• Before performing these steps confirm that you have taken a backup of the environment.
• Ensure that replication between the PSCs is working properly prior to upgrading.
• Review the article Important information before upgrading to vSphere 6.7.

• New vSphere 6.7 installation with SSL pass through
• Upgrading from vSphere 6.0 to 6.7 with SSL pass through
• Upgrading from vSphere 6.0 to 6.7 with SSL termination
• Upgrading from vSphere 6.5 to 6.7 with SSL pass through
• Upgrading from vSphere 6.5 to 6.7 with SSL termination
• Migrating a 6.0 vCenter Server to vCenter Server Appliance 6.7 with SSL Pass through
• Migrating a 6.0 vCenter Server to vCenter Server Appliance 6.7 with SSL termination
• Migrating a 6.5 vCenter Server to vCenter Server Appliance 6.7 with SSL Pass through
• Migrating a 6.5 vCenter Server to vCenter Server Appliance 6.7 with SSL termination

New environment installation

Configuring vSphere 6.7 Platform Service Controllers for High availability for a new vSphere 6.5 installation with SSL pass through

1. Install the primary external Platform Services Controller node.
2. Deploy the secondary SSO node as a replication partner to the primary Platform Service Controller node.
3. Create a new machine SSL certificate. For more information, see:

• Configuring certificates for PSC for High Availability in vSphere 6.5 and 6.7
• Configuring certificates for Windows Platform Services Controller for High Availability in vSphere 6.5 and 6.7

4.  Configure the load balancer. For more information, see:

• Configuring Netscaler Load Balancer to provide the PSC 6.5/6.7 High Availability
• Configuring F5 BIG-IP Load Balancer for use with vSphere Platform Services Controller (PSC) 6.5/6.7

5.  Run the configuration scripts on the Platform Service Controllers. For more information, see

• Configuring Windows PSC for High Availability in vSphere 6.5/6.7
• Configuring PSC Appliance for High Availability in vSphere 6.5/6.7

6.  Verify the machine Certificate:

• Windows vCenter Server - "%VMWARE_CIS_HOME%"/vmafdd/vecs-cli.exe entry list --store MACHINE_SSL_CERT --text
• vCenter Server Appliance - /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSL_CERT --text

7. Verify the Load Balancer is presenting the same certificate.

• Platform Services Controller - "%VMWARE_OPENSSL_BIN%"openssl s_client -connect SSOLB.vmware.local:443
• Platform Services Controller Appliance - openssl s_client -connect SSOLB.vmware.local:443

8. Install the vCenter Server using the Load Balancer virtual IP for the Platform Service Controller when prompted.

Upgraded environment

1. Except the node that is to be upgraded, stop the services on all other PSC nodes. Use this command to stop the services. 

• Windows vCenter Server - "%VMWARE_CIS_HOME%"\bin\service-control --stop –all
• vCenter Server Appliance - service-control –-stop --all

2. Upgrade the Platform Services Controller 6.0 node to 6.7.
3. Start the services on all other PSC nodes in the environment and allow them to replicate.
   Note: It is very important to allow the PSCs to replicate with the upgraded node before proceeding. The steps to check replication status can be found in Determining replication agreements and status with the Platform Services Controller 6.x
4. Choose the next node to be upgraded and stop the services of all the other nodes, including the node that has been upgraded previously.
5. Repeat this process until all the PSC nodes have been upgraded and start the services on all the PSC nodes. 

• Windows vCenter Server - "%VMWARE_CIS_HOME%"\bin\service-control --start –all
• vCenter Server Appliance - service-control –start --all

5. Create a new machine SSL certificate. For more information, see:

• Configuring certificates for PSC for High Availability in vSphere 6.5 and 6.7
• Configuring certificates for Windows Platform Services Controller for High Availability in vSphere 6.5 and 6.7

6.  Run the configuration scripts on the Platform Service Controllers. For more information, see:

• Configuring Windows PSC for High Availability in vSphere 6.5/6.7
• Configuring PSC Appliance for High Availability in vSphere 6.5/6.7

7.  Verify the Load Balancer configuration/ For more information, see:

• Configuring Netscaler Load Balancer to provide the PSC 6.5/6.7 High Availability
• Configuring F5 BIG-IP Load Balancer for use with vSphere Platform Services Controller (PSC) 6.5/6.7

8. Verify vCenter functionality is still available.
9. Upgrade all vCenter Server nodes.
10. Verify the machine Certificate:

• Platform Services Controller - "%VMWARE_CIS_HOME%"/vmafdd/vecs-cli.exe entry list --store MACHINE_SSL_CERT --text
• Platform Services Controller Appliance - /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSL_CERT --text

11.  Verify the Load Balancer is presenting the same certificate:

• Windows vCenter Server - "%VMWARE_OPENSSL_BIN%"openssl s_client -connect SSOLB.vmware.local:443
• vCenter Server Appliance - openssl s_client -connect SSOLB.vmware.local:443

1. Except the node that is to be upgraded, stop the services on all other PSC nodes. Use this command to stop the services. 

