloud Director creates a single reply
exchange for all services, creates a separate reply queue for each cell, and binds each of those queues to the
reply exchange.
vCloud Director extension services can also be vCloud API clients, authenticating to the vCloud API and
making their own REST requests to the vCloud API URL. This type of interaction is required when creating
tasks and events that track the progress of requests made to the service. It is also required by services that
operate on vCloud Director objects like vApps and virtual machines.

Creating Events and Tasks
The vCloud API extension framework implements operations that allow an extension service to create and
update an organization's lists of tasks and events, so the status of asynchronous events running in extension
services can be displayed with the same kinds of information posted by native services.

Authorization Framework
All requests to extension services are processed through the vCloud Director authentication framework. A
user making a request to an extension service must be authenticated by vCloud Director as a system
administrator or a member of a vCloud Director organization.
An extension service can add service-specific rights and associate those rights with operations on its own
objects or with operations it adds to vCloud API objects .

VMware, Inc.

329

vCloud API Programming Guide

Service APIs
An extension service can define its own request and response body elements if it needs to. API schema files
can be specified as part of service registration or can be added later. Schema files can reside at any location
that is reachable by the extension service.

Support for Idempotent Operations
Most requests to extension services can include an operationKey attribute, which is a string meant to
uniquely identify the operation so that if it is invoked multiple times, the result will be the same as if it had
been invoked only once. The following types support use of the operationKey attribute:
n

AclRuleType

ApiDefinitionType

ApiFilterType

FileDescriptorType

ResourceClassActionType

ResourceClassType

ServiceLinkType

ServiceResourceType

ServiceType

This chapter includes the following topics:
n

“Summary of vCloud API Extension Services Framework Requests,” on page 330

“Register an Extension Service,” on page 332

“Adding or Removing Service Links,” on page 336

“Service-Specific Tasks and Events,” on page 339

“Authorization Framework for Extension Service Operations,” on page 342

“Localization Framework for Extension Services,” on page 350

“REST APIs for Extension Services,” on page 353

Summary of vCloud API Extension Services Framework Requests
vCloud API extension services framework requests extend the vCloud API to allow you to extend existing
vCloud Director services and integrate new services with vCloud Director.
n

API-URL is a URL of the form https://vcloud.example.com/api.

id is a unique identifier in the form of a UUID, as defined by RFC 4122.

330

VMware, Inc.

Chapter 11 vCloud Director Extension Services

Table 11‑1. Summary of vCloud API Extensibility Requests
Operation

Request

Request Body

Response

POST APIURL/admin/extension/serv
ice

Service

Retrieve a list of registered
extension services.

GET APIURL/admin/extension/serv
ice

None

ExtensionServices

Update a registered
extension service.

PUT APIURL/admin/extension/serv
ice/id

Service

Delete a registered extension
service.

DELETE APIURL/admin/extension/serv
ice/id

None

204 No Content

POST APIURL/admin/extension/serv
ice/id/links

ServiceLink

Create resource class
definitions for a registered
extension service.

POST APIURL/admin/extension/serv
ice/id/resourceClasses

ResourceClass

Associate actions with a
resource class.

POSTAPIURL/admin/extension/serv
ice/resourceClass/id/resour
ceClassActions

ResourceClassAction

Create an ACL rule for a
resource class.

POSTAPIURL/admin/extension/serv
ice/resourceClassAction/id
/aclRules

AclRule

Associate a right with an
extension service.

POSTAPIURL/admin/extension/serv
ice/id/rights

Right

RightRight

Update a right associated
with an extension service.

PUTAPIURL/admin/right/id

Right

Delete rights no longer
associated with a role or
ACL rule after the
associated extension service
has been deleted.

POSTAPIURL/admin/extension/serv
ice/action/clearUnusedRig
hts

None

204 No Content

List the access rights for a
specific combination of user
and entity

POSTAPIURL/admin/user/id/entity
Rights

EntityReferences

UserEntityRights

Create a Task object in the
organization/id

POSTAPI-URL/tasksList/id

Task

Update a Task object

PUTAPI-URL/task/id

Task

Post an extension service
event to the system.

POSTAPIURL/admin/org/id/events

Event

204 No Content

Initiate the upload of a
localization bundle for an
extension service.

POSTAPIURL/admin/extension/serv
ice/id/localizationBundles

BundleUploadParams

BundleUploadSocket

VMware, Inc.

331

vCloud API Programming Guide

Table 11‑1. Summary of vCloud API Extensibility Requests (Continued)
Operation

Request

Request Body

Response

Create API definitions for a
registered extension service.

POST APIURL/admin/extension/serv
ice/id/definitions

ApiDefinition

Create file descriptors for a
registered extension service.

POSTAPIURL/admin/extension/serv
ice/definition/id/files

FileDescriptor

Register an Extension Service
Register an extension service to specify its namespace, AMQP exchange and routing key, and URL patterns.
You can specify additional service properties during registration or update them later.
An extension service typically authenticates with the vCloud API as a system administrator, then registers
itself with vCloud Director by POSTing a Service element to the system's .../api/admin/extension/service
URL. A Service element must include the following elements.
Namespace

The service namespace, which must be unique among all registered
extension services. Service namespace names that follow the naming
convention used for Java packages (for example,
com.example.service.backup) are more likely to be unique. If a service tries
to register a namespace that is already registered with this vCloud Director
installation, registration fails.

RoutingKey

The AMQP routing key that vCloud Director must use when routing
messages to the service.

Exchange

The AMQP exchange name that vCloud Director must use when routing
messages to the service. The service must create the specified exchange on
the AMQP service that vCloud Director uses. The exchange type must be
direct.

ApiFilters

Specifies one or more URL patterns that the vCloud Director REST service
must treat as extension requests. URL patterns can include regular
expressions that java.util.regex.Pattern recognizes. See “Create an API
Filter for an Extension Service,” on page 354.

Registration can also specify the following optional properties:
n

Definitions of Link elements that the service adds to the representations of vCloud API objects. See
“Adding or Removing Service Links,” on page 336

Authorization framework for controlling access to the service's objects and operations. See
“Authorization Framework for Extension Service Operations,” on page 342.

Locations of schema files if the service provides its own API. See “REST APIs for Extension Services,”
on page 353

You can also create or update these properties after you register the service.
Prerequisites
Verify that you are logged in to the vCloud API as a system administrator.
Procedure
1

Retrieve the XML representation of the cloud.
Use a request like this one:
GET https://vcloud.example.com/api/admin/extension

332

VMware, Inc.

Chapter 11 vCloud Director Extension Services

Examine the response to find the Link for adding extension services.
This URL is present in the VMWExtension element, and has the following form.

Construct a Service element.
See the request portion of “Example: Register an Extension Service,” on page 333.

POST the Service element to the URL described in Step 2.
See the request portion of “Example: Register an Extension Service,” on page 333.

Example: Register an Extension Service
This request registers an extension service named SDK-BackupExtension. The request specifies the service
namespace and routing key, and several URL patterns to be used as API filters. Messages for the service are
sent to the AMQP exchange named sdkext with routing key sdkbackup.
NOTE If the specified exchange does not exist on the AMQP service that vCloud Director uses, an internal
server error occurs whenever vCloud Director receives a request that matches one of the service's API filters.
This request also includes several ServiceLink elements. For information about the contents of these
elements, see “Adding or Removing Service Links,” on page 336.
Request:
POST https://vcloud.example.com/api/admin/extension/service
Content Type: application/vnd.vmware.admin.service+xml

org.example.vcd.backup
true
true
backup
50
sdkext

(/api/org/.*/backups)|(/api/vApp/vapp-.*/backups)|
(/api/vApp/vapp-.*/action/backup)|(/api/backup/.*)

{baseUri}org/{resourceId}
application/vnd.example.vcd-backup.backupList+xml
down
application/vnd.example.vcd-backup.org+xml

{baseUri}api/vApp/vapp-{resourceId}/backups

VMware, Inc.

