vSphere 6.0 Installation Pt. 14: Install Windows vCenter

Now that we are pretty far into this series, we can finally install our Windows vCenter. This will leverage our external PSC, for maximum scalability. Depending on your environment size, you may need to scale up the VM’s hardware specs for optimal performance. Consult VMware documentation for sizing guidance. In this exercise we will configure 2 vCPUs and 12GB of RAM, which is enough for a small environment.

If you would rather use the VCSA vCenter instead of a Windows vCenter, don’t fear, that will be coming up in a future blog installment. So if you don’t want a Windows vCenter, then hold on and soon enough I’ll have those instructions published.

Blog Series

vSphere 6.0 Install Pt. 1: Introduction
vSphere 6.0 Install Pt. 2: Platform Services Controller
vSphere 6.0 Install Pt. 3: Certificate Management
vSphere 6.0 Install Pt. 4: vCenter Upgrade Best Practices
vSphere 6.0 Install Pt. 5: ESXi Upgrade Best Practices
vSphere 6.0 Install Pt. 6: Install Windows PSC
vSphere 6.0 Install Pt. 7: Config SQL DBs
vSphere 6.0 Install Pt. 8: Toolkit Configuration
vSphere 6.0 Install Pt. 9: SSL Templates
vSphere 6.0 Install Pt. 10: Install VCSA PSC
vSphere 6.0 Install Pt. 11: VMCA as Subordinate
vSphere 6.0 Install Pt. 12: PSC Machine Certificate
vSphere 6.0 Install Pt. 13: Directory Services Certificate
vSphere 6.0 Install Pt. 14: Windows vCenter Install
vSphere 6.0 Install Pt. 15: VCSA vCenter Install

Permalink to this series: vexpert.me/Derek60
Permalink to my Toolkit script: vexpert.me/toolkit60

Provision vCenter VM

Before we install vCenter, we need to provision the vCenter VM. Per VMware recommendations the VM needs at least 8GB of RAM for an embedded installation.  Don’t skimp on memory as performance will likely take a beating, depending on the number of hosts and VMs you are managing. I’d recommend 12GB minimum. Also keep in mind:

  • At least 2 vCPUs (hard minimum)
  • At least 12GB of RAM (8GB hard minimum)
  • At least 70GB D drive (more with VUM)
  • Use VMXNET3 NIC
  • Use any virtual hardware version. I recommend v10 or v11.
  • Recommend Windows Server 2012 R2
  • Enable hot add of memory/CPU (optional)
  • Fully patched OS (important)
  • Verify time sync between PSC and vCenter VM

If you want to use the web client on the vCenter server with IE, then you must install the Desktop Experience feature. Why? That’s the only way to get Flash player in IE with Windows Server 2012 and Windows Server 2012 R2. VMware really needs to dump the Flash interface and go HTML5. If you use a third party browser, make sure you get the very latest Flash player.

After you install the Desktop Experience make sure you patch it. Why? The stock Flash player version is not compatible with the web client and needs to be updated via Windows Update/WSUS/SCCM to the latest version.

10-8-2013 6-11-01 AM

If you will be using IE on the vCenter server you also need to turn off the IE enhanced security mode.

10-8-2013 5-40-17 PM

vCenter Install

When installing vCenter you have two primary options. The first is an embedded option, where it will install the PSC and all the vCenter components in one fell swoop. This is akin to the “Simple” install in vSphere 5.5. The second option lets you deploy the PSC separately from vCenter. If you only install the PSC, when you run the installer the next time you only have an uninstall option and can’t install the rest of the vCenter services. So for this install we will go ahead and do a full vCenter install, using the external PSC that we have previously installed. You can use either a Windows external PSC or a VCSA-based PSC for this. Choice is yours!

1. Launch the vSphere 6.0 autorun installer. On the main screen select vCenter Server for Windows.

2014-11-22_18-40-25

2. Accept the license agreement and pause on the Deployment Type screen. Select vCenter Server.

2015-03-22_14-32-35a

3. On the System Network Name screen verify the FQDN is that of your local server. It should be. Click Next. You may get a warning about IPv6, which you can ignore if you aren’t using it.

2015-01-25_19-03-08

4. Next up you need to point the installer towards your PSC and enter the SSO password you used during the installation process.