• Widows server "%VMWARE_CIS_HOME%"\bin\service-control --stop –all
• Linux appliance service-control --stop --all

2. Upgrade the Platform Services Controller 6.0 node to 6.7.
3. Start the services on all other PSC nodes in the environment and allow them to replicate.
   Note: It is very important to allow the PSCs to replicate with the upgraded node before proceeding. The steps to check replication status can be found in Determining replication agreements and status with the Platform Services Controller 6.x
4. Choose the next node to be upgraded and stop the services of all the other nodes, including the node that has been upgraded previously.
5. Repeat this process until all the PSC nodes have been upgraded and start the services on all the PSC nodes. 

• Windows vCenter Server - "%VMWARE_CIS_HOME%"\bin\service-control --start –all
• vCenter Server Appliance - service-control –start --all

5. Run the configuration scripts on the Platform Service Controllers. For more information, see:

• Configuring Windows PSC for High Availability SSL termination in vSphere 6.7
• Configuring PSC Appliance for High Availability SSL termination in vSphere 6.7

6.  Verify the Load Balancer configuration/ For more information, see:

• Configuring Netscaler Load Balancer to provide the PSC 6.5/6.7 High Availability
• Configuring F5 BIG-IP Load Balancer for use with vSphere Platform Services Controller (PSC) 6.5/6.7

7. Verify vCenter functionality is still available.
8. Upgrade vCenter Server nodes.

1. Except the node that is to be upgraded, stop the services on all other PSC nodes. Use this command to stop the services. 

• Windows vCenter Server - "%VMWARE_CIS_HOME%"\bin\service-control --stop –all
• vCenter Server Appliance - service-control --stop --all

2. Upgrade the Platform Services Controller 6.5 node to 6.7.
3. Start the services on all other PSC nodes in the environment and allow them to replicate.
   Note: It is very important to allow the PSCs to replicate with the upgraded node before proceeding. The steps to check replication status can be found in Determining replication agreements and status with the Platform Services Controller 6.x
4. Choose the next node to be upgraded and stop the services of all the other nodes, including the node that has been upgraded previously.
5. Repeat this process until all the PSC nodes have been upgraded and start the services on all the PSC nodes. 

• Windows vCenter Server - "%VMWARE_CIS_HOME%"\bin\service-control --start –all
• vCenter Server Appliance - service-control –start --all

5. Run the configuration scripts on the Platform Service Controllers. For more information, see:

• Configuring Windows PSC for High Availability in vSphere 6.5/6.7
• Configuring PSC Appliance for High Availability in vSphere 6.5/6.7

6.  Verify the Load Balancer configuration/ For more information, see:

• Configuring Netscaler Load Balancer to provide the PSC 6.5/6.7 High Availability
• Configuring F5 BIG-IP Load Balancer for use with vSphere Platform Services Controller (PSC) 6.5/6.7

7.  Verify vCenter functionality is still available.
8. Upgrade vCenter Server nodes.
9. Verify the machine Certificate:

• Platform Services Controller - "%VMWARE_CIS_HOME%"/vmafdd/vecs-cli.exe entry list --store MACHINE_SSL_CERT --text
• Platform Services Controller Appliance - /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSL_CERT --text

8.  Verify the Load Balancer is presenting the same certificate:

• Windows vCenter Server - "%VMWARE_OPENSSL_BIN%"openssl s_client -connect SSOLB.vmware.local:443
• vCenter Server Appliance - openssl s_client -connect SSOLB.vmware.local:443

1. Except the node that is to be upgraded, stop the services on all other PSC nodes. Use this command to stop the services. 

• Windows vCenter Server - "%VMWARE_CIS_HOME%"\bin\service-control --stop –all
• vCenter Server Appliance - service-control --stop --all

2. Upgrade the Platform Services Controller 6.5 node to 6.7.
3. Start the services on all other PSC nodes in the environment and allow them to replicate.
   Note: It is very important to allow the PSCs to replicate with the upgraded node before proceeding. The steps to check replication status can be found in Determining replication agreements and status with the Platform Services Controller 6.x
4. Choose the next node to be upgraded and stop the services of all the other nodes, including the node that has been upgraded previously.
5. Repeat this process until all the PSC nodes have been upgraded and start the services on all the PSC nodes. 

