Archive for the ‘web service’ Tag

Implementing SSL on the OC and Web Service

I’ve moved everything from this blog over to jmattivi.blogspot.com and updated all of the scripts to have straight quotes.  If any don’t work as posted, please let me know!

For further posts please see jmattivi.blogspot.com.

Thanks!

 

In this post I’ll explain how to set up SSL on the Orchestration Console (OC) and Web Service (WS) while also redirecting http traffic to https.  For these examples, I’ve set up the OC on port 443 and the WS on 8443.

Since the OC and WS are now hosted through IIS, all the settings are made through IIS.  First, you need to set up the bindings on each site as shown below.  I’ll explain in a bit why we want to leave 80 enabled in the bindings.

Orchestration Console Bindings

Within the https port from Edit, you can upload and select the cert you wish to use on the server from the drop down list.

Web Service Bindings

Now that the OC and WS are enabled for https, we need to set up redirection from port 80 over to port 443 on the Orchestration Console.  Based on what was previously done, we only need to do this for the OC since the WS is only enabled for port 8443.  For a great resource on the redirection, see this link that explains how to do this using the URL Rewrite tool – http://www.jppinto.com/2010/03/automatically-redirect-http-requests-to-https-on-iis7-using-url-rewrite-2-0/.

To have the redirection work successfully using the URL Rewrite tool, it’s necessary that the SSL settings are left at the default NOT to require SSL on the OC.  This allows the traffic to hit port 80 and then the redirection will kick in.  This is why port 80 is left on the bindings as well.

Finally, we need to edit the OC’s web.config file with the new “https://” address and FQDN path of the WS.  You can also see at the bottom of the screenshot below where the URL Rewrite tool adds the redirection.

If you don’t edit the OC’s web.config file, you’ll get this error after opening/logging into the OC since it can’t find the web service.

Now when you browse to the Orchestration Console on port 80 using the server’s host name, IIS will automatically redirect the connection over to https.

By default, the Orchestration Console and Web Service also have pass-through authentication enabled.  If you use privileged accounts to perform administrative tasks, separate from the account you regularly log in to Windows with, you’ll also want to set up Basic Authentication on both the OC and WS.  This way when you browse to the site, it will prompt for a username and password to log in with.
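
What the redirect section that the URL Rewrite tool adds to the OC’s web.config typically looks like, together with a check for it.  This is an added example, not the configuration from the original post’s screenshot: the web.config fragment is constructed, the rule name is arbitrary, and Get-HttpsRedirectRule is a hypothetical helper name.

```powershell
# Constructed web.config fragment: the usual shape of an HTTP-to-HTTPS rule
# written by the URL Rewrite module. The rule name is arbitrary.
$webConfig = @'
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="HTTP to HTTPS redirect" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
'@

# Hypothetical helper: returns the names of enabled rules that send
# plain-HTTP requests ({HTTPS} is off) to an https:// URL.
function Get-HttpsRedirectRule {
    param([string]$ConfigXml)
    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null   # do not fetch DTDs or external entities
    $doc.LoadXml($ConfigXml)
    foreach ($rule in $doc.SelectNodes('/configuration/system.webServer/rewrite/rules/rule')) {
        $action   = $rule.SelectSingleNode('action')
        $httpsOff = $rule.SelectSingleNode("conditions/add[@input='{HTTPS}']")
        if ($rule.GetAttribute('enabled') -ne 'false' -and $action -and $httpsOff -and
            $action.GetAttribute('type') -eq 'Redirect' -and
            $action.GetAttribute('url').StartsWith('https://') -and
            $httpsOff.GetAttribute('pattern') -match '^\^?off\$?$') {
            $rule.GetAttribute('name')
        }
    }
}

# An empty result means port 80 requests are not being redirected by this file.
Get-HttpsRedirectRule $webConfig
```

To check a live site, pass the file contents instead of the sample, for example with Get-Content -Raw on the OC’s web.config.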

Prevent Multiple Invocations of a Runbook


There are many occasions where you may want to prevent someone (or a schedule) from starting (queuing up) another instance of a Runbook if it’s already running.  There are three ways I’ve found to accomplish this: using counters, using the database query activity to look up a running job, and using the web service.

While using counters may be the best solution to prevent workflows from running before a prerequisite workflow completes, it’s not the best solution to prevent inadvertently queuing up another runbook instance.

The database query activity can be used in this scenario to query the PolicyInstances table to see if a specific runbook is already running.

The query used would look like this.  Note you need to use the specific Runbook name in the query.

Select POLICIES.Name,POLICYINSTANCES.Status,POLICYINSTANCES.TimeStarted,POLICYINSTANCES.TimeEnded
From POLICYINSTANCES,POLICIES
Where (POLICIES.UniqueID = POLICYINSTANCES.PolicyID) AND TimeEnded is null AND POLICIES.Name = '0.1 Runbook B'

Based on the query results, you can use the Link logic to either start the Runbook or send an email that the Runbook is already running and cannot start at this time.

The .NET Script activity can be used in this scenario to query the Jobs collection of the Web Service to see if a specific runbook is already running.

The PowerShell script to query the Jobs collection is a little different than I’ve used in prior posts.  Sometimes it’s tedious to look up the RunbookID guid, so this way you can specify the name of the runbook without the guid.  This is accomplished by pointing to the Jobs collection and also expanding the Runbook collection to grab its associated data.  Then you can use the filter and select statements in the OData query to filter on the name of the runbook.

Here is the URL for the GET request.  Note you need to specify the collection name and property name together for the collection that’s expanded.

$url = "http://scorch.domain:81/Orchestrator2012/Orchestrator.svc/Jobs()?`$expand=Runbook&`$filter=(Status eq 'Running') and (Runbook/Name eq '0.1 Runbook B')&`$select=Runbook/Name,Status"

Here is the complete script to query the web service (fields in red would need to be updated per your environment):

#########################################################################################

# Credentials used for the web service request
$user = "domain\username"
$pass = ConvertTo-SecureString "password" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PsCredential($user,$pass)

# Running jobs whose expanded Runbook has this name; the backticks keep $expand, $filter and $select literal
$url = "http://scorch.domain:81/Orchestrator2012/Orchestrator.svc/Jobs()?`$expand=Runbook&`$filter=(Status eq 'Running') and (Runbook/Name eq '0.1 Runbook B')&`$select=Runbook/Name,Status"
$request = [System.Net.HttpWebRequest]::Create($url)
$request.Credentials = $creds
$request.Timeout = 120000
$request.ContentType = "application/atom+xml,application/xml"
$request.Headers.Add("DataServiceVersion", "2.0;NetFx")
$request.Method = "GET"

# Send the request and read the whole Atom feed into $Output
$response = $request.GetResponse()
$requestStream = $response.GetResponseStream()
$readStream = New-Object System.IO.StreamReader $requestStream
$Output = $readStream.ReadToEnd()
$readStream.Close()
$response.Close()
$Output

#########################################################################################

Here is the output from the request when Runbook B is NOT running:

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<feed xml:base="https://scorch.domain:81/Orchestrator2012/Orchestrator.svc/" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" xmlns="http://www.w3.org/2005/Atom">
  <title type="text">Jobs</title>
  <id>https://scorch.domain:81/Orchestrator2012/Orchestrator.svc/Jobs</id>
  <updated>2012-02-19T18:59:26Z</updated>
  <author>
    <name />
  </author>
  <link rel="self" title="Jobs" href="Jobs" />
</feed>

Here is the output when Runbook B is currently running:

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<feed xml:base="https://scorch.domain:81/Orchestrator2012/Orchestrator.svc/" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" xmlns="http://www.w3.org/2005/Atom">
  <title type="text">Jobs</title>
  <id>https://scorch.domain:81/Orchestrator2012/Orchestrator.svc/Jobs</id>
  <updated>2012-02-19T19:01:19Z</updated>
  <link rel="self" title="Jobs" href="Jobs" />
  <entry m:etag="W/&quot;datetime'2012-02-19T19%3A00%3A53.29'&quot;">
    <id>https://scorch.domain:81/Orchestrator2012/Orchestrator.svc/Jobs(guid'4f104fcd-d626-421d-9f75-c8c8320048e0')</id>
    <title type="text"></title>
    <published>2012-02-19T19:00:49-05:00</published>
    <updated>2012-02-19T19:00:53-05:00</updated>
    <author>
      <name />
    </author>
    <link rel="edit" title="Job" href="Jobs(guid'4f104fcd-d626-421d-9f75-c8c8320048e0')" />
    <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/Runbook" type="application/atom+xml;type=entry" title="Runbook" href="Jobs(guid'4f104fcd-d626-421d-9f75-c8c8320048e0')/Runbook">
      <m:inline>
        <entry m:etag="W/&quot;datetime'2012-02-19T03%3A57%3A55'&quot;">
          <id>https://scorch.domain:81/Orchestrator2012/Orchestrator.svc/Runbooks(guid'034d6f78-0529-4111-b317-24d75fb42493')</id>
          <title type="text">0.1 Runbook B</title>
          <published>2012-02-19T03:57:20-05:00</published>
          <updated>2012-02-19T03:57:55-05:00</updated>
          <author>
            <name />
          </author>
          <link rel="edit" title="Runbook" href="Runbooks(guid'034d6f78-0529-4111-b317-24d75fb42493')" />
          <category term="Microsoft.SystemCenter.Orchestrator.WebService.Runbook" scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
          <content type="application/xml">
            <m:properties>
              <d:Name>0.1 Runbook B</d:Name>
            </m:properties>
          </content>
        </entry>
      </m:inline>
    </link>
    <category term="Microsoft.SystemCenter.Orchestrator.WebService.Job" scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
    <content type="application/xml">
      <m:properties>
        <d:Status>Running</d:Status>
      </m:properties>
    </content>
  </entry>
</feed>

So you can see in the output above, you can use link logic to find “<d:Status>Running</d:Status>” in the output from the query to determine if 0.1 Runbook B can be started.
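
An added example (not part of the original post): instead of matching the text of the output, the feed can be parsed as XML so that only top-level Job entries count, and the runbook name can be escaped before it goes into the $filter so that a quote or ampersand in a name cannot change the query.  Get-JobsQueryUrl and Test-RunbookRunning are hypothetical helper names, and both sample feeds are constructed, trimmed versions of the two outputs above.

```powershell
# Hypothetical helper: builds the Jobs query URL for a runbook name.
function Get-JobsQueryUrl {
    param([string]$BaseUrl, [string]$RunbookName)
    # OData string literals escape a single quote by doubling it.
    $literal = $RunbookName.Replace("'", "''")
    $filter  = "(Status eq 'Running') and (Runbook/Name eq '$literal')"
    # Percent-encode the filter so '&', '#' or spaces in a name cannot change the query string.
    $encoded = [System.Uri]::EscapeDataString($filter)
    "$BaseUrl/Jobs()?`$expand=Runbook&`$filter=$encoded&`$select=Runbook/Name,Status"
}

# Hypothetical helper: true when the feed holds at least one top-level Job entry with Status Running.
function Test-RunbookRunning {
    param([string]$FeedXml)
    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null   # do not fetch DTDs or external entities
    $doc.LoadXml($FeedXml)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('a', 'http://www.w3.org/2005/Atom')
    $ns.AddNamespace('m', 'http://schemas.microsoft.com/ado/2007/08/dataservices/metadata')
    $ns.AddNamespace('d', 'http://schemas.microsoft.com/ado/2007/08/dataservices')
    # The expanded Runbook entry sits under m:inline, so it is not matched here.
    $jobs = $doc.SelectNodes("/a:feed/a:entry[a:content/m:properties/d:Status='Running']", $ns)
    $jobs.Count -gt 0
}

# Constructed sample feeds, trimmed from the two outputs shown above.
$idle = @'
<feed xmlns="http://www.w3.org/2005/Atom"><title type="text">Jobs</title></feed>
'@
$running = @'
<feed xmlns="http://www.w3.org/2005/Atom"
  xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices"
  xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">
 <entry>
  <link title="Runbook" href="Jobs/Runbook"><m:inline><entry><content type="application/xml">
   <m:properties><d:Name>0.1 Runbook B</d:Name></m:properties></content></entry></m:inline></link>
  <content type="application/xml"><m:properties><d:Status>Running</d:Status></m:properties></content>
 </entry>
</feed>
'@

Get-JobsQueryUrl 'http://scorch.domain:81/Orchestrator2012/Orchestrator.svc' "Bob's Runbook & Co"
Test-RunbookRunning $idle
Test-RunbookRunning $running
```

In the .NET Script activity, the boolean from Test-RunbookRunning can be published as returned data and used in the link logic in place of the string match.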