FAQ: VMware Platform Services Controller in vSphere 6.x

Article ID: 322858

Products

VMware vCenter Server

Issue/Introduction

This article provides information on some of the frequently asked questions about VMware Platform Services Controller (PSC) for vSphere 6.0. The PSC contains common infrastructure services such as vCenter Single Sign-On (SSO), VMware Certificate Authority (VMCA), licensing, and server reservation and registration services.

Note that much, if not most, of the information below also applies to vSphere 6.5 and 6.7. As this document is meant to be informational only, please contact support if you have a more specific break/fix issue.

 
For more information, see:


Environment

VMware vCenter Server 6.0.x
VMware vCenter Server Appliance 6.0.x
VMware vCenter Server 6.5.x
VMware vCenter Server 6.7.x
VMware vCenter Server Appliance 6.5.x
VMware vCenter Server Appliance 6.7.x

Resolution

FAQs on various topics, see:

General Questions

What is Platform Services Controller 6.0 (PSC)?
 
Platform Services Controller (PSC) is a component of the VMware Cloud Infrastructure Suite. PSC deals with identity management for administrators and applications that interact with the vSphere platform.
 
How is PSC 6.0 different from SSO 5.5? How is it different from SSO 5.1?
 
The architecture remains the same between vSphere 5.5 and 6.0. However, there are new features and services introduced at the PSC layer which are discussed below. To get a list of all the changes between SSO 5.5 and PSC 6.0, see What’s New in VMware vSphere 6.0 platform and VMware Education's What's New V5.5 to v6.0. To get a list of changes from SSO 5.1, see What's New in VMware vSphere 5.5 Platform.
 
What are the key capabilities of PSC 6.0?
  • PSC 6.0 uses the same replication model, which allows data to be stored by any node and updated by any node in the vSphere domain, as was introduced in vSphere 5.5 in the form of vCenter Single Sign-On.
  • It can be deployed in either an Appliance-based or a Windows-based flavor, and both can participate in replication. (With vSphere 5.x, replicating the vCenter Server Appliance's embedded SSO with other SSO nodes was not supported.)

    Both Appliance-based and Windows-based PSCs can interoperate with Appliance-based or Windows-based vCenter Servers.
     
  • It now handles the storing and generation of the SSL certificates within your vSphere environment. For more information, see Implementing CA signed SSL certificates in vSphere 6.0 (2111219).
  • It now handles the storing and replication of your VMware License Keys.
  • It now handles the storing and replication of your permissions via the Global Permissions layer. For more information, see Reviewing and Managing Local and Global Permissions in vCenter Server 6.0 (2123931).
  • It now handles the storing and replication of your Tags and Categories. For more information, see Reviewing and Managing Tags and Tag Association in VMware vCenter Server 6.0 (2130130).
  • It has a built-in feature for automatic replication between different, logical SSO sites.
  • There is only one single default domain for the identity sources.
     
What are the components that are installed with Platform Services Controller 6.0?

Components that are installed with PSC 6.0 include:

  • VMware Appliance Management Service (only in Appliance-based PSC)
  • VMware License Service
  • VMware Component Manager
  • VMware Identity Management Service
  • VMware HTTP Reverse Proxy
  • VMware Service Control Agent
  • VMware Security Token Service
  • VMware Common Logging Service
  • VMware Syslog Health Service
  • VMware Authentication Framework
  • VMware Certificate Service
  • VMware Directory Service
What are the different products/components with which PSC 6.0 is supported?
 
PSC 6.0 is supported with:
  • VMware vCenter Server
  • VMware vCenter Inventory Services
  • VMware vSphere Web Client
  • VMware Log Browser
  • VMware NSX for vSphere
  • VMware Site Recovery Manager
  • VMware vCloud Air
  • VMware vCloud Director
  • VMware vRealize Automation Center
  • VMware vRealize Orchestrator
  • VMware vSphere Data Protection
  • VMware vShield Manager
How is PSC 6.0 packaged?
 
The Platform Services Controller is available on both the Windows vCenter Server ISO and the vCenter Server Appliance (VCSA) ISO.
 
How is the PSC 6.0 licensed?
 
The Platform Services Controller, on both Windows and Appliance, is not a licensed product. It is currently bundled with the vCenter Server 6.0 in the vSphere and vCloud Suites, but only the vCenter Server component of the bundle requires a license.
 
What Platform Services Controller deployment modes are possible with the vCenter Server Appliance? With Windows-based vCenter Server?

New to vSphere 6.0, both the Appliance-based PSC and the Windows-based PSC can be deployed in either multi-site or high availability configurations. Additionally, if you need multi-site in conjunction with high availability, you can now set up your vSphere environment to have multiple sites and then configure each site with secondary PSCs. A load balancer is still required per site to provide high availability. Only local load balancers (often referred to as LTM, or Local Traffic Manager) are supported for PSC HA. For more information about recommended and supported topologies, see List of recommended topologies for vSphere 6.0.x (2108548).

Note: When configuring PSC High Availability, both members of the load-balanced pair must be the same type; mixing Appliance-based and Windows-based PSCs in the same load-balanced pair is not supported.
 
For information about setting up PSC High Availability (HA), see:
 
What are the minimum requirements to run PSC 6.0?
 
Requirements when deploying the Appliance-based Platform Services Controller:
  • Processor - Intel or AMD x64 processor with two or more logical cores, each with a speed of 2 GHz
  • Memory - 2 GB

    Note: In vSphere 6.0 Update 3 and later the PSC is deployed with 4 GB.
     
  • Disk storage - 30 GB
  • Network speed - 1 Gbps
For more information, see the vCenter Server Appliance Hardware Requirements and Storage Requirements section in the vSphere Install and Setup Guide.
 
Requirements when deploying the Windows-based Platform Services Controller:
  • Processor - Intel or AMD x64 processor with two or more logical cores, each with a speed of 2 GHz
  • Memory - 2 GB
  • Disk storage - 4 GB
  • Network speed - 1 Gbps
For more information, see the vCenter Server for Windows Hardware Requirements and Storage Requirements section in the vSphere Install and Setup Guide.
 
 
What happens when the PSC 6.0 server is down? How does this affect Enhanced Linked Mode (ELM)?
 
If the PSC 6.0 server is down, you cannot log in to vCenter Server or any second party VMware products that depend on it. Existing connections and user sessions to the vCenter Server remain active, and the vCenter Server services remain up and running. However, once a session ends, if the PSC is still down, the user cannot log in again. Additionally, if the PSC is down and the vCenter Server's services are restarted, vCenter Server is unable to fully start until the PSC's services are restored or the vCenter Server is repointed to an operational PSC in the same vSphere Domain.
 
In an environment where multiple PSCs are in the same vSphere Domain and Enhanced Linked Mode is in use, if the PSC that a vCenter Server is connected to fails, that vCenter Server cannot be accessed through a different vCenter Server's vSphere Web Client. This is because the user's SAML token from the vSphere Web Client cannot be passed to the failed PSC, and therefore not to the vCenter Server. Unless the PSC is brought back online or the vCenter Server is repointed to a different PSC in the same domain, users cannot access it.
 
What happens when the VMware Certificate Authority (VMCA) service in the PSC 6.0 server is down? If my Private Key Infrastructure (PKI) is down?
 
At this time, the VMCA and VECS do not perform Certificate Revocation List (CRL) checking. This means that while the VMCA service is down, your vCenter Servers continue working and can be restarted. For more information, see Managing Certificate Revocation in the vSphere Security Guide.
 
Additionally, if your PKI is down, your vSphere environment continues to run, because the VMCA and VECS do not perform CRL checking.
 
Do I need a database to successfully install/run PSC 6.0?
 
As with SSO 5.5, in vSphere 6.0 you do not need a database for the PSC.
 
How to backup and restore PSC 6.0?
 
For information on how to back up and restore the PSC, see How to back up and restore vCenter Server 6.0 external deployment models (2110294).
 
Can I use snapshots against my PSC 6.0? How about image-based backups?
 
You can snapshot a single Platform Services Controller so long as it does not exist in a multi-site or highly available configuration within a vSphere domain. This is due to the use of Update Sequence Number (USN) for replication, and when restoring a PSC via snapshot or image-based backup, the sibling nodes are out of sync. For more information, see Possible vSphere.local domain inconsistencies after restoring a vCenter Server Single Sign-On 5.5 or Platform Services Controller 6.0 node (2086001).
 
You can use image-based backups for both stand-alone PSCs as well as multi-site or highly available configuration as long as the prescriptive backup and restore methodology covered in the section How to backup and restore PSC 6.0? has been followed.
 
How do I create a Service Principal Name (SPN)?
 
For instructions to create and use a Service Principal Account in PSC 6.0, see Creating and using a Service Principal Account in vCenter Single Sign-On 5.5 (2058298).
 
What is a vSphere Domain Name in PSC 6.0?
 
A vSphere Domain Name is defined when you first configure a PSC 6.0, or it is retained when you upgrade your existing SSO 5.5 environment. It is the name on which your vSphere Domain's backing directory service (VMware Directory Service) bases all of its internal Lightweight Directory Access Protocol (LDAP) structuring. With vSphere 6.0, you can give your vSphere Domain a unique name. However, ensure that you do not give it the same name as any of your other Directory Services (OpenLDAP, Microsoft Active Directory), as this causes conflicts with authentication. If you are upgrading from vSphere 5.5, your vSphere Domain Name remains the default vsphere.local. Changing the name of your vSphere Domain once it has been configured is not supported.
 
After defining the name of your domain, you can populate it with objects in the form of Machines (PSCs, vCenter Servers, vRealize Automation, etc.), Users ([email protected]) or Groups ([email protected]). These objects can then be organized into individual logical sites, explained below.
 
What are Sites in PSC 6.0?
 
A Site in the VMware Directory Service is a logical container in which the Platform Services Controllers' server objects are grouped within a vSphere Domain. You can name Sites in an intuitive way for easier implementation. Additionally, when Platform Services Controllers are deployed, they publish their service information (service registrations) into the defined Site. When vCenter Servers are deployed against the Platform Services Controllers, each vCenter Server publishes its service information into the Site to which its Platform Services Controller belongs. If you need to move vCenter Servers between Sites, you must move their respective service information. For more information, see the section Can I repoint the vCenter Server to other PSCs in the same vSphere Domain? Can I repoint the vCenter Server to a new vSphere Domain? within this article.
 
Currently, the use of sites is for configuring PSC High Availability groups behind a load balancer.
 
What are the different types of Identity Sources that can be created with SSO 5.5?
 
The different types of Identity Sources that can be created with SSO 5.5 include:
  • Active Directory (Integrated Windows Authentication)
  • Active Directory as an LDAP server
  • OpenLDAP
  • Local OS
For more information, see Identity Sources for vCenter Server with vCenter Single Sign-On in the vSphere 6.0 Security Guide.
 
How do we generate the PSC Support Bundle for Windows? For the Appliance-based PSC?
 
Since both Appliance-based and Windows-based PSCs can be deployed external to the vCenter Server and can exist in the same environment in vSphere 6.0, there are multiple ways to generate a support log bundle.
 
For the Platform Services Controller Appliance:
  • From a Web Browser
    1. Open a Web Browser and navigate to: https://Platform_Services_Controller_FQDN/appliance/support-bundle
    2. When prompted enter the root credentials and click Enter.
    3. The download begins automatically as vm-support.tgz.
  • From Command Line:
    1. Initiate an SSH connection to the vCenter Server Appliance.
    2. Provide the root user name and password when prompted.
    3. Run this command to enable the Bash shell:

      shell.set --enabled True
       
    4. Run this command to access the Bash shell:

      shell
       
    5. In the Bash shell, run the command to export logs to /storage/log/:

      vc-support -l
       
    6. This begins generating a log bundle as vc-<FQDN_of-PSC>-<Date>.tgz.
    7. After completing, use an SCP client to download the log bundle.
  • From vSphere Web Client UI
    1. Log in to the vSphere Web Client from vCenter Server connected to the Platform Services Controller with [email protected]
    2. Click on Administration > System Configuration
    3. Click Nodes in the left pane.
    4. Locate the Platform Services Controller in the left pane, right-click and click Export Support Bundles.
    5. Click Export Log Bundle and select a location to export.
    6. Click OK.
For the Platform Services Controller for Windows:
  • From Windows Server UI
    1. Remote Desktop into the Windows Server.
    2. Click Start > All Programs (Windows 2008R2) or Start > All Apps icon (Windows Server 2012R2)
    3. Locate the VMware folder
    4. Click Generate vCenter Server log bundle
    5. This will begin generating a log bundle as vc-FQDN_of-PSC-<Date>.tgz on the desktop.
  • From Command Line:
    1. Remote Desktop into the Windows Server.
    2. Open an administrative command prompt.
    3. Run the below command to generate the log bundle:

      "%VMWARE_CIS_HOME%"\bin\vc-support.bat
       
    4. This will begin generating a log bundle as vc-FQDN_of-PSC-<Date>.tgz on the desktop.
  • From vSphere Web Client UI
    1. Log in to the vSphere Web Client from vCenter Server connected to the Platform Services Controller with [email protected]
    2. Click on Administration > System Configuration
    3. Click on Nodes in the left pane.
    4. Locate the Platform Services Controller in the left pane, right-click and click Export Support Bundles
    5. Click Export Log Bundle and select a location to export.
    6. Click OK.
If you are running an embedded Platform Services Controller on your vCenter Server, the support bundle contains the logs and also the information for the PSC. For more information, see Collecting diagnostic information for VMware vCenter Server 4.x, 5.x and 6.0 (1011641).
 
What is a VMware Solution and how does it affect my maximums?
 
A VMware Solution is defined as a product that creates a Machine Account and one or more Solution User (a collection of vSphere services) within the VMware Directory Service when the product is joined to the PSC, thus the vSphere Domain. The Machine Account and Solution User(s) are used to broker and secure communication between other Solutions available within the vSphere environment. In order to count against these maximums, the Machine Account and Solution Users must be fully integrated with all of the PSC's available feature sets (Identity Management and Authentication Brokering, Certificate Management, Licensing, etc.) such that the product makes full use of the PSC. At this time, only vCenter Server is defined as a fully integrated solution and counts against these maximums.
 
Partially integrated solutions, such as vCenter Site Recovery Manager, vCloud Director, vRealize Orchestrator, vRealize Automation Center, and vRealize Operations, do not count against these defined maximums.
 

Upgrade Questions

How do I upgrade from SSO 5.1 to PSC 6.0? From SSO 5.5 to PSC 6.0?
 
If the SSO service is bundled with the vCenter Server, referred to as an embedded deployment, the upgrade from 5.x to 6.0 is handled all-inclusively via the installer for both Windows and the vCenter Server Appliance.
  • vSphere 5.1: If the SSO service is deployed externally, see the Upgrade vCenter Single Sign-On 5.1 for External Deployment section in the vSphere Upgrade Guide.
  • vSphere 5.5: If the SSO service is deployed externally, see the Upgrade vCenter Single Sign-On 5.5 for External Deployment section in the vSphere Upgrade Guide.
 
What is the sequence when upgrading my SSO 5.x to PSC 6.0? What if I have multiple SSO nodes in the same domain?
 
When planning your vSphere 5.x upgrade to 6.0, see Update sequence for vSphere 6.0 and its compatible VMware products (2109760), which covers when to upgrade the Platform Services Controller.
 
In vSphere environments in which multiple SSO nodes exist in the same vSphere domain, see Mixed-Version Transitional Environments in vCenter Server for Windows Upgrades in the vSphere Upgrade Guide.
 
What happens to the database that I have with SSO 5.1?
 
After upgrading to PSC 6.0, the old SSO database is no longer needed. However, the database is not removed from your database server during the upgrade. You must manually remove the database and all users associated with it.
 
After upgrading, will the PSC 6.0 retain my old Identity Sources?
 
Yes, all your old Identity Sources are retained after the upgrade.
 
In SSO 5.1, my SSO domain was system-domain and the administrator user was the admin. Will I still be able to log in using the same username in PSC 6.0?
 
Yes, you can continue to log in to your SSO server with the old user (admin@system-domain) and password. This account is an alias of the [email protected] after you have upgraded.
 
Will PSC 6.0 work with vCenter Server 5.1? With vCenter Server 5.5?
  • vSphere 5.1: No, PSC 6.0 will not work with vCenter Server 5.1.
  • vSphere 5.5: Yes, PSC 6.0 will continue working with vCenter Server 5.5 in an environment in which you are performing a rolling upgrade.

However, VMware does not support fresh installs or repointing of vCenter Server 5.5 against a PSC 6.0, nor does VMware support leaving your environment in a hybrid-type deployment of vSphere 5.5 with vSphere 6.0. VMware recommends that you upgrade vCenter Server to 6.0 along with your PSC. For more information, see Mixed-Version Transitional Environments in vCenter Server for Windows Upgrades in the vSphere Upgrade Guide.
 
 
Will PSC 6.0 work with SSO 5.5?
 
Yes, PSC 6.0 will continue to work with SSO 5.5. However, as with vCenter Server backward compatibility, VMware recommends that you upgrade all of your SSO 5.5 nodes to 6.0. For more information, see Replace the VMware Directory Service Certificate in Mixed Mode Environments in the vSphere Security Guide.
 
When do I Patch (Appliance) or Update (Windows) a PSC 6.0?
 
The Platform Services Controller and the vSphere Domain sit above the vCenter Server and the rest of the VMware product stack. When planning an update for your vSphere environment, the Platform Services Controllers are the first systems that need to be patched or updated. At this time, the Platform Services Controllers must be updated serially, one PSC at a time. Parallel installation of patches or updates on PSCs is not supported.
 
When patching your vSphere Domain environment, VMware recommends always patching all of the PSCs at the same time to bring them to the same version.
 
For more information on the sequence of updating your vSphere environment, see Update sequence for vSphere 6.0 and its compatible VMware products (2109760).
 
How do I check the current vSphere version or build number that my PSC 6.0 is running?
  • Checking the Platform Services Controller Appliance:
    1. SSH to the appliance and log in with root.
    2. Run the command:

      com.vmware.appliance.version1.system.version.get

      You see output with the build number, the release date of the build, and type of the Appliance.

      For example:

      Version:
      Product: VMware vCenter Server Appliance
      Summary: Patch for VMware vCenter Server Appliance 6.0
      Releasedate: June 16, 2015
      Version: 6.0.0.5120
      Build: 2800573
      Type: VMware Platform Services Controller
  • Checking the Platform Services Controller for Windows:
    1. Remote desktop to the Windows Server
    2. Open an administrative command prompt
    3. Run this command to get the build number:

      reg query "HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\vCenter Server" /v BuildNumber

      For example:

      HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\vCenter Server
      BuildNumber REG_SZ 2800572

       
    4. Run this command to get the type of deployment:

      reg query "HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\vCenter Server" /v INSTALL_TYPE

      For example:

      HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\vCenter Server
      INSTALL_TYPE REG_SZ infrastructure


      There are two types that can be displayed here:
      • Embedded indicates the PSC is embedded with the vCenter Server.
      • Infrastructure indicates that the PSC was deployed separately from the vCenter Server.
 
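When a vSphere Domain has several PSCs, the two checks above can be scripted to confirm that every node is on the same build before and after patching. The following is an added example, not VMware's code: it parses the two output formats shown above and reports nodes whose build differs from their peers. The host names and the older build number are constructed, and comparing builds only among nodes of the same platform is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed samples modelled on the example output shown above.
APPLIANCE_SAMPLE = """Version:
   Product: VMware vCenter Server Appliance
   Summary: Patch for VMware vCenter Server Appliance 6.0
   Releasedate: June 16, 2015
   Version: 6.0.0.5120
   Build: 2800573
   Type: VMware Platform Services Controller
"""
REG_BUILD_SAMPLE = r"""HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\vCenter Server
    BuildNumber    REG_SZ    2800572
"""
REG_TYPE_SAMPLE = r"""HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\vCenter Server
    INSTALL_TYPE    REG_SZ    infrastructure
"""

# A "reg query" value line: <name> <REG_type> <data>. The key path line
# does not match because no REG_ type token follows its first word.
REG_VALUE = re.compile(r"^\s*(\S+)\s+REG_[A-Z_]+\s+(.*\S)\s*$", re.M)


def parse_appliance(text):
    """Parse the 'Key: value' lines of the appliance version output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():  # skips the bare 'Version:' header line
            fields[key.strip().lower()] = value.strip()
    return {"platform": "appliance", "build": int(fields["build"]),
            "version": fields.get("version"), "type": fields.get("type")}


def parse_reg(text):
    """Return {value name: data} from 'reg query' output."""
    return {name: data for name, data in REG_VALUE.findall(text)}


def parse_windows(build_out, type_out):
    """Combine the BuildNumber and INSTALL_TYPE queries for one node."""
    values = {**parse_reg(build_out), **parse_reg(type_out)}
    return {"platform": "windows", "build": int(values["BuildNumber"]),
            "version": None, "type": values["INSTALL_TYPE"].lower()}


def find_build_drift(nodes):
    """Return {platform: {build: [node names]}} for each platform whose
    nodes report more than one distinct build number."""
    by_platform = defaultdict(lambda: defaultdict(list))
    for name, info in sorted(nodes.items()):
        by_platform[info["platform"]][info["build"]].append(name)
    return {p: dict(b) for p, b in by_platform.items() if len(b) > 1}


def sample_inventory():
    """Constructed inventory: two appliance PSCs and one Windows PSC.
    2656757 is a made-up older build used only to show drift."""
    stale = APPLIANCE_SAMPLE.replace("2800573", "2656757")
    return {
        "psc-a.example.test": parse_appliance(APPLIANCE_SAMPLE),
        "psc-b.example.test": parse_appliance(stale),
        "psc-w.example.test": parse_windows(REG_BUILD_SAMPLE, REG_TYPE_SAMPLE),
    }


if __name__ == "__main__":
    for platform, builds in find_build_drift(sample_inventory()).items():
        for build, names in sorted(builds.items()):
            print(f"{platform}: build {build} on {', '.join(names)}")
```
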
How do I Patch (Appliance) or Update (Windows) a PSC 6.0?
 
The Platform Services Controller Appliance and the Platform Services Controller for Windows use different update mechanisms to patch the software: the software-packages command on the Appliance, and the autorun executable on Windows. Because of these differences, the operation is usually referred to as Patching on the Appliance and as Updating on Windows. The operations below update your PSCs to the latest version of vSphere 6.0.
  • Patching the Platform Services Controller Appliance:

    The Patches for the Platform Services Controller Appliance are located on the Customer Connect Patch Repository.
    1. Download the Patch ISO for the Platform Services Controller Appliance.
    2. Mount the ISO to the Appliance using the vSphere Client or vSphere Web Client
    3. SSH to the appliance and log in with root.
    4. Ensure you are running the Platform Services Controller appliance under the Appliance Shell. For more information, see Toggling the vCenter Server Appliance 6.x default shell (2100508).
    5. Stage the patches from the mounted ISO by running the command:

      software-packages stage --iso --acceptEulas
       
    6. Install the staged patches by running the command:

      software-packages install --staged
       
    7. If prompted, reboot the Platform Services Controller Appliance:
      1. Run this command to enable the Bash shell:

        shell.set --enabled True
         
      2. Run this command to access the Bash shell:

        shell
         
      3. Run this command to reboot the PSC:

        reboot
         
    8. After completion, repeat this process on a


Additional Information

Collecting diagnostic information for VMware vCenter Server 4.x, 5.x and 6.x
Logging into vCenter Server using the vSphere Client with vCenter Single Sign-On in a multi-domain environment fails
VMware vCenter Single Sign-On Server 5.5 FAQs
Adding an Integrated Active Directory (IWA) Identity Source without the vSphere Web Client for vSphere 5.5/6.0
Microsoft Active Directory Trusts supported with VMware vCenter Single Sign-On
After upgrading to VMware vCenter Server 5.5.0b or later, users from a child domain are no longer able to log in
Possible vSphere.local domain inconsistencies after restoring a vCenter Server Single Sign-On 5.5 or Platform Services Controller 6.0 node
Unable to administer vCenter Single Sign-On after adding a User Group and individual users from a Directory Service (OpenLDAP or Active Directory)
Configuring F5 BIG-IP Load Balancer for use with vSphere Platform Services Controller (PSC) 6.0
Toggling the vCenter Server Appliance 6.x default shell
Using the cmsso command to unregister vCenter Server from Single Sign-On
vCenter Server 6.0 requirements for installation
List of recommended topologies for VMware vSphere 6.0
Update sequence for vSphere 6.0 and its compatible VMware products
Upgrading to vCenter Server 6.0 best practices
Backing up and restoring vCenter Server 6.0 external deployment models
Replacing default certificates with CA signed SSL certificates in vSphere 6.x
vCenter Single Sign-On and Platform Services Controller High Availability Compatibility Matrix
How to repoint vCenter Server 6.x between External PSC within a site
Configuring Citrix NetScaler Load Balancer for use with vSphere Platform Services Controller (PSC) 6.0
FAQ:vSphere 6.0 での VMware Platform Services Controller
vCenter Single Sign-On and Platform Services Controller Compatibility Matrix with vCenter Server
"Signed certificate could not be retrieved due to a start time error" when adding ESXi host to vCenter Server 6.0
Reviewing and Managing Local and Global Permissions in vCenter Server 6.0
Determining replication agreements and status with the Platform Services Controller 6.X
Reviewing and managing tags and tag association in VMware vCenter Server 6.0
Repointing vCenter Server 6.0 between sites in a vSphere Domain
Preguntas frecuentes sobre VMware Platform Services Controller 6.0
常见问题解答:vSphere 6.0 中的 VMware Platform Services Controller
Häufig gestellte Fragen: VMware Platform Services Controller in vSphere 6.0