Deploying Platform Services Controller ( PSC ) in HA mode behind a Load Balancer.

In this blog we look at the configuration of a highly available external Platform Services Controller (PSC) appliance. A fresh, or new, vCenter Single Sign-On high availability deployment is recommended when there are multiple vCenter Server systems or vCenter Single Sign-On enabled solutions that require a high level of uptime. When deploying the Platform Services Controller externally for multiple services, availability of the Platform Services Controller must be considered. In some cases, simply having the Platform Services Controller located in a vSphere cluster with VMware vSphere High Availability enabled is sufficient. In other cases, having more than one Platform Services Controller deployed in a highly available architecture is recommended. This requires a network load balancer.


PIC is from VMware.

Mount the vCenter Server 6.0 Appliance ISO to a Windows VM and Install the Client Integration Plugin.

Node1 : PSCSSO1.domain.local

Node2: PSCSSO2.domain.local

LB: PSCSSO.domain.local

Double-click vcsa-setup.html and, once the plug-in has opened, click Install.


Accept the terms of the license agreement and Click Next

Select a target ESXi host to deploy the appliance.


Click YES to accept the host’s Certificate

Enter an Appliance name and the root OS Password which we want to assign.


Select the Install Platform Services Controller option under “External Platform Services Controller”.


Select Create a new SSO Domain and enter an administrator vCenter SSO Password; enter an SSO Domain name such as vsphere.local and an SSO Site name such as a city or physical location name


Next Select the Datastore with the Thin Disk Mode.


Choose the Network and see my blog for the Ephemeral Port details.


Once the Installation is done then start the second Node.

Do the above steps and select the option to Join an SSO in an Existing configuration.


Select the Join an existing site


Once the installation is done, we need to prepare the nodes for the load balancer configuration.

SSH into the Node 1 PSC appliance and enable the shell with the commands below:

shell.set --enabled true

shell

Download the vCenter Single Sign-On high availability scripts (the SSO-HA.ZIP file), copy them to the appliance and unzip them.

Create the directory sso-ha and unzip VMware-psc-ha-6.0.0.2503195.zip:

mkdir /sso-ha

unzip VMware-psc-ha-6.0.0.2503195.zip


Change into the directory /sso-ha and run the command below.

python gen-lb-cert.py --primary-node --lb-fqdn=<loadbalancerfqdn> --password <certpassword>

loadbalancerfqdn – LB virtual IP for load-balancing the PSC.


Create a forward and reverse DNS entry for the VIP created to load balance the Platform Services Controller traffic.

Now log in to Node 2.

Create the folders below.

mkdir /ha and /ha/keys, and from the first node copy /sso-ha, /ha and also the keys (/etc/vmware-sso/keys). Please check the SCP to the vCSA details.


Verify all the Files
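
One way to do this check from the shell, as an added example that is not part of the original post or of VMware's scripts: build a SHA-256 manifest on Node 1, verify the copy on Node 2 against it, and list key files that group or others can access. It assumes sha256sum and find are available on both nodes and that the keys were copied into /ha/keys; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes sha256sum and find exist
# on both nodes; the function names are hypothetical.

# make_manifest DIR: print "hash  ./relative/path" for every file under DIR.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k2 )
}

# verify_copy MANIFEST DIR: succeed only if every file listed in MANIFEST
# (given as an absolute path) exists under DIR with the same SHA-256.
# Mismatched or missing files are listed on stderr. Files that exist only
# in DIR are not reported.
verify_copy() {
    [ -s "$1" ] && [ -d "$2" ] || return 2
    bad=$(cd "$2" && sha256sum -c "$1" 2>/dev/null | grep -v ': OK$' || true)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" >&2
    return 1
}

# loose_key_files DIR: list files that group or others can read or write.
# Assumption: the copied SSO signing keys should be accessible to their
# owner only, so any path printed here needs a look.
loose_key_files() {
    find "$1" -type f \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) | sort
}

# Usage with the post's paths (manifest copied to Node 2 with the files):
#   Node 1:  make_manifest /etc/vmware-sso/keys > /tmp/keys.sha256
#   Node 2:  verify_copy /tmp/keys.sha256 /ha/keys && loose_key_files /ha/keys
```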


Run the following command from Node 2.

python gen-lb-cert.py --secondary-node --lb-fqdn=<loadbalancerfqdn> --lb-cert-folder=/ha --sso-serversign-folder=/ha/keys/

lb-fqdn – LBFQDN is the load balancer’s VIP used for load balancing the PSC.

PSCSSO.domain.local


On one Platform Services Controller, update the endpoint URL by running

where FQDNofLocalMachine is the FQDN of the machine where the script is being run, loadbalancerFQDN is the FQDN of the load balancer’s VIP used for load balancing the Platform Services Controllers, SSODomain is the vCenter Single Sign-On domain (by default vsphere.local), and password is the password for the vCenter Single Sign-On administrator. The password parameter is optional; if not specified, you will be prompted for it.


Once all the configuration is done, create a pool for ports 443, 2012, 2014, 2020, 389 and 636. Also set the health monitors to use TCP and the load balancing method to Round Robin.

Update 03\25\2016.

Additional info to maintain the PSC

Platform Services Controller Appliance 6.0: /storage/log fills up.

During rotation of the SSO log files the old log file is not compressed, leaving multiple large files stored in /storage/log.

Resolution: There is no fix for this issue. VMware initially asked to delete the files and has now updated the KB with a workaround.

To work around this issue, edit the log4j.properties file to change the log file settings.
  1. Connect to the vCenter Server Appliance console and log in using root credentials.
  2. Run this command to enable access to the Bash shell:
    shell.set --enabled true
  3. Type shell and press Enter.
  4. Navigate to the log4j.properties file location with this command:
    cd /usr/lib/vmware-sso/vmware-sts/webapps/sts/WEB-INF/classes/
  5. Back up the log4j.properties file with this command:
    cp log4j.properties log4j.properties.bak
  6. Open log4j.properties in a text editor:
    vi log4j.properties
  7. Search under the log4j.appender.LOGFILE.File=${catalina.base}/logs/vmware-identity-sts.log section for log4j.appender.LOGFILE.MaxFileSize=100MB and change the size to 50MB. For example:
    log4j.appender.LOGFILE.MaxFileSize=50MB
  8. Search under the log4j.appender.LOGFILE.File=${catalina.base}/logs/vmware-identity-sts.log section for log4j.appender.LOGFILE.MaxBackupIndex=10 and change the backups to 5. For example:
    log4j.appender.LOGFILE.MaxBackupIndex=5
  9. Search under the log4j.appender.PERFLOG.File=${catalina.base}/logs/vmware-identity-sts-perf.log section for log4j.appender.PERFLOG.MaxBackupIndex=10 and change the backups to 3. For example:
    log4j.appender.PERFLOG.MaxBackupIndex=3
  10. Restart the STS service using this command:
    service vmware-stsd restart
  11. Navigate to /storage/log/vmware/sso/ with this command:
    cd /storage/log/vmware/sso/
  12. Remove the old localhost_access_log and vmware-identity-sts log files with these commands:
    rm localhost_access_log.*
    rm vmware-identity-sts.*
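
Steps 5 to 9 above can be scripted so the same edit is repeatable on every PSC node. This is an added example, not part of the original post or the VMware KB; the function names are hypothetical and it assumes each setting is written as key=value with no spaces around the equals sign.

```shell
#!/bin/sh
# Added example, not from the original post or the VMware KB.

# set_prop FILE KEY VALUE: replace an existing KEY=... line in a properties
# file, or append KEY=VALUE if the key is missing. The file is rewritten in
# place so its owner and mode are kept.
set_prop() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        BEGIN { FS = "="; done = 0 }
        $1 == k { print k "=" v; done = 1; next }
        { print }
        END { if (!done) print k "=" v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# apply_sts_log_limits FILE: back up FILE once as FILE.bak (an existing
# backup is never overwritten), then apply the three values from steps 7-9.
apply_sts_log_limits() {
    f=$1
    [ -f "$f" ] || return 1
    [ -e "$f.bak" ] || cp -p "$f" "$f.bak" || return 1
    set_prop "$f" log4j.appender.LOGFILE.MaxFileSize 50MB &&
    set_prop "$f" log4j.appender.LOGFILE.MaxBackupIndex 5 &&
    set_prop "$f" log4j.appender.PERFLOG.MaxBackupIndex 3
}

# Usage on the appliance, followed by the service restart from step 10:
#   apply_sts_log_limits /usr/lib/vmware-sso/vmware-sts/webapps/sts/WEB-INF/classes/log4j.properties
```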

 

Please check my other blog on F5 Load Balancer Configuration on PSC.

Reference : http://www.vmware.com/files/pdf/techpaper/vmware-vcenter-server6-deployment-guide.pdf


2 Responses to Deploying Platform Services Controller ( PSC ) in HA mode behind a Load Balancer.

  1. David Nolan says:

    Hi, I’m looking to add 4 PSCs behind a load balancer but unsure of the python command on the 3rd and 4th nodes as the only options appear to be “--primary-node” and “--secondary-node”.

    Eg

    python gen-lb-cert.py --secondary-node --lb-fqdn=load_balanced_fqdn --lb-cert-folder=/ha --sso-serversign-folder=/ha/keys

    Any ideas gratefully received.

    David
