Platform Services Controller
With vSphere 6.0 introduced, along came the Platform Services Controller, or PSC for short. The best way to think of the PSC is Single Sign-On (SSO) plus more. What is “more” you ask? Let’s start with the deployment options. The PSC can be deployed as either a Windows Server or an Appliance. You can either embedded your PSC or use it as an external PSC (See Software and Hardware Requirements). In my opinion, I would always deploy the PSC externally because it will future proof your environment if your infrastructure is growing. For a list of recommended topologies and deployment models please click here.
Now we can talk about the “more.” The first question asked is usually “What components are installed with the PSC? Here is the list you are looking for:
VMware Appliance Management Service
VMware Authentication Framework
VMware Certificate Service
VMware Common Logging Service
VMware Component Manager
VMware Directory Service
VMware HTTP Reverse Proxy
VMware Identity Management Service
VMware License Service
VMware Security Token Service
VMware Service Control Agent
VMware Syslog Health Service
Some of these components are carried over from previous versions, like the Directory Service, Security Token Service, etc. However, some of these are new, and introduce a lot of brand new functionality. For example, the VMware Certificate Service stores and generates SSL certificates for your vCenter Server or ESXi hosts; the License services will store and replicated VMware license keys in your environment and much more.
After standing up your first PSC, you can navigate to the URL https://FQDN/websso/ (external) or https://FQDN/lookupservice/sdk (embedded) to ensure it’s up and running. This page will also point you to the Platform Services Controller documentation page.
vSphere Web Client
A good amount of the configuration is done through the vSphere Web Client. However, it is not included in an external PSC. You will need to stand up a vCenter Server, to access it. As mentioned SSO is one of the main components of the PSC.
After standing up a vCenter Server, you will log into the vSphere Web Client with firstname.lastname@example.org After logging into the vSphere Web Client, select Administration From here you can do the following with SSO. I included only the most common tasks, but you can also set the following from the Administration -> Configuration tab.
- Password Policy
- Lockout Policy
- Token Policy
- Identity Sources TrustStore
- STS Signing
- SAML Service Providers.
One of my first blog posts was the implementation of CA certificates in vSphere 6.0, which included the PSC machine certificate and making the VMware Certificate Authority a subordinate CA to sign certificates to vCenter Servers and ESXi hosts. There was a lot of new architecture and functionality introduced with VMware Certificate Endpoint Store (VECS) and VMware Certificate Authority (VMCA) so I highly suggest you check out that article if you haven’t yet!
I do want to note that you can view, Active, Revoked, Expired, or Root Certificates through the vSphere Web Client by navigating to Administration -> Configuration -> System Configuration
Looking at the Configuration Maximums for vSphere 6.0 you will see the following.
|Maximum PSCs per vSphere Domain||8|
|Maximum PSCs per site, behind a load balancer||4|
|Maximum objects within a vSphere Domain (Users and Groups)||1,000,000|
|Maximum tolerance for time skew between PSC nodes||5 minutes|
|Maximum Active Directory or OpenLDAP Groups per User for best performance||1015|
|Enhanced Linked Mode/Lookup Service|
|Maximum number of VMware Solutions connected to a single PSC||4 This limit is based on the test performed using only vCenter
|Maximum number of VMware Solutions in a vSphere Domain||10|
|Maximum number of subordinate Certificate Authority servers in the chain within VMware Certificate Authority||6|
|Maximum cryptographic hash used for PSC Node certificate||1|
|Maximum RSA Public Key length used for PSC Node certificate||16,384|
The Platform services controller can utilize many different VMware products or solutions. The supported solutions are below. It’s important to note from the maximums that you can have a total of 4 solutions pointing to PSC. Note: These four solutions do NOT include SRM, vRO, vRA, and vROps.
VMware vCenter Server
VMware vCenter Inventory Services
VMware vSphere Web Client
VMware Log Browser
VMware vCloud Air
VMware vSphere Data Protection
VMware vRealize Automation Center
VMware vRealize Orchestrator
VMware vShield Manager
Command Line Management Tools
There a few new command line tools for manageability. I wanted to briefly introduce them, but I will have dedicated sections coming very soon with the usage. So far, vecs-cli and certificate-manager are the only sections I have completed, you can click the link below for more information.
- dir-cli : Manage solution users, certificates and passwords
- vecs-cli : Manage VMware Certificate Store (VECS)
- certool : Manage VMware Certificates
- certificate-manager : Manage PSC and vCenter Server Certificates
- vmafd-cli : Repointing vCenter to a new external PSC and manage replication
Multimaster Architecture and Replication
As in 5.5 SSO, PSCs in 6.0 use the same multi-master architecture. This means you can have several PSCs in your environment all automatically replicating with a partner node. All of the nodes are master nodes, unlike in SSO 5.1, there was a primary node and multiple secondaries (master-slave). The default replication interval between PSCs is 30 seconds and is very latency sensitive; with that said I wouldn’t recommend that you deploy PSCs in a WAN setup unless you know there is low latency between the nodes. One additional thing to mention is that you can technically use a PSC with vCenter Server 5.5; however it’s only recommended to be used during rolling upgrades. vCenter Server 5.1 pointing to a PSC will not work and is not supported.
You can also Repoint a vCenter Server to a new External PSC.
PSC High Availability
If by chance your PSC server goes down, you will not be able to log into vCenter Server. Additionally, any services that utilize the PSC for authentication will also fail to create new sessions. This does not mean that your vCenter Server will be down, just the management layer.
You can install your PSC in High Availability (HA) mode to ensure that you don’t hit this type of problem. I have written a nice guide on installing PSCs in HA mode using F5 as a load balancer here.
Another possibility is using Fault Tolerance (FT). Fault Tolerance is vSphere 6.0 now supports up to 4CPUs so this can provide continuous availability if needed. I haven’t had full confirmation on whether or not vCenter Server and PSCs using FT are supported by VMware, but I wanted to throw the option out there anyway.
PSC Backups and Recoverability
Backups are always important, I would recommend backing up the PSC regularly. Please see the following article on “How to backup and restore the vCenter Server 6.0 external deployment models” This article provides all of the supported techniques for backing up and restoring single external PSCs and multiple PSCs
- Recovering from a single failed vCenter Server
- Recovering from a single failed Platform Services Controller
- Recovering from a single failed vCenter Server
- Recovering when all Platform Services Controllers fail
- Recovering from a single failed Platform Services Controller behind a load balancer
Upgrading to PSC 6.0
The last piece of information I would like to provide, are some “How-To” upgrade guides from SSO 5.1 or SSO 5.1 to PSC 6.0. If you are using an internal SSO server, then the installer will handle the upgrade process. However, if you have an external SSO server, SSO in multisite, multimaster, or HA mode, then the flow charts below show outline the Prerequisites and Procedure
Credit: Flow Chart for Single Sign-On 5.1 Upgrade to PSC 6.0
Credit: Flow Chart for Single Sign-On 5.5 Upgrade to PSC 6.0
Please let me know if you have any additional questions or comments; I would be happy to do my best to answer them!