333

vCloud API Programming Guide

application/vnd.example.vcd-backup.backupList+xml
down
application/vnd.example.vcd-backup.vApp+xml

{baseUri}vApp/vapp-{resourceId}/action/backup
application/vnd.example.vcd-backup.createBackupParams
+xml
backup
application/vnd.example.vcd-backup.vApp+xml

The server registers the service and returns a Service element that includes information derived from the
contents you POSTed, and a set of Link elements that you can use to access, remove, disable, or modify the
extension service.
Response:
201 Created
Content Type: application/vnd.vmware.admin.service+xml
...

...

The following elements are never returned as part of a response body. Instead, they are returned as Link
elements in the body of their container.
n

AclRules

ApiDefinitions and Files

ApiFilters

ResourceClassActions

ResourceClasses

ServiceLinks

ServiceResources

For example, to retrieve the contents of the ServiceLinks element POSTed with the request body in this
example, GET the URL in this Link:

VMware, Inc.

335

vCloud API Programming Guide

Adding or Removing Service Links
A service can add its own Link elements to the representations of vCloud API objects. You can create these
service links when you register a service. You can also add or remove the links after you register the service.
You can create multiple service links as part of registering a service. After you register a service, you can
add or remove individual links. Service links typically appear in the representations of all objects of a
specific type, but you can constrain them to appear in a particular object of that type. Service links are not
included in object representations unless the service that created them is enabled.
NOTE You cannot update a service link, but you can remove existing links and create links.
Prerequisites
Verify that you are logged in to the vCloud API as a system administrator.

Add a Service Link
You can add a service link to an existing service.
A ServiceLink element must contain the following child elements:
LinkHref

The value of href attribute of the Link. This can be any URI, and can include
the variables {baseUri} and {resourceId}. When constructing the href value
of the Link, vCloud Director replaces {baseUri} with the vCloud Director
REST API base URL, and replaces {resourceId} with the UUID portion of
the id attribute value of the resource in which the Link is inserted. The
following example might expand to the string
https://vcloud.example.com/org/17.

{baseUri}/org/{resourceId}

MimeType

The value, specified as a MIME content type, of the type attribute of the Link.

Rel

ResourceType

The object type, specified as a MIME content type, of the object in which the
Link appears.

NOTE You can constrain the Link to appear in a specific resource by including a ResourceId element in the
ServiceLink. This element contains the id of the resource in which the Link will appear. This resource must
be of the type specified in the ResourceType element of the ServiceLink.
Prerequisites
Verify that you are logged in to the vCloud API as a system administrator.

336

VMware, Inc.

Chapter 11 vCloud Director Extension Services

Procedure
1

Retrieve the XML representation of the service.
This request retrieves the XML representation of the service created in “Example: Register an Extension
Service,” on page 333:
GET https://vcloud.example.com/api/admin/extension/service/45

Examine the response to find the Link for adding service links.
This Link has the following form:

Create a ServiceLink element that specifies the properties of the new link.

POST the ServiceLink element to the URL described in Step 2
See “Example: Add a Service Link,” on page 337.

Example: Add a Service Link
This request adds a ServiceLink to the service created in “Example: Register an Extension Service,” on
page 333
Request:
POST https://vcloud.example.com/api/admin/extension/service/45/links
Content-type: application/vnd.vmware.admin.serviceLink+xml

{baseUri}vApp/vapp-{resourceId}/action/deleteBackup
application/vnd.example.vcd-backup.createBackupParams+xml
deleteBackup
application/vnd.example.vcd-backup.vApp+xml

Response:
200 OK
Content-type: application/vnd.vmware.admin.serviceLink+xml
...

...

Delete a Service Link
Delete a service link when you no longer want it to appear in the representation of an vCloud API objects, or
when you want to replace it with a new service link.
When you retrieve the list of service links associated with a service, the response is a QueryResultRecords
element in which each service link is represented as a ServiceLinkRecord element. The value of the href
attribute of a ServiceLinkRecord is a URL you can use to retrieve or delete the service link.

VMware, Inc.

337

vCloud API Programming Guide

Prerequisites
Verify that you are logged in to the vCloud API as a system administrator.
Procedure
1

Examine the response to find the Link for listing service links.
This Link has the following form:

Make a GET request to the link described in Step 2.

Examine the response to find the ServiceLinkRecord that represents the service link to delete.

Make a DELETE request to the URL in the href attribute value of that ServiceLinkRecord.

Example: Delete a Service Link
Start by getting the service's list of service links.
Request:
GET https://vcloud.example.com/api/admin/extension/service/45

Response:

...

NOTE Link id values are truncated in this example.
Using this information, find the ServiceLinkRecord that represents the service link you want to delete, and
make a DELETE request to that URL.
DELETE https://vcloud.example.com/api/admin/extension/service/link/f62e...

Service-Specific Tasks and Events
An extension service can create Task objects in a vCloud Director organization, and can post events to the
organization's event stream.
Tasks and events are created in the context of an organization. Each task or event is associated with exactly
one user, who must be a system administrator or a member of the organization in which the task or event is
created. Tasks and events can also have an owner, which is a reference to the subject of the task or event (for
example, an object being created or updated by a task).

Task and Event Workflow
vCloud Director native services typically create Task objects to track the progress of asynchronous events.
These objects are returned to clients as Task elements, which can be embedded in a container that represents
an object under construction, or simply returned in Task form.
Tasks are also reported in the organization's event stream. A service can also add its own events to this
stream, in addition to the ones added as a side-effect of creating a task.
Extension services act as vCloud API clients when creating tasks and events, even if those tasks and events
are created to track service-specific objects or operations. After a task is created in vCloud Director, an
extension service can use its AMQP connection to vCloud Director to return a Task as the response, or part
of the response, to a client request.

Localizing Task and Event Message Content
Message strings included in tasks and events can be localized. See “Localization Framework for Extension
Services,” on page 350.

VMware, Inc.

339

vCloud API Programming Guide

Create or Update a Service-Specific Task
When a user requests an asynchronous operation from an extension service, the service can create a task
object and add it to an organization's tasks list.
Every vCloud Director organization has a tasks list and accepts requests to add a task to the list. When a
client requests an asynchronous operation from a service, the service starts to process the request and also
POSTs a Task element to the organization's tasksList URL. vCloud Director adds information such as an id
and startTime to the Task, places it on the organization's TasksList, creates an event in the organization's
event stream, and returns the Task to the service. The service can then send the Task, as an AMQP message,
to vCloud Director, which sends it as a response to the client that made the original request.
NOTE Because of the diversity of sources from which an extension service can draw references to the User,
Owner, and Organization elements of a Task, it may not always be possible for every client to resolve such

references. For example, if a service creates an object in an organization of which you are not a member, you
will not be able to resolve the reference to the object in the Owner element of the Task.
Prerequisites
Verify that you are logged in to the vCloud API as a system administrator.
Procedure
1

Retrieve the XML representation of the organization in which you want to create the Task.
Use a request like this one:
GET https://vcloud.example.com/api/admin/org/26

Examine the response to locate the Link element that contains the URL for adding tasks to the
organization's tasks list.
This element has a rel attribute value of task:create and a type attribute value of
application/vnd.vmware.vcloud.task+xml, as shown here:

Create a Task element that specifies the details of the task.

