Create IBM SmartCloud Orchestrator-compatible images for Windows

Creating images you can deploy through IBM SmartCloud Orchestrator requires knowledge of the operating system, the hypervisor on which the images are going to be deployed, and the corresponding hypervisor manager. Learn how to easily and smoothly prepare a SmartCloud Orchestrator-compatible image for Windows®.


Rossella De Gaetano, IBM SmartCloud Orchestrator Field Quality Management Team Leader, IBM

Rossella De Gaetano is the technical leader for the IBM SmartCloud Orchestrator Field Quality team. She is responsible for supporting proofs of concept, managing customer situations, and improving the overall quality of the product.

Paolo Ottaviano, IT Specialist, IBM

Paolo Ottaviano is an infrastructure IT specialist at the IBM SWG Rome Tivoli Laboratory. He has 18 years of experience in the IT field. Over the past years, he has been working on IBM cloud solutions oriented to private clouds. His areas of expertise are IBM SmartCloud Orchestrator, OpenStack, IBM Service Delivery Manager and Tivoli Service Automation Manager.

10 June 2014



Shift from enterprise virtualization to dynamic cloud

Christopher Rosen, IBM Worldwide Cloud and Smarter Infrastructure Cloud team lead, notes that the "deployment of IBM SmartCloud Orchestrator... represented the end of enterprise virtualization and beginning of dynamic cloud." He said this shift will dramatically increase time savings and efficiency gains in five specific areas. Read more in Rosen's Thoughts on cloud blog entry.

Cloud computing can help dramatically increase the speed of delivery of new business services. IBM SmartCloud Orchestrator is an integrated cloud automation platform designed to help orchestrate the development, deployment, and management of robust enterprise cloud services. With SmartCloud Orchestrator, you can:

  • Accelerate the delivery of cloud services using an orchestration engine.
  • Automate the deployment of whole multi-node application topologies.
  • Monitor the health, performance, and planning capabilities of the cloud environment.
  • Track and analyze the cost of your various cloud resources.

An important task in cloud computing is the creation of the image. This requires knowledge of the underlying operating system, the hypervisor you'll use to deploy the images, and the manager controlling that hypervisor. In this article, we'll take you through this task using Windows as the guest OS.

To begin, let's establish some common terminology and summarize the general process to create a SmartCloud Orchestrator-compatible image. You will be able to easily adapt the process to an already existing image you want to deploy through SmartCloud Orchestrator. We'll explain the common issues found while creating an image and how to debug and fix them.

Because we use a VMware-based system in this article, we use the VMware terminology. However, you can easily extend the procedure to KVM regions.

We use "image" or "virtual image" to identify the image template, while we use "instance" or "virtual instance" to identify a virtual machine (VM) deployed through SmartCloud Orchestrator.

The steps to create a SmartCloud Orchestrator-compatible image are fairly simple:

  1. Create an image template in the hypervisor.
  2. Install the base OS.
  3. Set and check SmartCloud Orchestrator prerequisites.
  4. Import the image into the Image Construction and Composition Tool (ICCT) component of SmartCloud Orchestrator.
  5. Extend the image in ICCT.
  6. Synchronize the image in ICCT.
  7. Capture the image in ICCT.

We'll go into more detail about what each of these means in the following sections.

For simplicity, we assume the same user will complete the steps, but because different steps in the procedures could be done by different people with different roles, we will specify the needed privileges and roles for each step.

To create a SmartCloud Orchestrator-compatible image, you must have access with admin role to VMware vCenter, and you must have access to ICCT UI (ICCT is single-user, so no role is specified) and the Virtual Image Library component of SmartCloud Orchestrator (VIL) UI.

You must have access to the ISO file corresponding to the OS you would like to install. See the list of operating systems supported in a SmartCloud Orchestrator environment.

For simplicity, let's assume the image is already created in the VMware hypervisor (Step 1) and that the OS is installed (Step 2). So we are already at Step 3, setting and checking the SmartCloud Orchestrator prerequisites.

Set and check the SmartCloud Orchestrator prerequisites

To ensure that the image will successfully deploy through SmartCloud Orchestrator, specific configuration changes are needed. Typically, if one or more prerequisites is missing, the instance is powered on; in the SmartCloud Orchestrator UI, it hangs in "Checking to see if virtual system <system's name> is started" status.

Following is an example of how to configure a Windows 2008 R2 so it is SmartCloud Orchestrator-compatible.

IBM Workload Deployer and Image Construction and Composition Tool components use RXA protocol to connect to the deployed image (at deployment and synchronization time, respectively) and to copy over needed files — the activation engine package, for example.

To ensure that the RXA protocol works properly, you must apply a set of configuration steps in the image.

You must configure the Windows firewall to allow incoming ICMP and RDP connections. To enable Remote Desktop Firewall Exception, go to Start > Computer, right-click, and select Properties, go to the Remote tab and ensure that Allow connections from computers running any version of Remote Desktop is selected, then click Apply. You'll get a "Remote Desktop Firewall exception will be enabled" message; click OK twice.

Figure 1.
Screenshot shows the Windows firewall screens

For ICMP, the predefined rule in the Windows firewall is "File and Printer Sharing (Echo Request - ICMPv4-In)." To edit this configuration, go to Start > Control Panel > System and Security > Windows Firewall, click Advanced Settings, then select Inbound Rules. Look for the rule named "File and Printer Sharing (Echo Request - ICMPv4-In)." Open the rule by double-clicking on it and make sure that:

  • Under the Advanced tab, all the profiles (Domain, Private, and Public) to which the rule applies are checked.
  • Under the Scope tab, Any IP address is checked.
Figure 2.
Screenshot shows the Windows Inbound Rules
Figure 3.
Screenshot shows the Advanced tab under File and Printer Sharing
Figure 4.
Screenshot shows the Scope tab under File and Printer Sharing

Port 445 must not be blocked by a firewall. The predefined rule in the Windows firewall for this port is Netlogon Service (NP-In).

Figure 5.
Screenshot of the predefined rule for NP-in in Windows firewall

For OpenStack, to allow incoming RDP connections, make sure port 3389 is not blocked by a firewall.

Figure 6.
Screen shot of the predefined rule for port 3389 in Windows firewall.

You might have to disable User Account Control if your account is not a domain user account. If you have a domain user account, ensure that the local and the target machine are both members of a Windows domain.

If you are a member of a local administrators group and you use a local user account, you must perform administrative tasks on the target machine.

Disable User Account Control when you administer a workstation with a Security Account Manager local user account. If you do not disable this option, you do not connect as a full administrator and cannot perform administrative tasks. To disable User Account Control:

  • Click Start > Run, enter regedit, click OK or press Enter.
  • Locate and click the registry subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
  • If the LocalAccountTokenFilterPolicy registry entry does not exist, on the Edit menu, choose New and click DWORD Value. Enter LocalAccountTokenFilterPolicy, press Enter, right-click LocalAccountTokenFilterPolicy, and click Modify. In the Value data field, enter 1 and click OK.
  • Restart the computer.
Figure 7.
Screen shot of the Registry Editor

Check that User Account Control is set to default by going to Start, then in Search programs and files, enter uac.

Figure 8.
Screenshot of the User Account Control Settings

Ensure that Enable NetBIOS over TCP/IP is selected for the network connections properties of the computer. From the Control Panel, go to Network and Dial-Up Connections > Properties > Internet Protocol (TCP/IP) > Advanced > WINS > Enable NetBIOS over TCP/IP.

Figure 9.
Screenshot of the network connection path to enable NetBIOS over TCP/IP.

Note: Before you create the template, remember to disconnect any ISO file you may have added to the image (typically to install the OS) because it interferes with the image activation logic (the activation engine passes the configuration instructions through an ISO file).

Figure 10.
Screenshot of the network connection path to enable NetBIOS over TCP/IP

When you create an image template, ensure that it has only one network card; you can add more at deployment time using the NIC add-ons.
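A read-only check of the prerequisites listed in this section, meant to be run inside the image before the template is created. This is an added example, not part of the original article or of SmartCloud Orchestrator; it assumes English rule display names, and the Remote Desktop rule name, the function names and the report layout are assumptions.

```powershell
# Added example, not from the original article. Read-only: it changes nothing.
# Run inside the image from an elevated PowerShell 2.0+ prompt (Windows Server 2008 R2).
# Rule names are the English defaults, typed with an ASCII hyphen. The Remote Desktop
# rule name is an assumption: the article shows that rule only in a screenshot.
$ruleNames = @(
    'File and Printer Sharing (Echo Request - ICMPv4-In)',   # ICMP echo
    'Netlogon Service (NP-In)',                              # port 445
    'Remote Desktop (TCP-In)'                                # port 3389 (assumed name)
)

function New-Check {
    param($Check, $Ok, $Detail)
    New-Object PSObject -Property @{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

function Get-RuleState {
    param([string]$Name)
    $text = & netsh advfirewall firewall show rule "name=$Name" | Out-String
    # One display name can match several rules (for example one per profile set),
    # so split the output into one block per rule and merge the enabled ones.
    $enabled = $false; $profiles = @(); $remote = @()
    foreach ($block in ($text -split '(?m)^Rule Name:')) {
        if ($block -notmatch '(?m)^Enabled:\s+Yes') { continue }
        if ($block -notmatch '(?m)^Action:\s+Allow') { continue }
        $enabled = $true
        if ($block -match '(?m)^Profiles:\s+(\S+)') { $profiles += $Matches[1] -split ',' }
        if ($block -match '(?m)^RemoteIP:\s+(\S+)') { $remote += $Matches[1] }
    }
    $detail = 'profiles=' + (($profiles | Sort-Object -Unique) -join ',') +
              ' remoteip=' + (($remote | Sort-Object -Unique) -join ',')
    New-Check "Firewall: $Name" $enabled $detail
}

function Get-PrereqReport {
    $report = @()
    foreach ($n in $ruleNames) { $report += Get-RuleState $n }

    # LocalAccountTokenFilterPolicy = 1 gives local administrator accounts a full
    # (unfiltered) token on remote connections, which is what RXA relies on here.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    $report += New-Check 'LocalAccountTokenFilterPolicy' ($val -eq 1) "value=$val"

    # TcpipNetbiosOptions: 0 = take setting from DHCP, 1 = enabled, 2 = disabled.
    $cfg = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
    $nb  = @($cfg | Where-Object { $_.TcpipNetbiosOptions -eq 1 })
    $ok  = ($cfg.Count -gt 0) -and ($nb.Count -eq $cfg.Count)
    $report += New-Check 'NetBIOS over TCP/IP enabled' $ok "adapters=$($cfg.Count)"

    # The template should carry exactly one network card.
    $nics  = @(Get-WmiObject Win32_NetworkAdapter -Filter 'PhysicalAdapter = TRUE')
    $names = ($nics | ForEach-Object { $_.NetConnectionID }) -join ','
    $report += New-Check 'Single network card' ($nics.Count -eq 1) "connections=$names"

    # A still-connected installation ISO shows up as loaded media in the guest.
    $loaded = @(Get-WmiObject Win32_CDROMDrive | Where-Object { $_.MediaLoaded })
    $report += New-Check 'No ISO left connected' ($loaded.Count -eq 0) "loaded drives=$($loaded.Count)"

    $report | Select-Object Check, Ok, Detail
}

Get-PrereqReport | Format-Table -AutoSize -Wrap
```

The Detail column lists the profiles and remote address scope of each enabled rule, so the ICMP rule can be compared against the Advanced and Scope settings described above.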

Wait for VIL to discover the image

After the template is prepared, you can see the image in VIL UI. Because VIL discovers new images in VMware every two minutes, a short delay might happen between when the capture completes and when you see the image in VIL. VIL has two operational repositories for the same VMware region, one for OpenStack and one for VMware. The latter is identified by the small chain icon.

The OpenStack repository is populated collecting information from Glance. The VMware repository is populated by talking directly to VMware. At the end, their content should be exactly the same. If there are discrepancies (for example, the image is shown in one repository and not the other) you can force the synchronization from VIL UI by selecting an operational repository, then selecting Actions > Synchronize repositories. Wait for the synchronization task to complete before issuing the synchronization on the second repository.

You cannot import the image into ICCT until you see it in the VIL.

Figure 11.
Screenshot showing the Images tab in the VIL

Note: If you plan to manage a large environment, to help accelerate VIL performance, we suggest you configure VIL not to see the deployed images.

Import the image in ICCT

VMware templates are not immediately consumable by SmartCloud Orchestrator because they are lacking the activation engine. The activation engine is a set of binaries responsible for the personalization and de-personalization of the image. It is responsible for assigning, at deployment time, the correct network configuration to the instance (for example, hostname, IP address, DNS, gateway), and the new password to the administrator user, setting up the product key, and triggering the setup of the specific software customization scripts you may have added into the image through ICCT software bundles. This piece of software is installed and configured inside the image template by ICCT.

For simplicity, let's assume that no software bundles and no personalities are added to the image. For more information, see Working with IBM Image Construction and Composition Tool.

The image must be listed in the VIL OpenStack operational repository and successfully basic-indexed before you can import the image in ICCT.

Despite its name, the import process is not copying and retrieving the disks of the image. Instead, it involves creating a pointer to that image and generating the proper image metadata. By metadata, we mean the collection of artifacts that describe that image at pattern design time and at image deploy time — how many parts (personalities) are included in the image, which parameters are configurable by the end user at deployment time (root password, for example), and which parameters are configured by the provisioning engine at deployment time (DNS, for example).

To import the image, log in to ICCT UI. We do not specify any role here since ICCT is single-user. Click Build and manage images.

Figure 12.
Screenshot of the ICCT welcome page with the build and manage images link highlighted

If you have multiple systems, ensure that you are pointing to the right cloud provider (select it from the upper-right drop-down list) and click the Import from Cloud Provider icon.

Figure 13.
Screenshot of the ICCT Images page with the Import from CloudProvider icon highlighted

Select the newly created image and click Add.

Figure 14.
Screenshot of the Import from CloudProvider window and the image to add is highlighted

Click Import.

Extend the image in ICCT

The extension process is the first step in the creation of a new SmartCloud Orchestrator-compatible virtual image. This step does not involve OpenStack or the hypervisor; it is self-contained in ICCT. It creates another image object inside ICCT and copies the metadata from the base image.

To extend an image from ICCT, click the Extend icon in the image window of the GUI.

Figure 15.
Screenshot of the opened image details window in ICCT with the extend icon highlighted

The status of the image in ICCT is "Out of sync," which reflects that there is no image in the hypervisor that corresponds to the extended one.

Figure 16.
Screenshot showing that the image details are now extended and out of sync

Also of note is that the extended image has an additional software bundle.

Figure 17.
Screenshot showing the image details and additional software bundle

ICCT at the extension stage is promising to install that software bundle, but so far nothing has been added to the image. Remember that the image does not yet exist in the hypervisor.

The Enablement Bundle is responsible for installing the correct version of the activation engine, if it is not already installed, and for configuring it.

Synchronize the image in ICCT

Synchronizing the image in ICCT creates a virtual instance starting from the base image, and adds the Enablement Bundle and all the software bundles you may have added during the previous step to that instance. While performing this action, ICCT interacts only with OpenStack (through iaasgateway); no other components are directly involved in this process. (Workload Deployer does not enter into the synchronization game.)

To start the synchronization, click the Synchronize button.

Figure 18.
Screenshot showing the image details and highlighting the synchronize button

You are asked to select a flavor, a network, a cloud provider, and to specify the root password. This password is the one set into the image when you installed the OS. Click Next.

Figure 19.
Screenshot showing the parameter choices to select from and password fields to enter before the image is synchronized

Be careful entering information in the Synchronize the image panel. The majority of synchronization failures happen because of data entered incorrectly. For example: Using a password that is not the actual administrator password or specifying the wrong network prevents ICCT from connecting (through RXA) to the image and moving the binaries for the enablement bundle and the other software bundles you added when extending the image. Specifying a too-small flavor also prevents OpenStack from creating the image.

Be sure to enter the product key, then click Done.

Figure 20.
Screenshot showing the values for bundle parameters choices to enter, with the Product Key field highlighted.

After synchronization completes, the status of the image is set to synchronized.

Figure 21.
Screenshot showing the image details window and status is now shown as synchronized

Note: It is important to correctly configure the hostname resolution; otherwise, the RXA connection between ICCT and the deployed image times out and the synchronization fails.


In case of synchronization failure, you can:

  • Look at ICCT traces (/drouter/ramdisk2/mnt/raid-volume/raid0/logs/trace/trace.log).
  • Check that the instance is actually created in OpenStack. Run nova list and ensure that the image (named ICCT <a number>) is present in the output and its status is ACTIVE.
  • Check that you can connect by Remote Desktop to the instance.
  • If the image is in ERROR state in OpenStack, use nova show <image UUID> to get additional details on the failure. If there is nothing meaningful there, consider that what ICCT does is the equivalent of this command: nova boot --flavor <flavor id> --image <image id> --nic net-id=<net uuid> <a name of your choice>, where <flavor id> is the flavor ID that corresponds to the flavor you selected at synchronization time; <image id> is the UUID of the base image in Glance (you can check it using glance image-list), and <net uuid> is the UUID of the network that corresponds to the network selected at synchronization time. (You can check it using nova-manage network list.) If this command fails, investigate /var/log/nova/smartcloud.log and/or /root/.SCE31/logs/skc-0.log for the root cause.
  • If you use SmartCloud Orchestrator 2.3 without fixpack 1, note the name of the network connection: it must be Local Area Connection or the image will not have an assigned IP address.
    Figure 22.
    Screenshot of the Network and Sharing Center window with Local Area indication highlighted

    Fixpack 1 removed this limitation.

Capture the image in ICCT

This is the final step that actually generates a new image you can later import in SmartCloud Orchestrator and deploy as part of a pattern.

Capturing an image through ICCT triggers actions to:

  • Depersonalize the instance — that is, /opt/ibm/ae/ –reset is run in the instance
  • Shut down the instance
  • Convert the VM into a template
  • Create an image in OpenStack
  • Associate its own metadata to the image in OpenStack

All of these actions are automatically done and do not require human interaction. For the capture step, ICCT talks only to OpenStack through iaasgateway; no other components are involved. OpenStack "talks" to VMware (through SmartCloud driver and SmartCloud Entry).

To capture, simply click Capture.

Figure 23.
Screenshot showing the image details window with the Capture button highlighted

After the capture process is done, the status shows as completed.

Figure 24.
Screenshot showing the image details window with Completed status highlighted

The image is ready to be used in SmartCloud Orchestrator:

  • Wait for the newly created image to be discovered and indexed by VIL.
  • Register the image in Workload Deployer.
  • Create a virtual system pattern.
  • Add the newly registered image to the pattern.
  • Deploy the pattern.

Note: When provisioning, be sure to specify a valid product key and administrator password that adhere to Windows policies and thereby avoid a sysprep fail.


Now you know how to create a SmartCloud Orchestrator-compatible image for a Windows environment. We've provided instruction for the mechanisms needed to complete the process to satisfy OS, hypervisor, and hypervisor manager requirements for various images to deploy in a Windows environment.

You should now be able to easily and smoothly prepare a SmartCloud Orchestrator-compatible image for Windows.




