vSphere 6 Platform Services Controller HA Setup using F5 Load Balancer and vSphere 6 Enhanced Linked Mode

In my previous post I showed how to deploy vCenter Server in the standalone embedded model. In this post we learn how to configure Platform Services Controller HA using an F5 load balancer and install vCenter Server 6 to use a common SSO domain (Enhanced Linked Mode). A vCenter linked mode deployment lets you manage multiple vCenter Servers in a single pane of glass. With the vSphere 6 architecture changes, the vCenter Server services are consolidated into two components: the Platform Services Controller (PSC) and the vCenter Server core services.

Platform Services Controller or PSC – provides infrastructure services for the datacenter. The Platform Services Controller contains the services below.

  • vCenter Single Sign-On
  • License Service
  • Lookup Service
  • VMware Directory Service
  • VMware Certificate Authority

vCenter Services – the vCenter Server services are a group of services that provide the remaining functions required for vCenter Server to operate.

  • vCenter Server
  • vSphere Web Client
  • vCenter Inventory Service
  • vSphere Auto Deploy
  • vSphere ESXi Dump Collector
  • vSphere Syslog Collector (Microsoft Windows)/VMware Syslog Service (Appliance)

vCenter Server with an External Platform Services Controller – In this deployment mode the platform services and the vCenter Server services are installed on separate machines. The picture below depicts the architecture of an externally hosted vCenter Server installation. This mode of deployment is suitable for large environments with multiple vCenter Servers and allows you to manage them in a single pane of glass.

Enhanced Linked Mode
vSphere 6 introduces a new feature, Enhanced Linked Mode. It provides a single pane of glass view to manage the vCenter Servers that are registered with a particular Platform Services Controller. It also enables another new vSphere 6 feature, Cross vCenter vMotion. The prerequisite for Enhanced Linked Mode is an external Platform Services Controller. The new architecture of Enhanced Linked Mode is depicted below; please refer to KB article 2108548 for the recommended topologies for vSphere 6 Enhanced Linked Mode.


First we will learn how to deploy Platform Services Controllers (PSCs) in linked mode. For that I have chosen one of the topologies recommended by VMware; you may choose whichever best suits your requirements. The requirements for the end-to-end deployment are listed below.
• One Single Sign-On domain
• One Single Sign-On site
• Two external Platform Services Controllers
• Two vCenter Servers with external Platform Services Controllers
• One third-party load balancer (F5 BIG-IP VE); you may choose Citrix NetScaler ADC as well if you wish (VMware supports only F5 and Citrix NetScaler).

Please refer to Mohan Potheri’s blog for more insights on vCenter Server 6 deployment topologies and high availability.

There are scalability limitations; to learn more, please refer to the blog by Jonathan McDonald.


Deploy Highly Available External Platform Services Controller Appliance

Let’s deploy the first PSC.

Please download the vCSA 6.0 appliance (evaluation) from here.

1. Mount the ISO image and launch the installer vcsa-setup.html. The Client Integration Plug-In is the prerequisite for deploying or upgrading the vCenter Server Appliance.


2. Click on Install.


3. Accept the EULA  and click Next.


4. Enter the target ESXi or vCenter server information to deploy the appliance and click Next. In this post I am deploying on a stand alone ESXi server.


5. Accept the certificate from the ESXi server.


6. Enter the name for the appliance and the new root password and click Next.


7. Select the Install Platform Services Controller option and click Next.


8. Select the Create a new SSO domain option and fill in the details to deploy the first PSC.


9. Review the appliance configuration and Click Next.


10. Select the datastore to deploy the appliance and click Next.


11. Select a network and fill details like IP address, FQDN , DNS details and click Next.


12. Review the details and click on Finish.


13. Click on Close once the installation is successful.


Now we have successfully deployed the first Platform Services Controller in our setup; let’s deploy the second PSC.

1. Please follow steps 1 through 7 above, and in step 8 select Join an SSO domain in an existing vCenter 6.0 platform services controller. Fill in the IP or FQDN of the first PSC along with the credentials and click Next.


2. Select Join an existing site option and select the correct site name from the drop down list and click Next.


3. Select a network and fill details like IP address, FQDN , DNS details and click Next.


4. Review the details and click on Finish.


We have deployed both Platform Services Controllers; let’s configure high availability between the two PSCs. Please download the HA configuration files from here.

1. Log in to both PSCs via SSH.
2. Type the commands below on both of them (this enables the appliance shell and makes bash the default shell for root).
Command> shell.set --enabled True
Command> shell
vmpsc01:~ # chsh -s /bin/bash root
Changing login shell for root.
Shell changed.

3. Create a directory named ssoha on both PSCs.

vmpsc01:~ # mkdir ssoha

4. Copy the HA configuration file downloaded earlier to the ssoha directory on both PSCs (using scp; I used WinSCP).

5. On the first PSC, change to the ssoha directory and extract the vCenter Single Sign-On high availability scripts.

vmpsc01:~/ssoha # unzip VMware-psc-ha-

6. Run the following command to generate the certificates required for the load balancer.
python gen-lb-cert.py --primary-node --lb-fqdn=load_balanced_fqdn
In my example: vmpsc01:~/ssoha # python gen-lb-cert.py --primary-node --lb-fqdn=psclb.sddconline.com

You should get the following output upon successful execution of the script.

Initialization complete
executing certTool command
executing certTool command
Using config file : /usr/lib/vmware-vmca/share/config/certool.cfg
Status : Success

Executing openssl command
Executing openssl command
writing RSA key
Modifying hostname.txt
modifying server.xml
Executing StopService --all
INFO:root:Service: vmware-psc-client, Action: stop
INFO:root:Service: vmware-syslog-health, Action: stop
INFO:root:Service: applmgmt, Action: stop
INFO:root:Service: vmware-cis-license, Action: stop
INFO:root:Service: vmware-syslog, Action: stop
INFO:root:Service: vmware-sca, Action: stop
INFO:root:Service: vmware-cm, Action: stop
INFO:root:Service: vmware-rhttpproxy, Action: stop
INFO:root:Service: vmware-stsd, Action: stop
INFO:root:Service: vmware-sts-idmd, Action: stop
INFO:root:Service: vmcad, Action: stop
INFO:root:Service: vmdird, Action: stop
INFO:root:Service: vmafdd, Action: stop
Executing StartService --all
INFO:root:Service: vmafdd, Action: start
INFO:root:Service: vmware-rhttpproxy, Action: start
INFO:root:Service: vmdird, Action: start
INFO:root:Service: vmcad, Action: start
INFO:root:Service: vmware-sts-idmd, Action: start
INFO:root:Service: vmware-stsd, Action: start
INFO:root:Service: vmware-cm, Action: start
INFO:root:Service: vmware-cis-license, Action: start
INFO:root:Service: vmware-psc-client, Action: start
INFO:root:Service: vmware-sca, Action: start
INFO:root:Service: applmgmt, Action: start
INFO:root:Service: vmware-syslog, Action: start
INFO:root:Service: vmware-syslog-health, Action: start
Copy the contents of the /ha to the other nodes
Please copy the p12 file into the F5 loadbalancer
Please copy the lb_rsa.key file and lb.crt file into the Netscaler loadbalancer

7. Create a directory and copy the SSO signing keys into it for later use.
mkdir /ha/keys
cp /etc/vmware-sso/keys/* /ha/keys

8. Copy the contents of /ssoha and /ha/keys to the second PSC.

9. Now switch to the second PSC and run this command: python gen-lb-cert.py --secondary-node --lb-fqdn=load_balanced_fqdn --lb-cert-folder=/ha --sso-serversign-folder=/ha/keys

vmpsc02:/ssoha # python gen-lb-cert.py --secondary-node --lb-fqdn=psclb.sddconline.com --lb-cert-folder=/ha --sso-serversign-folder=/ha/keys/

10. Upon successful execution of the script in step 9, run this command on the first PSC to update the endpoint URLs: python lstoolHA.py --hostname=psc_1_fqdn --lb-fqdn=load_balanced_fqdn --lb-cert-folder=/ha --user=Administrator@vsphere.local

vmpsc01:/ssoha # python lstoolHA.py --hostname=vmpsc01.sddconline.com --lb-fqdn=psclb.sddconline.com --lb-cert-folder=/ha --user=Administrator@vsphere.local

Now we have configured HA between the PSCs. The next step is to configure the load balancer to balance between the two Platform Services Controllers on ports 443, 2012, 2014, 2020, 389, and 636, per the vSphere 6 deployment guide. I have BIG-IP Virtual Edition deployed in my test lab and ready to use; please refer to the KB article for how to deploy BIG-IP Virtual Edition. As a first step, download the certificate lb.p12 from the PSC /ha folder and store it on your system; the certificate is required for creating the client and server SSL profiles.

1. From the home page of the BIG-IP, navigate to System >> File Management >> Certificate List and click on Import.


2. Select the Import Type PKCS12 from the drop-down list, give the certificate a friendly name and upload the certificate you saved earlier; the password for the file is changeme.


3. Navigate back to the Certificate List to ensure the uploaded certificate is listed in the store.


4. Now navigate to Local Traffic >> Profile >>SSL:Client and click on Create.


5. Fill in the friendly name for the client profile and select the previously imported certificate in the Certificate and Key section. The password in this case was changeme.

6. Scroll to the bottom and click on Finish


7. Now navigate to Local Traffic >> Profile >>SSL:Server and click on Create.


8. Fill in the friendly name for the server profile and select the previously imported certificate in the Certificate and Key section. The password in this case was changeme.


9. Now let’s create the persistence profile: navigate to Local Traffic >> Profiles: Persistence and click on Create.


10. Fill in the friendly name for the profile, select the Persistence Type Source Address Affinity, and specify a Timeout of 28800 seconds as per the VMware KB article. Click on Finish once you are done.


11. Now let’s create the server pools required to provide load balancing for the PSCs. Navigate to Local Traffic >> Pools >> select New Pool. Fill in the friendly pool name, select the tcp health monitor, enter the IP address and port number (443 in this case) of one PSC at a time and click Add. Click on Finish once you are done adding all the PSCs in your environment.


12. Repeat step 11 to create the remaining pools with the other port numbers (2012, 2014, 2020, 389, and 636) required for the PSCs to function.

13. Navigate to Local Traffic >> Pool List to ensure all pools are in a healthy state (green).


14. Now let’s create the Virtual Server that vCenter will be linked to, providing load balancing for the PSCs. Navigate to Local Traffic >> Virtual Servers >> click on New Virtual Server. In the General Properties section fill in the friendly name, the IP address of the Virtual Server and the Service Port, as shown in the picture below.


15. Scroll down to the Configuration section, select the previously created client and server SSL profiles, select All VLANs and Tunnels for the VLAN and Tunnel Traffic option, and select Auto Map for Source Address Translation, as shown in the picture below.


16. Scroll down to the Resources section of the Virtual Server creation page, select the default pool (in this case pool-psc-443) and the persistence profile. Click on Finished once done.


17. Repeat steps 14 to 16 of this post to create separate Virtual Servers for the other service ports (2012, 2014, 2020, 389, and 636), using the respective server pools created earlier.

Make sure all virtual servers are in healthy state by navigating to Local Traffic >>Network Map.


Run the following command on the first PSC, giving the FQDN that resolves to the load balancer Virtual Server IP.

python lstoolHA.py --hostname=psc_1_fqdn --lb-fqdn=load_balanced_fqdn --lb-cert-folder=/ha --user=Administrator@vsphere.local

vmpsc01:/ssoha # python lstoolHA.py --hostname=vmpsc01.sddconline.com --lb-fqdn=psclb.sddconline.com --lb-cert-folder=/ha --user=Administrator@vsphere.local

2016-11-12 09:41:52,403 INFO com.vmware.identity.token.impl.SamlTokenImpl – SAML token for SubjectNameId [value=Administrator@VSPHERE.LOCAL, format=http://schemas.xmlsoap.org/claims/UPN] successfully parsed from Element
2016-11-12 09:41:52,430 INFO com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl – Successfully acquired token for user: Administrator@vsphere.local
2016-11-12 09:41:53,096 WARN com.vmware.vim.vmomi.client.http.impl.HttpConfigurationCompilerBase$ConnectionMonitorThreadBase – Shutting down the connection monitor.
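Before pointing vCenter at the load-balanced FQDN, it is worth checking from a client machine that every port the F5 fronts is answering and that the 443 Virtual Server really presents the certificate the HA script generated (the lb.crt in the PSC /ha folder). The script below is an added example, not part of the original post or of VMware's HA scripts; it assumes only the Python standard library, that lb.crt has been copied to the client, and that 443 is the port on which the VIP serves that certificate (the other ports are checked for reachability only). Typical use: check_lb("psclb.sddconline.com", pem_fingerprint(open("lb.crt").read())).

```python
import hashlib
import socket
import ssl

# Ports the F5 virtual servers front for the PSCs (from the post); 443 is where
# the VIP must present the certificate the HA script generated (lb.crt).
PSC_LB_PORTS = (443, 2012, 2014, 2020, 389, 636)
TLS_PORTS = (443,)  # assumption: extend if you bridge TLS on other ports too

def der_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def pem_fingerprint(pem_text: str) -> str:
    """Fingerprint of a PEM certificate, e.g. the lb.crt in the PSC /ha folder."""
    return der_fingerprint(ssl.PEM_cert_to_DER_cert(pem_text.strip()))

def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False

def peer_fingerprint(host: str, port: int, timeout: float = 5.0) -> str:
    """Fingerprint of the leaf cert the VIP serves; verification is off on
    purpose because we are asking which cert is served, not whether it is trusted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return der_fingerprint(tls.getpeercert(binary_form=True))

def check_lb(host, expected_fp, ports=PSC_LB_PORTS, tls_ports=TLS_PORTS):
    """Map each port to 'ok', 'closed', 'tls-error:<msg>' or 'cert-mismatch:<fp>'."""
    results = {}
    for port in ports:
        if not tcp_reachable(host, port):
            results[port] = "closed"
        elif port in tls_ports:
            try:
                fp = peer_fingerprint(host, port)
                results[port] = "ok" if fp == expected_fp else f"cert-mismatch:{fp}"
            except (OSError, ssl.SSLError) as exc:
                results[port] = f"tls-error:{exc}"
        else:
            results[port] = "ok"
    return results
```

A "cert-mismatch" on 443 usually means the client SSL profile on the Virtual Server is not using the imported lb.p12, and a "closed" port means the matching pool or Virtual Server is missing or unhealthy.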

Now you can deploy the external vCenter Server (Windows or appliance based) using the vCenter deployment wizard, and use the load-balanced FQDN of the Platform Services Controller when prompted, as shown in the pictures below.



Finally, you will be able to manage all your vCenter Servers in one console after joining them to the common SSO domain, as depicted in the picture below.