POST the Task element to the organization's tasksList URL.

The server creates a task object and adds it to the organization's tasks list, and returns the representation of
the object to the service. To return the XML representation of the task object to the client that made the
original request, the service must create a JSON representation of the Task and return it to vCloud Director
AMQP service.

Example: Add a Task to an Organization's Tasks List
Request:
POST https://vcloud.example.com/api/tasksList/26
Content-Type: application/vnd.vmware.vcloud.task+xml
...

Response:
200 OK
Content-Type: application/vnd.vmware.vcloud.task+xml
...

...

Create a Service-Specific Event
An extension service can request that vCloud Director add an event message to the event stream of an
organization.
The system always creates an event message when a service posts a Task to an organization's tasks list. To
create additional event messages, a service can POST an Event element to an organization's events URL.
Prerequisites
Verify that you are logged in to the vCloud API as a system administrator.
Procedure
1

Retrieve the XML representation of the organization in which you want to create the event.
Use a request like this one:
GET https://vcloud.example.com/api/admin/org/26

Examine the response to locate the Link element that contains the URL for adding events to the
organization's events stream.
This element has a rel attribute value of event:create and a type attribute value of
application/vnd.vmware.vcloud.event+xml, as the following example shows:

VMware, Inc.

Create an Event element that specifies the details of the task.

341

vCloud API Programming Guide

POST the Event element to the organization's events URL.

Example: Add an Event to an Organization's Event Stream
Request:
POST https://vcloud.example.com/api/admin/org/26/events
Content-Type: application/vnd.vmware.admin.event+xml
...

Response:
204 No Content

Authorization Framework for Extension Service Operations
All requests to extension services must be authenticated through the vCloud API. Extension services can
participate in vCloud API REST authorization by controlling access to their objects and operations through
new or existing rights and roles.
An extension service that does not enable the use of vCloud Director REST authorization implicitly grants
permission for all users to perform all operations that the service uses. A service can use the native
vCloud Director REST authorization model by taking the following steps:
1

Define resource classes that represent references to service-specific object types.

Define resource class actions that specify the actions that are implemented for those object types.

Define ACL rules specifying the rights required to perform an operation on objects of a specific type.

Participation in the Authorization Framework
To participate in the authorization framework, a service must include an AuthorizationEnabled element
with a value of true in its registration request.
true

It must also define at least one resource class, specify at least one action for that class, and define an ACL
rule that constrains use of the action on the class.

342

VMware, Inc.

Chapter 11 vCloud Director Extension Services

Resource Classes and Actions
A service uses the following constructs to define the objects, operations, and permissions that constitute its
authorization model.
Resource Classes

Set of rules for creating references to service-specific objects. Like other object
references in the vCloud API, resource classes are a Link element that
specifies the MIME type of the resource and includes an href,URL, that can
be used to retrieve the resource. The rules include a MIME type, a URL
pattern, and a template for creating an id attribute value in URN form.

Resource Class Actions

Combination of a URL pattern that specifies a resource class and an HTTP
method that implements an action on a resource of that class. The action uses
the specified method in a request to a URL that matches the specified
pattern.

ACL Rules

Specifies the rights that an organization or user have to an operation defined
as a resource class action.

Querying for Organization and User Rights
The vCloud API query service implements several queries that return a list of rights that a specified user or
organization is granted. A user can make a request that specifies one or more entity references and returns a
summary of user rights to the specified entities.

Create an Extension Service Resource Class
To configure your extension service to provide access control for the objects it creates, define a resource class
for each of its object types.
A ResourceClass element contains the information needed to construct a URL that a client can use to access
the resource in a specific context. It must contain the following child elements:
MimeType

The MIME content type of all instances of the resource class.

UrlTemplate

The value of href attribute value for resources of this class. This can be any
URI, and can include the variables {baseUri} and {resourceId}. When
constructing the href value, vCloud Director replaces {baseUri} with the
vCloud Director REST API base URL, and replaces {resourceId} with the
UUID portion of the id attribute value of the resource.

Nid

The Namespace Identifier for resources of this type, as specified in
http://www.ietf.org/rfc/rfc2141.txt.

UrnPattern

The Namespace Specific String for resources of this type, as specified in
http://www.ietf.org/rfc/rfc2141.txt. You can provide a string or a named
regular expression, where (?) matches the resource identifier.

Prerequisites
Verify that you are logged in to the vCloud API as a system administrator.
Procedure
1

Retrieve the XML representation of the service.
Use a request like this one:
GET https://vcloud.example.com/api/admin/extension/service/45

VMware, Inc.

343

vCloud API Programming Guide

Examine the response to find the Link for adding resource classes.
This Link has the following form:

Construct a ResourceClass element.
See the request portion of “Example: Create an Extension Service Resource Class,” on page 344 for
information about the contents of this element.

POST the ResourceClass element to the URL described in Step 2.

Example: Create an Extension Service Resource Class
This request defines a resource class named Backup.
n

The MimeType is specified using the standard form for vnd type names.

The UrlTemplate uses the {baseUri} and {resourceId} variables, and could expand to a URL like
https://vcloud.example.com/backup/27

The Nid and UrnPattern elements provide rules for constructing an URN of the form:
urn:vcloud:backup:id

as shown in the response.
Request:
POST https://vcloud.example.com/api/admin/extension/service/45/resourceclasses
Content-type:application/vnd.vmware.admin.resourceClass+xml

application/vnd.vmware.vcloud.backup+xml
{baseUri}backup/{resourceId}
vcloud
^backup(?<id>[0-9]*)

Response:
201 Created
Content-Type: application/vnd.vmware.admin.resourceClass+xml
...

BackupType+xml
{baseUri}backup/{resourceId}
nidBackup
^myNssBackup(?<id>[0-9]*)

Define an Action for a Resource Class
After you define a resource class, you can specify the actions that are permitted on resources of that class.
A ResourceClassAction object defines an HTTP method that is allowed on a specific UrlPattern.
Prerequisites
Verify that you are logged in to the vCloud API as a system administrator.
Procedure
1

Retrieve the XML representation of the service.
Use a request like this one:
GET https://vcloud.example.com/api/admin/extension/service/45

Examine the response to find the Link for specifying resource class actions.
This Link has the following form:

Construct a ResourceClassAction element.
See the request portion of “Example: Define an Action for a Resource Class,” on page 345 for
information about the contents of this element.

POST the ResourceClassAction element to the URL described in Step 2.

Example: Define an Action for a Resource Class
This request specifies a GET action for a URL matching the pattern could expand to a URL like

https://vcloud.example.com/backup/27.

VMware, Inc.

345

vCloud API Programming Guide

Request:
POST https://vcloud.example.com/api/admin/extension/service/45/resourceclassactions
Content-type:application/vnd.vmware.admin.resourceClassAction+xml

GET
/api/backup/(?<id>[-,a-g,0-9]*)

The response is a ResourceClassAction element that includes information derived from the contents you
POSTed, along with a set of Link elements that you can use to remove the ResourceClassAction or add ACL
rules that control access to the resource class via the action.
Response:
201 Created
Content-Type: application/vnd.vmware.admin.resourceClassAction+xml
...

