A - Deploy two PSC 6.0 Appliances in the same site:
Deploy the first PSC 6.0 Appliance.
Deploy the additional PSC 6.0 Appliance joining the first PSC under the same site.
B - Perform the following on the first PSC Node:
- Download the PSC HA Scripts available at VMware Download Platform Services Controller 6.0.
- Extract the contents to /ha on the first PSC.
- (Optional) The command in Step 5 generates a certificate issued by the VMCA with a CN value of the load balanced fully qualified domain name (FQDN). If you want to configure the VMCA as a subordinate of an existing CA, VMware recommends that you stop and perform that action now, on both PSCs, before proceeding with Step 5. For more information, see Configuring vSphere 6.0 VMware Certificate Authority as a subordinate Certificate Authority (2112016).
Notes:
- Use each local FQDN when configuring each VMCA as a subordinate CA. Do not use the Load Balanced FQDN when configuring each VMCA as a subordinate CA.
- If you are using a trusted certificate on the Load Balancer, VMware also recommends using a trusted certificate for the Platform Services Controller Machine SSL.
- (Optional) If you want to exclusively use your own CA, and not leverage VMCA, perform these steps to create the certificates. Otherwise, proceed to Step 5.
- Save a copy of the /usr/lib/vmware-vmca/share/config/certool.cfg file to the /ha folder.
- Edit the copy of certool.cfg located at /ha and set the values as required, ensuring that the values for Name and Hostname are set to the correct Load Balanced FQDN.
For example:
#
# Template file for a CSR request
#
# Country is needed and has to be 2 characters
Country = US
Name = hostname.example.com
Organization = AcmeOrg
OrgUnit = AcmeOrg Engineering
State = California
Locality = Palo Alto
IPAddress = 127.0.0.1
Email = [email protected]
Hostname = hostname.example.com
- Run this command to generate a Certificate Signing Request (CSR) and Private Key pair based on the certool.cfg file edited above:
/usr/lib/vmware-vmca/bin/certool --initcsr --privkey=/ha/psc-ha.privkey --pubkey=/ha/psc-ha.pubkey --csrfile=/ha/psc-ha.csr --config=/ha/certool.cfg
For example:
/usr/lib/vmware-vmca/bin/certool --initcsr --privkey=/ha/psc-ha.privkey --pubkey=/ha/psc-ha.pubkey --csrfile=/ha/psc-ha.csr --config=/ha/certool.cfg
This is deprecated. Use gencsr instead.
Using config file : /ha/certool.cfg
Status : Success
- Provide the CSR file to your CA and obtain the certificate file. For more information on obtaining certificates from a Microsoft CA, see Obtaining vSphere certificates from a Microsoft Certificate Authority (2112014).
- Save the certificate to /ha/custom_lb.crt.
- Rename psc-ha.privkey to custom_lb.key.
- Save the Root CA certificate as custom_root.crt.
- Run this command on the first PSC Node:
python gen-lb-cert.py --primary-node --lb-fqdn=load_balanced_fqdn
Note: The load_balanced_fqdn is the FQDN of the Load Balanced Address. The password of the resulting lb.p12 file is changeme.
For example:
python gen-lb-cert.py --primary-node --lb-fqdn=hostname.example.com
Initialization complete
executing certTool command
executing certTool command
Using config file : /usr/lib/vmware-vmca/share/config/certool.cfg
Status : Success
Executing openssl command
Loading 'screen' into random state - done
Executing openssl command
writing RSA key
Executing StopService --all
INFO:root:Service: vmware-license, Action: stop
INFO:root:Service: vmwareServiceControlAgent, Action: stop
INFO:root:Service: VMwareComponentManager, Action: stop
INFO:root:Service: rhttpproxy, Action: stop
INFO:root:Service: VMwareSTS, Action: stop
INFO:root:Service: VMwareIdentityMgmtService, Action: stop
INFO:root:Service: VMWareCertificateService, Action: stop
INFO:root:Service: VMWareDirectoryService, Action: stop
INFO:root:Service: VMWareAfdService, Action: stop
INFO:root:Service: vmware-cis-config, Action: stop
Executing StartService --all
INFO:root:Service: vmware-cis-config, Action: start
INFO:root:Service: VMWareAfdService, Action: start
INFO:root:Service: rhttpproxy, Action: start
INFO:root:Service: VMWareDirectoryService, Action: start
INFO:root:Service: VMWareCertificateService, Action: start
INFO:root:Service: VMwareIdentityMgmtService, Action: start
INFO:root:Service: VMwareSTS, Action: start
INFO:root:Service: VMwareComponentManager, Action: start
INFO:root:Service: vmware-license, Action: start
INFO:root:Service: vmwareServiceControlAgent, Action: start
Steps 6 and 7 are applicable only if you performed Step 4; otherwise proceed to Step 8.
- (Optional) If you performed Step 4 and are not using VMCA issued certificates, replace the lb.crt, lb.key, lb.p12 and root.crt files generated by the gen-lb-cert.py command in Step 5 with the certificates you generated in Step 4. Rename your custom CA certificate files to lb.crt, lb.key and root.crt respectively, then create a PKCS12 lb.p12 file:
- rm /ha/lb.crt /ha/lb.key /ha/lb.p12 /ha/root.crt
- mv /ha/custom_lb.crt /ha/lb.crt
- mv /ha/custom_lb.key /ha/lb.key
- mv /ha/custom_root.crt /ha/root.crt
- openssl pkcs12 -export -in /ha/lb.crt -inkey /ha/lb.key -certfile /ha/root.crt -name rui -passout pass:changeme -out /ha/lb.p12
- (Optional) If you performed Step 4 and are not using VMCA issued certificates, import the Root CA and Intermediate CA issuing certificates that issued the certificates in Step 4.
If your environment contains one or more Intermediate CAs, publish the full chain into the VMware Endpoint Certificate Store (VECS) using this command:
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --chain --cert path_to_CA_Chain
If your environment only contains a single Root CA, publish this root into VECS using this command:
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert path_to_CA_Root
- Copy /etc/vmware-sso/keys to /ha/keys.
mkdir /ha/keys
cp /etc/vmware-sso/keys/* /ha/keys
C - Perform the following on additional PSC Nodes:
- Copy the contents of the /ha folder from the First PSC to the /ha folder on the Additional PSC.
Note: Ensure that you also copy the keys folder from Step 8 (/ha/keys).
- Run this command on the Additional PSC Node:
python gen-lb-cert.py --secondary-node --lb-fqdn=load_balanced_fqdn --lb-cert-folder=/ha --sso-serversign-folder=/ha/keys
Note: Where load_balanced_fqdn is the FQDN of the Load Balanced Address.
For example:
python gen-lb-cert.py --secondary-node --lb-fqdn=hostname.example.com --lb-cert-folder=/ha --sso-serversign-folder=/ha/keys
Initialization complete
Please make sure that you have copied the contents from HA folder in Node 1 into the HA folder in the local node
Please Make that you have copied the ssoserverSign.* files and ssoServerRoot.crt file from node 1
Press enter to continue.
Executing StopService --all
INFO:root:Service: vmware-license, Action: stop
INFO:root:Service: vmwareServiceControlAgent, Action: stop
INFO:root:Service: VMwareComponentManager, Action: stop
INFO:root:Service: rhttpproxy, Action: stop
INFO:root:Service: VMwareSTS, Action: stop
INFO:root:Service: VMwareIdentityMgmtService, Action: stop
INFO:root:Service: VMWareCertificateService, Action: stop
INFO:root:Service: VMWareDirectoryService, Action: stop
INFO:root:Service: VMWareAfdService, Action: stop
INFO:root:Service: vmware-cis-config, Action: stop
Executing StartService --all
INFO:root:Service: vmware-cis-config, Action: start
INFO:root:Service: VMWareAfdService, Action: start
INFO:root:Service: rhttpproxy, Action: start
INFO:root:Service: VMWareDirectoryService, Action: start
INFO:root:Service: VMWareCertificateService, Action: start
INFO:root:Service: VMwareIdentityMgmtService, Action: start
INFO:root:Service: VMwareSTS, Action: start
INFO:root:Service: VMwareComponentManager, Action: start
INFO:root:Service: vmware-license, Action: start
INFO:root:Service: vmwareServiceControlAgent, Action: start
D - Configure a compatible Load Balancer for use with vSphere 6.0 Platform Services Controller High Availability
At this stage, complete the configuration of your desired Load Balancer before running the final PSC HA Script.
For the Citrix NetScaler load balancer, see Configuring Citrix NetScaler Load Balancer for use with vSphere Platform Services Controller (PSC) 6.0 (2116281).
E - Perform the following on the First PSC Node:
- Run this command to update the Endpoint URLs with the load_balanced_fqdn:
python lstoolHA.py --hostname=psc_1_fqdn --lb-fqdn=load_balanced_fqdn --lb-cert-folder=/ha [email protected]
Note: Where psc_1_fqdn is the FQDN of the First PSC Node. Where load_balanced_fqdn is the FQDN of the Load Balanced Address. The command prompts for the [email protected] password.
For example:
python lstoolHA.py --hostname=psc-vcsa-1.example.com --lb-fqdn=hostname.example.com --lb-cert-folder=/ha [email protected]
Password:
2015-03-16 10:05:06,665 INFO com.vmware.identity.token.impl.SamlTokenImpl - SAML token for SubjectNameId [[email protected], Format=http://schemas.xmlsoap.org/claims/UPN] successfully parsed from Element
2015-03-16 10:05:06,713 INFO com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl - Successfully acquired token for user: [email protected]
2015-03-16 10:05:07,305 WARN com.vmware.vim.vmomi.client.http.impl.HttpConfigurationCompilerBase$ConnectionMonitorThreadBase - Shutting down the connection monitor.
Notes:
- The command ends with the preceding entries when completed successfully.
- The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
- To verify that the endpoints are updated correctly, run these commands against the First PSC Node FQDN:
- Obtain the sitename by running this command:
python /usr/lib/vmidentity/tools/scripts/lstool.py get-site-id --url https://psc_1_fqdn/lookupservice/sdk 2> /dev/null
- Using the sitename output from the previous step, run these commands to verify that the endpoints are updated with the Load Balanced FQDN:
python /usr/lib/vmidentity/tools/scripts/lstool.py list --url https://localhost:7080/lookupservice/sdk --site sitename --type cs.license | grep "URL:"
or
python /usr/lib/vmidentity/tools/scripts/lstool.py list --url https://PSC_FQDN/lookupservice/sdk --site sitename --type cs.identity | grep "URL:"
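Reading the grep output by eye is error-prone when a site registers many endpoints, and a single URL still pointing at a node FQDN means that service bypasses the load balancer. The following added example (not part of the VMware KB) is a small filter that takes the lstool.py list output on stdin and fails if any URL host is not the Load Balanced FQDN; the sample lines used in the usage note are constructed, and the URL: line layout is assumed to match what the grep above filters on.

```shell
#!/bin/sh
# Added example: fail if any endpoint URL in lstool.py output does not use the LB FQDN.
# Usage: python .../lstool.py list --url ... --site sitename | check_endpoint_urls <lb_fqdn>
# Prints each offending URL; returns 1 if at least one was found, 0 otherwise.
check_endpoint_urls() {
    want=$1
    awk -v want="$want" '
        /URL:/ {
            url = $0; sub(/.*URL:[ \t]*/, "", url)          # keep only the URL itself
            host = url
            sub(/^[A-Za-z]+:\/\//, "", host)               # drop the scheme
            sub(/[:\/].*$/, "", host)                      # drop port and path
            if (tolower(host) != tolower(want)) {          # hostnames compare case-insensitively
                print "not load balanced: " url
                bad++
            }
        }
        END { exit bad ? 1 : 0 }'
}
```

Typical use: python /usr/lib/vmidentity/tools/scripts/lstool.py list --url https://localhost:7080/lookupservice/sdk --site sitename | check_endpoint_urls hostname.example.com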
F - Install vCenter Server 6.0 or Upgrade vCenter Server 5.5 to 6.0
Continue with the installation of the vCenter Server 6.0 or upgrade of a vCenter Server 5.5 system. When asked for the target Platform Services Controller details, provide the load_balanced_fqdn defined above.