Translate

Total Pageviews

My YouTube Channel

My YouTube Channel

Monday 7 September 2015

VMware Platform Services Controller 6.0 FAQs (2113115)

Purpose

This article provides answers to some of the frequently asked questions about VMware Platform Services Controller (PSC) for vSphere 6.0. The PSC contains common infrastructure services such as vCenter Single Sign-On (SSO), VMware Certificate Authority (VMCA), licensing, and server reservation and registration services.
 
For more information, see:

Resolution

For answers to FAQs on various topics, see:

General Questions

What is Platform Services Controller 6.0 (PSC)?

Platform Services Controller (PSC) is a component of the VMware Cloud Infrastructure Suite. PSC deals with identity management for administrators and applications that interact with the vSphere platform.

How is PSC 6.0 different from SSO 5.5? How is it different from SSO 5.1?
The architecture remains the same between vSphere 5.5 and 6.0; however, there are now new features and services introduced at the PSC layer which are discussed below. To get a list of all the changes between SSO 5.5 and PSC 6.0, see What’s New in VMware vSphere 6.0 platform and VMware Education's What's New V5.5 to v6.0. To get a list of changes from SSO 5.1, see What's New in VMware vSphere 5.5 Platform.

What are the key capabilities of PSC 6.0?
  • PSC 6.0 remains a multi-master model, as was introduced in vSphere 5.5 in the form of vCenter Single Sign-On.
  • It can be deployed either in an Appliance-based or Windows-based flavor, both able to participate in multi-master replication. (With vSphere 5.x, the vCenter Server Appliance's embedded SSO was not supported to replicate with other SSO nodes)
    • Both Appliance-based or Windows-based PSCs can interoperate with Appliance-based or Windows-based vCenter Servers.
  • It now handles the storing and generation of the SSL certificates within your vSphere environment. For more information, seeImplementing CA signed SSL certificates in vSphere 6.0 (2111219).
  • It now handles the storing and replication of your VMware License Keys
  • It now handles the storing and replication of your permissions via the Global Permissions layer.
  • It now handles the storing and replication of your Tags and Categories.
  • It has a built-in feature for automatic replication between different, logical SSO sites.
  • There is only one single default domain for the identity sources.
What are the components that are installed with Platform Services Controller 6.0?
Components that are installed with PSC 6.0 include:
  • VMware Appliance Management Service (only in Appliance-based PSC)
  • VMware License Service
  • VMware Component Manager
  • VMware Identity Management Service
  • VMware HTTP Reverse Proxy
  • VMware Service Control Agent
  • VMware Security Token Service
  • VMware Common Logging Service
  • VMware Syslog Health Service
  • VMware Authentication Framework
  • VMware Certificate Service
  • VMware Directory Service
What are the different products/components with which PSC 6.0 is supported?
 
PSC 6.0 is supported with:
  • VMware vCenter Server
  • VMware vCenter Inventory Services
  • VMware vSphere Web Client
  • VMware Log Browser
  • VMware NSX for vSphere
  • VMware Site Recovery Manager
  • VMware vCloud Air
  • VMware vCloud Director
  • VMware vRealize Automation Center
  • VMware vRealize Orchestrator
  • VMware vSphere Data Protection
  • VMware vShield Manager
How is PSC 6.0 packaged?

The Platform Services Controller is available on both the Windows vCenter Server ISO or within the vCenter Server Appliance (VCSA) ISO.

How is the PSC 6.0 licensed?

The Platform Services Controller, on both Windows and Appliance, is not a licensed product. It is currently bundled with the vCenter Server 6.0 in the vSphere and vCloud Suites, but only the vCenter Server component of the bundle requires a license.


What Platform Services Controller deployment modes are possible with the vCenter Server Appliance? With Windows-based vCenter Server?

New to vSphere 6.0, both the Appliance-based PSC and Windows-based PSC can be deployed in both multi-site or high availability configurations. Additionally, if you need multi-site in conjunction with high availability, you can now setup your vSphere environment to have multi-sites and then configure each site with secondary PSCs. A load balancer is still required per site to provide high-availability. Only local load balancers (often times referred to as LTM, or Local Traffic Manager) are supported for PSC HA. For more information about recommended and support topologies, see List of recommended topologies for vSphere 6.0.x (2108548).