GET
/api/backup/(?<id>[-,a-g,0-9]*)

Define an ACL Rule for a Resource Class Action
Permission to execute an extension service operation is controlled by an AclRule contained in the
ResourceClassAction.
An ACL rule specifies the access controls that apply to a ResourceClassAction. Access controls can be
defined for any of the following principals:

346

an individual user

a member of a specified organization

any user whose role includes a specific right

VMware, Inc.

Chapter 11 vCloud Director Extension Services

any resource defined by the service that created the ACL rule

Rights for specific entity types are specified in the following container elements:
ServiceResourceAccess

This specification is optional.

OrganizationAccess

Access for the organizations. This specification is required.

PrincipalAccess

Access control for users, or for any role that includes a specified right. This
specification is required.

If the Access element in any of these containers has the value Entity, the container must also include an
Entity element that provides a reference to a resource entity, organization, user, or right.
Table 11‑2. ACL Rules
Container Element

Access

Comments

ServiceResourceAccess

Shared

The action is authorized for all resources in this resource class

Entity

The action is authorized for the service resource referenced in the Entity
element in this container.

Shared

The action is authorized for all members of the organization that owns the
resource.

Published

The action is authorized for all members of any organization in the cloud.

Entity

The action is authorized for members of the organization referenced in the
Entity element in this container.

Shared

The action is authorized for all users

Entity

The action is authorized for the User referenced in the Entity element in
this container, or for any role that includes the Right referenced in the
Entity element in this container.

OrganizationAccess

PrincipalAccess

A ResourceClassAction can include an arbitrary number of AclRule elements. The action is permitted if the
user or resource attempting the action matches any rule.
Prerequisites
Verify that you are logged in to the vCloud API as a system administrator.
Procedure
1

Retrieve the XML representation of the resource class action.
This request retrieves the XML representation of the resource class action created in “Example: Define
an Action for a Resource Class,” on page 345:
GET https://vcloud.example.com/api/admin/extension/service/resourceclassaction/268

Examine the response to find the Link for specifying ACL rules for the resource class action.
This Link has the following form:

Construct an AclRule element.
See the request portion of “Example: Define an ACL Rule for a Resource Class Action,” on page 348 for
information about the contents of this element.

VMware, Inc.

347

vCloud API Programming Guide

POST the ResourceClassAction element to the URL described in Step 2.

Example: Define an ACL Rule for a Resource Class Action
This example adds an ACL rule to the resource class action created in “Example: Define an Action for a
Resource Class,” on page 345. The rule specifies that all members of a specific organization who have a role
that includes a specific right can execute the action.
Request:
POST https://vcloud.example.com/api/admin/extension/service/resourceclassaction/268/aclrules
Content-type: application/vnd.vmware.admin.aclRule+xml

Only users in org/26 who have right/2 can read backups

Shared

Entity

The response contains information supplied in the request, along with several Link elements created by the
server.
Response:
201 Created
Content-Type: application/vnd.vmware.admin.aclrule+xml
...

Only users in org/26 who have right/2 can read backups
...

Create a Service-Specific Right
A service can create rights that apply to its operations. You can add these rights to existing roles or new
roles.
In the vCloud API, a right is simply a name that a service attaches to a privilege. When a service specifies an
ACL rule for a resource class action, the rule can reference a right. A user who is assigned a role that
includes the right is authorized to take the specified action.
Prerequisites
Verify that you are logged in to the vCloud API as a system administrator.
Procedure
1

Retrieve the XML representation of the service.
Use a request like this one:
GET https://vcloud.example.com/api/admin/extension/service/45

Examine the response to find the Link for adding or listing service-specific rights
This Link has the following form:

Construct a Right element.
For information about the contents of this element, see the request portion of “Example: Create a
Service-Specific Right,” on page 349.

POST the Right element to the URL described in Step 2.

Example: Create a Service-Specific Right
This request creates a right named DeleteBackup. The name attribute and Category element are required, and
can have any string value. Include a BundleKey if any messages associated with the right appear in a
localization bundle.
Request:
POST https://vcloud.example.com/api/admin/extension/service/45/rights
Content-type:application/vnd.vmware.admin.right+xml

Right to remove a backup object
VcdBackup
BackupBundle

The response is a Right element that includes information derived from the contents you POSTed. The
service namespace name is prepended to the name of the right.

VMware, Inc.

349

vCloud API Programming Guide

Response:
201 Created
Content-Type: application/vnd.vmware.admin.right+xml
...

Right to remove a backup object
VcdBackup
BackupBundle

Localization Framework for Extension Services
Extension service developers can provide localized content for service-specific tasks and events by creating
and uploading a localization bundle.
An extension service localization bundle is a file in zip format that contains one or more properties files.
Each file in the bundle has a name that indicates the locale to which it applies, and contains an arbitrary
number of key=value pairs, where the key is the value of an attribute of a service-specific task operation or
event, and the value is a localized string to display in log messages posted by the service.

Upload or Update a Localization Bundle
Each service provides a link that an administrator can use to upload a new or modified localization bundle
for the service.
A localization bundle is a file in ZIP format that contains one or more localized message files that your
service uses. Each line in one of these files provides localized text that replaces the text that your service
posts in the values of certain attributes for service-specific events and tasks. See “Message File Content,” on
page 351.
Prerequisites
n

Verify that you are logged in to the vCloud API as a system administrator.

Create a localization bundle.

Procedure
1

Create a localization bundle.

Find the localizationbundles URL for your service.
a

Retrieve the XML representation of the service.

Examine the representation for a Link of the following form:

The localizationbundles URL is the value of the href attribute of this link.

350

VMware, Inc.

Chapter 11 vCloud Director Extension Services

Create a BundleUploadParams element that specifies the size of the bundle and the service namespace of
the service.

POST the BundleUploadParams element to the localizationbundles URL of your service.

Example: Upload a Localization Bundle
This example uploads a localization bundle for the service created in “Example: Register an Extension
Service,” on page 333. The initial request specifies the size of the ZIP file in bytes and the name of the service
namespace.
Request:
POST https://vcloud.example.com/api/admin/extension/service/45/localizationbundles
Content-type: application/vnd.vmware.admin.bundleUploadParams+xml
...

The response body includes an uploadLocation URL. You can use a procedure similar to the one in
“Example: Uploading File Data,” on page 66 to upload the ZIP file to this location.
Response:

To update a bundle, follow the same procedure using a new bundle that contains updated message files.
When you upload a new localization bundle for a service that already has one, new key=value pairs are
added, and the values of existing keys are updated.

Message File Content
Message files provide localized text for certain attribute values in Task and Event objects.
Each file in a localization bundle can include an arbitrary number of lines. Each line must have the following
form, where key is any of the values that the service might assign to one of its service-specific Task or Event
elements and value is the localized string to display.
key=value

The value string can contain parameters that provide the resourceId, resourceName, and resourceType of the
subject of the Task or Event.
The following restrictions apply to each message file in a localization bundle:
n

File contents must be encoded in the UTF-8 character set.

key length cannot exceed 2000 UTF-8 characters.

value length cannot exceed 2000 UTF-8 characters.

File size cannot exceed 10MB.

File name must be the locale code for the language used in the value strings. For example, the file
containing English text must be named en_US. The file containing French text must be named fr_FR.

VMware, Inc.