2015-03-22_14-41-50

5. When you click next you may get a warning about a time differential. It’s off by just a minute or two I would not worry about it. I saw a warning about a 63 second time delta. After any time warnings you will then get a certificate validation prompt. At this point you will also get a certificate pop-up. Even if you replaced your VMCA and PSC machine SSL certificates, you will see an untrusted certificate here. This is because the VMware Directory Service certificate is used for this authentication. If you followed along in my blog and replaced the VMdir certificate, then it will show a trusted certificate.

2015-04-03_18-07-42

6. Next you need to select your vCenter service account. I always use a Windows service account, so I input those credentials here. I also made sure the service account was in the local administrator’s group on the vCenter server. It will also need the “Log on as a service” right. To do that launch the “Local Security Policy” editor, navigate to “Local Policies” then “User Rights Assignment”.

2015-03-24_8-12-17

2015-03-24_8-06-027. Now you need to configure your database. For anything but a small home lab you should use an external database. If you do opt for the internal database, in vSphere 6.0 it is now vPostgres and NOT SQL Express. In the previous blog series article we configured SQL using my vCenter toolkit script. So now select that DSN from the drop down.

2015-03-24_12-13-43

8. Next up are the default port numbers, which you shouldn’t change.

2015-03-24_12-16-06

9. Now you can change the directory installation paths if you wish. I just took the defaults.

2015-03-24_12-16-48

10. Now you can review your configuration and make sure that everything is good to go. Click Install.

Summary

With the external PSC already installed, doing the vCenter install is a piece of cake. If you are in a small lab, then you don’t even need to fuss with setting up an external database like SQL. For production instances I would always use a SQL or Oracle database. Its best to leave the default installation paths, as VMware instructions for certificate replacement use the default paths. I just don’t see any big reason to stray from the defaults here. KISS principle applies. If you have to choose between using SQL or Oracle for the back end, I would lean towards SQL. The VMware Fling to convert a Windows vCenter to the VCSA currently only works with SQL, so should you ever want to change your deployment model SQL makes it easier.

Next up is installing the VCSA vCenter, which you can find here.

Publishing vSphere 6.0 VMCA Signing Certificate

As mentioned in my vSphere 6.0 installation series, you can configure the new VMCA to be a subordinate to your enterprise CA. This is great, and opens up new certificate management options for organizations that wish to use trusted SSL certificates. However, you may run into a situation where this new root certificate is not published into active directory and thus your Windows computers will not trust it. This short post will show you how to publish the VMCA signing certificate to AD, which then gets pushed down to the domain computers.

You can see if you have this problem by going to your PSC/VMCA and double clicking on the C:\Certs\VMCA\root_signing_cert.crt and clicking on the Certificate Path tab. If there’s just one entry with a yellow warning, your VMCA is not trusted by that Windows computer. Note: This assumes you are using my Toolkit to create your VMCA certificates. That path is not native to the VMware installation. To correct this condition follow the procedure below.2015-04-04_17-04-13

1. On a domain controller launch the GPO management tool.

2. Find the appropriate group policy you wish to manage. In my simple lab I’m modifying the default domain policy.

3. Open Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Trusted Publishers.

4. From your PSC/VMCA, go to C:\Certs\VMCA and copy the root_signing_cert.crt file to your domain controller.

5. Right click on Trusted Publishers and select Import. Run through the wizard and import your signing certificate.

6. On your PSC/VMCA open a command prompt and type “gpupdate /force” and wait a minute.

7. Double click on C:\Certs\VMCA\root_signing_cert.crt and you should now see the full certificate chain under the Certificate Path tab.

2015-04-04_17-07-31

Where is the Certificate?

If you are curious where the certificate got published, then open a blank MMC and add the certificates snap-in. Manage the computer account, then go down to Trusted Publishers. Open the Certificates folder and you should see the name of your PSC.2015-04-04_18-47-34

vSphere 6.0 Install Pt. 11: VMCA as Subordinate

As mentioned in my vSphere 6.0 install part 3, VMware has introduced a new certificate option in this release. You can now make a built-in VMware certificate authority (VMCA) a subordinate to your enterprise CA. This is great news, as it will allow some automation of the certificate deployment process. However, there are certainly some regulated industries like the US Federal Government where they’d laugh you out of the office if you asked to stand up your own subordinate CA. So this model won’t be used by everyone.