Note: When configuring PSC High Availability, the load balanced pair are required to be the same type; it is not supported to mix Appliance-Base and Windows-Based PSCs in the same load balanced pair.
For information about setting up PSC High Availability (HA), see the following.

What are the minimum requirements to run PSC 6.0?

Requirements when deploying the Appliance-based Platform Services Controller:
  • Processor - Intel or AMD x64 processor with two or more logical cores, each with a speed of 2 GHz
  • Memory - 2 GB
  • Disk storage - 30 GB
  • Network speed - 1 Gbps
For more information, see the vCenter Server Appliance Hardware Requirements and Storage Requirements section in the vSphere Install and Setup guide for vSphere 6.0

Requirements when deploying the Windows-based Platform Services Controller:
  • Processor - Intel or AMD x64 processor with two or more logical cores, each with a speed of 2 GHz
  • Memory - 2 GB
  • Disk storage - 4 GB
  • Network speed - 1 Gbps
For more information, see the vCenter Server for Windows Hardware Requirements and Storage Requirements section in the vSphere Install and Setup guide for vSphere 6.0


What happens when the PSC 6.0 server is down? How does this affect Enhanced Linked Mode (ELM)?

If the PSC 6.0 server is down, you cannot log in to vCenter Server or any 2nd party VMware products that depends on it. Existing connections and user sessions to the vCenter Server will remain active, and the vCenter Server services will remain up and running. However, once the session ends, if the PSC is still down, the user will not be able to log in again. Additionally, if the PSC is down and the vCenter Server's services are restarted, vCenter Server will be unable to fully start until the PSC's services are restored or the vCenter Server is repointed to an operation PSC in the same vSphere Domain.

Regarding an environment in which multiple PSCs are in the same vSphere Domain and Enhanced Link Mode is being used, if a PSC in which a vCenter Server is connected to fails, access to this vCenter Server via a different vCenter Server's vSphere Web Client will not be possible. This is due to a user's SAML token from the vSphere Web Client being unable to be passed to the failed PSC, thus to the vCenter Server. Unless the PSC is brought back online or the vCenter Server is repointed to a different PSC in the same domain, users will not be able to access it.

What happens when the VMware Certificate Authority (VMCA) service in the PSC 6.0 server is down? If my Private Key Infrastructure (PKI) is down?

At this time the VMCA and VECS do not perform Certificate Revocation List (CRL) checking. This means that while the VMCA service is down, your vCenter Server(s) will be able to continue working and are able to be restarted. For more information, see Managing Certificate Revocation in the vSphere Security Guide.

Additionally, if your PKI is down, due to the the VMCA and VECS not performing CRL checking, your vSphere environment will continue to run.


Do I need a database to successfully install/run PSC 6.0?

As with SSO 5.5, in vSphere 6.0 you do not need a database for the PSC.

How to backup and restore PSC 6.0?

For information on how to backup and restore the PSC, see How to back up and restore vCenter Server 6.0 external deployment models (2110294).

Can I use snapshots against my PSC 6.0? How about image-based backups?

You can snapshot a single Platform Services Controller so long as it does not exist in a multi-site or highly available configuration within a vSphere domain.  Additionally, you can also use image-based backups but with the same caveat that the PSC does not exist in a multi-site or highly available configuration, and is a stand-alone PSC. This is due to the use of Update Sequence Number (USN) for replication, and when restoring a PSC via snapshot or image-based backup, the sibling nodes will be out of sync. For more information, see Possible vSphere.local domain inconsistencies after restoring a vCenter Server Single Sign-On 5.5 or Platform Services Controller 6.0 node (2086001)

For guidance on backup and restore of your PSC, see the section How to backup and restore PSC 6.0? above.


How do I create a Service Principal Name (SPN)?

For instructions to create and use a Service Principal Account in PSC 6.0, see Creating and using a Service Principal Account in vCenter Single Sign-On 5.5 (2058298).

What is a vSphere Domain Name in PSC 6.0?

A vSphere Domain Name is defined when you are first configuring a PSC 6.0, or it is retained when you are upgrading your existing SSO 5.5 environment. This is the name in which your vSphere Domain's backing directory service (VMware Directory Service) bases all of its Lightweigh Directory Access Protocol (LDAP) internal structuring upon. With vSphere 6.0, you are able to give you vSphere Domain a unique name; however, make sure that you do not name it the same as any of the other Directory Services (OpenLDAP, Microsoft Active Directory) as this will cause conflicts with authentication. If you are upgrading from vSphere 5.5, your vSphere Domain Name will remain the defaultvsphere.local. Changing the name of your vSphere Domain once is has been configured is not supported.