351

vCloud API Programming Guide

Whenever a localizable attribute appears in a log message, vCloud Director takes the following steps to find
text to display:
1

If the service has a localization bundle, open the file in that bundle whose name corresponds to the
current client locale and display the value as it appears in the file.

If the service has a localization bundle but no file exists in that bundle whose name corresponds to the
current client locale, open the file in that bundle named en_US and display the value as it appears in the
file. The default locale for vCloud Director is en_US.

Otherwise, display a predefined string.

A Task or Event that a service posts can also include a passthrough key=value pair that is always displayed as
posted by the service, regardless of the current client locale or the presence or absence of a localization
bundle.

Message File Keys and Parameters
Message file contents (key=value pairs) apply to all Task and Event objects that the service creates. If a Task
and an Event both use the same key, the same message appears for both.
Table 11‑3. Localization Keys for Service-Specific Tasks
Attribute Values Matched for key
operationName

Available Parameters
resourceId

The value of the id attribute of the
Owner of the Task.

resourceNam
e

The value of the name attribute of the
Owner of the Task.

resourceTyp
e

The value of the type attribute of the
Owner of the Task.

Owner:type

None

serviceNamespace

None

operation (passthrough)

None

To create a message that appears only when a Task has status="running", append the string _PROGRESS to
the key.
Table 11‑4. Localization Keys for Service-Specific Events
Attribute Values Matched for key
type

Available Parameters
resourceId

The value of the id attribute of the
Owner of the Event.

resourceNam
e

The value of the name attribute of the
Owner of the Event.

resourceTyp
e

The value of the type attribute of the
Owner of the Event.

Owner:type

None

serviceNamespace

None

typeFull (passthrough)

None

To create a message that appears only for a failed Event (one where success="false"), prepend the string

FAILED. to the key.

352

VMware, Inc.

Chapter 11 vCloud Director Extension Services

Example: Example Message File Content
The following lines are appropriate in the en_US message file for a service that meets the following
conditions:
n

Its Namespace is registered as org.example.vcd.backup.

It defined a Task whose operationName attribute can have a value of backupInProgress.

It defined an Event whose type attribute can have a value of backupComplete.

org.example.vcd.backup=vCloud Backup Service
backupInProgress=Backup in progress for ${resourceName} ({resourceType}) with id: {resourceId}
backupInProgress_PROGRESS=Backup in progress for ${resourceName} ({resourceType}) with id:
{resourceId}
backupComplete=Backup complete for entity {resourceName} ({resourceType}) with id: {resourceId}
FAILED.backupComplete=Backup failed for entity {resourceName} ({resourceType}) with id:
{resourceId}

If the localization bundle for this service contained a file named fr_FR that included the following line, the
Task posted in “Example: Add a Task to an Organization's Tasks List,” on page 340 returns this localized
value for the operationName attribute when the client locale is set to fr_FR. The passthrough value for
operation is not localized.
backupInProgress_PROGRESS=Sauvegarde en cours pour entity {resourceName} ({resourceType}) avec
id: {resourceId}

Request:
GET https://vcloud.example.com/api/task/604

Response:
200 OK
Content-Type: application/vnd.vmware.vcloud.task+xml
...

REST APIs for Extension Services
A simple extension service does not need a REST API. You can define a service-specific REST API
entrypoint and one or more schema definition files.
An extension service that does not require request or response bodies other than those that the vCloud API
defines, Task, for example, can simply define the URL patterns that constitute its API filters and the service
links that implement its operations.
A service that defines its own request or response bodies must also specify a URL to which clients can direct
requests. The service must specify locations of the files, such as XML schema definition (XSD) files, to which
its clients require access.

VMware, Inc.

353

vCloud API Programming Guide

Create an API Filter for an Extension Service
When you register an extension service with vCloud Director, you specify one or more API filters, which are
URL patterns or MIME content types that the vCloud Director REST service should treat as extension
requests. You cannot update the API filter for a registered service, but you can replace it with a new one.
An API filter can be either a URL pattern, typically in the form of a regular expression, or a content type,
typically in the form of a MIME content-type string. Requests whose URL matches the specified UrlPattern
are sent to the service that has registered the filter. An API filter that specifies ResponseContentType is
applied only to responses whose Content-type attribute has a value that matches the specified
ResponseContentType. An extension service that receives such a response must return it, after making any
service-specific modifications, to the AMQP service as a JSON message, so that it can be returned to the
vCloud Director client that made the request.
Prerequisites
Verify that you are logged in to the vCloud API as a system administrator.
Procedure
1

Examine the response to find the Link for adding API filters
This Link has the following form:

Construct an ApiFilter element.
This ApiFilter overwrites any existing ApiFilter defined by the service. See the request portion of
“Example: Create an API Filter for an Extension Service,” on page 354 for information about the
contents of this element.

POST the ApiFilter element to the URL described in Step 2.

Example: Create an API Filter for an Extension Service
This request adds a new UrlPattern to set of patterns defined in the request portion of “Example: Register
an Extension Service,” on page 333. The request replaces the existing set of filter expressions with a new one
that includes the original set and one additional expression.
Request:
POST https://vcloud.example.com/api/admin/extension/service/45/apifilters
Content-type:application/vnd.vmware.admin.apiFilter+xml

(/api/org/.*/backups)|(/api/vApp/vapp-.*/backups)|
(/api/vApp/vapp-.*/action/backup)|(/api/backup/.*) |
(/api/vApp/vapp-.*/action/recoverBackup)

354

VMware, Inc.

Chapter 11 vCloud Director Extension Services

Response:
201 Created
Content-Type: application/vnd.vmware.admin.resourceClass+xml
...

(/api/org/.*/backups)|(/api/vApp/vapp-.*/backups)|
(/api/vApp/vapp-.*/action/backup)|(/api/backup/.*) |
(/api/vApp/vapp-.*/action/recoverBackup)

Create or Update an Extension Service API Definition
You can define an API for an extension service when you register the service. You can also create or update
the service API definition later.
An API definition for an extension service includes an API entry point (A URL at which a client can send
requests to the API) and a set of file descriptors, each of which consists of a description and a reference to a
schema definition file.
An ApiDefinition element must contain the following child elements:
EntryPoint

The URL to which a client can send requests to the service API. This can be
any URL, and can include the variable {baseUri}, which represents the
vCloud Director REST API base URL.

Namespace

The service namespace. See “Register an Extension Service,” on page 332

Files

One or more references to schema definition files. The references must be
accessible to vCloud Director.

Prerequisites
Verify that you are logged in to the vCloud API as a system administrator.
Procedure
1

Retrieve the XML representation of the service.
Use a request like this one:
GET https://vcloud.example.com/api/admin/extension/service/45

Examine the response to find the Link for adding API definitions.
This Link has the following form:

Construct an ApiDefinition element.
For information about the contents of this element, see the request portion of “Example: Create an
Extension Service API Definition,” on page 356.

VMware, Inc.

POST the ApiDefinition element to the URL described in Step 2.

355

vCloud API Programming Guide

Example: Create an Extension Service API Definition
This request defines an API for a backup service. The definition includes two FileDescriptor elements that
reference files available on the vendor's public Website. The entrypoint for requests to the service is the
vCloud Director API login URL.
Request:
POST https://vcloud.example.com/api/admin/extension/service/45/apidefinitions
Content-type:application/vnd.vmware.admin.apiDefinition+xml

Backup service API
{baseUri}/login
org.example.vcd.backup

Master schema definition file.

Schema definition file for backup devices.

