VMware vSphere 6.5 – Platform Service Controller HA lab using BIG IP Load Balancer
In my previous post I showed how to configure high availability for Platform Services Controllers in vSphere 6.0 using an F5 BIG IP load balancer. In this post I am going to demonstrate how to configure Platform Services Controller High Availability (HA) in a vSphere 6.5 environment. There are no major architecture changes for Platform Services Controllers, but the HA configuration is now simpler: it supports SSL pass-through (which means you do not have to upload SSL certificates onto the load balancer), and unlike the previous version there is no need to download HA scripts from VMware to enable it. The VMware NSX Edge load balancer is supported along with BIG IP and Citrix NetScaler. Please refer to the link for supported and deprecated deployment models with vSphere 6.5. If you are planning to upgrade from an earlier version to vSphere 6.5, please refer to the following link for licensing requirements and important information before upgrading.
Topology and software components used in this lab are listed below:
• One Single Sign-On domain
• One Single Sign-On site
• Two external Platform Services Controllers (Linux based appliance )
• Two vCenter Server with external Platform Services Controllers ( vCSA 6.5)
• One third-party load balancer (F5 BIG IP-VE)
First, let's deploy the primary and replication Platform Services Controllers. Please follow the steps below to deploy the primary external Platform Services Controller.
- Mount the installation media and launch the UI installer.
- Click on Install to proceed with installation.
- Click Next to start stage 1 of the deployment process (vCSA and Platform Services Controller installation is now a two stage process: deployment, then configuration).
- Select the Platform Services Controller radio button and click Next.
- Enter the ESXi host or vCenter Server information to deploy the appliance to (an ESXi host in this case).
- Accept the certificate warning to continue with the deployment.
- Enter the appliance name and a new root password and click Next to continue.
- Select the datastore and click Next.
- Provide the static IP, FQDN and DNS information and click Next to continue.
- Review the configuration details and click Finish to start the deployment.
- Let's continue with stage 2 of the two stage deployment process by clicking Next.
- Select the NTP and SSH options for the appliance and click Next to continue.
- Select the "Create a new SSO domain" radio button, enter the SSO domain name, SSO password and SSO site name, and then click Next to continue.
- Finally, review the settings and click Finish to complete the final step of the two stage deployment process.
We have successfully deployed the primary Platform Services Controller. Let's proceed with deploying the replication Platform Services Controller.
- Follow steps 1 to 12 above to deploy the replication Platform Services Controller, and select the "Join an existing SSO domain" option when you reach step 13. Enter the FQDN of the primary Platform Services Controller, the SSO domain we created earlier and the credentials to join the SSO domain. Click Next once done.
- Select the "Join an existing SSO site" radio button, select the SSO site we created earlier (sddconline-site1 in this case) from the drop down list and click Next to continue.
- Review the settings and click Finish to complete.
We have successfully deployed the primary and replication Platform Services Controllers. Let's proceed with generating the SSL certificates required for this lab; we will use certificates issued by the VMware Certificate Authority (VMCA, part of the PSC).
- Let's create the certificate signing request first. Log in to the first PSC and create a working directory with mkdir /ha; we will use this directory to store all certificates and keys required going forward. Change to the new directory and create the OpenSSL request configuration file psc_ha_csr_cfg.cfg with a text editor. It is important that the subject alternative names list the FQDN of the primary PSC, every replication PSC and the load balanced URL, and the common name must be the FQDN of the load balanced URL.
- Execute the following command to create a certificate signing request along with a key file (psc_ha_csr_cfg.cfg is the configuration file we created in step 1 above): openssl req -new -nodes -out /ha/lb.csr -newkey rsa:2048 -keyout /ha/lb.key -config /ha/psc_ha_csr_cfg.cfg
- Execute the following command to have VMCA sign the request; the same configuration file is passed as -extfile so that the v3_req extensions, and with them the subject alternative names, are copied into the issued certificate: openssl x509 -req -days 3650 -in /ha/lb.csr -out /ha/lb.crt -CA /var/lib/vmware/vmca/root.cer -CAkey /var/lib/vmware/vmca/privatekey.pem -extensions v3_req -CAcreateserial -extfile /ha/psc_ha_csr_cfg.cfg
- Execute the commands below to copy the current VMCA root certificate as cachain.crt and to build the SSL certificate chain file, which contains the newly created certificate followed by the VMCA root certificate:
cp /var/lib/vmware/vmca/root.cer /ha/cachain.crt
cat /ha/lb.crt >> /ha/lb-chain.crt
cat /ha/cachain.crt >> /ha/lb-chain.crt
- Verify the certificate by executing the following command, and make sure the subject alternative names include all Platform Services Controllers and the common name matches the FQDN of the load balanced URL: openssl x509 -in /ha/lb-chain.crt -noout -text
- Now replace the certificates on the Platform Services Controllers, and make sure to do so on all Platform Services Controllers in your environment: copy the files from /ha on the primary PSC to each replication PSC using scp or WinSCP (to allow scp on the appliances, switch the root shell to bash with chsh -s /bin/bash root). Since lb.key is a private key that every PSC will share, copy it over an encrypted channel only and delete the working copies in /ha once the import is done. Run /usr/lib/vmware-vmca/bin/certificate-manager, choose option 1 (replace the Machine SSL certificate with a custom certificate) and then option 2 (import the custom certificate and key).
- Provide the paths for the certificate, key and signing chain (in our case /ha/lb-chain.crt, /ha/lb.key and /ha/cachain.crt) and type Y to proceed with replacing the certificates.
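The certificate steps above, scripted end to end as an added example (this is not the post's own psc_ha_csr_cfg.cfg, which is not reproduced here). The script writes a request configuration in the shape the steps require (CN = load balanced FQDN, SAN = load balanced FQDN plus every PSC), runs the same openssl req / openssl x509 -req commands, builds the chain file, and then checks CN, SAN and chain the way step 7 asks you to by eye. The FQDNs labpsclb.sddconline.com, labpsc01 and labpsc02 are lab assumptions, and the throwaway CA stands in for /var/lib/vmware/vmca/root.cer and privatekey.pem on the primary PSC.

```sh
#!/bin/sh
# Added example, not from the original post. Assumed names: labpsclb.sddconline.com
# (load balanced FQDN) and labpsc01/labpsc02.sddconline.com (the two PSCs).
set -eu

# write_psc_csr_config <out.cfg> <lb-fqdn> <psc-fqdn>...
# CN is the load balanced FQDN; the SAN lists it plus every PSC in the SSO site.
write_psc_csr_config() {
    cfg="$1"; lb="$2"; shift 2
    {
        printf '[ req ]\n'
        printf 'distinguished_name = req_distinguished_name\n'
        printf 'req_extensions = v3_req\n'
        printf 'prompt = no\n\n'
        printf '[ req_distinguished_name ]\n'
        printf 'countryName = US\n'
        printf 'organizationName = sddconline lab\n'
        printf 'commonName = %s\n\n' "$lb"
        printf '[ v3_req ]\n'
        printf 'basicConstraints = CA:FALSE\n'
        printf 'keyUsage = nonRepudiation, digitalSignature, keyEncipherment\n'
        printf 'subjectAltName = @alt_names\n\n'
        printf '[ alt_names ]\n'
        printf 'DNS.1 = %s\n' "$lb"
        i=2
        for psc in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$psc"
            i=$((i + 1))
        done
    } > "$cfg"
}

# make_lab_ca <dir>: throwaway root CA standing in for VMCA's root.cer/privatekey.pem
make_lab_ca() {
    dir="$1"
    printf '[ req ]\ndistinguished_name = dn\nx509_extensions = ca\nprompt = no\n[ dn ]\ncommonName = Lab VMCA stand-in\n[ ca ]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = keyCertSign, cRLSign\n' > "$dir/ca.cfg"
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 -config "$dir/ca.cfg" \
        -keyout "$dir/privatekey.pem" -out "$dir/root.cer" 2>/dev/null
}

# issue_lb_cert <dir> <cfg>: the post's key/CSR/cert/chain steps against <dir>/root.cer
issue_lb_cert() {
    dir="$1"; cfg="$2"
    openssl req -new -nodes -newkey rsa:2048 -keyout "$dir/lb.key" -out "$dir/lb.csr" \
        -config "$cfg" 2>/dev/null
    # -extfile/-extensions copy the v3_req block (and so the SAN) into the issued cert
    openssl x509 -req -days 3650 -in "$dir/lb.csr" -out "$dir/lb.crt" \
        -CA "$dir/root.cer" -CAkey "$dir/privatekey.pem" -CAcreateserial \
        -extensions v3_req -extfile "$cfg" 2>/dev/null
    cp "$dir/root.cer" "$dir/cachain.crt"
    cat "$dir/lb.crt" "$dir/cachain.crt" > "$dir/lb-chain.crt"   # leaf first, then the CA
    chmod 600 "$dir/lb.key"                                       # the key is shared by all PSCs
}

# check_lb_cert <dir> <lb-fqdn> <psc-fqdn>...: CN == LB FQDN, every name in the SAN,
# and the leaf chains to cachain.crt. Returns 1 on the first failed check.
check_lb_cert() {
    dir="$1"; lb="$2"; shift 2
    cert="$dir/lb-chain.crt"   # openssl x509 reads the first (leaf) certificate in the file
    openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | grep -Eq "CN=$lb(,|$)" || return 1
    san=$(openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1)
    for name in "$lb" "$@"; do
        printf '%s\n' "$san" | grep -Eq "DNS:$name(,|$)" || return 1
    done
    openssl verify -CAfile "$dir/cachain.crt" "$dir/lb.crt" >/dev/null 2>&1 || return 1
    return 0
}

# demo: run the whole flow in a temporary directory (PSC_HA_DEMO=1 sh thisfile.sh)
demo() {
    d=$(mktemp -d)
    write_psc_csr_config "$d/psc_ha_csr_cfg.cfg" labpsclb.sddconline.com \
        labpsc01.sddconline.com labpsc02.sddconline.com
    make_lab_ca "$d"
    issue_lb_cert "$d" "$d/psc_ha_csr_cfg.cfg"
    check_lb_cert "$d" labpsclb.sddconline.com labpsc01.sddconline.com labpsc02.sddconline.com
}
if [ "${PSC_HA_DEMO:-0}" = 1 ]; then demo && echo "certificate OK"; fi
```

On a real PSC, point make_lab_ca's outputs at /var/lib/vmware/vmca/root.cer and privatekey.pem instead and keep the working directory at /ha as in the post. The check is worth running before certificate-manager rather than after: a PSC whose Machine SSL certificate lacks a PSC's own FQDN in the SAN will fail name validation from vCenter once the load balanced name is in use.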
At this point all PSCs should be updated with the certificate we provided. Let's proceed to configure the load balancer that provides HA for the PSCs. My home lab setup is running F5 BIG IP VE version 11.5; you can choose one of the VMware supported hardware or virtual editions. I have the BIG IP deployed in my home lab and ready to configure virtual servers. Please follow this KB article to deploy BIG IP VE on ESXi.
- First, let's create a custom health monitor for the PSCs by navigating to Local Traffic >> Monitors and clicking Create.
- Enter the new monitor name and select https as the monitor type in the General Properties section. In the Configuration section enter the following send string: GET /websso/HealthStatus HTTP/1.1\r\nHost:\r\nConnection: Close\r\n\r\n and set the receive string to 200 (the status line of a healthy PSC is HTTP/1.1 200 OK). Also set the Alias Service Port to 443 in the Configuration section; this lets the same monitor be attached to the pools for the other ports while still probing the websso endpoint on 443. Click Finished once done.
- Now let's create the server pools for the PSC services by navigating to Local Traffic >> Pools >> Create.
- Provide the pool name in the Configuration section, select Round Robin as the load balancing method in the Resources section, attach the health monitor created above and add all PSCs in your environment as members on port 443 for the https pool. Click Finished once done.
- Repeat step 4 above to create server pools for ports 389, 636, 2012, 2014 and 2020.
- Now let's create the persistence profile for the virtual servers. This is important to ensure that requests from a vCenter Server are sent to the same PSC throughout its session. Navigate to Local Traffic >> Profiles >> Persistence and click Create.
- Enter the name for the new persistence profile, select Source Address Affinity as the persistence type, set the timeout to 28800 in the Configuration section and click Finished.
- We will now create the virtual servers for the PSC services. Navigate to Local Traffic >> Virtual Servers and click Create.
- Enter the name, IP address and service port (443) in the General section of the virtual server creation page. Select Auto Map for Source Address Translation in the Configuration section. Since this is SSL pass-through, no client SSL profile is attached. Continue by selecting the default pool and the persistence profile we created earlier.
- Repeat step 9 to create the remaining virtual servers for ports 389, 636, 2012, 2014 and 2020. The IP address must be the same for all of them; it is the address the load balanced FQDN resolves to.
- Ensure that all pools and virtual servers are up and healthy by navigating to Network Map.
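The same BIG IP objects expressed as tmsh commands, as an added example rather than anything from the post or from F5. A small shell function emits the monitor, the persistence profile, and one pool plus one virtual server per PSC port, so the twelve GUI steps above become a script you can review and replay. The virtual server address 10.10.10.10, the member addresses 10.10.10.11 and 10.10.10.12 and the object names (psc_https_mon, psc_persist, psc_pool_<port>, psc_vs_<port>) are assumptions; the send/receive strings, round robin, source address persistence with a 28800 second timeout, Auto Map SNAT and the port list come from the steps above.

```sh
#!/bin/sh
# Added example, not from the original post: generate tmsh for the PSC HA objects.
# Assumed names/addresses: psc_https_mon, psc_persist, psc_pool_<port>, psc_vs_<port>,
# VIP 10.10.10.10, PSC members 10.10.10.11 and 10.10.10.12.
set -eu

PSC_PORTS="443 389 636 2012 2014 2020"

# psc_monitor_tmsh <name>: https monitor for /websso/HealthStatus. destination *:443 is the
# GUI's Alias Service Port, so the monitor probes 443 even when attached to the 389/636/... pools.
psc_monitor_tmsh() {
    printf 'create ltm monitor https %s defaults-from https destination *:443 send "GET /websso/HealthStatus HTTP/1.1\\r\\nHost:\\r\\nConnection: Close\\r\\n\\r\\n" recv "200"\n' "$1"
}

# psc_pool_tmsh <port> <psc-ip>...: round robin pool of every PSC on <port>, health-checked by psc_https_mon
psc_pool_tmsh() {
    port="$1"; shift
    members=""
    for ip in "$@"; do members="$members $ip:$port"; done
    printf 'create ltm pool psc_pool_%s load-balancing-mode round-robin monitor psc_https_mon members add {%s }\n' "$port" "$members"
}

# psc_virtual_tmsh <vip-ip> <port>: plain TCP virtual server (SSL pass-through, so no client-ssl
# profile), Auto Map SNAT, source address persistence shared by every port
psc_virtual_tmsh() {
    printf 'create ltm virtual psc_vs_%s destination %s:%s ip-protocol tcp profiles add { tcp } pool psc_pool_%s source-address-translation { type automap } persist replace-all-with { psc_persist }\n' "$2" "$1" "$2" "$2"
}

# bigip_psc_config <vip-ip> <psc-ip>...: the complete tmsh script, one line per object
bigip_psc_config() {
    vip="$1"; shift
    psc_monitor_tmsh psc_https_mon
    printf 'create ltm persistence source-addr psc_persist defaults-from source_addr timeout 28800\n'
    for port in $PSC_PORTS; do
        psc_pool_tmsh "$port" "$@"
        psc_virtual_tmsh "$vip" "$port"
    done
}

# Usage: sh thisfile.sh > psc_ha.tmsh ; then on the BIG IP: tmsh load sys config merge file psc_ha.tmsh
# (or paste the lines into a tmsh session one at a time and tmsh save sys config).
if [ "${PSC_HA_DEMO:-0}" = 1 ]; then bigip_psc_config 10.10.10.10 10.10.10.11 10.10.10.12; fi
```

Using one persistence profile across all six virtual servers is deliberate: a vCenter Server that lands on the first PSC for 443 should also reach that PSC for LDAP and the 2012/2014/2020 services, otherwise a token issued by one node may be presented to the other mid-session. Check the generated lines against your BIG IP version before loading them; the syntax here is what I would expect on 11.x and later but it was not run on the author's 11.5 unit.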
We now have two PSCs in a single SSO domain with updated certificates and a load balancer URL. Let's run the configuration scripts that enable HA for the PSCs.
- Log in to the first PSC in the environment, change to /usr/lib/vmware-sso/bin and run the following command (lb-fqdn must be the load balanced FQDN of the PSCs): python updateSSOConfig.py --lb-fqdn=labpsclb.sddconline.com
- Repeat step 1 on the remaining PSCs in the environment.
- Now run the following command on only one PSC to update the lookup service endpoints: python UpdateLsEndpoint.py --lb-fqdn=labpsclb.sddconline.com --user=Administrator@vsphere.local --password=<SSO administrator password>
Now that the vSphere 6.5 Platform Services Controller HA setup is complete, we can proceed with installing the vCenter Server service pointed at the PSC HA URL. Follow the steps below to deploy an externally hosted vCenter Server and provide the FQDN of the load balanced URL of the Platform Services Controller.
- Follow steps 1 to 3 in the PSC deployment section above to start the vCenter deployment.
- Select the vCenter Server (External deployment) option and click Next.
- Enter the ESXi host or vCenter Server information and credentials to deploy the appliance to, then enter the appliance name and a new root password, select the deployment size and datastore, and provide the IP address, FQDN and DNS server in the next steps of the deployment process. Review the settings and click Finish to complete stage 1 of the two stage vCSA deployment.
- In stage 2 (the configuration section), enter the FQDN of the load balanced URL of the Platform Services Controller along with the SSO domain name and credentials to proceed with the vCenter service installation. Because the appliance trusts the Machine SSL certificate chain it sees at this step, the certificate presented through the load balancer must be the VMCA issued one imported earlier.
- Repeat the above steps to deploy any additional vCenter Servers, pointing each at the load balanced URL of the Platform Services Controller when prompted. I have deployed 2 vCenter Servers in a single SSO domain using the steps above and I can now manage them in a single pane of glass view.