So if you are one of those organizations that CAN use the built-in VMware VMCA, then follow along in this article to see how you make it a subordinate in your enterprise environment. Later in this series we will cover the manual replacement process so don’t worry…alternatives to the VMCA are covered.

As a reminder, I’ve written the vCenter Toolkit script which helps in the SSL deployment process. In this version of the script I’ve added some VMCA features. See the download link below. In this series I’m assuming a Windows Enterprise CA, but you can use a non-Windows CA with a little bit more work (manual submission and download).

Important: You MUST use Toolkit version 0.7 or later. Please download the latest Toolkit from the URL below.

Blog Series

vSphere 6.0 Install Pt. 1: Introduction
vSphere 6.0 Install Pt. 2: Platform Services Controller
vSphere 6.0 Install Pt. 3: Certificate Management
vSphere 6.0 Install Pt. 4: vCenter Upgrade Best Practices
vSphere 6.0 Install Pt. 5: ESXi Upgrade Best Practices
vSphere 6.0 Install Pt. 6: Install Windows PSC
vSphere 6.0 Install Pt. 7: Config SQL DBs
vSphere 6.0 Install Pt. 8: Toolkit Configuration
vSphere 6.0 Install Pt. 9: SSL Templates
vSphere 6.0 Install Pt. 10: Install VCSA PSC
vSphere 6.0 Install Pt. 11: VMCA as Subordinate
vSphere 6.0 Install Pt. 12: PSC Machine Certificate
vSphere 6.0 Install Pt. 13: Directory Services Certificate
vSphere 6.0 Install Pt. 14: Windows vCenter Install

Permalink to this series: vexpert.me/Derek60
Permalink to my Toolkit script: vexpert.me/toolkit60

Mint VMCA Certificate (Online)

You should run the Toolkit script on your Windows external PSC, so you have all the files needed locally and it will also automate the installation. If you are using the VCSA PSC, then run this script from a Windows server that has PowerShell 3.0. Use this online procedure if your Microsoft CA will issue the subordinate certificate either with or without approval. Before you run the Toolkit, always download the latest version as new versions can come out rapidly. You can get the latest from the permalink above.

1. Run the Toolkit PowerShell script on your external PSC or a Windows server VM if using the VCSA PSC. Select the VMCA menu (option 2). Select the option to create a VMCA signing certificate with an online MS CA (option 1).

2. Press Enter to accept the PSC name, and the script will take care of the rest. After it quickly runs you have a C:\Certs\VMCA directory with all of the needed files.2015-04-01_14-21-25

 

If your MS CA is configured to require CA manager approval before issuing a certificate, you will see the following:

2015-03-29_18-53-10

Have the CA manager approve the request ID, then re-run my Toolkit script and select the “Resume a pending online request for VMCA certificate” (option 3).

2015-03-30_19-07-35

After the request is complete, you will see the following files in the C:\Certs\VMCA directory. As you will notice, I’ve purposely used the same file names as the VMware documentation and tools.

2015-03-30_19-08-41

You have now minted your VMCA certificates, but they are not yet installed. Read on in the blog post to find out how to install them.

Mint VMCA Certificate (Offline)

Use this procedure if your issuing certificate authority is NOT a Microsoft online CA. It could be an offline Microsoft CA, or a non-MS CA as well. Don’t try this procedure with a public CA provider, as they won’t let you issue subordinate CA certificates. Only use this for internal enterprise CAs which you control and can issue subordinate certificate authority certificates with.

1. Run the Toolkit script and in the VMCA menu (option 2) select the option to create a VMCA signing certificate with an offline or non-MS CA (option 2). The script will verify that you have downloaded the root chain certificates.

2. Because I was running this on the external PSC, I just pressed enter for the PSC name.2015-03-29_12-00-023. Navigate to C:\Certs\ and upload the root_signing_cert.csr file to your favorite CA and issue a certificate. Download the issued certificate in the base-64 format and save as root_signing_cert.crt in the same folder. You MUST use this file name and it MUST be base-64 encoded. It should only contain the certificate, not a full chain.

4. Re-run the toolkit and from the menu select the option “Create VMCA PEM files from offline or non-Microsoft CA” (option 4). No input is needed. This will properly create a PEM file with the full certificate chain. 2015-03-30_19-10-59

Now that we have our VMCA certificates, we need to install them. I will cover both the Windows and VCSA installation process. Windows is easier, since I’ve built that functionality into my Toolkit. For the VCSA we will leverage the VMware certificate tool.