Response:
201 Created
Content-type:application/vnd.vmware.admin.apiDefinition+xml
...

...

356

VMware, Inc.

XML Representations in the vCloud
API

The vCloud API represents objects in a cloud as XML documents in which object properties are contained in
elements and attributes that have typed values and an explicit object hierarchy defined by an XML schema.
Client programs of RESTful Web services must be able to request object representations from the server,
parse the server’s responses to extract the information they contain, and compose requests that, in many
cases, are based on the information extracted from a response. Developers of such clients must understand
the structure of each representation that might be part of a request or response, and any requirements that
the network protocol (HTTP) places on client-server interaction.

Schemas
Each vCloud API object is defined in an XML schema document. Some objects are defined in their own
schema documents. Others are defined in the context of the larger schema in which they are used. Still
others are defined in a common schema document, from which other schemas inherit. Schema files and
reference information about all elements, types, operations, and queries is included in the vCloud API Schema
Reference. See “About the Schema Reference,” on page 22.
vCloud Director uses a validating XML parser that requires elements in XML documents to agree in order
and number with the schema. Required elements must appear in request bodies. All elements that appear in
request bodies must appear in the order established by the schema, and with content that conforms to the
type constraint specified in the schema. Default values, where defined, are supplied for elements that are
empty. See “XML Namespace Identifiers,” on page 359.

Date and Time Values
Values of type xs:dateTime are always interpreted as UTC if a timezone has not been explicitly specified.

Length Limits on Element and Attribute String Values
String values for the name attribute and the Description and ComputerName elements have length limitations
that depend on the object to which they are attached.
Table 12‑1. Length Limits on Element and Attribute String Values
Object

Element or Attribute Name

Maximum Length in Characters

Catalog

name

128

Catalog

Description

256

EdgeGateway

name

Media

name

128

Media

Description

256

VMware, Inc.

357

vCloud API Programming Guide

Table 12‑1. Length Limits on Element and Attribute String Values (Continued)
Object

Element or Attribute Name

Maximum Length in Characters

VApp

name

128

VApp

Description

256

VAppTemplate

name

128

VAppTemplate

Description

256

Vdc

name

256

Vdc

Description

256

name

128

ComputerName

15 on Windows, 63 on all other platforms

API Versioning
vCloud API schema version information appears in the values of the xsi:schemaLocation and xmlns
attributes in a response document. For example, a response body that used schema version 1.5 would
include the following attributes:
xmlns="http://www.vmware.com/vcloud/v1.5"
xsi:schemaLocation="https://vcloud.example.com/api/v1.5/schema/master.xsd"

To discover the API versions that a server supports, a client can make an unauthenticated GET request to a
well-known URL on the server, as shown in “Example: Versions Request and Response,” on page 43.
NOTE Starting with API version 1.5, all vCloud API requests are processed in the
http://www.vmware.com/vcloud/v1.5 XML namespace. Treatment of version-specific elements and attributes
in requests is controlled by the value of the Accept header. For example, this Accept header specifies that the
request body is presumed to be valid for vCloud API version 5.5 and a version 5.5 response is expected:
Accept: application/*+xml;version=5.5

Requests are validated against the elements and attributes defined in the specified version. Responses are
filtered to remove elements and attributes that are not defined in the specified version. In general, client
requests can access objects defined by any version of the vCloud API that is less than or equal to the version
specified in the Accept header. Exceptions to this rule are mentioned in the vCloud Director Release Notes.
The vCloud API Schema Reference indicates the deprecation status of elements and attributes, and also
indicates when each element or attribute was added to the API. See “About the Schema Reference,” on
page 22.

Extensibility
The vCloud API provides complete programmatic access to the vCloud Director Extension Services facility
described at Chapter 11, “vCloud Director Extension Services,” on page 329.
In addition, there is a more general extensibility mechanism, VCloudExtension, that clients are free to use.
VCloudExtensibleType is an abstract type that all complex types defined in the vCloud API namespace
extend. It can contain an arbitrary number of elements and attributes, and provides a way for you to add
custom attributes and elements to any type.
The VCloudExtension element has an attribute named required that specifies how clients and servers
proceed when they see an unknown extension. All VCloudExtension elements are assumed to require a
server that understands them. The required attribute is optional, but if omitted is assumed to be present
with a value of true. This extensibility mechanism allows new servers to extend the XML representations
native to the vCloud API without requiring existing clients to understand those extensions.

358

VMware, Inc.

Chapter 12 XML Representations in the vCloud API

A client might encounter a VCloudExtension element in any response. If the element declares
required=”true” and the client does not know how to interpret the contents of the element, the client can
ignore it, but it must include the VCloudExtension in any request to modify the element that contains it. A
server must return a failure when a request includes a VCloudExtension element that declares
required=”true” but the server does not understand the extension. For more information about
VCloudExtension, see the schema reference.
This chapter includes the following topics:
n

“XML Namespace Identifiers,” on page 359

“Common vCloud API Attributes,” on page 360

“Retrieve an Object as an Entity,” on page 362

XML Namespace Identifiers
Elements used as request or response bodies contain a set of attributes that enable XML validation. The
body of a PUT or POST request must contain all XML namespace identifiers required to validate the
elements it contains. A response body typically includes all the XML namespace identifiers that the server
used to validate it, in addition to other attributes that specify the schema locations searched during
validation.
The vCloud API uses these XML namespace identifier attributes and prefixes.
Table 12‑2. XML Namespace Identifiers in the vCloud API
Name

Value

Requirement

xmlns

http://www.vmware.com/vcloud/v1.5

Required in all request bodies.

xmlns:vmext

http://www.vmware.com/vcloud/extension/v1.5

Required in request bodies that include
elements from the vSphere platform
extensions.

xmlns:ve

http://www.vmware.com/schema/ovfenv

Required in request bodies that include
an ovf:Environmentelement.

xmlns:ovf

http://schemas.dmtf.org/ovf/envelope/1

Required in request bodies that include
elements defined in OVF schema
http://schemas.dmtf.org/ovf/envelop
e/1/dsp8023.xsd.

xmlns:rasd

http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/
CIM_ResourceAllocationSettingData

Required in request bodies that include
elements defined in OVF schema
CIM_ResourceAllocationSettingData.x
sd.

xmlns:oe

http://schemas.dmtf.org/ovf/environment/1

Required in request bodies that include
elements defined in OVF schema
dsp8027_1.1.0.xsd.

xmlns:vssd

http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/
CIM_VirtualSystemSettingData

Not required in request bodies.

xsi:schemaLocati
on

An installation-dependent schema location search path.
See http://www.w3.org/TR/xmlschema-0/.

Not required in request bodies.

xmlns:xsi

http://www.w3.org/2001/XMLSchema-instance

Not required in request bodies.

XML Namespace Prefixes in Request and Response Bodies
When a request or response includes elements from multiple XML namespaces, each element name is
prefixed with a namespace identifier. Unless all elements in a request or response originate in the same XML
namespace, these prefixes are required in request bodies, and are always included in response bodies.

VMware, Inc.

359

vCloud API Programming Guide

The examples omit XML namespace identifiers from most responses. The following fragment shows how
some of them appear in a typical response body.

...>
...

Common vCloud API Attributes
Most vCloud API objects have a number of common attributes. With the exception of name, none of these
attributes are required in request bodies, and are ignored if included. All of them are included in response
bodies.

