Configuring PSC 6.0 High Availability for vSphere 6.0 using vCenter Server 6.0 Appliance

Article ID: 328404

Products

VMware vCenter Server

Issue/Introduction

This article explains how to configure Platform Services Controller High Availability for vSphere 6.0 when using vCenter Server 6.0 Appliances.

If you are using Platform Services Controllers installed on a Windows Server system, see Configuring Windows PSC 6.0 High Availability for vSphere 6.0 (2113085).
 
Notes:



Resolution

A - Deploy two PSC 6.0 Appliances in the same site:

  1. Deploy the first PSC 6.0 Appliance.
  2. Deploy the additional PSC 6.0 Appliance, joining the first PSC under the same site.

B - Perform the following on the first PSC Node:

  1. Download the PSC HA Scripts available at VMware Download Platform Services Controller 6.0.
  2. Extract the contents to /ha on the first PSC.

    Notes:

  3. (Optional) The command in Step 5 generates a certificate issued by the VMCA with a CN value of the load-balanced fully qualified domain name (FQDN). If you want to configure the VMCA as a subordinate of an existing CA, VMware recommends that you stop and perform that action now, on both PSCs, before proceeding with Step 5. For more information, see Configuring vSphere 6.0 VMware Certificate Authority as a subordinate Certificate Authority (2112016).

    Notes:

    • Use each local FQDN when configuring each VMCA as a subordinate CA. Do not use the Load Balanced FQDN when configuring each VMCA as a subordinate CA.
    • If you are using a trusted certificate on the Load Balancer, VMware also recommends using a trusted certificate for the Platform Services Controller Machine SSL.
  4. (Optional) If you want to use your own CA exclusively, rather than the VMCA, perform these steps to create the certificates. Otherwise proceed to Step 5.

    1. Save a copy of the /usr/lib/vmware-vmca/share/config/certool.cfg file to the /ha folder.
    2. Edit the copy of the certool.cfg file located in /ha and set the values as required, ensuring that Name and Hostname are set to the correct Load Balanced FQDN.

      For example:

      #
      # Template file for a CSR request
      #
      # Country is needed and has to be 2 characters
      Country = US
      Name = hostname.example.com
      Organization = AcmeOrg
      OrgUnit = AcmeOrg Engineering
      State = California
      Locality = Palo Alto
      IPAddress = 127.0.0.1
      Email = [email protected]
      Hostname = hostname.example.com


    3. Run this command to generate a Certificate Signing Request (CSR) and private key pair based on the certool.cfg file edited above:

      /usr/lib/vmware-vmca/bin/certool --initcsr --privkey=/ha/psc-ha.privkey --pubkey=/ha/psc-ha.pubkey --csrfile=/ha/psc-ha.csr --config=/ha/certool.cfg

      For example:

      /usr/lib/vmware-vmca/bin/certool --initcsr --privkey=/ha/psc-ha.privkey --pubkey=/ha/psc-ha.pubkey --csrfile=/ha/psc-ha.csr --config=/ha/certool.cfg

      This is deprecated. Use gencsr instead.
      Using config file : /ha/certool.cfg
      Status : Success


    4. Provide the CSR file to your CA and obtain the certificate file. For more information on obtaining certificates from a Microsoft CA, see Obtaining vSphere certificates from a Microsoft Certificate Authority (2112014).

    5. Save the certificate to /ha/custom_lb.crt.

    6. Rename psc-ha.privkey to custom_lb.key.

    7. Save the Root CA certificate as custom_root.crt.

  5. Run this command on the first PSC Node:

    python gen-lb-cert.py --primary-node --lb-fqdn=load_balanced_fqdn

    Note: The load_balanced_fqdn is the FQDN of the Load Balanced Address. The password of the resulting lb.p12 file is changeme.

    For example:

    python gen-lb-cert.py --primary-node --lb-fqdn=hostname.example.com
    Initialization complete
    executing certTool command
    executing certTool command
    Using config file : /usr/lib/vmware-vmca/share/config/certool.cfg
    Status : Success
    Executing openssl command
    Loading 'screen' into random state - done
    Executing openssl command
    writing RSA key
    Executing StopService --all
    INFO:root:Service: vmware-license, Action: stop
    INFO:root:Service: vmwareServiceControlAgent, Action: stop
    INFO:root:Service: VMwareComponentManager, Action: stop
    INFO:root:Service: rhttpproxy, Action: stop
    INFO:root:Service: VMwareSTS, Action: stop
    INFO:root:Service: VMwareIdentityMgmtService, Action: stop
    INFO:root:Service: VMWareCertificateService, Action: stop
    INFO:root:Service: VMWareDirectoryService, Action: stop
    INFO:root:Service: VMWareAfdService, Action: stop
    INFO:root:Service: vmware-cis-config, Action: stop
    Executing StartService --all
    INFO:root:Service: vmware-cis-config, Action: start
    INFO:root:Service: VMWareAfdService, Action: start
    INFO:root:Service: rhttpproxy, Action: start
    INFO:root:Service: VMWareDirectoryService, Action: start
    INFO:root:Service: VMWareCertificateService, Action: start
    INFO:root:Service: VMwareIdentityMgmtService, Action: start
    INFO:root:Service: VMwareSTS, Action: start
    INFO:root:Service: VMwareComponentManager, Action: start
    INFO:root:Service: vmware-license, Action: start
    INFO:root:Service: vmwareServiceControlAgent, Action: start

    Steps 6 and 7 apply only if you performed Step 4; otherwise proceed to Step 8.

  6. (Optional) If you performed Step 4 and are not using VMCA-issued certificates, replace the lb.crt, lb.key, lb.p12 and root.crt files generated by the gen-lb-cert.py command in Step 5 with the certificates you generated in Step 4. Rename your custom CA certificate files to lb.crt, lb.key and root.crt respectively, then create a PKCS12 lb.p12 file:

    1. rm /ha/lb.crt /ha/lb.key /ha/lb.p12 /ha/root.crt
    2. mv /ha/custom_lb.crt /ha/lb.crt
    3. mv /ha/custom_lb.key /ha/lb.key
    4. mv /ha/custom_root.crt /ha/root.crt
    5. openssl pkcs12 -export -in /ha/lb.crt -inkey /ha/lb.key -certfile /ha/root.crt -name rui -passout pass:changeme -out /ha/lb.p12

  7. (Optional) If you performed Step 4 and are not using VMCA-issued certificates, import the Root CA and any Intermediate CA certificates of the chain that issued the certificates in Step 4.

    If your environment contains one or more Intermediate CAs, publish the full chain into the VMware Endpoint Certificate Store (VECS) using this command:

    /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --chain --cert path_to_CA_Chain

    If your environment only contains a single Root CA, publish this root into VECS using this command:

    /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert path_to_CA_Root

  8. Copy /etc/vmware-sso/keys to /ha/keys.

    mkdir /ha/keys
    cp /etc/vmware-sso/keys/* /ha/keys
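Before building lb.p12 in Step 6 and publishing the CA into VECS in Step 7, a practitioner normally wants to confirm that the custom files in /ha are consistent with each other and with the load-balanced FQDN. The following POSIX shell script is an added example, not one of the VMware PSC HA scripts; it assumes the file names from Steps 4 and 6 (lb.crt, lb.key, root.crt, and lb.p12 with the password changeme) and builds a throwaway root CA and certificate for a constructed name, psc-ha.example.com, to show one passing and one failing check.

```shell
#!/bin/sh
# Pre-flight check for the custom-CA files of section B, Steps 4, 6 and 7 (added
# illustration, not a VMware PSC HA script): lb.key must belong to lb.crt,
# lb.crt must chain to root.crt and carry the load-balanced FQDN, and an
# existing lb.p12 (password changeme, as in Step 6) must hold lb.crt.

# check_lb_bundle DIR LB_FQDN -> returns 0 if every check passes, 1 otherwise
check_lb_bundle() {
  dir=$1; fqdn=$2; rc=0
  # 1. private key and certificate must share one public key (compared as DER)
  kpub=$(openssl pkey -in "$dir/lb.key" -pubout -outform DER | openssl dgst -sha256)
  cpub=$(openssl x509 -in "$dir/lb.crt" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$kpub" = "$cpub" ] || { echo "FAIL: lb.key does not belong to lb.crt"; rc=1; }
  # 2. the certificate must verify against the CA in root.crt (what Step 7 publishes)
  openssl verify -CAfile "$dir/root.crt" "$dir/lb.crt" >/dev/null 2>&1 \
    || { echo "FAIL: lb.crt does not chain to root.crt"; rc=1; }
  # 3. the certificate must carry the load-balanced FQDN (subject CN or SAN)
  openssl x509 -in "$dir/lb.crt" -noout -text | grep -qF "$fqdn" \
    || { echo "FAIL: lb.crt is not issued for $fqdn"; rc=1; }
  # 4. an existing lb.p12 must contain exactly the certificate in lb.crt
  if [ -f "$dir/lb.p12" ]; then
    p12fp=$(openssl pkcs12 -in "$dir/lb.p12" -passin pass:changeme -nokeys -clcerts 2>/dev/null |
            openssl x509 -noout -fingerprint -sha256)
    crtfp=$(openssl x509 -in "$dir/lb.crt" -noout -fingerprint -sha256)
    [ "$p12fp" = "$crtfp" ] || { echo "FAIL: lb.p12 does not contain lb.crt"; rc=1; }
  fi
  return $rc
}

# Constructed demo material: a throwaway root CA and a certificate for NAME,
# exported to lb.p12 with the same openssl command as Step 6.5.
make_demo() {  # make_demo DIR NAME
  d=$1
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/ca.cnf"
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Demo Root CA" -keyout "$d/ca.key" -out "$d/root.crt" 2>/dev/null
  openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$d/lb.key" -out "$d/lb.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/lb.csr" -CA "$d/root.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/lb.crt" 2>/dev/null
  openssl pkcs12 -export -in "$d/lb.crt" -inkey "$d/lb.key" -certfile "$d/root.crt" \
    -name rui -passout pass:changeme -out "$d/lb.p12"
}

demo=$(mktemp -d)
make_demo "$demo" psc-ha.example.com
check_lb_bundle "$demo" psc-ha.example.com && echo "OK: files fit psc-ha.example.com"
check_lb_bundle "$demo" psc.example.org || echo "rejected: not issued for psc.example.org"
```

On a real first PSC, call check_lb_bundle with /ha and the actual Load Balanced FQDN instead of the demo directory; any FAIL line means the chain published into VECS in Step 7 would not match the certificate presented on the load balancer.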


C - Perform the following on additional PSC Nodes:

  1. Copy the contents of the /ha folder from the First PSC to the /ha folder on the Additional PSC.

    Note: Ensure that you also copy the keys from Step 8 of section B.

  2. Run this command on the Additional PSC Node:

    python gen-lb-cert.py --secondary-node --lb-fqdn=load_balanced_fqdn --lb-cert-folder=/ha --sso-serversign-folder=/ha/keys

    Note: Where load_balanced_fqdn is the FQDN of the Load Balanced Address.

    For example:

    python gen-lb-cert.py --secondary-node --lb-fqdn=hostname.example.com --lb-cert-folder=/ha --sso-serversign-folder=/ha/keys
    Initialization complete

    Please make sure that you have copied the contents from HA folder in Node 1 into the HA folder in the local node
    Please Make that you have copied the ssoserverSign.* files and ssoServerRoot.crt file from node 1
    Press enter to continue.
    Executing StopService --all
    INFO:root:Service: vmware-license, Action: stop

    INFO:root:Service: vmwareServiceControlAgent, Action: stop
    INFO:root:Service: VMwareComponentManager, Action: stop
    INFO:root:Service: rhttpproxy, Action: stop
    INFO:root:Service: VMwareSTS, Action: stop
    INFO:root:Service: VMwareIdentityMgmtService, Action: stop
    INFO:root:Service: VMWareCertificateService, Action: stop
    INFO:root:Service: VMWareDirectoryService, Action: stop
    INFO:root:Service: VMWareAfdService, Action: stop
    INFO:root:Service: vmware-cis-config, Action: stop
    Executing StartService --all
    INFO:root:Service: vmware-cis-config, Action: start
    INFO:root:Service: VMWareAfdService, Action: start
    INFO:root:Service: rhttpproxy, Action: start
    INFO:root:Service: VMWareDirectoryService, Action: start
    INFO:root:Service: VMWareCertificateService, Action: start
    INFO:root:Service: VMwareIdentityMgmtService, Action: start
    INFO:root:Service: VMwareSTS, Action: start
    INFO:root:Service: VMwareComponentManager, Action: start
    INFO:root:Service: vmware-license, Action: start
    INFO:root:Service: vmwareServiceControlAgent, Action: start



D - Configure a compatible Load Balancer for use with vSphere 6.0 Platform Services Controller High Availability

At this stage, complete the configuration of your desired Load Balancer before running the final PSC HA Script.


For the Citix Netscaler load balancer, see Configuring Citrix NetScaler Load Balancer for use with vSphere Platform Services Controller (PSC) 6.0 (2116281).



E - Perform the following on the First PSC Node:

  1. Run this command to update the Endpoint URLs with the load_balanced_fqdn:

    python lstoolHA.py --hostname=psc_1_fqdn --lb-fqdn=load_balanced_fqdn --lb-cert-folder=/ha [email protected]


    Note: Where psc_1_fqdn is the FQDN of the First PSC Node and load_balanced_fqdn is the FQDN of the Load Balanced Address. The command prompts for the [email protected] password.

    For example:

    python lstoolHA.py --hostname=psc-vcsa-1.example.com --lb-fqdn=hostname.example.com --lb-cert-folder=/ha [email protected]

    Password:

    2015-03-16 10:05:06,665 INFO com.vmware.identity.token.impl.SamlTokenImpl - SAML token for SubjectNameId [[email protected], Format=http://schemas.xmlsoap.org/claims/UPN] successfully parsed from Element
    2015-03-16 10:05:06,713 INFO com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl - Successfully acquired token for user: [email protected]
    2015-03-16 10:05:07,305 WARN com.vmware.vim.vmomi.client.http.impl.HttpConfigurationCompilerBase$ConnectionMonitorThreadBase - Shutting down the connection monitor.


    Notes:

    • The command ends with the preceding entries when completed successfully.
    • The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

  2. To verify the endpoints are updated correctly, run these commands using the First PSC Node FQDN entry:

    1. Obtain the sitename, by running the command:

      python /usr/lib/vmidentity/tools/scripts/lstool.py get-site-id --url https://psc_1_fqdn/lookupservice/sdk 2> /dev/null
    2. Using the sitename obtained in the previous step, run these commands to verify that the endpoints are updated with the Load Balanced FQDN:

      python /usr/lib/vmidentity/tools/scripts/lstool.py list --url https://localhost:7080/lookupservice/sdk --site sitename --type cs.license | grep "URL:"
      or
      python /usr/lib/vmidentity/tools/scripts/lstool.py list --url https://PSC_FQDN/lookupservice/sdk --site sitename --type cs.identity | grep "URL:"

F - Install vCenter Server 6.0 or Upgrade vCenter Server 5.5 to 6.0


Continue with the installation of the vCenter Server 6.0 or upgrade of a vCenter Server 5.5 system. When asked for the target Platform Services Controller details, provide the load_balanced_fqdn defined above.