Install VMCA Certificate (Windows PSC)

Note: For this procedure I am showing you how to use my Tookit script to install your VMCA signing certificate. VMware provides a Certificate Management tool that can perform the same steps. I show you how to use the VMware tool in the next section, when using the VCSA. The tool is the same on Windows and the VCSA. So if you feel more comfortable using the VMware tool to install the cert, skip down to that section. On Windows you can find the tool at C:\Program Files\VMware\vCenter Server\vmcad\Certificate-manager. My tool uses the manual method as documented in the vSphere 6.0 security guide, so the results are the same.

1. Re-run my Toolkit script and in the VMCA menu (option 2) select the option “Install VMCA signing certificate on Windows PSC” (option 5).

2015-04-01_18-24-46

2. Sit back and wait while the script stops services, installs the new certificate, restarts the services, then lists the certificate properties. Keep an eye on the process, and verify a ‘success’ message half way through. I’ve added a pause and notification when you should see the ‘success’ message. The entire replacement process takes about two minutes. 2015-03-29_12-20-293. Once the script completed, it will show the properties of the new VMCA. Validate that these match the issued certificate.2015-03-29_12-21-47

4. To follow in the footsteps of the VMware Certificate tool that also replaces the Machine SSL certificate by a VMCA issued certificate, re-run the Toolkit and select the Machine SSL certificate menu (option 4). Then select Option 3, Create Machine SSL certificate with VMCA. Press enter to accept the default hostnames (assuming you are running this on the PSC/VMCA).

2015-04-01_18-33-54 5. Re-Run the toolkit and select the Machine SSL certificate menu again. This time select option 6. It will stop the PSC services, install the certificate, and then re-start the services. You will also get prompted mid way through if you want to delete the existing machine certificate. Answer “Y” here to proceed. 2015-04-01_18-39-20

Install VMCA Certificate (VCSA PSC)

Note: For this procedure I am showing you how to use the VMware Certificate Manager tool to install the VMCA signing certificate. This assumes you used my Toolkit to generate the certificate files.

1. If you haven’t already enabled BASH on your VCSA let’s do that now. Open a console into the VCSA. Press F2 to customize the system. Login. Arrow down to “Troubleshooting Mode Options” then enable BASH shell. Exit the VCSA console.

2. Open a SSH session to the VCSA and type the following:

shell.set –enabled true

shell

chsh -s “/bin/bash” root

Make sure you run the ‘chsh’ command from the ‘shell’ prompt and not the VMware restricted shell…it won’t recognize the chsh command. Thanks to William Lam’s blog post here for this step!

2. Download and install your favorite SCP client. I like WinSCP. Connect via SCP using the VCSA credentials.2015-04-01_14-40-003. Create a folder to put your SSL certificates. I like the ‘/root/ssl’ directory.

4. In WinSCP navigate to the C:\Certs\VMCA folder. Upload the root_signing_chain.cer and root_signing_cert.key files to the SSL directory on the VCSA. The other files are not needed, so don’t upload them.

5. SSH into the VCSA and ensure you get a ‘shell’ prompt. This will be in red, and have the short name of the VCSA. Type the following command:

/usr/lib/vmware-vmca/bin/certificate-manager

6. Choose Option 2 from the main menu. Enter the SSO password as requested.

7. From the new menu select Option 2, Import custom certificates. Input the root certificate file names when prompted. Use root_signing_chain.cer for the first prompt and root_signing_cert.key for the second.

2015-04-01_17-35-298. If you haven’t run the tool before, you will be prompted for a series of default values for the certool.cfg. Use the same values here as you did when setting up the Toolkit variables. When prompted, use the FQDN of the PSC for the ‘hostname’.

9. Wait a couple of minutes for the tool to run. After it has completed it has made the VMCA a subordinate to your enterprise CA, and also updated the machine SSL certificate to one issued by the new VMCA.

Inspecting the SubCA Cert

If you wish to look at the properties of the newly minted VMCA subordinate signing certificate which was installed, just double click on the C:\Certs\VMCA\root_signing_chain.cer file. Go to the Certification Path tab, and you can see the full certificate chain. If you do NOT see the full certificate chain, then follow my blog post here to enable your enterprise to trust the VMCA.