Object Name
Every object requires a name attribute. The string value of this attribute is included in all object references,
and can be used as the display name for the object. The value of name must be unique within a given scope.
Table 12‑3. Requirements for Unique Object Names

360

Object Type

Name Scope

ProviderVdc

Cloud

Org

Cloud

Vdc

Organization

Catalog

Organization

CatalogItem

Catalog

vAppTemplate

None

vApp

Organization

vApp

Media

Catalog

Disk

None

Network

Container (Organization VDC, vApp, or cloud)

VMware, Inc.

Chapter 12 XML Representations in the vCloud API

Object Identifier, Type, and Reference
These attributes are common to all object representations.
id

type

The object type, specified as a MIME content type.

href

Object Creation Status
Objects such as VAppTemplate, VApp, and Vm, that extend the ResourceEntity type have a status attribute
whose value indicates the state of the object. In this table, YES indicates that a status value is allowed for the
object listed in the column header. The status value for a VAppTemplate or VApp, which contain Vm objects
that each have a status attribute of their own, is computed from the status of the contained objects. When
returned in an XML representation, status has a numeric value. When returned by the query service, it has
a string value.
Table 12‑4. status Attribute Values for VAppTemplate, VApp, Vm, and Media Objects
Num
eric
Valu
e

String Value

Description

vAppTem
plate

vApp

Media

-1

FAILED_CREATIO
N

The object could not be created.

YES

UNRESOLVED

The object is unresolved.

YES

RESOLVED

The object is resolved.

YES

DEPLOYED

The object is deployed.

SUSPENDED

The object is suspended.

YES

POWERED_ON

The object is powered on.

YES

WAITING_FOR_IN
PUT

The object is waiting for user
input.

YES

UNKNOWN

The object is in an unknown
state.

YES

UNRECOGNIZED

The object is in an
unrecognized state.

YES

POWERED_OFF

The object is resolved and
powered off.

YES

INCONSISTENT_ST
ATE

The object is in an inconsistent
state.

YES

VMware, Inc.

361

vCloud API Programming Guide

Table 12‑4. status Attribute Values for VAppTemplate, VApp, Vm, and Media Objects (Continued)
Num
eric
Valu
e

String Value

Description

MIXED

vAppTem
plate

vApp

Media

Children do not all have the
same status.

YES

DESCRIPTOR_PEN
DING

Upload initiated, OVF
descriptor pending.

YES

COPYING_CONTE
NTS

Upload initiated, copying
contents.

YES

DISK_CONTENTS_
PENDING

Upload initiated , disk contents
pending.

YES

QUARANTINED

Upload has been quarantined.

YES

QUARANTINE_EX
PIRED

Upload quarantine period has
expired.

YES

REJECTED

Upload has been rejected.

YES

TRANSFER_TIMEO
UT

Upload transfer session timed
out.

YES

VAPP_UNDEPLOY
ED

The vApp is resolved and
undeployed.

YES

VAPP_PARTIALLY
_DEPLOYED

The vApp is resolved and
partially deployed.

YES

VDC objects have their own set of status values and mappings.
Table 12‑5. status Attribute Values for VDC Objects
Numeric
Value

String Value

Description

-1

FAILED_CREATION

The VDC could not be created.

NOT_READY

The VDC is not ready for use

READY

The VDC Is ready for use

UNKNOWN

The VDC status could not be retrieved

UNRECOGNIZED

The VDC status cannot be mapped to a known state.

Retrieve an Object as an Entity
You can use the vCloud API entity resolver with an object's id attribute value to retrieve a context-free
reference to the object.
Every first-class object that the vCloud API defines includes an id attribute whose value is the object
identifier expressed in URN format. The value of the id attribute uniquely identifies the object, persists for
the life of the object, and is never reused.
You can append the value of the id attribute to the vCloud API entityResolver URL to retrieve a contextfree representation of the underlying object as an Entity element.
Prerequisites
Verify that you are logged in to the vCloud API as a system administrator or member of an organization in
the cloud.

362

VMware, Inc.

Chapter 12 XML Representations in the vCloud API

Procedure
1

Retrieve the current Session object to get the entityResolver URL.
Use a request like this one:
GET https://vcloud.example.com/api/session

The response is a Session element like the one shown in “Example: Create a Login Session Using the
Integrated Identity Provider,” on page 45. The Session element contains the entityResolver URL in the
href of the Link element in this excerpt.

...

Append the value of the object's id attribute to the entityResolver URL.

Make a GET request to the URL you created in Step 2
See the request portion of “Example: Using the entityResolver URL,” on page 363.

Example: Using the entityResolver URL
This example retrieves the Vapp object shown in the excerpt “Example: Object id, type, and href Attributes,”
on page 12 as an Entity.
Request:
GET https://vcloud.example.com/api/entity/urn:vcloud:vapp:490af534-1491-452e-8ed6-a5eb54447dac

Response:

VMware, Inc.

363

vCloud API Programming Guide

364

VMware, Inc.

Index

A
access control 84
access rights 87
administrative tasks, about 149
administrator, system 152
AMQP
about 307
certificate and truststore 275
AMQP settings
to test 310
to configure 308
API client, to develop 21
attributes
custom 124
name 360
status 360

B
blocking task, to configure 307
blocking task requests, to monitor 324
blocking task settings, to configure 318
browsing 41

C
catalog
change owner 83
controlling access to 84
for external publication 201
removing items 79
storage profile for 205
subscription endpoint 212
to change owner 149
to delete 149
to administer 197
to create 149, 198
to find 26
to publish externally 211
to retrieve 27, 41
to share 208
to share with specific organizations 209
to synchronize with external source 56, 79,
203
with external subscription 203
catalog item
about 76
to copy 76

VMware, Inc.

to move 76
to change name or description 78
to copy or move 56
to remove 79
to retrieve 28, 41
to synchronize with external source 56, 79
client, REST 21
cloud, administrative view of 50
console, displaying 37

D
datastore
to delete 235
to enable or disable 235
to retrieve or update 235
DHCP 181, 187
dhcp service, in vApp network 131
DHCP service, in Edge Gateway 187
disk, independent 80
download URL 71

E
Edge Gateway
about 169
interface capacity 191
syslog server settings 196
to create 172
to create or update 149
entity, retrieve object as 12
entity resolver, about 362
event, service-specific 341
examples, conventions for 22
extension framework 329
extension services
ACL rules 330, 346
and events 339
and tasks 339
API definition 355
API filters for 354
authorization frameworks for 342
custom rights for 330
links in 330
localization bundles 350
localization of 350
message files 351
resource class actions 345

365

vCloud API Programming Guide

resource classes 343
REST APIs for 353
to register 330, 332
to retrieve list of 330
to unregister 330
URL patterns for 354
external network
to retrieve or update 235
to create 261

F
firewall service
and syslog 196
in Edge Gateway 179
in vApp network 131

G
group
to create, update, or remove 149
to import 223
to import from SAML 225
groups, to administer 219

H
host
to update or repair 235
to enable or disable 235

I
id attribute, and entity resolver 362
independent disk
about 80
list virtual machines using 56
to attach or detach 91, 112
to create 80
to create or update 56
to remove 82
instantiation parameters
in instantiateOvf request 97
in instantiateVAppTemplate request 93
sections allowed in 116
IP address, of virtual machine NIC 134
IP addresses, allocated to network 41

K
keytab, to upload 275

L
LDAP, certificate and keystore 275
Link element, rel attribute 12
load balancer service 184
logging, of firewall actions 179
login
integrated identity provider 44
SAML identity provider 46

366

M
maintenance mode, vApp 116
media
downloading 74
retrieve owner 83
supported formats 72
to copy, move, or delete 56
to insert or remove virtual 91
to upload 55
to upload or download 56
uploading 72
metadata
about 281
to retrieve or modify 283
to search for 303
metadata value, to retrieve or modify 286

N
NAT service
in Edge Gateway 181
in vApp network 131
network
list IP addresses allocated to 41
to create, update, or remove 149
to reset 149
to retrieve 41
network pool
and organization VDC network 169
isolation-backed 267
list of 246
portgroup-backed 269
to create 264
to retrieve or update 235
VLAN-backed 265
VxlanPoolType 251, 264, 267
network services
in Edge Gateway 177
in vApp network 131
list of 169
networks
about 169
DHCP service 187
NAT services 181
to retrieve list from vCenter 245
VPN 186
notifications
format of 312
to enable or disable 308

O
object hierarchy, diagram of 10

VMware, Inc.

