Configuring Windows PSC 6.0 High Availability for vSphere 6.0

Article ID: 336183

Products

VMware vCenter Server

Issue/Introduction

The article provides the procedure to configure Platform Services Controller (PSC) High Availability for vSphere 6.0 for a Windows Server installation.

If you are using the vCenter Server 6.0 Appliance, deployed as Platform Services Controllers, see Configuring PSC 6.0 High Availability for vSphere 6.0 using vCenter Server 6.0 Appliance (2113315)

Environment

VMware vCenter Server 6.0.x

Resolution

A - Install two PSC 6.0 instances in the same site:

Install the first PSC 6.0 instance.

Install the additional PSC 6.0 instance, joining it to the first PSC in the same SSO site.

B - Perform these steps on the first PSC Node:
  1. Download the PSC HA Scripts from the Download VMware Platform Services Controller 6.0 page.
  2. Extract the contents to C:\ha. The scripts expect to be run from C:\ha.

    Note: Create the ha folder if it is not already created.

  3. Click Start > Run, type cmd and click OK.
  4. Navigate to C:\ha.
  5. The command in Step 7 generates a certificate issued by the VMCA with the load_balanced_fqdn as its CN. If you plan to configure VMCA as a subordinate of an existing CA, VMware recommends stopping here and doing that now on both PSC instances, before proceeding with Step 7. For more information, see Configuring vSphere 6.0 VMware Certificate Authority as a subordinate Certificate Authority (2112016).

    Note: Use each node's own local FQDN when configuring its VMCA as a subordinate CA. Do not use the Load Balanced FQDN for that step.


  6. If you want to use exclusively your own CA and not VMCA at all, perform these steps to create the certificates. Otherwise, proceed to Step 7.

    1. Copy the C:\Program Files\VMware\vCenter Server\vmcad\certool.cfg file to the C:\ha folder.

    2. Edit C:\ha\certool.cfg in a plain text editor and modify the values as desired, ensuring that both Name and Hostname are set to the load_balanced_fqdn.

      For example:

      #
      # Template file for a CSR request
      #
      # Country is needed and has to be 2 characters
      Country = US
      Name = psc-ha-vip.domain.com
      Organization = AcmeOrg
      OrgUnit = AcmeOrg Engineering
      State = California
      Locality = Palo Alto
      IPAddress = 127.0.0.1
      Email = email@acme.com
      Hostname = psc-ha-vip.domain.com

    3. Run this command to generate a Certificate Signing Request (CSR) and private key pair using the certool.cfg file edited in the previous step.

      "C:\Program Files\VMware\vCenter Server\vmcad\certool.exe" --initcsr --privkey=C:\ha\psc-ha.privkey --pubkey=C:\ha\psc-ha.pubkey --csrfile=C:\ha\psc-ha.csr --config=C:\ha\certool.cfg

      For example:

      "C:\Program Files\VMware\vCenter Server\vmcad\certool.exe" --initcsr --privkey=C:\ha\psc-ha.privkey --pubkey=C:\ha\psc-ha.pubkey --csrfile=C:\ha\psc-ha.csr --config=C:\ha\certool.cfg

      This is deprecated. Use gencsr instead.
      Using config file : C:\ha\certool.cfg

      Status : Success

    4. Provide the CSR file to your CA and obtain the certificate file. For a Microsoft CA, see Obtaining vSphere certificates from a Microsoft Certificate Authority (2112014).

    5. Save the certificate to C:\ha\custom_lb.crt.

    6. Rename psc-ha.privkey to custom_lb.key.

    7. Save the Root CA certificate as custom_root.crt.

  7. Run this command on the First PSC Node.

    "C:\Program Files\VMware\vCenter Server\python\python.exe" gen-lb-cert.py --primary-node --lb-fqdn=load_balanced_fqdn

    Note: load_balanced_fqdn is the FQDN of the load-balanced address. The resulting lb.p12 file is protected with the fixed password changeme; the later steps in this article expect that value.

    For example:

    "C:\Program Files\VMware\vCenter Server\python\python.exe" gen-lb-cert.py --primary-node --lb-fqdn=psc-ha-vip.domain.com

    Initialization complete
    executing certTool command
    executing certTool command
    Using config file : C:\Program Files\VMware\vCenter Server\vmcad\certool.cfg
    Status : Success

    Executing openssl command
    Loading 'screen' into random state - done
    Executing openssl command
    writing RSA key
    Executing StopService --all
    INFO:root:Service: vmware-license, Action: stop
    INFO:root:Service: vmwareServiceControlAgent, Action: stop
    INFO:root:Service: VMwareComponentManager, Action: stop
    INFO:root:Service: rhttpproxy, Action: stop
    INFO:root:Service: VMwareSTS, Action: stop
    INFO:root:Service: VMwareIdentityMgmtService, Action: stop
    INFO:root:Service: VMWareCertificateService, Action: stop
    INFO:root:Service: VMWareDirectoryService, Action: stop
    INFO:root:Service: VMWareAfdService, Action: stop
    INFO:root:Service: vmware-cis-config, Action: stop
    Executing StartService --all
    INFO:root:Service: vmware-cis-config, Action: start
    INFO:root:Service: VMWareAfdService, Action: start
    INFO:root:Service: rhttpproxy, Action: start
    INFO:root:Service: VMWareDirectoryService, Action: start
    INFO:root:Service: VMWareCertificateService, Action: start
    INFO:root:Service: VMwareIdentityMgmtService, Action: start
    INFO:root:Service: VMwareSTS, Action: start
    INFO:root:Service: VMwareComponentManager, Action: start
    INFO:root:Service: vmware-license, Action: start
    INFO:root:Service: vmwareServiceControlAgent, Action: start


    Note: Steps 8 and 9 are only applicable if you also performed Step 6. If you have not performed Step 6, then proceed to Step 10.

  8. (Optional) If you performed Step 6 and are not using VMCA-issued certificates, discard the lb.crt, lb.key, lb.p12 and root.crt files that gen-lb-cert.py generated in Step 7, rename your custom files to lb.crt, lb.key and root.crt respectively, and create a PKCS#12 lb.p12 file from them.

    1. del C:\ha\lb.crt C:\ha\lb.key C:\ha\lb.p12 C:\ha\root.crt
    2. ren C:\ha\custom_lb.crt C:\ha\lb.crt
    3. ren C:\ha\custom_lb.key C:\ha\lb.key
    4. ren C:\ha\custom_root.crt C:\ha\root.crt
    5. "C:\Program Files\VMware\vCenter Server\openSSL\openssl.exe" pkcs12 -export -in C:\ha\lb.crt -inkey C:\ha\lb.key -certfile C:\ha\root.crt -name rui -passout pass:changeme -out C:\ha\lb.p12

      Note: If the above command fails, set the OpenSSL configuration path and retry sub-step 5:

      SET OPENSSL_CONF=C:\Program Files\VMware\vCenter Server\openSSL\openssl.cnf

  9. (Optional) If you performed Step 6 and are not using VMCA-issued certificates, import the Root CA and any Intermediate CA certificates that issued the certificate from Step 6.

    If your environment contains one or more Intermediate CAs, you will need to create and publish the full chain into VECS.

    To create the chain:

    1. Create a file called chain.pem in C:\ha, next to lb.crt.
    2. Open lb.crt in Notepad and copy its contents into chain.pem.
    3. Paste each Intermediate CA certificate after it, starting with the CA that issued lb.crt and working up the chain, and paste the Root CA certificate (Root64.cer in this example) last. Ensure that there is no whitespace or blank line between certificates.

      Note: The order is leaf first, intermediates in issuing order, root last; the example below shows this order.

    4. When complete, the file looks similar to this:

      Note: The certificates in this example are truncated for readability, and the text on the right only indicates the order in which the certificates are pasted. Do not copy this example or add that text to your .pem file. Ensure there are no spaces before or after any -----BEGIN CERTIFICATE----- or -----END CERTIFICATE----- line.

      -----BEGIN CERTIFICATE-----
      MIIFxTCCBK2gAwIBAgIKYaLJSgAAAAAAITANBgkqhkiG9w0BAQUFADBGMRMwEQYK
      CZImiZPyLGQBGRYDbmV0MRYwFAYKCZImiZPyLGQBGRYGbW5uZXh0MRcwFQYDVQQD
      Ew5tbm5leHQtQUQtMS1DQTAeFw0xMzAyMDExNjAxMDNaFw0xNTAyMDExNjExMDNa <-----Certificate
      SMhYhbv3wr7XraAnsIaBYCeg+J7fKTFgjA8bTwC+dVTaOSXQuhnZfrOVxlfJ/Ydm
      NS7WBBBFd9V4FPyRDPER/QMVl+xyoaMGw0QKnslmq/JvID4FPd0/QD62RAsTntXI
      ATa+CS6MjloKFgRaGnKAAFPsrEeGjb2JgMOpIfbdx4KT3WkspsK3KPwFPoYza4ih
      4eT2HwhcUs4wo7X/XQd+CZjttoLsSyCk5tCmOGU6xLaE1s08R6sz9mM=
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      MIIDZzCCAk+gAwIBAgIQNO7aLfykR4pE94tcRe0vyDANBgkqhkiG9w0BAQUFADBG
      K73RIKZaDkBOuUlRSIfgfovUFJrdwGtMWo3m4dpN7csQAjK/uixfJDVRG0nXk9pq
      GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr <-----Intermediate Certificate
      /Esf1E6fnrItsXpIchQOmvQViis12YyUvwko2aidjVm9sML0ANiLJZSoQ9Zs/WGC
      TLqwbQm6tNyFB8c=
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      MIIDZzCCAk+gAwIBAgIQNO7aLfykR4pE94tcRe0vyDANBgkqhkiG9w0BAQUFADBG
      K73RIKZaDkBOuUlRSIfgfovUFJrdwGtMWo3m4dpN7csQAjK/uixfJDVRG0nXk9pq
      GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr <-----Root Certificate
      /Esf1E6fnrItsXpIchQOmvQViis12YyUvwko2aidjVm9sML0ANiLJZSoQ9Zs/WGC
      TLqwbQm6tNyFB8c=
      -----END CERTIFICATE-----


    5. Save and close the file.
    6. To publish the chain, run this command:

      "C:\Program Files\VMware\vCenter Server\vmafdd\dir-cli.exe" trustedcert publish --chain --cert path_to_CA_Chain

      If your environment contains only a single Root CA and no intermediates, publish that root on its own with this command:

      "C:\Program Files\VMware\vCenter Server\vmafdd\dir-cli.exe" trustedcert publish --cert path_to_CA_Root

  10. Copy the contents of C:\ProgramData\VMware\vCenterServer\cfg\sso\keys to the C:\ha\keys folder. C:\ha now holds private key material (lb.key and the SSO signing key), so transfer it to the additional node over a trusted channel and remove the copies once Section E is complete.

    mkdir C:\ha\keys
    copy C:\ProgramData\VMware\vCenterServer\cfg\sso\keys\* C:\ha\keys
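
Building chain.pem by hand in Notepad (Step 9) is where most failures of the dir-cli publish command originate: a UTF-8 BOM, CRLF line endings, or a stray blank line or space around a BEGIN/END line. The following Python 3 script is an added example, not part of this article or of the VMware PSC HA scripts. It assembles chain.pem in the required order (leaf, intermediates in issuing order, root) from the files produced in Steps 8 and 9 and lints the result. The C:\ha paths and file names are the article's; the five-byte DER payload in the embedded sample is constructed for the example and stands in for a real certificate.

```python
"""Assemble and sanity-check chain.pem for 'dir-cli trustedcert publish --chain'.

Added example, not part of the VMware article or its PSC HA scripts. It assumes
the Step 8/9 layout (lb.crt, intermediate CA files and root.crt under C:\\ha)
and enforces the article's rules: leaf first, intermediates in issuing order,
root last; no BOM, no blank lines and no whitespace around BEGIN/END lines.
Standard library only.
"""
import base64
import binascii
import re
import sys
from typing import List

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
_BLOCK_RE = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)


def extract_pem_blocks(text: str) -> List[str]:
    """Return every certificate in text as a canonical PEM block: LF endings,
    64-column base64, no BOM and no stray whitespace. Raises ValueError on garbage."""
    text = text.lstrip("\ufeff")                # Notepad saves a UTF-8 BOM by default
    blocks = []
    for m in _BLOCK_RE.finditer(text):
        b64 = "".join(m.group(1).split())       # drops CR, LF, tabs and spaces
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"certificate {len(blocks) + 1}: bad base64 ({exc})")
        if not der or der[0] != 0x30:           # an X.509 certificate is a DER SEQUENCE
            raise ValueError(f"certificate {len(blocks) + 1}: not DER-encoded X.509")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        blocks.append("\n".join([BEGIN, *lines, END]))
    if not blocks:
        raise ValueError("no PEM certificate found")
    return blocks


def build_chain(leaf_pem: str, intermediate_pems: List[str], root_pem: str) -> str:
    """Concatenate leaf, intermediates (issuing CA first) and root into chain.pem text."""
    parts = []
    for src in [leaf_pem, *intermediate_pems, root_pem]:
        blocks = extract_pem_blocks(src)
        if len(blocks) != 1:
            raise ValueError("each input must hold exactly one certificate")
        parts.append(blocks[0])
    return "\n".join(parts) + "\n"


def check_chain_text(text: str, expected_count: int) -> List[str]:
    """Lint an existing chain.pem; returns a list of problems (empty means OK)."""
    problems = []
    if text.startswith("\ufeff"):
        problems.append("file starts with a UTF-8 BOM")
    lines = text.replace("\r\n", "\n").split("\n")
    for n, line in enumerate(lines, 1):
        if line != line.strip():
            problems.append(f"line {n}: leading or trailing whitespace")
        if line == "" and n != len(lines):      # only the final newline may be empty
            problems.append(f"line {n}: blank line inside the chain")
    try:
        count = len(extract_pem_blocks(text))
    except ValueError as exc:
        problems.append(str(exc))
    else:
        if count != expected_count:
            problems.append(f"expected {expected_count} certificates, found {count}")
    return problems


def write_chain(path: str, chain_text: str) -> None:
    """Write ASCII with LF endings and no BOM, which is what PEM parsers expect."""
    with open(path, "w", encoding="ascii", newline="\n") as fh:
        fh.write(chain_text)


# Constructed sample input: a five-byte DER SEQUENCE stands in for a real
# certificate, saved the way Notepad would (BOM, CRLF, trailing space).
SAMPLE_LEAF = "\ufeff" + BEGIN + " \r\nMAMCAQE=\r\n" + END + "\r\n"
SAMPLE_CA = BEGIN + "\nMAMCAQE=\n" + END + "\n"

if __name__ == "__main__":
    # Usage: python build_chain.py C:\ha\lb.crt [intermediate.crt ...] C:\ha\root.crt
    if len(sys.argv) < 3:
        sys.exit("usage: build_chain.py LEAF [INTERMEDIATE ...] ROOT")
    files = [open(p, encoding="utf-8-sig").read() for p in sys.argv[1:]]
    chain = build_chain(files[0], files[1:-1], files[-1])
    write_chain(r"C:\ha\chain.pem", chain)
    print("wrote C:\\ha\\chain.pem:", check_chain_text(chain, len(files)) or "OK")
```

Run it from C:\ha with lb.crt first, the intermediate certificate files in issuing order, and root.crt last, then publish C:\ha\chain.pem with the dir-cli command above. The DER check (first byte 0x30) only confirms each block is a DER SEQUENCE; it does not validate signatures, so keep the openssl verify step for that.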

C - Perform these steps on the additional PSC Node:

  1. Copy the contents of C:\ha from the first PSC to C:\ha on the additional PSC (ensure you have also copied the keys folder from Step 10 in Section B).

    Note: Create the ha folder if it is not already created.

  2. Click Start > Run, type cmd and click OK.
  3. Navigate to C:\ha

  4. Run this command on the additional PSC Node.

    "C:\Program Files\VMware\vCenter Server\python\python.exe" gen-lb-cert.py --secondary-node --lb-fqdn=load_balanced_fqdn --lb-cert-folder=C:\ha --sso-serversign-folder=C:\ha\keys


    Note: load_balanced_fqdn is the FQDN of the load-balanced address.

    For example:

    "C:\Program Files\VMware\vCenter Server\python\python.exe" gen-lb-cert.py --secondary-node --lb-fqdn=psc-ha-vip.domain.com --lb-cert-folder=C:\ha --sso-serversign-folder=C:\ha\keys
    Initialization complete
    Please make sure that you have copied the contents from HA folder in Node 1 into
    the HA folder in the local node
    Please Make that you have copied the ssoserverSign.* files and ssoServerRoot.crt
    file from node 1
    Press enter to continue.
    Executing StopService --all
    INFO:root:Service: vmware-license, Action: stop
    INFO:root:Service: vmwareServiceControlAgent, Action: stop
    INFO:root:Service: VMwareComponentManager, Action: stop
    INFO:root:Service: rhttpproxy, Action: stop
    INFO:root:Service: VMwareSTS, Action: stop
    INFO:root:Service: VMwareIdentityMgmtService, Action: stop
    INFO:root:Service: VMWareCertificateService, Action: stop
    INFO:root:Service: VMWareDirectoryService, Action: stop
    INFO:root:Service: VMWareAfdService, Action: stop
    INFO:root:Service: vmware-cis-config, Action: stop
    Executing StartService --all
    INFO:root:Service: vmware-cis-config, Action: start
    INFO:root:Service: VMWareAfdService, Action: start
    INFO:root:Service: rhttpproxy, Action: start
    INFO:root:Service: VMWareDirectoryService, Action: start
    INFO:root:Service: VMWareCertificateService, Action: start
    INFO:root:Service: VMwareIdentityMgmtService, Action: start
    INFO:root:Service: VMwareSTS, Action: start
    INFO:root:Service: VMwareComponentManager, Action: start
    INFO:root:Service: vmware-license, Action: start
    INFO:root:Service: vmwareServiceControlAgent, Action: start

D - Configure a compatible Load Balancer for use with vSphere 6.0 Platform Services Controller High Availability

At this stage, complete the configuration of your load balancer before running the final PSC HA script.

For the Citrix NetScaler load balancer, see Configuring Citrix NetScaler Load Balancer for use with vSphere Platform Services Controller (PSC) 6.0 (2116281).

E - Perform these steps on the First PSC Node:
  1. Click Start > Run, type cmd and click OK.
  2. Navigate to C:\ha

  3. Run this command:

    "C:\Program Files\VMware\vCenter Server\python\python.exe" lstoolHA.py --hostname=psc_node_1_fqdn --lb-fqdn=load_balanced_fqdn --lb-cert-folder=C:\ha --user=administrator@vsphere.local

    Note: psc_node_1_fqdn is the FQDN of the First PSC Node and load_balanced_fqdn is the FQDN of the load-balanced address.

  4. Enter the administrator@vsphere.local password when prompted.

    For example:

    "C:\Program Files\VMware\vCenter Server\python\python.exe" lstoolHA.py --hostname=psc-node-1.domain.com --lb-fqdn=psc-ha-vip.domain.com --lb-cert-folder=C:\ha --user=administrator@vsphere.local

    Password:

    2015-03-16 10:05:06,665 INFO com.vmware.identity.token.impl.SamlTokenImpl - SAML token for SubjectNameId [administrator@vsphere.local, format=http://schemas.xmlsoap.org/claims/UPN] successfully parsed from Element
    2015-03-16 10:05:06,713 INFO com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl - Successfully acquired token for user: administrator@vsphere.local
    2015-03-16 10:05:07,305 WARN com.vmware.vim.vmomi.client.http.impl.HttpConfigurationCompilerBase$ConnectionMonitorThreadBase - Shutting down the connection monitor.



    Note: The command will end with the above when completed successfully.


  5. To verify that the endpoints have been updated correctly, run these commands against the Lookup Service:

    1. Obtain the Site ID by running this command:

      "C:\Program Files\VMware\vCenter Server\python\python.exe" "C:\Program Files\VMware\vCenter Server\VMware Identity Services\lstool\scripts\lstool.py" get-site-id --url https://psc_node_1_fqdn/lookupservice/sdk

    2. Using the site ID output from sub-step 1, run these commands to verify that the endpoints have been updated with the Load Balanced FQDN (the second command queries the additional PSC node, so it also confirms the change has replicated):

      "C:\Program Files\VMware\vCenter Server\python\python.exe" "C:\Program Files\VMware\vCenter Server\VMware Identity Services\lstool\scripts\lstool.py" list --url https://psc_node_1_fqdn/lookupservice/sdk --site My_Site_ID --type cs.license | findstr "URL:"

      "C:\Program Files\VMware\vCenter Server\python\python.exe" "C:\Program Files\VMware\vCenter Server\VMware Identity Services\lstool\scripts\lstool.py" list --url https://psc_node_2_fqdn/lookupservice/sdk --site My_Site_ID --type cs.identity | findstr "URL:"
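
The findstr filter above shows the URLs but leaves it to the reader to spot one that still names a PSC node. As an added example (not part of this article or of lstool.py), the following Python 3 script automates that check: it parses the lstool.py list output and reports every endpoint whose host is not the load-balanced FQDN, for both service types the article queries. The embedded sample output is constructed for the example and only approximates the real lstool.py layout; the parser keys only on the URL: lines (which the findstr filter also relies on) and, where present, Service Type: lines, both assumed here.

```python
"""Verify that Lookup Service endpoints advertise the load-balanced FQDN.

Added example, not part of the VMware article or its lstool scripts. The article
checks this by piping 'lstool.py list' through findstr "URL:"; this script parses
the same output and reports every endpoint whose host is not the load-balanced
FQDN. SAMPLE_OUTPUT below is constructed for this example and only approximates
the real lstool.py layout: the parser relies on "URL:" lines and, where present,
"Service Type:" lines (both an assumption here). Standard library only.
"""
import subprocess
import sys
from typing import List, Tuple
from urllib.parse import urlsplit

PSC_PYTHON = r"C:\Program Files\VMware\vCenter Server\python\python.exe"
LSTOOL_PY = (r"C:\Program Files\VMware\vCenter Server\VMware Identity Services"
             r"\lstool\scripts\lstool.py")
SERVICE_TYPES = ("cs.license", "cs.identity")   # the two types the article checks


def parse_endpoints(lstool_output: str) -> List[Tuple[str, str]]:
    """Return (service type, URL) pairs from 'lstool.py list' text output."""
    service_type = "?"
    endpoints = []
    for raw in lstool_output.splitlines():
        line = raw.strip()
        if line.startswith("Service Type:"):
            service_type = line.split(":", 1)[1].strip()
        elif line.startswith("URL:"):
            endpoints.append((service_type, line.split(":", 1)[1].strip()))
    return endpoints


def endpoints_not_on_lb(lstool_output: str, lb_fqdn: str) -> List[Tuple[str, str]]:
    """Endpoints whose host differs from lb_fqdn (case-insensitive, trailing dot ignored)."""
    want = lb_fqdn.lower().rstrip(".")
    stale = []
    for service_type, url in parse_endpoints(lstool_output):
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        if host != want:
            stale.append((service_type, url))
    return stale


def run_lstool(node_fqdn: str, site_id: str, service_type: str) -> str:
    """Run the article's 'lstool.py list' command against one PSC node.
    Passed as an argument list, not a shell string, so the two quoted paths survive."""
    cmd = [PSC_PYTHON, LSTOOL_PY, "list",
           "--url", f"https://{node_fqdn}/lookupservice/sdk",
           "--site", site_id, "--type", service_type]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed sample: a mostly converted site, with one endpoint still pointing
# at the first PSC node instead of the load-balanced address.
SAMPLE_OUTPUT = """\
Service Type: cs.license
Endpoint type: com.vmware.cis.cs.license.sdk
URL: https://psc-ha-vip.domain.com/ls/sdk
Service Type: cs.identity
URL: https://psc-ha-vip.domain.com/sso-adminserver/sdk/vsphere.local
URL: https://psc-node-1.domain.com/sts/STSService/vsphere.local
"""

if __name__ == "__main__":
    # Usage: python check_lb_endpoints.py PSC_NODE_FQDN SITE_ID LB_FQDN
    if len(sys.argv) != 4:
        sys.exit("usage: check_lb_endpoints.py PSC_NODE_FQDN SITE_ID LB_FQDN")
    node, site, lb = sys.argv[1:]
    stale = []
    for service_type in SERVICE_TYPES:
        stale += endpoints_not_on_lb(run_lstool(node, site, service_type), lb)
    for service_type, url in stale:
        print(f"NOT on load balancer: {service_type} {url}")
    sys.exit(1 if stale else 0)
```

Run it once against each PSC node FQDN with the site ID from sub-step 1; a non-zero exit code means at least one endpoint still names a node rather than the load-balanced address, which is exactly the condition that would leave a vCenter registered in Section F pinned to a single PSC.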

F - Install vCenter Server 6.0 or Upgrade vCenter Server 5.5 to 6.0

Continue with the installation of the vCenter Server 6.0 or upgrade of a vCenter Server 5.5 system. When asked for the target Platform Services Controller details, provide the load_balanced_fqdn defined in this article. For more information, see the VMware vCenter Server 6.0 Deployment Guide.





Additional Information

If you are not using the VMCA to issue the certificates, you may now also wish to replace the default Machine SSL Certificate with a custom CA Signed Certificate.

For more information, see Replacing a vSphere 6.0 Machine SSL certificate with a Custom Certificate Authority Signed Certificate (2112277).

Generating certificates for use with the VMware SSL Certificate Automation Tool
Configuring F5 BIG-IP Load Balancer for use with vSphere Platform Services Controller (PSC) 6.0
Configuring PSC 6.0 High Availability after upgrading from SSO 5.5 High Availability
Obtaining vSphere certificates from a Microsoft Certificate Authority
Configuring the vSphere 6.0 U1 or earlier VMware Certificate Authority as a Subordinate Certificate Authority
Replacing a vSphere 6.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate
vCenter Single Sign-On and Platform Services Controller High Availability Compatibility Matrix
Configuring PSC 6.0 High Availability for vSphere 6.0 using vCenter Server 6.0 Appliance
Configuring Citrix NetScaler Load Balancer for use with vSphere Platform Services Controller (PSC) 6.0
Configuring Windows PSC 6.0 High Availability for vSphere 6.0 (Japanese)
Configuring Windows PSC 6.0 High Availability for vSphere 6.0 (Portuguese)
Configuring Windows PSC 6.0 High Availability for vSphere 6.0 (Spanish)
Configuring Windows PSC 6.0 High Availability for vSphere 6.0 (Chinese)
Configuring Platform Service Controller HA in vSphere 6.5