Once you have defined the name of your domain, you are then able to populate it with objects in the form of Machines (PSCs, vCenter Servers, vRealize Automation, etc.), Users (users@vsphere.local) or Groups (groups@vsphere.local). These objects can then be organized into individual logical sites, explained below.


What are Sites in PSC 6.0?

A site in the VMware Directory Service is a logical container in which we group Platform Services controllers within a vSphere Domain. You can name them in an intuitive way for easier implementation. Currently, the use of sites is for configuring PSC High Availability groups behind a load balancer.

What are the different types of Identity Sources that can be created with SSO 5.5?
 
The different types of Identity Sources that can be created with SSO 5.5 include:
  • Active Directory (Integrated Windows Authentication)
  • Active Directory as an LDAP server
  • OpenLDAP
  • Local OS
For more information, see Identity Sources for vCenter Server with vCenter Single Sign-On in the vSphere 6.0 Security Guide.

How do we generate the PSC Support Bundle for Windows? For the Appliance-based PSC?

Since both Appliance-based and Windows-based PSCs can be deployed external to the vCenter Server exist in the same environment in vSphere 6.0, there are multiple means to generate a support log bundle. 

For the Platform Services Controller Appliance:
  • From a Web Browser
    1. Open a Web Browser and navigate to: https://Platform_Services_Controller_FQDN/appliance/support-bundle
    2. When prompted enter the root credentials and click Enter.
    3. The download will begin automatically as vm-support.tgz.
  • From Command Line:
    1. Initiate an SSH connection to the vCenter Server Appliance.
    2. Provide the root user user name and password when prompted.
    3. Run this command to enable the Bash shell:

      shell.set --enable True
    4. Run this command to access the Bash shell:

      shell
    5. In the Bash shell, run the below command to export logs to /storage/log/ :

      vc-support -l
    6. This will begin generating a log bundle as vc-<FQDN_of-PSC>-<Date>.tgz.
    7. Once complete, use an SCP client to download the log bundle.
  • From vSphere Web Client UI
    1. Log into the vSphere Web Client from vCenter Server connected to the Platform Services Controller withAdministrator@vsphere.local
    2. Click on Administration > System Configuration
    3. Click on Nodes in the left pane.
    4. Locate the Platform Services Controller in the left pane, right-click and select Export Support Bundles
    5. Click Export Log Bundle and select a location you'd like to export.
    6. Click OK once completed.
For the Platform Services Controller for Windows:
  • From Windows Server UI
    1. Remote Desktop into the Windows Server.
    2. Click Start > All Programs (Windows 2008R2) or Start > All Apps icon (Windows Server 2012R2)
    3. Locate the VMware folder
    4. Click Generate vCenter Server log bundle
    5. This will begin generating a log bundle as vc-<FQDN_of-PSC>-<Date>.tgz on the desktop.
  • From Command Line:
    1. Remote Desktop into the Windows Server.
    2. Open an administrative command prompt.
    3. Run the below command to generate the log bundle:

      "%VMWARE_CIS_HOME%"\bin\vc-support.bat
    4. This will begin generating a log bundle as vc-<FQDN_of-PSC>-<Date>.tgz on the desktop.
  • From vSphere Web Client UI
    1. Log into the vSphere Web Client from vCenter Server connected to the Platform Services Controller with Administrator@vsphere.local
    2. Click on Administration > System Configuration
    3. Click on Nodes in the left pane.
    4. Locate the Platform Services Controller in the left pane, right-click and select Export Support Bundles
    5. Click Export Log Bundle and select a location you'd like to export.
    6. Click OK once completed
If you are running an embedded Platform Services Controller on your vCenter Server, the support bundle will contain logs and also the information for the PSC. For more information, see Collecting diagnostic information for VMware vCenter Server 4.x, 5.x and 6.0 (1011641).


What is a VMware Solution and how does it affect my maximums?

A VMware Solution is defined as a product that creates a Machine Account and one or more Solution User (a collection of vSphere services) within the VMware Directory Service when the product is joined to the PSC, thus the vSphere Domain. The Machine Account and Solution User(s) are used to broker and secure communication between other Solutions available within the vSphere environment. In order to count against these maximums, the Machine Account and Solution Users must be fully integrated with all of the PSC's available feature sets (Identity Management and Authentication Brokering, Certificate Management, Licensing, etc.) such that the product makes full use of the PSC. At this time, only vCenter Server is defined as a fully integrated solution and counts against these maximums.

