How to configure Highly Available External Platform Services Controller (PSC) Appliance?

By | November 20, 2015

This post covers configuring Highly Available External Platform Services Controller (PSC) Appliance (SSO). For more information about high availability of vCenter and PSC, please follow my post: VMware vCenter 6 Deployment Possibilities: Topologies and High Availability.

Prerequisties and notes to build a highly available External Platform Services Controller

  • Load Balancer, VMware supports only: Citrix Netscaler, F5 Networks or VMware NSX. (please check comments)
  • With vCenter 6.0, connectivity to the Platform Services Controller is stateful (load balancer as a failover only).
  • Set load balancer up for the two PSCs on ports 389, 443, 636, 2012, 2014, 2020.
  • VMware-psc-ha-6.0.0.2503195.zip available here.

There are some scalability limitations as well:

  • Maximum Platform Services Controllers (PSC) per domain: 8
  • Maximum PSCs per vSphere Site, behind a single load balancer: 4
  • Maximum objects withiun a vSphere domain (Users, groups, solution users): 1,000,000
  • Maximum number of VMware solutions connected to a single PSC: 4
  • Maximum number of VMware products/solutions per vSphere domain: 10

Platform Services Controller Type Deployment Considerations

Platform Services Controller can be deployed in the following configurations:

  • as an embedded Platform Services Controller
  • as an external Platform Services Controller

For simple sites (without Enhanced Linked Mode) is recommended to use an vCenter with embedded Platform Services Controller. High availability is provided by VMware HA because there is only one virtual machine (vCenter + PSC).

For more complex sites  it is recommended to use external Platform Service Controllers. Depending on size of infrastructure (how many VMware solutions e.g. vCenters you use) you would use:

  • Two to four VMware solutions – single PSC or 2 PSCs with single load balancer.
  • Four to eight VMware solutions – 2 PSCs or 4 PSCs with 2 load balancers (2 PSCs behind of each load balancer).
  • Eight to ten VMware solutions – 3 PSCs or 6 PSCs with 3 load balancers (2 PSCs behind of each load balancer).

You can also repoint your vCenter 6 to other external Platform Services Controller - also highly available shown in this post.

Configuring Highly Available External Platform Services Controller Appliance

Deploy two External Platform Services Controllers

To deploy Highly Available External Platform Services Controller Appliance please follow the below steps:

  1. Please deploy the first Platform Services Controller Appliance following steps mentioned here.
  2. When you deployed the first Platform Services Controller, please deploy the second using again steps mentioned above but with the diffrence mentioned in the following steps 3 and 4.
  3. In the Set up Single Sign-on tab, please select Join an SSO domain in an existing vCenter 6.0 platform services controller. Type FQDN or IP of thr first PSC you have deployed in step 1. Click Next.How to configure Highly Available External Platform Services Controller Appliance
  4. Select Join an existing site and select SSO site from the list. Click Next.How to configure Highly Available External Platform Services Controller Appliance 2
  5. Follow the rest steps as mentioned in my another post.
  6. The summary of the second PSC. The Single Sign-On instance IP should be the IP or FQDN of the first PSC.How to configure Highly Available External Platform Services Controller Appliance 3

Configuring Platform Services Controllers HA

Now, as you have deployed two External Platform Services Controller Appliances, it's time to configure HA. Please follow the below steps:

  1. Download the vCenter Single Sign-On high availability configuration scripts from the vCenter Server product download page mentioned in prerequisites earlier in this post.
  2. Connect to the first and second Platform Services Controller via SSH.
  3. On both please,type:

    shell.set --enabled True

  4. On both please create a catalog name sso-ha:

    mkdir /sso-ha

  5. Send the above zip file to the PSC via scp.

    scp VMware-psc-ha-6.0.0.2503195.zip root@FQDN_of_PSC:

    Note: To be able to send files via scp, you need to change shell to bash

    chsh -r "/bin/bash" root

    If you do not change the shell, you will get the following error:

    Unknown command: `scp'

  6. On the first PSC, extract the vCenter Single Sign-On high availability scripts to /sso-ha.

    unzip VMware-psc-ha-6.0.0.2503195.zip -d /sso-ha/

  7. Change directory to /sso-ha on the first PSC:

    cd /sso-ha

  8. Run the following command on the first PSC:

    python gen-lb-cert.py --primary-node --lb-fqdn=loadbalancerFQDN

    In my case:

    python gen-lb-cert.py --primary-node --lb-fqdn=Nihon-lb.nihonno.domein

    You should get the following output:

    Initialization complete
    executing certTool command
    executing certTool command
    Using config file : /usr/lib/vmware-vmca/share/config/certool.cfg
    Status : Success
    Executing openssl command
    Executing openssl command
    writing RSA key
    Modifying hostname.txt
    modifying server.xml
    Executing StopService --all
    INFO:root:Service: vmware-syslog-health, Action: stop
    INFO:root:Service: applmgmt, Action: stop
    INFO:root:Service: vmware-cis-license, Action: stop
    INFO:root:Service: vmware-syslog, Action: stop
    INFO:root:Service: vmware-sca, Action: stop
    INFO:root:Service: vmware-cm, Action: stop
    INFO:root:Service: vmware-rhttpproxy, Action: stop
    INFO:root:Service: vmware-stsd, Action: stop
    INFO:root:Service: vmware-sts-idmd, Action: stop
    INFO:root:Service: vmcad, Action: stop
    INFO:root:Service: vmdird, Action: stop
    INFO:root:Service: vmafdd, Action: stop
    Executing StartService --all
    INFO:root:Service: vmafdd, Action: start
    INFO:root:Service: vmware-rhttpproxy, Action: start
    INFO:root:Service: vmdird, Action: start
    INFO:root:Service: vmcad, Action: start
    INFO:root:Service: vmware-sts-idmd, Action: start
    INFO:root:Service: vmware-stsd, Action: start
    INFO:root:Service: vmware-cm, Action: start
    INFO:root:Service: vmware-cis-license, Action: start
    INFO:root:Service: vmware-sca, Action: start
    INFO:root:Service: applmgmt, Action: start
    INFO:root:Service: vmware-syslog, Action: start
    INFO:root:Service: vmware-syslog-health, Action: start
    Copy the contents of the /ha to the other nodes
    Please copy the p12 file into the F5 loadbalancer
    Please copy the lb_rsa.key file and lb.crt file into the Netscaler loadbalancer

  9. Create a forward and reverse DNS entry for the VIP created to load-balance the Platform Services Controller traffic.
  10. On the second PSC, please create the following folders:

    mkdir /ha
    mkdir /ha/keys

  11. Copy the /sso-ha and /ha folder from the first Platform Services Controller. Please run the following command on the primary (first) PSC:

    scp /sso-ha/* root@FQDN_2nd_PSC:/sso-ha
    scp /ha/* root@FQDN_2nd_PSC:/ha

    In my case:

    scp /sso-ha/* root@vc-psc2.nihonno.domein:/sso-ha
    scp /ha/* root@vc-psc2.nihonno.domein:/ha

  12. Copy /etc/vmware-sso/keys/ from the first Platform Services Controller to /ha/keys on the second PSC.

    scp /etc/vmware-sso/keys root@FQDN_2nd_PSC:/ha/keys

    In my case:

    scp /etc/vmware-sso/keys root@vc-psc2.nihonno.domein:/ha/keys

  13. On the second PSC, change directory to /sso-ha.

    cd /sso-ha

  14. Run the following command on the second PSC:

    python gen-lb-cert.py --secondary-node --lb-fqdn=loadbalancerFQDN --lb-cert-folder=/ha --sso-serversign-folder=/ha/keys

    In my case:

    python gen-lb-cert.py --secondary-node --lb-fqdn=nihon-lb.nihonno.domein --lb-cert-folder=/ha --sso-serversign-folder=/ha/keys

  15. On first Platform Services Controller, update the endpoint URL by running:

    python lstoolHA.py --hostname=FQDNofLocalMachine --lb-fqdn=loadbalancerFQDN --lb-cert-folder=/ha --user=Administrator@SSODomain

    In my case:

    python lstoolHA.py --hostname=vc-psc1.nihonno.domein --lb-fqdn=nihon-lb.nihonno.domein --lb-cert-folder=/ha --user=Administrator@vsphere.local

  16. Follow the steps mentioned here to install a new external vCenter Server. When asked for the Platform Services Controller, enter the FQDN of the load balancer VIP.
Author: Mariusz

Architect (~ 15 years experience based on passion...) with strong background as a System Administrator and Engineer. Focused on Data Center Solutions: Virtualization/Cloud Computing and Storage/Backup Systems. Currently living in Poland.