2015-03-29_19-10-30

You can also check out the Details tab, and go down to the “Basic Constraints” and “Key Usage” fields. There you can see this certificate can be used as a subordinate CA.

2015-03-29_19-12-08

Inspecting the Machine Certificate

Now that we have installed a new machine SSL certificate, we want to make sure it was issued by the VMCA and is trusted. This can easily be done via any browser of your choosing.

1. Launch your favorite browser and go to https://PSC-FQDN/websso/. Open the certificate properties for the SSL site.

2015-04-01_19-07-392. Click on the Certification Path, and verify that all of your enterprise CAs are listed, as well as the FQDN of your PSC. There should be a certificate listed under the FQDN of your PSC. If you only see a single entry in this list, and not the full chain, that likely means your Windows computer does NOT trust the VMCA subordinate CA. If that’s the case, I would recommend publishing the VMCA public certificate via Active Directory so that your entire domain will trust the VMCA. As you can see in my screenshot below I have three enterprise CAs and the VMCA.

2015-04-01_19-11-42

Solution Warning

A reader pointed out the SRM and other solutions may fail when replacing the machine certificate on vCenter or the PSC. If you find yourself in this situation, check out this VMware KB article for remediation.

Summary

Using my toolkit script, minting and updating the VMCA certificate is a breeze. My toolkit supports online Microsoft CAs, or any offline CA that you wish you use. Remember you can’t use a public CA for issuing your VMCA subordinate certificate. This must be an internal CA which you own, and which has been configured to issue certificates for the subordinate authority template.

Because we are using the VMCA for all of our certificates, we’ve also re-issued the PSC’s machine SSL certificate to one issued by the VMCA. This means any of the web services the PSC is providing are now using a VMCA issued certificate. In the next installment we will assume you can NOT use the VMCA for compliance reasons, and will replace the PSC’s machine SSL certificate with a trusted one. That is covered in Part 12. This will bring our two installations up to the same level. After that, we will replace the Directory Services certificate on the PSC.

vSphere 6.0 Install Pt. 10: Install VCSA PSC

New to my vSphere installation series is using the pre-packaged vCenter appliance (VCSA). Now that the VCSA is on par with the Windows vCenter server, I suspect more and more people will migrate to the appliance. So to that end, let’s install an external PSC using the VCSA. If you are using a Windows-based external PSC, then you can skip this blog post and go directly to Part 11 (VMCA as subordinate) when that gets published.

Blog Series

vSphere 6.0 Install Pt. 1: Introduction
vSphere 6.0 Install Pt. 2: Platform Services Controller
vSphere 6.0 Install Pt. 3: Certificate Management
vSphere 6.0 Install Pt. 4: vCenter Upgrade Best Practices
vSphere 6.0 Install Pt. 5: ESXi Upgrade Best Practices
vSphere 6.0 Install Pt. 6: Install Windows PSC
vSphere 6.0 Install Pt. 7: Config SQL DBs
vSphere 6.0 Install Pt. 8: Toolkit Configuration
vSphere 6.0 Install Pt. 9: SSL Templates
vSphere 6.0 Install Pt. 10: Install VCSA PSC
vSphere 6.0 Install Pt. 11: VMCA as Subordinate
vSphere 6.0 Install Pt. 12: PSC Machine Certificate
vSphere 6.0 Install Pt. 13: Directory Services Certificate
vSphere 6.0 Install Pt. 14: Windows vCenter Install

Permalink to this series: vexpert.me/Derek60
Permalink to my Toolkit script: vexpert.me/toolkit60

Deploy VCSA PSC

1. Download the VCSA ISO (yes ISO, not OVA) and mount it on a Windows VM.

2. Open the root of the ISO and click on the vcsa-setup.html file.

3. Since I’m assuming a fresh install, click on Install.2015-03-29_19-42-354. Accept the license agreement and click Next.

5. Enter the FQDN or IP address of the ESXi server which you want the PSC deployed on. Enter the associated credentials. Click next and wait for the verification to complete. You may get a warning about an untrusted SSL certificate. Accept it.

2015-03-29_19-48-33

6. On your DNS server configure A and PTR records for the PSC’s address. This is critical!

7. Enter the FQDN of your appliance, and a complex password. If your password is not complex enough it will warn you and provide the complexity requirements.

