
Reconfiguring the load balancer after upgrading a VMware vCenter Server 5.5 Single Sign-On High Availability deployment to version 5.5 (2058838)

Purpose

After upgrading VMware vCenter Server Single Sign-On (SSO) in a High Availability deployment to version 5.5, you must manually reconfigure the load balancer and configure both SSO servers for load balancing before upgrading vSphere Web Client, Inventory Service, and vCenter Server.
 
This article provides steps to reconfigure the load balancer.

Resolution

Prerequisites

To reconfigure the load balancer after upgrading both SSO nodes to version 5.5:

  1. Open the httpd.conf file of the load balancer using a text editor. The httpd.conf file is usually located at /etc/httpd/conf in the load balancer.
  2. In the Configure the Secure Token Service (STS) for clustering section, change all instances of ims to sts.

    For example:

    # Configure the STS for clustering
    ProxyPass /sts/ balancer://stscluster/ nofailover=On
    ProxyPassReverse /sts/ balancer://stscluster/

    Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/sts" env=BALANCER_ROUTE_CHANGED
    <Proxy balancer://stscluster>
    BalancerMember https://sso1.example.com:7444/sts route=node1 loadfactor=100 retry=300
    BalancerMember https://sso2.example.com:7444/sts route=node2 loadfactor=1 retry=300
    ProxySet lbmethod=byrequests stickysession=ROUTEID failonstatus=500
    </Proxy>
  3. Configure the STS component on both SSO servers for load balancing:

    1. Open the server.xml file in both SSO nodes using a text editor. By default, the file is located at C:\ProgramData\VMware\cis\runtime\VMwareSTS\conf\.

    2. In the server.xml file of the first SSO node, find the following section and add the entry jvmRoute="node1" as follows:

       <Engine defaultHost="localhost"
                     name="Catalina" jvmRoute="node1">


    3. In the server.xml file of the second SSO node, add the entry jvmRoute="node2" as follows:

       <Engine defaultHost="localhost"
                     name="Catalina" jvmRoute="node2">

    4. Save and close the server.xml file on both SSO nodes.

    5. Restart the VMware Secure Token Service. For more information, see Stopping, starting, or restarting vCenter services (1003895).

  4. In the command prompt of the first SSO node, run this command to get the service endpoints. This command is found at C:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso:

    ssolscli.cmd listServices https://sso1.example.com:7444/lookupservice/sdk

  5. Edit the sts_id, admin_id, and gc_id files to match the ServerId values from the output of the ssolscli.cmd listServices command.

    Each file should contain a single line similar to:

    SSO node1 Site name:a03772af-b7db-4629-ac88-ba677516e2b1

  6. Open the sts.properties file using a text editor and replace the SSO hostname with the load balancer hostname.

    For example:

    [service]
    friendlyName=The security token service interface of the SSO server
    version=1.5
    ownerId=
    type=urn:sso:sts
    description=The security token service interface of the SSO server
    productId=product:sso
    viSite=SSO node1 site name

    [endpoint0]
    uri=https://loadbalancer fqdn.com:7444/sts/STSService/vsphere.local
    ssl=C:\updateInfo\cacert.pem
    protocol=wsTrust

  7. Open the admin.properties file using a text editor and replace the SSO hostname with the load balancer hostname.

    For example:

    [service]
    friendlyName=The administrative interface of the SSO server
    version=1.5
    ownerId=
    type=urn:sso:admin
    description=The administrative interface of the SSO server
    productId=product:sso
    viSite= SSO node1 site name

    [endpoint0]
    uri=https://loadbalancer fqdn.com:7444/sso-adminserver/sdk/vsphere.local
    ssl=C:\updateInfo\cacert.pem
    protocol=vmomi

  8. Open the gc.properties file using a text editor and replace the SSO hostname with the load balancer hostname.

    For example:

    [service]
    friendlyName=The group check interface of the SSO server
    version=1.5
    ownerId=
    type=urn:sso:groupcheck
    description=The group check interface of the SSO server
    productId=product:sso
    viSite= SSO node1 site name

    [endpoint0]
    uri=https://loadbalancer fqdn.com:7444/sso-adminserver/sdk/vsphere.local
    ssl=C:\updateInfo\cacert.pem
    protocol=vmomi


  9. For each service ID, run the ssolscli.cmd updateService command:

    Important: Update the services in this order, starting with STS. Performing the updates out of order prevents SSO from starting.

    ssolscli.cmd updateService -d https://sso1.example.com:7444/lookupservice/sdk -u Administrator@vsphere.local -p ****** -si sts_id -ip sts.properties

    ssolscli.cmd updateService -d https://sso1.example.com:7444/lookupservice/sdk -u Administrator@vsphere.local -p ****** -si admin_id -ip admin.properties

    ssolscli.cmd updateService -d https://sso1.example.com:7444/lookupservice/sdk -u Administrator@vsphere.local -p ****** -si gc_id -ip gc.properties

  10. Restart the first SSO node.

  11. Restart the second SSO node.

  12. Restart the load balancer.

    You can now proceed to upgrade the vSphere Web Client, Inventory Service, and vCenter Server to version 5.5.
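
The procedure above uses the same names for route= in httpd.conf and jvmRoute in each node's server.xml, and steps 6 to 8 point every endpoint URI at the load balancer. The following is an added example, not VMware tooling or part of the original article, that checks both conditions before the restarts; the sample inputs and the host name lb.example.com are constructed.

```python
import configparser
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample inputs modelled on the article's examples (not real files).
HTTPD_CONF = """\
BalancerMember https://sso1.example.com:7444/sts route=node1 loadfactor=100 retry=300
BalancerMember https://sso2.example.com:7444/sts route=node2 loadfactor=1 retry=300
"""
ENGINE = '<Server><Service><Engine defaultHost="localhost" name="Catalina"{}/></Service></Server>'
SERVER_XML = {  # hostname -> server.xml text; sso2 deliberately lacks jvmRoute
    "sso1.example.com": ENGINE.format(' jvmRoute="node1"'),
    "sso2.example.com": ENGINE.format(""),
}
STS_PROPERTIES = """\
[service]
type=urn:sso:sts
[endpoint0]
uri=https://sso1.example.com:7444/sts/STSService/vsphere.local
"""

def balancer_routes(conf):
    """Map each BalancerMember hostname to its route= value (None if absent)."""
    routes = {}
    for url, params in re.findall(r"^\s*BalancerMember\s+(\S+)(.*)$", conf, re.M):
        m = re.search(r"\broute=(\S+)", params)
        routes[urlsplit(url).hostname] = m.group(1) if m else None
    return routes

def route_mismatches(conf, server_xml_by_host):
    """Return (host, balancer route, jvmRoute) for every node where the two differ."""
    bad = []
    for host, route in balancer_routes(conf).items():
        engine = ET.fromstring(server_xml_by_host[host]).find(".//Engine")
        jvm = engine.get("jvmRoute") if engine is not None else None
        if route is None or route != jvm:
            bad.append((host, route, jvm))
    return bad

def endpoints_not_on(lb_host, properties_text):
    """Return endpoint URIs in a *.properties file that do not use the load balancer host."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(properties_text)
    uris = [cp[s]["uri"] for s in cp.sections() if s.startswith("endpoint")]
    return [u for u in uris if urlsplit(u).hostname != lb_host]

if __name__ == "__main__":
    print("route mismatches:", route_mismatches(HTTPD_CONF, SERVER_XML))
    print("endpoints bypassing LB:", endpoints_not_on("lb.example.com", STS_PROPERTIES))
```

An empty list from each function means the route names agree on every node and every registered endpoint resolves through the load balancer.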