Index

object identifiers 12
object references, about 12
organization
retrieve or update settings 157
system 152
to create, update, or remove 149
to retrieve administrative view of 149
to administer 153
to create 153
to enable or disable 149, 160
to remove 160
organization VDC network
about 169
direct 188
isolated 194
routed 191
to administer 169
to configure static routes 182
to create 187
to create, update, or remove 149
organizations
federation of 157
to list 41, 49
OVF, to instantiate 97
OVF descriptor
to download 70
upload URL for 62
OVF environment 139
OVF package
manifest file 60, 66
to upload or download 55
uploading 58
OVF specification 89
OVF upload
initiating 60
to monitor progress of 66
using ranged PUTs 67

P
ProductSection element, to retrieve or
update 91
Provider VDC
resource pool set 255
to retrieve or update 235
to add or remove storage profiles 258
to create 251
to merge 235, 260

Q
queries
packaged 294
typed 290
query service
about 289

VMware, Inc.

and metadata 303
attribute names 299
query parameters 299
query encoding rules 299
query types 290

R
requests
about 18
headers 18, 357
login 24
resource pool
adding 256
list of 235
removing 256
to enable or disable 235
to migrate virtual machines to or from 235
resource pool set, Provider VDC 255
resource pools, to retrieve list from vCenter 244
responses, about 20
right
reference format 231
to create 349
role, to create 227, 231
roles and rights 227

S
SAML
identity provider 46, 219
organization settings for 157
schema files
accessing 22
retrieving 43
schema reference 22
SectionType element, to retrieve or update 127
service
DHCP 187
NAT 181
service links
required and optional elements 336
to add 336
to add or remove 336
to delete 337
Session object, to delete 40
snapshot, of vApp 91
SSL certificate, to upload 275
static routing service
in Edge Gateway 182
in vApp network 131
status attribute
of vApp or vApp template 58
values 360
storage profiles
and storage policies 166, 258
compliance check for virtual machine 91

367

vCloud API Programming Guide

to retrieve list from vCenter 249
to refresh list of 249
system settings, to retrieve or update 239

T
task
blocking 325
service-specific 340
to cancel 149
to retrieve 149
update progress 327
task list, to retrieve 149
task operations 320
timezone, in dateTime values 357
truststore, to upload 275

U
user
list of rights granted 149
to import from SAML 225
to retrieve 149
to update or remove 149
to create 149, 220
to import 222
users, to administer 219

V
vApp
access control for 110, 207
add virtual machines 103
capturing 75, 108
changing owner 83
cloning 106
composing 101
configuration links in 118
controlling access to 84
datacenter operations 89
importing 75, 271
importing from vCenter 270
list of power operations 91
maintenance mode 116
recompose 103
remove virtual machines 103
to change owner 149
to download 56
to import from vCenter as template 235
to import from vSphere 235
to undeploy 38
to capture or clone 91
to change name or description 91
to compose or recompose 91
to configure 116
to create from OVF 91

368

to delete 38
to deploy or undeploy 91
to download as OVF package 68
to enable for download 69
to enter or exit maintenance mode 235
to instantiate 93
to modify vApp network configuration 128
to operate 115
to power off 38
to retrieve 34
to view or modify lease settings 119
to view or modify network settings 119
to view or modify startup settings 119
Vm snapshots 91
vApp network
about 169
to modify 128
to retrieve 169
to view or modify configuration 119
vApp snapshot 114
vApp template
captured from vApp 108
hardware customization 95
retrieve owner 83
to change name or description 56
to copy, move, or delete 56
to create from OVF 56
to download 56
to download as OVF package 68
to enable for download 69
to enable or disable for download 56
to import virtual machine as 272
to instantiate 31, 91
to relocate virtual machine from 91
to retrieve 41
to update 116
to upload or download 55
upload URL 64
uploading vmdk files 66
vCenter server
to attach 240
to register or unregister 235
to update settings 235
vCenter resources, to discover 242
vCloud API
and RESTful programming style 9
revision history 7
VDC
allocation models 161
instantiateVAppTemplate action 30
networks in 30
SupportedHardwareVersion elements 161

VMware, Inc.

Index

to create, update, or remove 149
to add or remove storage profiles 166
to administer 160
to create 161
to enable or disable 149, 168
to find 26
to remove 168
to retrieve 41
virtual hardware, vmx versions supported by
Provider VDC 251
virtual machine
available for import 247
CPU configuration 136
disks 142
guest customization for 137
hard disk configuration 143
importing 271
importing from vCenter 270
network cards 142
question from 111
to update NetworkConnectionSection 134
to update storage profile 146
to attach or detach independent disk 91
to consolidate 91
to import into existing vApp 235
to install VMware tools 91
to relocate 91, 273
to relocate to a new instance of a storage
profile 146
to update multiple sections 125
to upgrade hardware version 91
to view or modify CPU properties 122
to view or modify guest customization
properties 122
to view or modify memory settings 122
to view or modify network cards 122
to view or modify network connection 122
to view or modify operating system
properties 122
to view or modify virtual disks 122
Vm
configuration links in 120
list of power operations 91
pending question 91
to reboot or reset 91
to retrieve 41
vmdk file, to download from template 71
VMware Tools
to install 91
to retrieve installed version 91
vSphere
operations 52
retrieve object URL 277

VMware, Inc.

vSphere client, to generate URL for use by 235
vSphere object, retrieve URL to access
directly 235
vSphere object map 279
vSphere platform, to manage 235

W
workflow, example of 23

X
XML
compressed responses 18
validation of 18
XML namespaces 359
XML schemas, reference information 357

369

vCloud API Programming Guide

370

VMware, Inc.

Source Exif Data:

File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.4
Linearized                      : No
Author                          : VMware, Inc.
Create Date                     : 2013:09:16 05:01:23-08:00
Modify Date                     : 2013:09:16 05:01:23-08:00
Creator                         : AH XSL Formatter V5.3 MR5 for Windows : 5.3.6.0 (2012/12/04 12:44:48)
Producer                        : Antenna House PDF Output Library 2.6.0 (Windows)
Title                           : vCloud API Programming Guide - vCloud Director 5.5
Trapped                         : False
Page Count                      : 370
Page Mode                       : UseOutlines
Page Layout                     : SinglePage
Language                        : EN

EXIF Metadata provided by EXIF.tools

Vmware VCloud API Programming Guide Director 5.5 V Cloud Vcd 55

Navigation menu

Versions of this User Manual:

Views

Navigation