Partially integrated solutions, such as vCenter Site Recovery Manager, vCloud Director vRrealize Orchestrator, vRealize Automation Center, and vRealize Operations, do not count against these defined maximums

Upgrade Questions

How do I upgrade from SSO 5.1 to PSC 6.0? From SSO 5.5 to PSC 6.0?

If the SSO service is bundled with the vCenter Server, referred to as an embedded deployment, the upgrade from 5.x to 6.0 is handled all-inclusively via the installer for both Windows and the vCenter Server Appliance.

vSphere 5.1: If the SSO service is deployed externally, see the Upgrade vCenter Single Sign-On 5.1 for External Deployment section in thevSphere Upgrade Guide.
vSphere 5.5: If the SSO service is deployed externally, see the Upgrade vCenter Single Sign-On 5.5 for External Deployment section in thevSphere Upgrade Guide.


What is the sequence when upgrading my SSO 5.x to PSC 6.0? What if I have multiple SSO nodes in the same domain?

When planning your vSphere 5.x upgrade to 6.0, see Update sequence for vSphere 6.0 and its compatible VMware products (2109760) which cover when to upgrade the Platform Services Controller.

In vSphere environments in which multiple SSO nodes exist in the same vSphere domain, see Mixed-Version Transitional Environments in vCenter Server for Windows Upgrades in the vSphere Upgrade Guide.


What happens to the database that I have with SSO 5.1?

After upgrading to PSC 6.0, the old SSO database is no longer needed. However, the database is not removed from your database server during the upgrade. You must manually remove the database and all users associated with it.

After upgrading, will the PSC 6.0 retain my old Identity Sources?

Yes, all your old Identity Sources are retained after the upgrade.

In SSO 5.1, my SSO domain was system-domain and the administrator user was the admin. Will I still be able to log in using the same username in PSC 6.0?

Yes, you can continue to log in to your SSO server with the old user (admin@system-domain) and password. This account is an alias of the administrator@vsphere.local after you have upgraded.

Will PSC 6.0 work with vCenter Server 5.1? With vCenter Server 5.5?

vSphere 5.1: No, PSC 6.0 will not work with vCenter Server 5.1.
vSphere 5.5: Yes, PSC 6.0 will continue working with vCenter Server 5.5 in an environment in which you are performing a rolling upgrade. However, VMware does not support fresh installs or repointing of vCenter Server 5.5 against a PSC 6.0, nor does VMware support leaving your environment in a hybrid-type deployment of vSphere 5.5 with vSphere 6.0. VMware recommends you to upgrade to vCenter Server to 6.0 along with your PSC. For more information, see Mixed-Version Transitional Environments in vCenter Server for Windows Upgrades in thevSphere Upgrade guide.



Will PSC 6.0 work with SSO 5.5?

Yes, PSC 6.0 will continue to work with SSO 5.5. However, as with vCenter Server backward compatibility, VMware recommends you to upgrade all of your SSO 5.5 nodes to 6.0. For more information, see Replace the VMware Directory Service Certificate in Mixed Mode Environments in the vSphere Security guide.


When do I Patch (Appliance) or Update (Windows) a PSC 6.0?

The Platform Services Controller and the vSphere Domain sit above the vCenter Server and the rest of the VMware Product stack. When planning an update for your vSphere environment, the Platform Services Controller(s) will be the first system that needs to be patched or updated. At this time, updating the Platform Services Controllers must be performed in a serial fashion where each PSC is updated one by one. Parallel installation of patches or updates on PSCs is not supported.

For more information on the sequence of updating your vSphere environment, see Update sequence for vSphere 6.0 and its compatible VMware products (2109760).


