Deploying Platform Services Controller (PSC) in HA mode behind a Load Balancer.

In this blog we walk through the configuration of a highly available external Platform Services Controller (PSC) appliance. A fresh vCenter Single Sign-On high availability deployment is recommended when there are multiple vCenter Server systems, or vCenter Single Sign-On enabled solutions, that require a high level of uptime. When the Platform Services Controller is deployed externally for multiple services, its availability must be considered. In some cases, simply placing the Platform Services Controller in a vSphere cluster with VMware vSphere High Availability enabled is sufficient. In other cases, deploying more than one Platform Services Controller in a highly available architecture is recommended. This requires a network load balancer.


Diagram: image from VMware.

Mount the vCenter Server 6.0 Appliance ISO on a Windows VM and install the Client Integration Plug-in.

Node1 : PSCSSO1.domain.local

Node2: PSCSSO2.domain.local

LB: PSCSSO.domain.local

Double-click vcsa-setup.html; once the plug-in has loaded, click Install.


Accept the terms of the license agreement and click Next.

Select a target ESXi host on which to deploy the appliance.


Click Yes to accept the host's certificate.

Enter an appliance name and the root OS password you want to assign.


Select the Install Platform Services Controller option under “External Platform Services Controller”.


Select Create a new SSO domain and enter an administrator vCenter SSO password. Enter an SSO domain name such as vsphere.local and an SSO site name, for example a city or physical location name.


Next, select the datastore and enable Thin Disk Mode.


Choose the network; see my other blog post for the ephemeral port details.



Once the installation is done, start on the second node.

Repeat the steps above, but select the option to join an SSO domain in an existing configuration.


Select Join an existing site.



Once the installation is done, we need to prepare the nodes for the load balancer configuration.

SSH into the Node 1 PSC appliance and enable the shell with the command below:

shell.set --enabled true


Download the vCenter Single Sign-On high availability scripts (SSO-HA.zip) and copy the archive to the appliance.

Create the directory /sso-ha and unzip the archive into it:

mkdir /sso-ha


Change into the directory /sso-ha and run the command below.

python --primary-node --lb-fqdn=<loadbalancerfqdn> --password <certpassword>

loadbalancerfqdn: the FQDN of the load balancer VIP used to load balance the PSC.




Create a forward and a reverse DNS entry for the VIP that will load balance the Platform Services Controller traffic.

Now log in to Node 2.

Create the folders below.

mkdir /ha /ha/keys

From the first node, copy /sso-ha, /ha and the keys in /etc/vmware-sso/keys to Node 2 (please check my post on SCP to the vCSA for details).


Verify that all the files are present.


Run the following command on Node 2.

python --secondary-node --lb-fqdn=<loadbalancerfqdn> --lb-cert-folder=/ha --sso-serversign-folder=/ha/keys/

lb-fqdn: the FQDN of the load balancer VIP used to load balance the PSC.



On one Platform Services Controller, update the endpoint URL by running the endpoint update command with the following parameters:

FQDNofLocalMachine is the FQDN of the machine where the script is being run, loadbalancerFQDN is the FQDN of the load balancer VIP used to load balance the Platform Services Controllers, SSODomain is the vCenter Single Sign-On domain (by default vsphere.local), and password is the password of the vCenter Single Sign-On administrator. The password parameter is optional; if it is not specified, you will be prompted for it.


Once all the configuration is done, create a load balancer pool for ports 443, 2012, 2014, 2020, 389 and 636. Set the health monitors to TCP and the load balancing method to Round Robin.
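Before handing the VIP to vCenter, it is worth confirming that the DNS records from the earlier step agree and that every pool member actually serves all six ports, otherwise Round Robin will send a share of logins to a node whose TCP monitor is green on 443 but dark on LDAP or STS. The script below is an added example, not VMware's tooling and not part of the original post: the hostnames are the ones used above, while the VIP address 192.0.2.10 and the injectable resolver/probe hooks (which let the checks run offline) are assumptions.

```python
"""Pre-flight checks for a load-balanced PSC pair (added example, not VMware code)."""
import socket
from typing import Callable, Dict, Iterable, List, Tuple

# Ports the post lists for the load-balancer pool.
PSC_LB_PORTS: Tuple[int, ...] = (443, 2012, 2014, 2020, 389, 636)

# Node and VIP names from the post; the VIP address is a constructed example value.
PSC_NODES = ("PSCSSO1.domain.local", "PSCSSO2.domain.local")
LB_FQDN = "PSCSSO.domain.local"
LB_VIP = "192.0.2.10"


def check_forward_reverse_dns(fqdn: str, vip: str,
                              resolve: Callable[[str], str] = socket.gethostbyname,
                              reverse: Callable[[str], tuple] = socket.gethostbyaddr,
                              ) -> List[str]:
    """Return the DNS problems found; an empty list means A and PTR records agree.

    The --lb-fqdn name handed to the HA script must resolve to the VIP, and the
    VIP must resolve back to that name, or clients see a name mismatch later.
    """
    problems: List[str] = []
    try:
        forward = resolve(fqdn)
    except OSError as exc:
        return [f"forward lookup of {fqdn} failed: {exc}"]
    if forward != vip:
        problems.append(f"{fqdn} resolves to {forward}, expected VIP {vip}")
    try:
        ptr_name = reverse(vip)[0]          # gethostbyaddr -> (name, aliases, addrs)
    except OSError as exc:
        problems.append(f"reverse lookup of {vip} failed: {exc}")
        return problems
    if ptr_name.lower().rstrip(".") != fqdn.lower().rstrip("."):
        problems.append(f"PTR for {vip} is {ptr_name}, expected {fqdn}")
    return problems


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port succeeds. This is the same depth of
    check as the TCP health monitor the post recommends for the pool."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:                          # refused, timed out, or unresolvable
        return False


def check_ports(hosts: Iterable[str], ports: Iterable[int] = PSC_LB_PORTS,
                probe: Callable[[str, int], bool] = tcp_open) -> Dict[str, List[int]]:
    """Map each host to the list of pool ports that did NOT accept a connection."""
    ports = tuple(ports)
    return {host: [p for p in ports if not probe(host, p)] for host in hosts}


def summarize(closed: Dict[str, List[int]]) -> Tuple[bool, List[str]]:
    """Turn check_ports output into (all_ok, human-readable lines)."""
    lines = []
    for host, ports in closed.items():
        if ports:
            lines.append(f"{host}: NOT reachable on {', '.join(map(str, ports))}")
        else:
            lines.append(f"{host}: all pool ports reachable")
    return all(not p for p in closed.values()), lines


if __name__ == "__main__":
    for msg in check_forward_reverse_dns(LB_FQDN, LB_VIP):
        print("DNS:", msg)
    ok, report = summarize(check_ports(PSC_NODES + (LB_FQDN,)))
    print("\n".join(report))
    raise SystemExit(0 if ok else 1)
```

Run it from a host that sits where the vCenter servers will sit, so that firewalls between the clients and the PSCs are part of what is tested; probing the VIP as well as the nodes shows whether the load balancer itself is listening on every port in the pool, not only on 443.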

Update 03/25/2016.

Additional info on maintaining the PSC.

Platform Services Controller Appliance 6.0: /storage/log fills up.

During rotation of the SSO log files, the old log file is not compressed, leaving multiple large files in /storage/log.

Resolution: there is no fix for this issue. VMware initially asked to delete the files; they have since updated the KB with a workaround.

To work around this issue, edit the file to change the log file settings.
  1. Connect to the vCenter Server Appliance console and log in using root credentials.
  2. Run this command to enable access to the Bash shell: shell.set --enabled true
  3. Type shell and press Enter.
  4. Navigate to the file location with this command: cd /usr/lib/vmware-sso/vmware-sts/webapps/sts/WEB-INF/classes/
  5. Back up the file with this command: cp
  6. Open the file in a text editor: vi
  7. Under the log4j.appender.LOGFILE.File=${catalina.base}/logs/vmware-identity-sts.log section, search for log4j.appender.LOGFILE.MaxFileSize=100MB and change the size to 50MB. For example: log4j.appender.LOGFILE.MaxFileSize=50MB
  8. Under the log4j.appender.LOGFILE.File=${catalina.base}/logs/vmware-identity-sts.log section, search for log4j.appender.LOGFILE.MaxBackupIndex=10 and change the number of backups to 5. For example: log4j.appender.LOGFILE.MaxBackupIndex=5
  9. Under the log4j.appender.PERFLOG.File=${catalina.base}/logs/vmware-identity-sts-perf.log section, search for log4j.appender.PERFLOG.MaxBackupIndex=10 and change the number of backups to 3. For example: log4j.appender.PERFLOG.MaxBackupIndex=3
  10. Restart the STS service with this command: service vmware-stsd restart
  11. Navigate to /storage/log/vmware/sso/ with this command: cd /storage/log/vmware/sso/
  12. Remove the old localhost_access_log and vmware-identity-sts log files with these commands:
    rm localhost_access_log.*
    rm vmware-identity-sts.*
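Steps 5 to 9 are a hand edit of three key=value lines, which is easy to get wrong on a fleet of PSCs (a typo in a log4j key silently leaves the old 100MB/10 rotation in place). The script below is an added example, not VMware's KB script and not part of the original post: it applies exactly the three values the steps above prescribe to a log4j properties text, keeps a backup beside the file as step 5 does, and reports the worst-case disk budget of an appender so you can see why the change matters. The properties sample is constructed from the lines quoted above, and the file name sample.properties is a placeholder because the post does not give the real file name.

```python
"""Apply the log4j rotation workaround to a properties file (added example, not VMware's script)."""
import re
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Tuple

# The three values the post tells you to set (key -> new value).
STS_LOG4J_SETTINGS: Dict[str, str] = {
    "log4j.appender.LOGFILE.MaxFileSize": "50MB",
    "log4j.appender.LOGFILE.MaxBackupIndex": "5",
    "log4j.appender.PERFLOG.MaxBackupIndex": "3",
}

# Constructed sample of the relevant lines; the appliance's real file is longer.
SAMPLE_PROPERTIES = """\
# constructed sample, not the appliance's real file
log4j.appender.LOGFILE.File=${catalina.base}/logs/vmware-identity-sts.log
log4j.appender.LOGFILE.MaxFileSize=100MB
log4j.appender.LOGFILE.MaxBackupIndex=10
log4j.appender.PERFLOG.File=${catalina.base}/logs/vmware-identity-sts-perf.log
log4j.appender.PERFLOG.MaxFileSize=100MB
log4j.appender.PERFLOG.MaxBackupIndex=10
"""

# indent, key, value, line terminator; comment lines (#/!) never match.
_LINE = re.compile(r"(\s*)([^#!=:\s]+)\s*[=:]\s*(.*?)(\r?\n?)")
_SIZE = re.compile(r"(\d+)\s*(KB|MB|GB)?", re.IGNORECASE)


def apply_settings(text: str, settings: Dict[str, str]) -> str:
    """Rewrite matching key=value lines; keys absent from the text are left alone,
    because the post only changes lines that already exist. Idempotent."""
    out = []
    for line in text.splitlines(keepends=True):
        m = _LINE.fullmatch(line)
        if m and m.group(2) in settings:
            indent, key, _old, newline = m.groups()
            line = f"{indent}{key}={settings[key]}{newline}"
        out.append(line)
    return "".join(out)


def current_values(text: str, keys: Iterable[str]) -> Dict[str, str]:
    """Read back the current value of each requested key (for verification)."""
    wanted = set(keys)
    found: Dict[str, str] = {}
    for line in text.splitlines(keepends=True):
        m = _LINE.fullmatch(line)
        if m and m.group(2) in wanted:
            found[m.group(2)] = m.group(3).rstrip()
    return found


def rotation_budget_bytes(max_file_size: str, max_backup_index: str) -> int:
    """Worst-case disk one appender can hold: the live file plus all its backups.
    log4j sizes use 1024-based KB/MB/GB suffixes."""
    m = _SIZE.fullmatch(max_file_size.strip())
    if not m:
        raise ValueError(f"unparseable size: {max_file_size!r}")
    unit = (m.group(2) or "").upper()
    mult = {"": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}[unit]
    return int(m.group(1)) * mult * (int(max_backup_index) + 1)


def patch_file(path: Path, settings: Dict[str, str] = STS_LOG4J_SETTINGS) -> Path:
    """Back the file up beside itself (step 5 of the post), then rewrite it in place."""
    backup = path.with_name(path.name + ".bak")
    shutil.copy2(path, backup)
    path.write_text(apply_settings(path.read_text(), settings))
    return backup


def demo_on_temp_copy() -> Tuple[str, Dict[str, str]]:
    """Run patch_file on a temporary copy of the sample; returns (backup text, new values)."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "sample.properties"   # placeholder name, not the real file
        target.write_text(SAMPLE_PROPERTIES)
        backup = patch_file(target)
        return backup.read_text(), current_values(target.read_text(), STS_LOG4J_SETTINGS)


if __name__ == "__main__":
    before = current_values(SAMPLE_PROPERTIES, STS_LOG4J_SETTINGS)
    print("LOGFILE budget before:", rotation_budget_bytes(before["log4j.appender.LOGFILE.MaxFileSize"],
                                                          before["log4j.appender.LOGFILE.MaxBackupIndex"]) // 1024 ** 2, "MB")
    _, after = demo_on_temp_copy()
    print("LOGFILE budget after: ", rotation_budget_bytes(after["log4j.appender.LOGFILE.MaxFileSize"],
                                                          after["log4j.appender.LOGFILE.MaxBackupIndex"]) // 1024 ** 2, "MB")
```

The budget figures show the effect of the workaround on the uncompressed rotation the post describes: 100MB with 10 backups allows 1100MB for the STS log alone, while 50MB with 5 backups caps it at 300MB. After running the edit, restart the STS service as in step 10, and compare current_values on the live file against STS_LOG4J_SETTINGS before you clean /storage/log.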


Please check my other blog post on F5 load balancer configuration for the PSC.


2 Responses to Deploying Platform Services Controller (PSC) in HA mode behind a Load Balancer.

  1. David Nolan says:

    Hi, I’m looking to add 4 PSCs behind a load balancer but am unsure of the python command on the 3rd and 4th nodes, as the only options appear to be “--primary-node” and “--secondary-node”.


    python --secondary-node --lb-fqdn=load_balanced_fqdn --lb-cert-folder=/ha --sso-serversign-folder=/ha/keys

    Any ideas gratefully received.


