How to configure Highly Available External Platform Services Controller (PSC) Appliance?

By | March 26, 2015

This post covers configuring Highly Available External Platform Services Controller (PSC) Appliance (SSO). For more information about high availability of vCenter and PSC, please follow my post: VMware vCenter 6 Deployment Possibilities: Topologies and High Availability.

Prerequisties and notes to build a highly available External Platform Services Controller

  • Load Balancer, VMware supports only: Citrix Netscaler, F5 Networks or VMware NSX. (please check comments)
  • With vCenter 6.0, connectivity to the Platform Services Controller is stateful (load balancer as a failover only).
  • Set load balancer up for the two PSCs on ports 389, 443, 636, 2012, 2014, 2020.
  • VMware-psc-ha-6.0.0.2503195.zip available here.

There are some scalability limitations as well:

  • Maximum Platform Services Controllers (PSC) per domain: 8
  • Maximum PSCs per vSphere Site, behind a single load balancer: 4
  • Maximum objects withiun a vSphere domain (Users, groups, solution users): 1,000,000
  • Maximum number of VMware solutions connected to a single PSC: 4
  • Maximum number of VMware products/solutions per vSphere domain: 10

Platform Services Controller Type Deployment Considerations

Platform Services Controller can be deployed in the following configurations:

  • as an embedded Platform Services Controller
  • as an external Platform Services Controller

For simple sites (without Enhanced Linked Mode) is recommended to use an vCenter with embedded Platform Services Controller. High availability is provided by VMware HA because there is only one virtual machine (vCenter + PSC).

For more complex sites  it is recommended to use external Platform Service Controllers. Depending on size of infrastructure (how many VMware solutions e.g. vCenters you use) you would use:

  • Two to four VMware solutions – single PSC or 2 PSCs with single load balancer.
  • Four to eight VMware solutions – 2 PSCs or 4 PSCs with 2 load balancers (2 PSCs behind of each load balancer).
  • Eight to ten VMware solutions – 3 PSCs or 6 PSCs with 3 load balancers (2 PSCs behind of each load balancer).

You can also repoint your vCenter 6 to other external Platform Services Controller - also highly available shown in this post.

Configuring Highly Available External Platform Services Controller Appliance

Deploy two External Platform Services Controllers

To deploy Highly Available External Platform Services Controller Appliance please follow the below steps:

  1. Please deploy the first Platform Services Controller Appliance following steps mentioned here.
  2. When you deployed the first Platform Services Controller, please deploy the second using again steps mentioned above but with the diffrence mentioned in the following steps 3 and 4.
  3. In the Set up Single Sign-on tab, please select Join an SSO domain in an existing vCenter 6.0 platform services controller. Type FQDN or IP of thr first PSC you have deployed in step 1. Click Next.How to configure Highly Available External Platform Services Controller Appliance
  4. Select Join an existing site and select SSO site from the list. Click Next.How to configure Highly Available External Platform Services Controller Appliance 2
  5. Follow the rest steps as mentioned in my another post.
  6. The summary of the second PSC. The Single Sign-On instance IP should be the IP or FQDN of the first PSC.How to configure Highly Available External Platform Services Controller Appliance 3

Configuring Platform Services Controllers HA

Now, as you have deployed two External Platform Services Controller Appliances, it's time to configure HA. Please follow the below steps:

  1. Download the vCenter Single Sign-On high availability configuration scripts from the vCenter Server product download page mentioned in prerequisites earlier in this post.
  2. Connect to the first and second Platform Services Controller via SSH.
  3. On both please,type:

    shell.set --enabled True

  4. On both please create a catalog name sso-ha:

    mkdir /sso-ha

  5. Send the above zip file to the PSC via scp.

    scp VMware-psc-ha-6.0.0.2503195.zip root@FQDN_of_PSC:

    Note: To be able to send files via scp, you need to change shell to bash

    chsh -r "/bin/bash" root

    If you do not change the shell, you will get the following error:

    Unknown command: `scp'

  6. On the first PSC, extract the vCenter Single Sign-On high availability scripts to /sso-ha.

    unzip VMware-psc-ha-6.0.0.2503195.zip -d /sso-ha/

  7. Change directory to /sso-ha on the first PSC:

    cd /sso-ha

  8. Run the following command on the first PSC:

    python gen-lb-cert.py --primary-node --lb-fqdn=loadbalancerFQDN

    In my case:

    python gen-lb-cert.py --primary-node --lb-fqdn=Nihon-lb.nihonno.domein

    You should get the following output:

    Initialization complete
    executing certTool command
    executing certTool command
    Using config file : /usr/lib/vmware-vmca/share/config/certool.cfg
    Status : Success
    Executing openssl command
    Executing openssl command
    writing RSA key
    Modifying hostname.txt
    modifying server.xml
    Executing StopService --all
    INFO:root:Service: vmware-syslog-health, Action: stop
    INFO:root:Service: applmgmt, Action: stop
    INFO:root:Service: vmware-cis-license, Action: stop
    INFO:root:Service: vmware-syslog, Action: stop
    INFO:root:Service: vmware-sca, Action: stop
    INFO:root:Service: vmware-cm, Action: stop
    INFO:root:Service: vmware-rhttpproxy, Action: stop
    INFO:root:Service: vmware-stsd, Action: stop
    INFO:root:Service: vmware-sts-idmd, Action: stop
    INFO:root:Service: vmcad, Action: stop
    INFO:root:Service: vmdird, Action: stop
    INFO:root:Service: vmafdd, Action: stop
    Executing StartService --all
    INFO:root:Service: vmafdd, Action: start
    INFO:root:Service: vmware-rhttpproxy, Action: start
    INFO:root:Service: vmdird, Action: start
    INFO:root:Service: vmcad, Action: start
    INFO:root:Service: vmware-sts-idmd, Action: start
    INFO:root:Service: vmware-stsd, Action: start
    INFO:root:Service: vmware-cm, Action: start
    INFO:root:Service: vmware-cis-license, Action: start
    INFO:root:Service: vmware-sca, Action: start
    INFO:root:Service: applmgmt, Action: start
    INFO:root:Service: vmware-syslog, Action: start
    INFO:root:Service: vmware-syslog-health, Action: start
    Copy the contents of the /ha to the other nodes
    Please copy the p12 file into the F5 loadbalancer
    Please copy the lb_rsa.key file and lb.crt file into the Netscaler loadbalancer

  9. Create a forward and reverse DNS entry for the VIP created to load-balance the Platform Services Controller traffic.
  10. On the second PSC, please create the following folders:

    mkdir /ha
    mkdir /ha/keys

  11. Copy the /sso-ha and /ha folder from the first Platform Services Controller. Please run the following command on the primary (first) PSC:

    scp /sso-ha/* root@FQDN_2nd_PSC:/sso-ha
    scp /ha/* root@FQDN_2nd_PSC:/ha

    In my case:

    scp /sso-ha/* root@vc-psc2.nihonno.domein:/sso-ha
    scp /ha/* root@vc-psc2.nihonno.domein:/ha

  12. Copy /etc/vmware-sso/keys/ from the first Platform Services Controller to /ha/keys on the second PSC.

    scp /etc/vmware-sso/keys root@FQDN_2nd_PSC:/ha/keys

    In my case:

    scp /etc/vmware-sso/keys root@vc-psc2.nihonno.domein:/ha/keys

  13. On the second PSC, change directory to /sso-ha.

    cd /sso-ha

  14. Run the following command on the second PSC:

    python gen-lb-cert.py --secondary-node --lb-fqdn=loadbalancerFQDN --lb-cert-folder=/ha --sso-serversign-folder=/ha/keys

    In my case:

    python gen-lb-cert.py --secondary-node --lb-fqdn=nihon-lb.nihonno.domein --lb-cert-folder=/ha --sso-serversign-folder=/ha/keys

  15. On first Platform Services Controller, update the endpoint URL by running:

    python lstoolHA.py --hostname=FQDNofLocalMachine --lb-fqdn=loadbalancerFQDN --lb-cert-folder=/ha --user=Administrator@SSODomain

    In my case:

    python lstoolHA.py --hostname=vc-psc1.nihonno.domein --lb-fqdn=nihon-lb.nihonno.domein --lb-cert-folder=/ha --user=Administrator@vsphere.local

  16. Follow the steps mentioned here to install a new external vCenter Server. When asked for the Platform Services Controller, enter the FQDN of the load balancer VIP.

22 thoughts on “How to configure Highly Available External Platform Services Controller (PSC) Appliance?

  1. Ganesh

    Is it possible to upgrade the SSO 5.5 load balancer directly to the Platform Services Controller ..