How do I check the current vSphere version or build number that my PSC 6.0 is running?
  • Checking the Platform Services Controller Appliance:
    1. SSH to the appliance and log in with root.
    2. Execute the following:

      com.vmware.appliance.version1.system.version.get

      This will output the the build number, the release date of the build, and type of the Appliance. Use the example below as a model:

      Version:
         Product: VMware vCenter Server Appliance
         Summary: Patch for VMware vCenter Server Appliance 6.0
         Releasedate: June 16, 2015
         Version: 6.0.0.5120
         Build: 2800573
         Type: VMware Platform Services Controller
  • Checking the Platform Services Controller for Windows:
    1. Remote desktop to the Windows Server
    2. Open an administrative command prompt
    3. Execute the following to get the build number:

      reg query "HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\vCenter Server" /v BuildNumber

      Use the example below as a model:

      HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\vCenter Server
          BuildNumber    REG_SZ    2800572
    4. Execute the following to get the type of deployment:

      reg query "HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\vCenter Server" /v INSTALL_TYPE

      Use the example below as a model:

      HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\vCenter Server
          INSTALL_TYPE    REG_SZ    infrastructure

      There are two types that can be displayed here: 
      Embedded indicates the PSC is embedded with the vCenter Server. 
      Infrastructure indicated that the PSC was deployed separate from the vCenter Server


How do I Patch (Appliance) or Update (Windows) a PSC 6.0?

The Platform Services Controller Appliance and the Platform Services Controller for Windows use different update mechanisms to patch the software. This includes using the software-packages for the Appliance and running the autorun executable from Windows. Due to the differences, when using the appliance, it is often referred to as Patching; when using the Windows equivalent, it is referred to as Updating. The below operations will result in updating your PSC(s) to the latest versions of vSphere 6.0.
  • Patching the Platform Services Controller Appliance:

    The Patches for the Platform Services Controller Appliance are located on the MyVMware Patch Repository.
    1. Download the Patch ISO for the the Platform Services Controller Appliance.
    2. Mount the ISO to the Appliance using the vSphere Client or vSphere Web Client
    3. SSH to the appliance and log in with root.
    4. Ensure you are running the Platform Services Controller appliance under the Appliance Shell. For more information, see Toggling the vCenter Server Appliance 6.x default shell (2100508).
    5. Stage the patches from the mounted ISO by running the following command:

      software-packages stage --iso --acceptEulas
    6. Install the staged patches by running the following command:

      software-packages install --staged
    7. If prompted, reboot the Platform Services Controller Appliance by running the following workflow:
      1. Run this command to enable the Bash shell:

        shell.set --enabled True
      2. Run this command to access the Bash shell:

        shell
      3. Run this command to reboot the PSC:

        reboot
    8. After completion, repeat this process on any additional Platform Services Controllers.
  • Updating the Platform Services Controller for Windows:

    The Updates for the Platform Services Controller for Windows are located on the MyVMware Downloads.
    1. Download the latest ISO for the Windows vCenter Server 6.0
    2. Mount the ISO to the Platform Services Controller
    3. In the software installer, double-click the autorun.exe file to start the update. 
      The installer will run to identify which versions of Platform Services Controller you are using and will identify if it needs to be upgraded.
    4. Click Next, Accept the EULA
    5. Click Next
    6. Click Update
    7. If prompted, reboot the Platform Services Controller system.
    8. After completion, repeat this process on any additional Platform Services Controllers.

Best Practices

What are the best practices for installing PSC 6.0?


What are the best practices for upgrading to PSC 6.0?


How many PSC servers can exist behind a load balancer?

With the use of a load balancer, there can be a maximum of 4 PSCs per site within the vSphere domain. For more information, see thePlatform Services Controller Maximums in the vSphere 6.0 Configuration Maximums Guide.

What are the compatible load balancers with PSC HA? What are the requirements of the load balancer?

VMware has tested and certified the use of Citrix Netscalar and F5 Networks Big-IP for use with PSC HA. For information on the requirements for using Citrix Netscalar, F5 Networks Big-IP as well as other load balancers with PSC HA, see vCenter Single Sign-On and Platform Services Controller High Availability Compatibility Matrix (2112736).


PSC HA requires the use of SSL Termination with the compatible load balancer rather than SSL Passthrough. What does this mean?

Everything is encrypted on port 443 up to the Reverse Proxy, which utilizes the __Machine_SSL certificate stored in theMACHINE_SSL_CERT VECS store, on the backing Platform Services Controller nodes. When vCenter Server (acting as a client) connects, it create an SSL session (encrypted) which terminates at the the load balancer, at which point a new SSL connection from the load balancer is initiated where we then hand off this session to one of the PSC nodes (encrypted), resulting in the vCenter Server session being connected to the Reverse Proxy on the PSC (443). For the load balancer to proxy and have visibility of the traffic it has to decrypt it. Then it re-encrypts it in another session to the PSC.