2015-03-29_19-51-28a8. Next up, select the PSC option and click Next.

2015-03-29_19-53-06

9. Now we get to configure SSO. Yippee! Since I’m assuming a new install, I’ll create a new SSO domain, enter a complex password, and SSO site name. Remember that you should NOT set your SSO domain name to the same as your Windows domain. You could use a sub-domain, such as sso.contoso.local. I’m sticking with vSphere.local.

2015-03-29_19-55-03

10. The appliance is automatically sizes for 2 vCPUs and 2GB of RAM. Not bad for a PSC. Click Next.

11. Next up is datastore selection. In my home lab I have datastores on my QNAP and VSAN. I’ll go with VSAN here.

2015-03-29_19-58-07

12. Now you get to configure your network settings. Everything here is self-explanatory. I used the public NTP servers for accurate time, and also enabled SSH (lower down on the screen).

2015-03-29_20-02-05a

13. On the summary screen review all of the details to ensure they are correct.

2015-03-29_20-04-18

14. Sit back for a few minutes and wait for your VCSA-based PSC to be installed!

2015-03-29_20-11-58

Summary

We walked through the manual process of deploying a VCSA-based PSC in your environment. The VMware wizard is very straight forward, and makes deploying the VCSA very easy. If you want to automate the deployment of the VCSA, check out William Lam’s awesome multi-part guide here. You can also check out an ‘official’ method of command line deployment here. Next up will be configuring the VMCA as a subordinate CA, which you can find here.

vSphere 6.0 Install Pt. 6: Install Windows PSC

Now that we’ve gotten some background and best practices behind us, now it’s time to start the actual software installation. As previously mentioned, in all but the smallest environments it’s recommended to have a dedicated Platform Services Controller (PSC), rather than an embedded one. So first up here will be provisioning a new Windows Server 2012 R2 VM which will be dedicated to the PSC role. No other vCenter roles or services will be installed on here. Then further along in this series we will provision a second VM, which will run all of the vCenter services. So let’s roll up our sleeves and get started with installing the PSC.

Blog Series

vSphere 6.0 Install Pt. 1: Introduction
vSphere 6.0 Install Pt. 2: Platform Services Controller
vSphere 6.0 Install Pt. 3: Certificate Management
vSphere 6.0 Install Pt. 4: vCenter Upgrade Best Practices
vSphere 6.0 Install Pt. 5: ESXi Upgrade Best Practices
vSphere 6.0 Install Pt. 6: Install Windows PSC
vSphere 6.0 Install Pt. 7: Config SQL DBs
vSphere 6.0 Install Pt. 8: Toolkit Configuration
vSphere 6.0 Install Pt. 9: SSL Templates
vSphere 6.0 Install Pt. 10: Install VCSA PSC
vSphere 6.0 Install Pt. 11: VMCA as Subordinate
vSphere 6.0 Install Pt. 12: PSC Machine Certificate
vSphere 6.0 Install Pt. 13: Directory Services Certificate
vSphere 6.0 Install Pt. 14: Windows vCenter Install

Permalink to this series: vexpert.me/Derek60
Permalink to my Toolkit script: vexpert.me/toolkit60

Platform Services Controller (PSC) Installation

1. From your favorite template provision a new Windows VM. It needs at least 2 vCPUs and I’d give it 4-6GB of RAM. I would recommend Windows Server 2012 R2. Join it to the domain, and patch it. No need to install Flash, as the PSC has no web or Flash based interface. The PSC install is also very small, so I wouldn’t even attach a second drive. Just install it to the C drive.

2. Mount the vCenter 6.0 ISO and start the Autorun. Click on vCenter Server for Windows then click on Install.

2015-02-08_10-51-45

2. Click Next on the build screen.

2015-02-08_10-55-06

3. Accept the license agreement.

2015-02-08_10-56-33

4. On the Select Deployment Type screen, choose Platform Services Controller. Click Next.

2015-02-08_10-57-38

5. At this point the installer should auto-populate the system name with the FQDN of the VM you are installing the PSC on. Accept this value and click Next. As soon as you click next you may get a IPv6 warning. Ignore this warning if you aren’t using IPv6 (and who is?).

2015-02-08_11-00-47

6. This is the most important configuration screen. First up, now in vSphere 6.0 you can change the SSO domain. Per VMware do *NOT* make this the same domain as your Active Directory. This will create a show-stopper problem. You CAN, however, use a subdomain of your corporate domain. For example, sso.contoso.local. Personally, I would keep it simple and stick with the default.