• Windows vCenter Server - "%VMWARE_CIS_HOME%"\bin\service-control --start –all
• vCenter Server Appliance - service-control –start --all

5. Run the configuration scripts on the Platform Service Controllers. For more information, see:

• Configuring Windows PSC for High Availability SSL termination in vSphere 6.7
• Configuring PSC Appliance for High Availability SSL termination in vSphere 6.7

6.  Verify the Load Balancer configuration/ For more information, see:

• Configuring Netscaler Load Balancer to provide the PSC 6.5/6.7 High Availability
• Configuring F5 BIG-IP Load Balancer for use with vSphere Platform Services Controller (PSC) 6.5/6.7

7. Verify vCenter functionality is still available.
8. Upgrade all vCenter Server nodes.

Migrated Environment

1. Except the node that is to be migrated, stop the services on all other PSC nodes. Use this command to stop the services. 

• Windows vCenter Server - "%VMWARE_CIS_HOME%"\bin\service-control --stop –all
• vCenter Server Appliance - service-control --stop --all

2. Migrate the Platform Services Controller 6.0 node to 6.7.
3. Start the services on all other PSC nodes in the environment and allow them to replicate.
   Note: It is very important to allow the PSCs to replicate with the upgraded node before proceeding. The steps to check replication status can be found in Determining replication agreements and status with the Platform Services Controller 6.x
4. Choose the next node to be upgraded and stop the services of all the other nodes, including the node that has been upgraded previously.
5. Repeat this process until all the PSC nodes have been migrated and start the services on all the PSC nodes. 

• Windows vCenter Server - "%VMWARE_CIS_HOME%"\bin\service-control --start –all
• vCenter Server Appliance - service-control –start --all

5. Create a new machine SSL certificate. For more information, see:

• Configuring certificates for PSC for High Availability in vSphere 6.5 and 6.7
• Configuring certificates for Windows Platform Services Controller for High Availability in vSphere 6.5 and 6.7

6.  Run the configuration scripts on the Platform Service Controllers. For more information, see:

• Configuring Windows PSC for High Availability in vSphere 6.5/6.7
• Configuring PSC Appliance for High Availability in vSphere 6.5/6.7

7.  Verify the Load Balancer configuration. For more information, see:

• Configuring Netscaler Load Balancer to provide the PSC 6.5/6.7 High Availability
• Configuring F5 BIG-IP Load Balancer for use with vSphere Platform Services Controller (PSC) 6.5/6.7

8.  Verify if vCenter functionality is still available.
9. Migrate all vCenter Server nodes.
10. Verify the machine Certificate:

• Windows vCenter Server - "%VMWARE_CIS_HOME%"/vmafdd/vecs-cli.exe entry list --store MACHINE_SSL_CERT --text
• vCenter Server Appliance - /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSL_CERT --text

11. Verify the Load Balancer is presenting the same certificate:

• Platform Services Controller - "%VMWARE_OPENSSL_BIN%"openssl s_client -connect SSOLB.vmware.local:443
• Platform Services Controller Appliance - openssl s_client -connect SSOLB.vmware.local:443

12. Verify the machine Certificate:

• Platform Services Controller - "%VMWARE_CIS_HOME%"/vmafdd/vecs-cli.exe entry list --store MACHINE_SSL_CERT --text
• Platform Services Controller Appliance - /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSL_CERT --text

13.  Verify the Load Balancer is presenting the same certificate:

• Windows vCenter Server - "%VMWARE_OPENSSL_BIN%"openssl s_client -connect SSOLB.vmware.local:443
• vCenter Server Appliance - openssl s_client -connect SSOLB.vmware.local:443

1. Except the node that is to be migraed, stop the services on all other PSC nodes. Use this command to stop the services. 

• Windows vCenter Server - "%VMWARE_CIS_HOME%"\bin\service-control --stop –all
• vCenter Server Appliance - service-control --stop --all

2. Migrate the Platform Services Controller 6.0 node to 6.7.
3. Start the services on all other PSC nodes in the environment and allow them to replicate.
   Note: It is very important to allow the PSCs to replicate with the upgraded node before proceeding. The steps to check replication status can be found in Determining replication agreements and status with the Platform Services Controller 6.x
4. Choose the next node to be upgraded and stop the services of all the other nodes, including the node that has been upgraded previously.
5. Repeat this process until all the PSC nodes have been migrated and start the services on all the PSC nodes. 