There are other RPC and LDAPS ports that we communicate with, which are called out in the different load balancer setup guides:


How many PSC servers can exist in a vSphere Domain?

VMware has tested up to 8 PSCs within the vSphere domain. For more information, see the Platform Services Controller Maximums in the vSphere 6.0 Configuration Maximums Guide.


Is there any way to add Identity Source through command line?

Yes, however this is limited to just the Active Directory (Integrated Windows Authentication) identity source. For more information, see Adding an Integrated Active Directory (IWA) Identity Source without the vSphere Web Client for vSphere 5.5/6.0 (2063424).

What are the other PSC's maximums?

For more information, see the Configuration Maximums for vSphere 6.0.


Can I deploy PSCs over a WAN?

While it is possible to deploy PSCs over a WAN, the replication between PSCs is very latency sensitive. It is recommended that the latency between PSCs, as with any replicating directory service, to be as low as possible. Additionally, now that Enhanced Linked Mode (ELM) and all features that utilize ELM are facilitated via the PSC, for the best user experience within a vSphere environment, low latency is highly recommended.


How should I deploy my PSC 6.0 regarding Active Directory? Regarding OpenLDAP?

When using the Active Directory (Integrated Windows Authentication) identity source, it is recommend to pair the PSC as close to the local Active Directory Domain Controller(s) (DC) as possible, with minimal hop count to reach them. The PSC, both Windows-based and Appliance-based, have improved logic to allow for SAML token creation, requests as well as User and Group querying that will leverage the nearest DC within the environment to provide the best performance for log-in. Additionally, depending on the complexity of your Active Directory environment, there are known limitations. For more information about support Active Directory topologies, see Microsoft Active Directory Trusts supported with VMware vCenter Single Sign-On (2064250).

When using the other available Identity Source, such as OpenLDAP and Active Directory as a LDAP Server, the PSC is performing simple binds via the service account that was provided during identity source creation. While distance and latency in regards to the Domain Controllers is of extreme importance, since we are performing a simple bind when querying the users, these identity source will have performance limitations and problems due to parsing recursion. For more information, see Logging into vCenter Server using the vSphere Client with vCenter Single Sign-On in a multi-domain environment fails (2037410).


When should I use Embedded? When should I used External? What is the optimal PSC to vCenter Server Architecture?

vCenter Servers with Embedded Platform Services Controllers are designed for small environments in which no vCenter Servers, or 2nd party VMware products, need to communicate (via Enhanced Linked Mode) and the vSphere environment stays relatively static. In these environments, often there is only a single vCenter Server. When using the Embedded Platform Services Controller with the vCenter Server, it is not recommended to setup replication partnerships with External Platform Services controllers or other, embedded Platform Services Controllers. At this time, there is no way to reconfigure a vCenter Server with Embedded Platform Services Controller to an External Platform Services controller or vice versa.

External Platform Services Controllers are used in large environments in which multiple vCenter Servers are all working in conjunction via Enhanced Linked Mode and/or you have multiple 2nd-party applications (vRealize Automation Center, vRealize Orchestrator, etc.) that integrate with the PSC. In these environments, often there are multiple vCenter Servers connected to the same vSphere domain, and there are other 2nd-party applications that stack on top of the vCenter, using it as an endpoint for automation or Cloud services.


Application Questions

Can I change the PSC 6.0 administrator username from administrator@vsphere.local to another user name?

No, PSC 6.0 administrator username cannot be changed from administrator@vsphere.local to another user name. You can, however, create a separate administrator user for this purpose.

Do I still need to have a master password with PSC 6.0?

No, there is no Master password anymore. By default, administrator@vsphere.local, is the administrator in PSC 6.0 as it was in SSO 5.5.

Can I create or manage SSO users in the vSphere.local domain with PSC 6.0? With a command-line interface (CLI)? With an application program interface (API)?

You can now easily create and manage SSO Users using a new command-line utility that is included within the PSC 6.0 called dir-cli. For guidance on using dir-cli, see the dir-cli Command Reference section in the vSphere Security Guide.

At this time, the APIs required to for this process are not publicly exposed. For more information, see Overview of vSphere Command-Line Interfaces section in the vSphere 6.0 Command-Line Documentation Guide.

What do all of the built-in Groups do within my vSphere Domain? Can I remove any of these built-in Groups?