Now you will need to configure a password for the administrator@vsphere.local account. This password needs to be at least 8 characters, one lower case character, one numeric character and one special character. And the length must NOT exceed 20 characters. Only use visible ASCII characters, meaning you can’t use a space. You are also not allowed to use the single quote (‘) either. Other special characters may cause problems (remembering the SSO 5.1 and 5.5 days) so be sure to test out your “complex” passwords.

Finally, you can change the site name. I would recommend you do change the name, and have it reference your physical location. While it appears that information is not currently used by vSphere, VMware hinted down the road the ‘site’ name may play a more important role.

If you have a current vSphere deployment that is using SSO, you can join that domain here. In my case I’m doing a fresh install, so I created a new domain.

2015-02-08_11-04-39

7. On the Configure Ports screen I would leave these all at their default values.

2015-02-08_11-15-35

8. Here you can change the installation directory if you wish. The install is so small that I don’t see the need to install on a D drive, for example.

2015-02-08_11-16-47

9. On the final screen it shows a summary of the options you’ve selected. Verify everything is OK and click Install. Wait a few minutes for the installation to complete.

2015-02-08_11-18-38

 Summary

As you can see, the PSC installer is very straight forward. Unlike SSO in vSphere 5.1 that needed an external database, the PSC is fully self-contained. Nice! Now that we have the PSC up and running, it is time to install the Windows vCenter server.

vSphere 6.0 Install Pt. 2: Platform Services Controller

Introduction

In this second installment of the vSphere 6.0 installation series we cover the new service called the Platform Services Controller. This new service has consumed the SSO service, and added a number of new features. vCenter functionality is now divided into two primary roles, the management node and the PSC. The remainder of this article will cover this split, what the PSC is, and what it means to your vCenter topology.

Blog Series

vSphere 6.0 Install Pt. 1: Introduction
vSphere 6.0 Install Pt. 2: Platform Services Controller
vSphere 6.0 Install Pt. 3: Certificate Management
vSphere 6.0 Install Pt. 4: vCenter Upgrade Best Practices
vSphere 6.0 Install Pt. 5: ESXi Upgrade Best Practices
vSphere 6.0 Install Pt. 6: Install Windows PSC
vSphere 6.0 Install Pt. 7: Config SQL DBs
vSphere 6.0 Install Pt. 8: Toolkit Configuration
vSphere 6.0 Install Pt. 9: SSL Templates
vSphere 6.0 Install Pt. 10: Install VCSA PSC
vSphere 6.0 Install Pt. 11: VMCA as Subordinate
vSphere 6.0 Install Pt. 12: PSC Machine Certificate
vSphere 6.0 Install Pt. 13: Directory Services Certificate
vSphere 6.0 Install Pt. 14: Windows vCenter Install

Permalink to this series: vexpert.me/Derek60
Permalink to my Toolkit script: vexpert.me/toolkit60

Prior to vSphere 6.0 most people thought of vCenter as a single component. Some larger complex deployments may have had multiple SSO servers, but you still think of SSO as fundamental to vCenter. Starting in vSphere 6.0 vCenter is being decoupled into two distinct parts. The first is known as the Platform Services Controller (PSC), and the remainder are all the vCenter services. You can see this in the VMware graphic below, showing the management node (vCenter services) and the PSC. Other VMware products like the vRealize suite can utilize the PSC services, such as authentication.

2015-02-07_9-18-22

When you install vCenter now, it no longer prompts you for various components. It installs the full suite every time…whether you want everything or not. This full suite includes the following components:

  • vCenter Server
  • vSphere Web Client
  • Inventory Service
  • Profile-driven storage
  • Auto Deploy
  • Syslog Collector
  • ESXi Dump Collector
  • and more…

Separately installable IS vSphere Update Manager. You can combine the VCSA (vCenter appliance) and a Windows VUM server, so it makes sense they give you the option to separately install VUM. The only other separately installable component is the vSphere authentication proxy. Keep in mind you still need the Windows thick C# client to manage all the VUM features. VMware is working on a VUM replacement, but it’s TBD when that will be released. Personally I wouldn’t look for that anytime soon.