• Windows vCenter Server - "%VMWARE_CIS_HOME%"\bin\service-control --start –all
• vCenter Server Appliance - service-control –start --all

5. Run the configuration scripts on the Platform Service Controllers. For more information, see:

• Configuring Windows PSC for High Availability SSL termination in vSphere 6.7
• Configuring PSC Appliance for High Availability SSL termination in vSphere 6.7

6.  Verify the Load Balancer configuration. For more information, see:

• Configuring Netscaler Load Balancer to provide the PSC 6.5/6.7 High Availability
• Configuring F5 BIG-IP Load Balancer for use with vSphere Platform Services Controller (PSC) 6.5/6.7

7. Verify if vCenter functionality is still available.
8. Migrate all vCenter Server nodes.

1. Except the node that is to be migrated, stop the services on all other PSC nodes. Use this command to stop the services. 

• Windows vCenter Server - "%VMWARE_CIS_HOME%"\bin\service-control --stop –all
• vCenter Server Appliance - service-control --stop --all

2. Migrate the Platform Services Controller 6.5 node to 6.7.
3. Start the services on all other PSC nodes in the environment and allow them to replicate.
   Note: It is very important to allow the PSCs to replicate with the upgraded node before proceeding. The steps to check replication status can be found in Determining replication agreements and status with the Platform Services Controller 6.x
4. Choose the next node to be upgraded and stop the services of all the other nodes, including the node that has been upgraded previously.
5. Repeat this process until all the PSC nodes have been migrated and start the services on all the PSC nodes. 

• Windows vCenter Server - "%VMWARE_CIS_HOME%"\bin\service-control --start –all
• vCenter Server Appliance - service-control –start --all

5. Run the configuration scripts on the Platform Service Controllers. For more information, see:

• Configuring Windows PSC for High Availability in vSphere 6.5/6.7
• Configuring PSC Appliance for High Availability in vSphere 6.5/6.7

6. Verify the Load Balancer configuration. For more information, see:

• Configuring Netscaler Load Balancer to provide the PSC 6.5/6.7 High Availability
• Configuring F5 BIG-IP Load Balancer for use with vSphere Platform Services Controller (PSC) 6.5/6.7

7. Verify if vCenter functionality is still available.
8. Migrate all vCenter Server nodes.
9. Verify the machine Certificate:

• Windows vCenter Server - "%VMWARE_CIS_HOME%"/vmafdd/vecs-cli.exe entry list --store MACHINE_SSL_CERT --text
• vCenter Server Appliance - /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSL_CERT --text

10. Verify the Load Balancer is presenting the same certificate:

• Platform Services Controller - "%VMWARE_OPENSSL_BIN%"openssl s_client -connect SSOLB.vmware.local:443
• Platform Services Controller Appliance - openssl s_client -connect SSOLB.vmware.local:443

11. Verify the machine Certificate:

• Platform Services Controller - "%VMWARE_CIS_HOME%"/vmafdd/vecs-cli.exe entry list --store MACHINE_SSL_CERT --text
• Platform Services Controller Appliance - /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSL_CERT --text

12.  Verify the Load Balancer is presenting the same certificate:

• Windows vCenter Server - "%VMWARE_OPENSSL_BIN%"openssl s_client -connect SSOLB.vmware.local:443
• vCenter Server Appliance - openssl s_client -connect SSOLB.vmware.local:443

1. Except the node that is to be migrated, stop the services on all other PSC nodes. Use this command to stop the services. 

• Windows vCenter Server - "%VMWARE_CIS_HOME%"\bin\service-control --stop –all
• vCenter Server Appliance - service-control --stop --all

2. Migrate the Platform Services Controller 6.5 node to 6.7.
3. Start the services on all other PSC nodes in the environment and allow them to replicate.
   Note: It is very important to allow the PSCs to replicate with the upgraded node before proceeding. The steps to check replication status can be found in Determining replication agreements and status with the Platform Services Controller 6.x
4. Choose the next node to be upgraded and stop the services of all the other nodes, including the node that has been upgraded previously.
5. Repeat this process until all the PSC nodes have been migrated and start the services on all the PSC nodes. 

• Windows vCenter Server - "%VMWARE_CIS_HOME%"\bin\service-control --start –all
• vCenter Server Appliance - service-control –start --all

5. Run the configuration scripts on the Platform Service Controllers. For more information, see:

• Configuring Windows PSC for High Availability SSL termination in vSphere 6.7
• Configuring PSC Appliance for High Availability SSL termination in vSphere 6.7

6.  Verify the Load Balancer configuration. For more information, see:

• Configuring Netscaler Load Balancer to provide the PSC 6.5/6.7 High Availability
• Configuring F5 BIG-IP Load Balancer for use with vSphere Platform Services Controller (PSC) 6.5/6.7

7. Verify if vCenter functionality is still available.
8. Migrate all vCenter Server nodes.