Each of these groups provides an an integral set of privilege and corresponding set of available actions in the vSphere Domain. For more information, see Groups in the vSphere.local Domain in the vSphere Security Guide. Removing any of the built-in Users or removing any of the built-in Groups is not supported and can cause irreparable damage to your vSphere Domain.

Can I add an Active Directory or OpenLDAP Group to one of the PSC built-in Groups, such as Administrators or SystemConfiguration.Administrators?


PSC 6.0 uses auto-generated certificates. Can we replace these certificates with custom generated certificates?

Yes, the VMware Certificate Authority (VMCA) on the Platform Services Controller can be replaced with a subordinate certificate authority signing certificate. This will allow for certificates on both the PSC and for vCenter Server to be generated using CA-signed certificates. For customers forgoing this feature, customers can replace the certificates on the PSC using the vSphere Certificate Utility. For more information, see Implementing CA signed SSL certificates in vSphere 6.0 (2111219).

Some of the the services bundled with the PSC are not fully VECS-integrated, so the certificate replacement process will be manual. For more information, see the vSphere Security Guide.

After replacing the VMCA in the PSC 6.0 with a Signing Certificate, do we need to do anything else?

After replacing the VMCA with a signing certificate for your own PKI, you will need to wait 24 hours in order to add new ESXi 6.0 hosts to the vCenter Server. Existing ESXi 6.0 or 5.x hosts will not be affected after this process has occurred. For more information, see Unable to add ESXi 6.0 host to vCenter Server 6.0 with error "signed certificate could not be retrieved due to a start time error" (2123386)

Can I disable PSC 6.0 in vCenter Server?

No, you cannot disable the vCenter Servers dependency on PSC 6.0. This is similar to vSphere 5.1 and 5.5.

Can I repoint the vCenter Server to other PSCs in the same vSphere Domain? Can I repoint the vCenter Server to a new vSphere Domain?

When multiple, external PSCs are deployed in the same vSphere Domain and are replicating, repointing a vCenter Server between these PSCs can be performed vmafd-cli. This allows customers to move the vCenter Servers between PSCs in the event they need to performance maintenance on a PSC. For more information, see the Repointing the Connections Between vCenter Server and Platform Services Controller section in the vSphere Installation and Setup Guide.

With vSphere 6.0, you can no longer repoint a vCenter Server node to a PSC in a separate vSphere Domain as was available in vSphere 5.5 and 5.1. This is due to the other vSphere Domain not containing any of the important data from the originating vSphere Domain's VMware Directory Service as the two domains have no way of replicating to one another. Due to the way that vCenter Server now stores some data in itself but utilized some data in the vSphere Domain, you must perform a re-installation of vCenter Server if you would like to change domains.

Can I merge two vSphere Domains together?

No, there is no way to merge two vSphere domains together.

Can I get Enhanced Linked Mode between two, separate vSphere domains?

No, Enhanced Linked Mode requires that all PSCs be in the same domain and replicating. Since two separate vSphere Domains do not have a means of replicating, the new APIs that provide ELM will not be able to display the contents of both domains. For more information about Enhanced Linked Mode, see the Enhanced Linked Mode Overview section in the vSphere Upgrade Guide.

Is NTLM authentication still supported? If yes, does does this mean that NT4 domains can also be authenticated?

No, NTLM authentication was deprecated in vSphere 5.5 and is no longer supported with PSC 6.0.

Can I configure multiple default domains in PSC 6.0?

No, there can only be one default domain.

What is the replication interval between two PSCs?

The replication interval between two PSCs is 30 seconds. However, under certain conditions, this replication time can increase in order for all PSCs to fully synchronize. For more information, see the VMware Directory Service Replication Can Take a Long Time section in the vSphere Secutity Guide.

How to verify a successful PSC 6.0 installation?

To verify if the PSC 6.0 installation is successful, perform the following: 
  • For External PSC, navigate to https://<FQDN_of_PSC>/websso/ after checking the status of the PSC services.
  • For Embedded PSC, navigate to https://<FQDN_of_Embedded_vCenter_Server>/lookupservice/sdk after checking the status of the PSC services.
How do I decommission a PSC 6.0 installaion for Windows-based or Appliance-based servers?


After adding my Active Directory (Integrated Windows Authentication) identity source, it went to the Root of my Active Directory domain. My PSC is in a Child Domain, how do I adjust this?

Source:-
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2113115&src=vmw_so_vex_ragga_1012
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)