Platform Services Controller (PSC)

As we all remember with vSphere 5.1, VMware introduced a major new component called SSO, or single sign on. In the 5.1 days this caused a lot of headaches and pain, particularly around SSL certificates. The situation was improved in vSphere 5.5 with SSO 2.0, and VMware provided more guidance to customers for SSO topologies. Fast forward to vSphere 6.0, and now there’s a whole new component called Platform Services Controller (PSC). PSC is a shared service that supports vCenter server and vCenter server components. Various VMware products can use the PSC such as vCenter and vRealize Operations. Think of PSC as a foundational service which provides the following services:

  • License service (formerly held by vCenter)
  • Single Sign-on Service (Secure Token Service, identity management service, directory service)
  • Lookup Service
  • VMware Certificate Authority (VMCA)
  • VMware Endpoint Certificate Store (VECS)
  • Authentication framework daemon
  • Component Manager Service (CM)
  • HTTP reverse proxy

The big news here is the brand new VMware certificate authority (VMCA) and VMware Endpoint Certificate store (VECS). This will have a major impact on how you deploy and manage certificates in a vCenter environment. More to come on that in my next post.

Also keep in mind that you can mix and match PSC embedded installs along with external instances. All will share the same SSO domain, and will replicate other information like licensing. This lets you start out small, say with an embedded install, and expand in the future with a replicated external instance. Or perhaps you add a second datacenter down the road, with a local vCenter instance. There’s a limit of 8 PSCs per site.

Do keep in mind that if you start out with an embedded install (vCenter + PSC), there’s no supported method to “move” the PSC to a dedicated server or add more PSCs. So my advice is to start out by dedicating a VM to the PSC, and anther VM to all the other vCenter services. This provides maximum scalability, and future proofs your infrastructure for the foreseeable future.

High availability (HA) for the PSC service is via an external load balancer, such as a Citrix Netscaler or F5. Unfortunately built-in HA didn’t make it into this release, so we must rely on a third party solution. In the VMware graphic below you can see three vCenter instances, all pointing to a redundant and load balanced PSC deployment.

2015-02-07_10-02-40

SSO

vCenter single sign-on allows vSphere components to communicate with each other using secure tokens rather than authenticating separately to each component. The SSO service is comprised of the security token service, administration server, VMware directory service (vmdir) and identity management service. The STS service uses SAML tokens for authentication. The administration server allows administrators with the proper privileges to manage the SSO service. VMdir is a multi-master, multi-tenant directory service that uses LDAP, much like Active Directory. However it does not use AD nor ADAM/ADLS. It uses port 389 and 11711. If there is more than one instance of PSC in your environment then one update in vmdir will be replicated to all other instances. Vmdir also stores some certificate information. The identity management service processes identity sources and STS authentication requests.

Starting with vSphere 6.0 SSO is either deployed via the embedded PSC (co-resident with your vCenter server) or as part of an external PSC deployment. Of great importance is the order of installation. If you are using an external PSC, then it must be installed prior to vCenter server. This make sense, as vCenter depends on a number of the services in the PSC. If you choose the embedded install then everything is installed in the right order.

A single external PSC deployment can support up to eight vCenter instances. Each new vCenter instance connects to the same PSC server. If you are a monster enterprise environment and have more than 8 vCenters then you can deploy multiple PSC instances.

When you deploy the SSO component you will need to configure a password for the administrator@vsphere.local account. This password needs to be at least 8 characters, one lower case character, one numeric character and one special character. And the length must NOT exceed 20 characters. Only use visible ASCII characters, meaning you can’t use a space. You are also not allowed to use the single quote (‘) either. Other special characters may cause problems (remembering the SSO 5.1 and 5.5 days) so be sure to test out your “complex” passwords.

By default users are locked out of the SSO service after five consecutive failed attempts in three minutes. Accounts are unlocked after five minutes. These policies can be changed, if desired. See the vSphere Security Guide for additional details.

Below is a graphic from VMware showing the progression of SSO to the PSC, from vSphere 5.1 to 6.0.

2015-02-07_9-08-21

Summary

As you can see, the Platform Services controller is new to vSphere 6.0 and incorporates a number of new services. Medium to large deployments can get complex, with a mix of multiple vCenter servers and highly available PSCs. Carefully evaluate your business requirements for scalability and high availability, then chose a the simplest deployment model that best meets those requirements.

© 2017 - Sitemap