vCenter as a single component. Some larger, more complex deployments may have had multiple SSO servers, but you still think of SSO as fundamental to vCenter. Starting in vSphere 6.0, vCenter is decoupled into two distinct parts: the Platform Services Controller (PSC) and the remaining vCenter services. You can see this in the VMware graphic below, showing the management node (vCenter services) and the PSC. Other VMware products, like the vRealize suite, can utilize PSC services such as authentication.
When you install vCenter now, it no longer prompts you for individual components. It installs the full suite every time, whether you want everything or not. The full suite includes the following components:
- vCenter Server
- vSphere Web Client
- Inventory Service
- Profile-driven storage
- Auto Deploy
- Syslog Collector
- ESXi Dump Collector
- and more…
vSphere Update Manager (VUM) is the one component that is still installed separately. Because you can combine the VCSA (vCenter appliance) with a Windows VUM server, it makes sense that VMware gives you the option to install VUM on its own. The only other separately installable component is the vSphere Authentication Proxy. Keep in mind you still need the Windows thick C# client to manage all the VUM features. VMware is working on a VUM replacement, but it's TBD when that will be released. Personally I wouldn't look for it anytime soon.
Platform Services Controller (PSC)
As we all remember, with vSphere 5.1 VMware introduced a major new component called SSO, or single sign-on. In the 5.1 days this caused a lot of headaches and pain, particularly around SSL certificates. The situation improved in vSphere 5.5 with SSO 2.0, and VMware provided more guidance to customers on SSO topologies. Fast forward to vSphere 6.0, and now there's a whole new component called the Platform Services Controller (PSC). The PSC is a shared service that supports vCenter Server and the vCenter Server components. Various VMware products, such as vCenter and vRealize Operations, can use the PSC. Think of the PSC as a foundational service that provides the following:
- License service (formerly held by vCenter)
- Single Sign-on Service (Secure Token Service, identity management service, directory service)
- Lookup Service
- VMware Certificate Authority (VMCA)
- VMware Endpoint Certificate Store (VECS)
- Authentication framework daemon
- Component Manager Service (CM)
- HTTP reverse proxy
The big news here is the brand new VMware Certificate Authority (VMCA) and VMware Endpoint Certificate Store (VECS). These will have a major impact on how you deploy and manage certificates in a vCenter environment. More to come on that in my next post.
Also keep in mind that you can mix and match embedded PSC installs with external instances. All will share the same SSO domain and will replicate other information, such as licensing. This lets you start small, say with an embedded install, and expand in the future with a replicated external instance. Or perhaps you add a second datacenter down the road with a local vCenter instance. There's a limit of 8 PSCs per site.
Do keep in mind that if you start out with an embedded install (vCenter + PSC), there's no supported method to "move" the PSC to a dedicated server or to add more PSCs. So my advice is to start out by dedicating one VM to the PSC and another VM to all the other vCenter services. This provides maximum scalability and future-proofs your infrastructure.
High availability (HA) for the PSC service is provided by an external load balancer, such as a Citrix NetScaler or F5. Unfortunately built-in HA didn't make it into this release, so we must rely on a third-party solution. In the VMware graphic below you can see three vCenter instances, all pointing to a redundant, load-balanced PSC deployment.
vCenter Single Sign-On allows vSphere components to communicate with each other using secure tokens rather than authenticating separately to each component. The SSO service consists of the Security Token Service (STS), the administration server, the VMware Directory Service (vmdir) and the identity management service. The STS uses SAML tokens for authentication. The administration server lets administrators with the proper privileges manage the SSO service. vmdir is a multi-master, multi-tenant directory service that uses LDAP, much like Active Directory; however, it does not use AD or ADAM/AD LDS. It uses ports 389 and 11711. If there is more than one PSC instance in your environment, an update made in one vmdir is replicated to all the other instances. vmdir also stores some certificate information. The identity management service processes identity sources and STS authentication requests.
Starting with vSphere 6.0, SSO is deployed either via the embedded PSC (co-resident with your vCenter Server) or as part of an external PSC deployment. The order of installation is very important: if you are using an external PSC, it must be installed before vCenter Server. This makes sense, as vCenter depends on a number of the services in the PSC. If you choose the embedded install, everything is installed in the right order for you.
A single external PSC deployment can support up to eight vCenter instances, with each new vCenter instance connecting to the same PSC server. If you are a monster enterprise environment with more than 8 vCenters, you can deploy multiple PSC instances.
When you deploy the SSO component you will need to configure a password for the administrator@vsphere.local account. This password needs to be at least 8 characters and contain one lowercase character, one numeric character and one special character, and its length must NOT exceed 20 characters. Only use visible ASCII characters, meaning you can't use a space. You are also not allowed to use the single quote ('). Other special characters may cause problems (remembering the SSO 5.1 and 5.5 days), so be sure to test out your "complex" passwords.
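A small pre-flight check for the password rules described above, as an added example (my own helper, not VMware's validation code): it models only the documented policy, so a password that passes here can still trip over a "problem" special character and should still be tested against the installer.

```python
import string

# Default vSphere 6.0 SSO password requirements as described in the post.
MIN_LEN, MAX_LEN = 8, 20
SPECIALS = set(string.punctuation) - {"'"}   # the single quote is never allowed


def check_sso_password(pw: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable.

    Hypothetical helper that models the documented policy; it is not VMware's own code.
    """
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    # "Visible ASCII" means 0x21-0x7E: this rejects spaces, control characters and non-ASCII.
    if any(not (0x21 <= ord(c) <= 0x7E) for c in pw):
        problems.append("contains a space, control character or non-ASCII character")
    if "'" in pw:
        problems.append("contains a single quote")
    return problems


if __name__ == "__main__":
    for candidate in ("Vmw4re!pass", "VMware!password", "Vmw4re pass!", "a1!"):
        print(repr(candidate), "->", check_sso_password(candidate) or "OK")
```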
By default users are locked out of the SSO service after five consecutive failed attempts in three minutes. Accounts are unlocked after five minutes. These policies can be changed, if desired. See the vSphere Security Guide for additional details.
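To see how the default lockout policy behaves against a burst of failed logins, here is an added model of it (my own code, not the PSC's implementation) replayed over a constructed, simplified log; the sliding three-minute window matters, so five failures spread over four minutes never lock the account while five inside three minutes do.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Default vSphere 6.0 SSO lockout policy as described in the post.
MAX_FAILURES = 5
FAILURE_WINDOW = timedelta(minutes=3)
UNLOCK_AFTER = timedelta(minutes=5)

class SsoLockoutTracker:
    """Model of the documented lockout policy (hypothetical helper, not PSC code)."""
    def __init__(self):
        self.failures = defaultdict(deque)  # user -> timestamps of recent failed attempts
        self.locked_until = {}              # user -> time the lock expires

    def record_failure(self, user, now):
        """Record a failed attempt; return True if this attempt triggers a lockout."""
        if now < self.locked_until.get(user, now):  # attempts while locked are not counted
            return False
        recent = self.failures[user]
        recent.append(now)
        while now - recent[0] > FAILURE_WINDOW:
            recent.popleft()  # drop failures that fell out of the three-minute window
        if len(recent) >= MAX_FAILURES:
            self.locked_until[user] = now + UNLOCK_AFTER
            recent.clear()
            return True
        return False

def lockouts_from_log(lines):
    """Replay '<ISO timestamp> <user> <FAIL|OK>' lines; return (user, locked_at, unlocked_at) tuples."""
    tracker, events = SsoLockoutTracker(), []
    for line in lines:
        ts, user, result = line.split()
        now = datetime.fromisoformat(ts)
        if result == "FAIL" and tracker.record_failure(user, now):
            events.append((user, now.isoformat(), tracker.locked_until[user].isoformat()))
    return events

# Constructed sample log: the first five failures span four minutes (no lock); the lock trips at 09:05.
SAMPLE_LOG = [
    "2015-03-12T09:00:00 administrator@vsphere.local FAIL",
    "2015-03-12T09:01:00 administrator@vsphere.local FAIL",
    "2015-03-12T09:02:00 administrator@vsphere.local FAIL",
    "2015-03-12T09:02:30 administrator@vsphere.local FAIL",
    "2015-03-12T09:04:00 administrator@vsphere.local FAIL",
    "2015-03-12T09:04:30 administrator@vsphere.local FAIL",
    "2015-03-12T09:05:00 administrator@vsphere.local FAIL",
    "2015-03-12T09:06:00 administrator@vsphere.local FAIL",
]
```

The last line is an attempt made while the account is already locked; it is rejected without extending the lock, which is why the replay reports exactly one lockout.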
Below is a graphic from VMware showing the progression of SSO to the PSC, from vSphere 5.1 to 6.0.
VMware vCenter Server is the management server, or central point, for accessing ESX hosts and VMware clusters, VMs, storage, vSwitches and other components. There are two versions of VMware vCenter Server: an installable version that runs on Microsoft Windows, and a virtual appliance edition. In this post I am going to cover the installable version of vCenter Server 6.0.
Fresh Embedded Deployment
1. Verify all prerequisites.
2. If using a remote database, ensure that a 64-bit DSN has been created. DSN aliases are not supported. This step is not necessary if using the local PostgreSQL database.
3. Mount the vCenter Server 6.0 ISO image.
4. If autorun does not start, execute autorun.exe.
5. Select vCenter Server for Windows and click Install.
6. Click Next.
7. Accept the license agreements.
8. Select Embedded Deployment and click Next.
9. Verify that the FQDN is correct and click Next.
10. Enter a password and Site name for vCenter Single Sign-On and click Next.
11. Select the local system account or enter the service account username and password.
12. Select Use an embedded database (vPostgres) or Use an external database server's DSN Name, and click Next.
13. Unless required, leave all ports at their defaults and click Next.
14. Unless required, leave the default paths for installation and click Next.
15. Review and then click Install.
Open a browser and type localhost; make sure you have already installed Flash Player.
Type the username administrator@vsphere.local and the password you provided during installation.
vCenter is installed and working. Click on Administration.
Under Administration, click on Configuration in the Single Sign-On section.
Add vCenter to domain