    Reply
  2. Ganesh

    Good Article and I noticed you missed double -- in few commands.

    shell.set –enabled True = -- enabled

    python gen-lb-cert.py –primary-node –lb-fqdn=Nihon-lb.nihonno.domein = --primary-node and --lb-fqdn......

    Reply
      1. Ganesh

        Really Strange..it will create unnecessary confusion when we following the command ...
        Also it worked only when i used the double quotes ( chsh -s "/bin/bash" root ) ,

        Reply
          1. Ganesh

            Thanks...I already configured the vCSA 6.0 to the embedded PSC and now how i can point to the loadblancer PSC...Is there any configuration or command to change the PSC from the local to the PSC LB...

            Reply
            1. Mariusz Post author

              There is a command (I wrote a post mentioned earlier in this article) to repoint vCenter to a newer external PSC. Unfortunately, at least officially, the only supported way to change from an embedded to an external Platform Services Controller is a fresh install.

              Reply
  3. MikeP

    Could you do a similar post showing the process for doing this with the Windows version of the PSC?

    Reply
    1. Mariusz Post author

      HA of PSC on Windows is almost the same, just you need to remember to add Python to your path on PSC by typing: PATH=%PATH%;%VMWARE_PYTHON_HOME% . Please follow pages 53-59 in the guide mentioned in the above comments.

      Reply
  4. John

    Fantastic Post!! Did you ever post your steps to configure load balancing for the PCS on a Netscaler?

    Reply
    1. Mariusz Post author

      Hi John,

      Thank you for warm answer! Yes, the post is in the queue! But i will try to post it within one week.

      Reply
  5. Qing Lin

    need configuration guide for PSC HA on Citrix Netscaler load balancer (vSphere v6.0)???

    also, is it possible just setup two external PSC for redundancy without NLB. as some environment is simple and do not need NLB but redundant PSC.

    that's being says, can we manually point vcenter to psc? in the event of psc failure, vcenter will re-point to the second psc.

    any suggetions will be appreciatted!

    Qing Lin

    Reply
    1. Mariusz Post author

      Hello Qing,

      Yes, you can install two or more external PSCs (create a SSO domain and join the second PSC) and later, if necessary, you can repoint vCenter to the second PSC manually.

      Now, I can't tell you when I write a post about Netscaler so please stay tuned (check or use newsletter to not miss any updates).

      btw. I have not tested it but probably you could use CNAME record for your PSC so you need to change a record in DNS to point to the second PSC. Unfortunately, I'm not sure if it is a supported way but it should work as well.

      Reply
  6. Jim

    Hi Settlersoman,

    Great article. Just to clarify here NSX-v is not a supported Load Balancing method for the PSC: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2112736

    Currently, while the upgrade of existing 5.5 SSO to 6.0 PSC is supported, you must use a supported LB with 6.0. If using vCNS or NSX for SSO 5.5, you'll need to migrate to an F5 or NetScaler first, then upgrade to PSC. This is due to a lack of multi-port support and session affinity with NSX.

    Reply
    1. Mariusz Post author

      Hi Jim,

      thanks for info. Looks like VMware has changed it. I'm sure I saw NSX as a supported load balancer. The article you provided was updated yesterday 😉

      Reply
  7. David Nolan

    Hi, I'm looking to add 4 PSCs behind a load balancer but unsure of the python command on the 3rd and 4th nodes as the only options appear to be "--primary-node" and "--secondary-node".

    Eg

    python gen-lb-cert.py --secondary-node --lb-fqdn=load_balanced_fqdn --lb-cert-folder=/ha --sso-serversign-folder=/ha/keys

    Any ideas gratefully received.

    David

    Reply
    1. Mariusz Post author

      Hi David,

      I checked this some weeks ago and as I know, you can have only one pair of PSCs behind a load balancer. However you can create two pairs of PSCs in the same SSO domain and if necessary just repoint vCenter between them.

      Reply
  8. Jim

    I am having trouble - getting error certificate hostname did not match - %load-balancer FQDN% does not match %PSC host name%

    Reply
    1. Mariusz Post author

      Thx for comment and pointing a small mistake. I cut your post for better visibility. Hmmm, I haven't faced such error.

      Reply
    2. Alex

      Got the same "Caused by: javax.net.ssl.SSLException: hostname in certificate didn't match:"
      Did you find a solution?

      Reply
  9. hoang92bn

    I get there error at last command:
    Caused by: javax.net.ssl.SSLException: hostname in certificate didn't match: != OR

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *