
FAQ: VMware Platform Services Controller in vSphere 6.0 (2113115)


Purpose

This article provides information on some of the frequently asked questions about VMware Platform Services Controller (PSC) for vSphere 6.0. The PSC contains common infrastructure services such as vCenter Single Sign-On (SSO), VMware Certificate Authority (VMCA), licensing, and server reservation and registration services.
 
For more information, see:

Resolution

For FAQs on various topics, see:

General Questions  

What is Platform Services Controller 6.0 (PSC)?

Platform Services Controller (PSC) is a component of the VMware Cloud Infrastructure Suite. PSC deals with identity management for administrators and applications that interact with the vSphere platform.

How is PSC 6.0 different from SSO 5.5? How is it different from SSO 5.1?

The architecture remains the same between vSphere 5.5 and 6.0. However, there are new features and services introduced at the PSC layer which are discussed below. To get a list of all the changes between SSO 5.5 and PSC 6.0, see What’s New in VMware vSphere 6.0 platform and VMware Education's What's New V5.5 to v6.0. To get a list of changes from SSO 5.1, see What's New in VMware vSphere 5.5 Platform.

What are the key capabilities of PSC 6.0?
  • PSC 6.0 remains a multi-master model, as was introduced in vSphere 5.5 in the form of vCenter Single Sign-On.
  • It can be deployed as either an Appliance-based or a Windows-based PSC, and both can participate in multi-master replication. (With vSphere 5.x, replication between the vCenter Server Appliance's embedded SSO and other SSO nodes was not supported.)

    Both Appliance-based and Windows-based PSCs can interoperate with Appliance-based or Windows-based vCenter Servers.

  • It now handles the storing and generation of the SSL certificates within your vSphere environment. For more information, see Implementing CA signed SSL certificates in vSphere 6.0 (2111219).
  • It now handles the storing and replication of your VMware License Keys.
  • It now handles the storing and replication of your permissions via the Global Permissions layer. For more information, see Reviewing and Managing Local and Global Permissions in vCenter Server 6.0 (2123931).
  • It now handles the storing and replication of your Tags and Categories. For more information, see Reviewing and Managing Tags and Tag Association in VMware vCenter Server 6.0 (2130130).
  • It has a built-in feature for automatic replication between different, logical SSO sites.
  • There is only one single default domain for the identity sources.

What are the components that are installed with Platform Services Controller 6.0?

Components that are installed with PSC 6.0 include:

  • VMware Appliance Management Service (only in Appliance-based PSC)
  • VMware License Service
  • VMware Component Manager
  • VMware Identity Management Service
  • VMware HTTP Reverse Proxy
  • VMware Service Control Agent
  • VMware Security Token Service
  • VMware Common Logging Service
  • VMware Syslog Health Service
  • VMware Authentication Framework
  • VMware Certificate Service
  • VMware Directory Service

What are the different products/components with which PSC 6.0 is supported?
 
PSC 6.0 is supported with:
  • VMware vCenter Server
  • VMware vCenter Inventory Services
  • VMware vSphere Web Client
  • VMware Log Browser
  • VMware NSX for vSphere
  • VMware Site Recovery Manager
  • VMware vCloud Air
  • VMware vCloud Director
  • VMware vRealize Automation Center
  • VMware vRealize Orchestrator
  • VMware vSphere Data Protection
  • VMware vShield Manager

How is PSC 6.0 packaged?

The Platform Services Controller is available on both the Windows vCenter Server ISO and the vCenter Server Appliance (VCSA) ISO.

How is the PSC 6.0 licensed?

The Platform Services Controller, on both Windows and Appliance, is not a licensed product. It is currently bundled with the vCenter Server 6.0 in the vSphere and vCloud Suites, but only the vCenter Server component of the bundle requires a license.

What Platform Services Controller deployment modes are possible with the vCenter Server Appliance? With Windows-based vCenter Server?

New to vSphere 6.0, both the Appliance-based PSC and Windows-based PSC can be deployed in either multi-site or high availability configurations. Additionally, if you need multi-site in conjunction with high availability, you can now set up your vSphere environment to have multiple sites and then configure each site with secondary PSCs. A load balancer is still required per site to provide high availability. Only local load balancers (often referred to as LTM, or Local Traffic Manager) are supported for PSC HA. For more information about recommended and supported topologies, see List of recommended topologies for vSphere 6.0.x (2108548).

Note: When configuring PSC High Availability, the load balanced pair is required to be of the same type; mixing Appliance-based and Windows-based PSCs in the same load balanced pair is not supported.

For information about setting up PSC High Availability (HA), see:

What are the minimum requirements to run PSC 6.0?

Requirements when deploying the Appliance-based Platform Services Controller:
  • Processor - Intel or AMD x64 processor with two or more logical cores, each with a speed of 2 GHz
  • Memory - 2 GB

    Note: In vSphere 6.0 Update 3 and later the PSC is deployed with 4 GB.

  • Disk storage - 30 GB
  • Network speed - 1 Gbps
For more information, see the vCenter Server Appliance Hardware Requirements and Storage Requirements section in the vSphere Install and Setup Guide.

Requirements when deploying the Windows-based Platform Services Controller:
  • Processor - Intel or AMD x64 processor with two or more logical cores, each with a speed of 2 GHz
  • Memory - 2 GB
  • Disk storage - 4 GB
  • Network speed - 1 Gbps
For more information, see the vCenter Server for Windows Hardware Requirements and Storage Requirements section in the vSphere Install and Setup Guide.


What happens when the PSC 6.0 server is down? How does this affect Enhanced Linked Mode (ELM)?

If the PSC 6.0 server is down, you cannot log in to vCenter Server or any second party VMware products that depend on it. Existing connections and user sessions to the vCenter Server remain active, and the vCenter Server services remain up and running. However, once the session ends, if the PSC is still down, the user cannot log in again. Additionally, if the PSC is down and the vCenter Server's services are restarted, vCenter Server is unable to fully start until the PSC's services are restored or the vCenter Server is repointed to an operational PSC in the same vSphere Domain.

In an environment in which multiple PSCs are in the same vSphere Domain and Enhanced Linked Mode is being used, if the PSC to which a vCenter Server is connected fails, access to this vCenter Server through a different vCenter Server's vSphere Web Client is not possible. This is because the user's SAML token from the vSphere Web Client cannot be passed to the failed PSC, and therefore not to vCenter Server. Unless the PSC is brought back online or vCenter Server is repointed to a different PSC in the same domain, users cannot access it.

What happens when the VMware Certificate Authority (VMCA) service in the PSC 6.0 server is down? If my Public Key Infrastructure (PKI) is down?

At this time, the VMCA and VECS do not perform Certificate Revocation List (CRL) checking. This means that while the VMCA service is down, your vCenter Server(s) continue working and can be restarted. For more information, see Managing Certificate Revocation in the vSphere Security Guide.

Additionally, if your PKI is down, your vSphere environment continues to run, because the VMCA and VECS do not perform CRL checking.

Do I need a database to successfully install/run PSC 6.0?

As with SSO 5.5, in vSphere 6.0 you do not need a database for the PSC.

How to backup and restore PSC 6.0?

For information on how to back up and restore the PSC, see How to back up and restore vCenter Server 6.0 external deployment models (2110294).

Can I use snapshots against my PSC 6.0? How about image-based backups?

You can snapshot a single Platform Services Controller so long as it does not exist in a multi-site or highly available configuration within a vSphere domain. This is due to the use of Update Sequence Number (USN) for replication, and when restoring a PSC via snapshot or image-based backup, the sibling nodes are out of sync. For more information, see Possible vSphere.local domain inconsistencies after restoring a vCenter Server Single Sign-On 5.5 or Platform Services Controller 6.0 node (2086001).

You can use image-based backups for stand-alone PSCs as well as for multi-site or highly available configurations, as long as the prescriptive backup and restore methodology covered in the section How to backup and restore PSC 6.0? has been followed.
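
Why a restored node falls out of sync with its siblings can be seen in a small model of USN-based replication. This is an added example, not VMware code and not the VMware Directory Service implementation; the Node class, the high-water-mark bookkeeping and the entry names are simplifying assumptions.

```python
import copy


class Node:
    """Simplified directory node (assumed model, not the vmdir implementation)."""

    def __init__(self, name):
        self.name = name
        self.usn = 0          # local Update Sequence Number, bumped on every write
        self.log = []         # locally originated changes as (usn, key, value)
        self.data = {}        # directory contents as this node sees them
        self.high_water = {}  # partner name -> highest USN already pulled from it

    def write(self, key, value):
        self.usn += 1
        self.log.append((self.usn, key, value))
        self.data[key] = value

    def pull_from(self, partner):
        """Apply only partner changes whose USN is above the stored high-water mark."""
        mark = self.high_water.get(partner.name, 0)
        applied = []
        for usn, key, value in partner.log:
            if usn > mark:
                self.data[key] = value
                applied.append(key)
        if partner.log:
            # The mark never moves backwards, even if the partner's USN did.
            mark = max(mark, partner.log[-1][0])
        self.high_water[partner.name] = mark
        return applied


def simulate_snapshot_restore():
    """Two replicating nodes; psc1 is rolled back to a snapshot mid-way."""
    psc1, psc2 = Node("psc1"), Node("psc2")

    psc1.write("user-a", "v1")          # USN 1
    psc1.write("user-b", "v1")          # USN 2
    psc2.pull_from(psc1)                # psc2 has seen psc1 up to USN 2
    snapshot = copy.deepcopy(psc1)      # snapshot taken at USN 2

    psc1.write("user-c", "v1")          # USN 3
    psc1.write("user-d", "v1")          # USN 4
    psc2.pull_from(psc1)                # psc2 has seen psc1 up to USN 4

    psc1 = copy.deepcopy(snapshot)      # restore: psc1's USN is back at 2
    for key in ("user-e", "user-f", "group-x"):
        psc1.write(key, "v1")           # USNs 3, 4 and 5 are issued a second time

    applied = psc2.pull_from(psc1)      # psc2 only asks for USN > 4
    return {
        "applied_after_restore": applied,
        "psc2_mark_for_psc1": psc2.high_water["psc1"],
        "only_on_psc1": sorted(set(psc1.data) - set(psc2.data)),
        "only_on_psc2": sorted(set(psc2.data) - set(psc1.data)),
    }


if __name__ == "__main__":
    for field, value in simulate_snapshot_restore().items():
        print(f"{field}: {value}")
```

In this model the two nodes never converge again without outside repair: the reused USNs are skipped silently, and nothing in the replication state signals an error.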

How do I create a Service Principal Name (SPN)?

For instructions to create and use a Service Principal Account in PSC 6.0, see Creating and using a Service Principal Account in vCenter Single Sign-On 5.5 (2058298).

What is a vSphere Domain Name in PSC 6.0?

A vSphere Domain Name is defined when you are first configuring a PSC 6.0, or it is retained when you are upgrading your existing SSO 5.5 environment. This is the name on which your vSphere Domain's backing directory service (VMware Directory Service) bases all of its internal Lightweight Directory Access Protocol (LDAP) structuring. With vSphere 6.0, you can give your vSphere Domain a unique name. However, ensure that you do not give it the same name as any of your other Directory Services (OpenLDAP, Microsoft Active Directory), as this causes conflicts with authentication. If you are upgrading from vSphere 5.5, your vSphere Domain Name remains the default vsphere.local. Changing the name of your vSphere Domain once it has been configured is not supported.

After defining the name of your domain, you can populate it with objects in the form of Machines (PSCs, vCenter Servers, vRealize Automation, etc.), Users (users@vsphere.local) or Groups (groups@vsphere.local). These objects can then be organized into individual logical sites, explained below.

What are Sites in PSC 6.0?

A Site in the VMware Directory Service is a logical container in which we group the Platform Services Controllers' server objects within a vSphere Domain. You can name them in an intuitive way for easier implementation. Additionally, when Platform Services Controllers are deployed, they publish their service information (service registrations) into the defined Site. When vCenter Servers are deployed against the Platform Services Controllers, the vCenter Server will publish its service information into the Site to which the Platform Services Controller belongs. If you need to move vCenter Servers between Sites, you must move their respective service information. For more information, see the section Can I repoint the vCenter Server to other PSCs in the same vSphere Domain? Can I repoint the vCenter Server to a new vSphere Domain? within this article.

Currently, the use of sites is for configuring PSC High Availability groups behind a load balancer.

What are the different types of Identity Sources that can be created with SSO 5.5?
 
The different types of Identity Sources that can be created with SSO 5.5 include:
  • Active Directory (Integrated Windows Authentication)
  • Active Directory as an LDAP server
  • OpenLDAP
  • Local OS
For more information, see Identity Sources for vCenter Server with vCenter Single Sign-On in the vSphere 6.0 Security Guide.

How do we generate the PSC Support Bundle for Windows? For the Appliance-based PSC?

Since both Appliance-based and Windows-based PSCs can be deployed external to the vCenter Server and exist in the same environment in vSphere 6.0, there are multiple means to generate a support log bundle.

For the Platform Services Controller Appliance:
  • From a Web Browser
    1. Open a Web Browser and navigate to: https://Platform_Services_Controller_FQDN/appliance/support-bundle
    2. When prompted, enter the root credentials and click Enter.
    3. The download begins automatically as vm-support.tgz.
  • From Command Line:
    1. Initiate an SSH connection to the vCenter Server Appliance.
    2. Provide the root user name and password when prompted.
    3. Run this command to enable the Bash shell:

      shell.set --enabled True

    4. Run this command to access the Bash shell:

      shell

    5. In the Bash shell, run the command to export logs to /storage/log/:

      vc-support -l

    6. This begins generating a log bundle as vc-<FQDN_of-PSC>-<Date>.tgz.
    7. After completing, use an SCP client to download the log bundle.
  • From vSphere Web Client UI
    1. Log in to the vSphere Web Client from vCenter Server connected to the Platform Services Controller with Administrator@vsphere.local
    2. Click on Administration > System Configuration
    3. Click Nodes in the left pane.
    4. Locate the Platform Services Controller in the left pane, right-click and click Export Support Bundles.
    5. Click Export Log Bundle and select a location to export.
    6. Click OK.
For the Platform Services Controller for Windows:
  • From Windows Server UI
    1. Remote Desktop into the Windows Server.
    2. Click Start > All Programs (Windows 2008R2) or Start > All Apps icon (Windows Server 2012R2)
    3. Locate the VMware folder
    4. Click Generate vCenter Server log bundle
    5. This will begin generating a log bundle as vc-FQDN_of-PSC-<Date>.tgz on the desktop.
  • From Command Line:
    1. Remote Desktop into the Windows Server.
    2. Open an administrative command prompt.
    3. Run the below command to generate the log bundle:

      "%VMWARE_CIS_HOME%"\bin\vc-support.bat

    4. This will begin generating a log bundle as vc-FQDN_of-PSC-<Date>.tgz on the desktop.
  • From vSphere Web Client UI
    1. Log in to the vSphere Web Client from vCenter Server connected to the Platform Services Controller with Administrator@vsphere.local
    2. Click on Administration > System Configuration
    3. Click on Nodes in the left pane.
    4. Locate the Platform Services Controller in the left pane, right-click and click Export Support Bundles
    5. Click Export Log Bundle and select a location to export.
    6. Click OK.
If you are running an embedded Platform Services Controller on your vCenter Server, the support bundle contains the logs and also the information for the PSC. For more information, see Collecting diagnostic information for VMware vCenter Server 4.x, 5.x and 6.0 (1011641).

What is a VMware Solution and how does it affect my maximums?

A VMware Solution is defined as a product that creates a Machine Account and one or more Solution Users (a collection of vSphere services) within the VMware Directory Service when the product is joined to the PSC, and thus to the vSphere Domain. The Machine Account and Solution User(s) are used to broker and secure communication between other Solutions available within the vSphere environment. In order to count against these maximums, the Machine Account and Solution Users must be fully integrated with all of the PSC's available feature sets (Identity Management and Authentication Brokering, Certificate Management, Licensing, etc.) such that the product makes full use of the PSC. At this time, only vCenter Server is defined as a fully integrated solution and counts against these maximums.

Partially integrated solutions, such as vCenter Site Recovery Manager, vCloud Director, vRealize Orchestrator, vRealize Automation Center, and vRealize Operations, do not count against these defined maximums.

Upgrade Questions   

How do I upgrade from SSO 5.1 to PSC 6.0? From SSO 5.5 to PSC 6.0?

If the SSO service is bundled with the vCenter Server, referred to as an embedded deployment, the upgrade from 5.x to 6.0 is handled all-inclusively via the installer for both Windows and the vCenter Server Appliance.
  • vSphere 5.1: If the SSO service is deployed externally, see the Upgrade vCenter Single Sign-On 5.1 for External Deployment section in the vSphere Upgrade Guide.
  • vSphere 5.5: If the SSO service is deployed externally, see the Upgrade vCenter Single Sign-On 5.5 for External Deployment section in the vSphere Upgrade Guide.

What is the sequence when upgrading my SSO 5.x to PSC 6.0? What if I have multiple SSO nodes in the same domain?

When planning your vSphere 5.x upgrade to 6.0, see Update sequence for vSphere 6.0 and its compatible VMware products (2109760), which covers when to upgrade the Platform Services Controller.

In vSphere environments in which multiple SSO nodes exist in the same vSphere domain, see Mixed-Version Transitional Environments in vCenter Server for Windows Upgrades in the vSphere Upgrade Guide.

What happens to the database that I have with SSO 5.1?

After upgrading to PSC 6.0, the old SSO database is no longer needed. However, the database is not removed from your database server during the upgrade. You must manually remove the database and all users associated with it.

After upgrading, will the PSC 6.0 retain my old Identity Sources?

Yes, all your old Identity Sources are retained after the upgrade.

In SSO 5.1, my SSO domain was system-domain and the administrator user was the admin. Will I still be able to log in using the same username in PSC 6.0?

Yes, you can continue to log in to your SSO server with the old user (admin@system-domain) and password. This account is an alias of the administrator@vsphere.local after you have upgraded.

Will PSC 6.0 work with vCenter Server 5.1? With vCenter Server 5.5?
  • vSphere 5.1: No, PSC 6.0 will not work with vCenter Server 5.1.
  • vSphere 5.5: Yes, PSC 6.0 will continue working with vCenter Server 5.5 in an environment in which you are performing a rolling upgrade.

However, VMware does not support fresh installs or repointing of vCenter Server 5.5 against a PSC 6.0, nor does VMware support leaving your environment in a hybrid-type deployment of vSphere 5.5 with vSphere 6.0. VMware recommends that you upgrade vCenter Server to 6.0 along with your PSC. For more information, see Mixed-Version Transitional Environments in vCenter Server for Windows Upgrades in the vSphere Upgrade Guide.


Will PSC 6.0 work with SSO 5.5?

Yes, PSC 6.0 will continue to work with SSO 5.5. However, as with vCenter Server backward compatibility, VMware recommends that you upgrade all of your SSO 5.5 nodes to 6.0. For more information, see Replace the VMware Directory Service Certificate in Mixed Mode Environments in the vSphere Security Guide.

When do I Patch (Appliance) or Update (Windows) a PSC 6.0?

The Platform Services Controller and the vSphere Domain sit above the vCenter Server and the rest of the VMware Product stack. When planning an update for your vSphere environment, the Platform Services Controller(s) are the first systems that need to be patched or updated. At this time, updating the Platform Services Controllers must be performed in a serial fashion where each PSC is updated one by one. Parallel installation of patches or updates on PSCs is not supported.

When patching your vSphere Domain environment, VMware recommends always patching all of the PSCs at the same time to bring them to the same version.

For more information on the sequence of updating your vSphere environment, see Update sequence for vSphere 6.0 and its compatible VMware products (2109760).

How do I check the current vSphere version or build number that my PSC 6.0 is running?
  • Checking the Platform Services Controller Appliance:
    1. SSH to the appliance and log in with root.
    2. Run the command:

      com.vmware.appliance.version1.system.version.get

      You see output with the build number, the release date of the build, and type of the Appliance.

      For example:

      Version:
      Product: VMware vCenter Server Appliance
      Summary: Patch for VMware vCenter Server Appliance 6.0
      Releasedate: June 16, 2015
      Version: 6.0.0.5120
      Build: 2800573
      Type: VMware Platform Services Controller
  • Checking the Platform Services Controller for Windows:
    1. Remote desktop to the Windows Server
    2. Open an administrative command prompt
    3. Run this command to get the build number:

      reg query "HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\vCenter Server" /v BuildNumber

      For example:

      HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\vCenter Server
      BuildNumber REG_SZ 2800572


    4. Run this command to get the type of deployment:

      reg query "HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\vCenter Server" /v INSTALL_TYPE

      For example:

      HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\vCenter Server
      INSTALL_TYPE REG_SZ infrastructure


      There are two types that can be displayed here:
      • Embedded indicates that the PSC is embedded with the vCenter Server.
      • Infrastructure indicates that the PSC was deployed separately from the vCenter Server.
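
The two checks above can be combined into a consistency check across all PSCs in a vSphere domain. The following Python sketch is an added example, not VMware code: it parses output shaped like the appliance and reg query examples on this page and reports PSCs whose build numbers differ. The host names, the second appliance build number and the choice to compare builds per platform are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed captures, shaped like the example outputs shown on this page.
APPLIANCE_SAMPLE = """\
Version:
Product: VMware vCenter Server Appliance
Summary: Patch for VMware vCenter Server Appliance 6.0
Releasedate: June 16, 2015
Version: 6.0.0.5120
Build: 2800573
Type: VMware Platform Services Controller
"""
WINDOWS_BUILD_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\vCenter Server
    BuildNumber    REG_SZ    2800572
"""
WINDOWS_TYPE_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\vCenter Server
    INSTALL_TYPE    REG_SZ    infrastructure
"""


def parse_appliance_version(text):
    """Parse 'Key: Value' lines; the bare 'Version:' header has no value and is skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+):\s*(\S.*?)\s*$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    if not fields.get("build", "").isdigit():
        raise ValueError("no numeric Build field in appliance output")
    return {"platform": "appliance", "build": int(fields["build"]),
            "version": fields.get("version"), "type": fields.get("type")}


def parse_reg_value(text, name):
    """Return the REG_SZ data for value `name` from `reg query ... /v name` output."""
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\s+REG_SZ\s+(.*\S)\s*$", line)
        if m and m.group(1).lower() == name.lower():
            return m.group(2)
    raise ValueError(f"value {name!r} not found in reg query output")


def parse_windows_version(build_text, type_text):
    build = parse_reg_value(build_text, "BuildNumber")
    if not build.isdigit():
        raise ValueError("BuildNumber is not numeric")
    return {"platform": "windows", "build": int(build),
            "type": parse_reg_value(type_text, "INSTALL_TYPE")}


def find_build_drift(inventory):
    """inventory maps host name -> parsed record.

    Returns {platform: {build: [hosts]}} for every platform on which the PSCs
    report more than one build. Builds are compared per platform (an assumption
    of this example) because the page's own samples show different numbers for
    the appliance and for Windows.
    """
    by_platform = defaultdict(lambda: defaultdict(list))
    for host, record in sorted(inventory.items()):
        by_platform[record["platform"]][record["build"]].append(host)
    return {p: dict(builds) for p, builds in by_platform.items() if len(builds) > 1}


def sample_inventory():
    """Three constructed PSCs; psc-b reports a made-up older build."""
    older = APPLIANCE_SAMPLE.replace("Build: 2800573", "Build: 2700000")
    return {
        "psc-a.example.test": parse_appliance_version(APPLIANCE_SAMPLE),
        "psc-b.example.test": parse_appliance_version(older),
        "psc-w1.example.test": parse_windows_version(WINDOWS_BUILD_SAMPLE,
                                                     WINDOWS_TYPE_SAMPLE),
    }


if __name__ == "__main__":
    for platform, builds in find_build_drift(sample_inventory()).items():
        for build, hosts in sorted(builds.items()):
            print(f"{platform}: build {build} on {', '.join(hosts)}")
```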

How do I Patch (Appliance) or Update (Windows) a PSC 6.0?

The Platform Services Controller Appliance and the Platform Services Controller for Windows use different update mechanisms to patch the software: software-packages on the Appliance and the autorun executable on Windows. Due to the differences, the operation is often referred to as Patching on the Appliance and as Updating on the Windows equivalent. The operations below update your PSC(s) to the latest version of vSphere 6.0.
  • Patching the Platform Services Controller Appliance:

    The Patches for the Platform Services Controller Appliance are located on the MyVMware Patch Repository.
    1. Download the Patch ISO for the Platform Services Controller Appliance.
    2. Mount the ISO to the Appliance using the vSphere Client or vSphere Web Client
    3. SSH to the appliance and log in with root.
    4. Ensure you are running the Platform Services Controller appliance under the Appliance Shell. For more information, see Toggling the vCenter Server Appliance 6.x default shell (2100508).
    5. Stage the patches from the mounted ISO by running the command:

      software-packages stage --iso --acceptEulas

    6. Install the staged patches by running the command:

      software-packages install --staged

    7. If prompted, reboot the Platform Services Controller Appliance:
      1. Run this command to enable the Bash shell:

        shell.set --enabled True

      2. Run this command to access the Bash shell:

        shell

      3. Run this command to reboot the PSC:

        reboot

    8. After completion, repeat this process on any additional Platform Services Controllers.
  • Updating the Platform Services Controller for Windows:

    The Updates for the Platform Services Controller for Windows are located on the MyVMware Downloads.
    1. Download the latest ISO for the Windows vCenter Server 6.0
    2. Mount the ISO to the Platform Services Controller
    3. In the software installer, double-click the autorun.exe file to start the update.
      The installer will run to identify which versions of Platform Services Controller you are using and will identify if it needs to be upgraded.
    4. Click Next, Accept the EULA
    5. Click Next
    6. Click Update
    7. If prompted, reboot the Platform Services Controller system.
    8. After completion, repeat this process on any additional Platform Services Controllers.

Best Practices    

What are the best practices for installing PSC 6.0?


What are the best practices for upgrading to PSC 6.0?


How many PSC servers can exist behind a load balancer?

With the use of a load balancer, there can be a maximum of 4 PSCs per site within the vSphere domain. For more information, see the Platform Services Controller Maximums in the vSphere 6.0 Configuration Maximums Guide.

What are the compatible load balancers with PSC HA? What are the requirements of the load balancer?

VMware has tested and certified the use of Citrix NetScaler, F5 Networks BIG-IP and VMware NSX for vSphere 6.2 for use with PSC HA. For information on the requirements for using Citrix NetScaler, F5 Networks BIG-IP, and VMware NSX for vSphere 6.2 as well as other load balancers with PSC HA, see vCenter Single Sign-On and Platform Services Controller High Availability Compatibility Matrix (2112736).

PSC HA requires the use of SSL Termination with the compatible load balancer rather than SSL Passthrough. What does this mean?

Everything is encrypted on port 443 up to the Reverse Proxy, which uses the __Machine_SSL certificate stored in the MACHINE_SSL_CERT VECS store on the backing Platform Services Controller nodes. When vCenter Server (acting as a client) connects, it creates an encrypted SSL session that terminates at the load balancer. The load balancer then initiates a new encrypted SSL connection to one of the PSC nodes and hands the session off to it, so that the vCenter Server session ends up connected to the Reverse Proxy on the PSC (port 443). To proxy the traffic and have visibility of it, the load balancer has to decrypt it; it then re-encrypts it in a separate session to the PSC.

There are other RPC and LDAPS ports that we communicate with, which are called out in the different load balancer setup guides:

How many PSC servers can exist in a vSphere Domain?

VMware has tested up to 8 PSCs within the vSphere domain. For more information, see the Platform Services Controller Maximums in the vSphere 6.0 Configuration Maximums Guide.

Is there any way to add Identity Source through command line?

Yes, however this is limited to just the Active Directory (Integrated Windows Authentication) identity source. For more information, see Adding an Integrated Active Directory (IWA) Identity Source without the vSphere Web Client for vSphere 5.5/6.0 (2063424).

What are the other PSC's maximums?

For more information, see the Configuration Maximums for vSphere 6.0.

Can I deploy PSCs over a WAN?

While it is possible to deploy PSCs over a WAN, it is recommended that the latency between PSCs, as with any replicating directory service, be as low as possible. Additionally, now that Enhanced Linked Mode (ELM) and all features that utilize ELM are facilitated via the PSC, low latency is highly recommended for the best user experience within a vSphere environment. VMware recommends no higher than 100 ms RTT between Platform Services Controllers spanning sites and no higher than 10 ms RTT between PSCs within a site.

How should I deploy my PSC 6.0 regarding Active Directory? Regarding OpenLDAP?

When using the Active Directory (Integrated Windows Authentication) identity source, pair the PSC as close to the local Active Directory Domain Controller(s) (DC) as possible, with minimal hop count to reach them. The PSC, both Windows-based and Appliance-based, has improved logic for SAML token creation and requests, as well as User and Group querying, that leverages the nearest DC within the environment to provide the best performance for log-in. Additionally, depending on the complexity of your Active Directory environment, there are known limitations. For more information about supported Active Directory topologies, see Microsoft Active Directory Trusts supported with VMware vCenter Single Sign-On (2064250).

When using the other available Identity Sources, such as OpenLDAP and Active Directory as an LDAP server, the PSC performs simple binds via the service account that was provided during identity source creation. While distance and latency to the Domain Controllers are of extreme importance, since we are performing a simple bind when querying the users, these identity sources will have performance limitations and problems due to parsing recursion. For more information, see Logging into vCenter Server using the vSphere Client with vCenter Single Sign-On in a multi-domain environment fails (2037410).

When should I use Embedded? When should I use External? What is the optimal PSC to vCenter Server Architecture?

vCenter Servers with Embedded Platform Services Controllers are designed for environments in which no vCenter Servers, or second party VMware products, need to communicate (via Enhanced Linked Mode) and the vSphere environment stays relatively static. In these environments, often there is only a single vCenter Server. When using the Embedded Platform Services Controller with the vCenter Server, it is not recommended to set up replication partnerships with External Platform Services Controllers or other Embedded Platform Services Controllers.

As of vSphere 6.0 Update 1, customers can now move their vCenter Server with Embedded Platform Services Controller to a vCenter Server with External Platform Services Controller. For more information, see the Reconfigure a Standalone vCenter Server with Embedded Platform Services Controller to vCenter Server with External Platform Services Controller section in the vSphere Installation and Setup guide. Using Update 1, you can only move a single vCenter Server with Embedded Platform Services Controller to an External Platform Services Controller; having multiple vCenter Servers with Embedded Platform Services Controllers in the same vSphere domain and attempting to migrate them to External Platform Services Controllers is not supported with the cmsso-util reconfigure command with this version of vSphere.

As of vSphere 6.0 Update 2, customers can now move multiple vCenter Servers with Embedded Platform Services Controllers that are in the same vSphere domain to vCenter Servers with External Platform Services Controllers. For more information, see the Reconfigure Multiple Joined Instances of vCenter Server with Embedded Platform Services Controller to vCenter Server with External Platform Services Controller section in the vSphere Installation and Setup guide. In vSphere 6.0 Update 2, you can only move multiple vCenter Servers with an Embedded Platform Services Controller to External Platform Services Controllers.

External Platform Services Controllers are used in large environments in which multiple vCenter Servers are all working in conjunction through Enhanced Linked Mode and/or you have multiple second party applications (vRealize Automation Center, vRealize Orchestrator, etc.) that integrate with the PSC. In these environments, often there are multiple vCenter Servers connected to the same vSphere domain, and there are other second party applications that integrate with the vCenter Server, using it as an endpoint for automation or Cloud services.


Can I install mixed versions of PSCs in the same vSphere domain?

No, VMware does not recommend deploying different versions of the PSC in the same vSphere domain. You can only join a new PSC to a federation if the PSC and federation are at the same level/version. It is required to always patch or update all of the PSCs to the same version, and once this has been completed, when adding additional PSCs to the vSphere domain, use the same version as the existing PSCs. Deploying PSCs with older or higher build numbers can lead to unknown issues with the federation.

What kind of topology should I use in my vSphere Domain? How should my PSCs be connected?

VMware recommends using a Ring-based replication topology when organizing your vSphere Domain. The use of a Ring provides the most optimal communication path between all PSCs, providing two redundant links for replication communication between all nodes within a vSphere Domain in the event of a networking interruption. Additionally, the use of a Ring provides a minimal amount of replication agreements that must be established, which is both favorable with regards to performance of the individual PSCs as well as the administrative overhead required to maintain a vSphere Domain.

For more information and how to maintain your topology, see How can I review my current vSphere domain topology? Can I setup new replication agreements between my PSCs? under Application Questions within this article.

Application Questions   

Can I change the PSC 6.0 administrator username from administrator@vsphere.local to another user name?

No, PSC 6.0 administrator username cannot be changed from administrator@vsphere.local to another user name. You can, however, create a separate administrator user for this purpose.

Do I still need to have a master password with PSC 6.0?

No, there is no Master password anymore. By default, administrator@vsphere.local is the administrator in PSC 6.0, as it was in SSO 5.5.

Can I create or manage SSO users in the vSphere.local domain with PSC 6.0? With a command-line interface (CLI)? With an application program interface (API)?

You can now easily create and manage SSO Users using a new command-line utility that is included within the PSC 6.0 called dir-cli. For guidance on using dir-cli, see the dir-cli Command Reference section in the vSphere Security Guide.

At this time, the APIs required for this process are not publicly exposed. For more information, see the Overview of vSphere Command-Line Interfaces section in the vSphere 6.0 Command-Line Documentation Guide.

What do all of the built-in Groups do within my vSphere Domain? Can I remove any of these built-in Groups?

Each of these groups provides an integral set of privileges and a corresponding set of available actions in the vSphere Domain. For more information, see Groups in the vSphere.local Domain in the vSphere Security Guide. Removing any of the built-in Users or removing any of the built-in Groups is not supported and can cause irreparable damage to your vSphere Domain.

Can I add an Active Directory or OpenLDAP Group to one of the PSC built-in Security Groups, such as Administrators or SystemConfiguration.Administrators?

Yes. As of vCenter Server 6.0 Update 1b and later, adding Active Directory groups into the vSphere Domain's built-in security groups is supported. For previous versions of vSphere, you must add individual users. For more information and caveats, see Unable to administer vCenter Single Sign-On after adding a User Group and individual users from a Directory Service (OpenLDAP or Active Directory) (2095342).

What hash and cipher algorithm are used by the VMCA as a Root Certificate Authority when provisioning certificates? What are the default key size and validity period of those certificates? What if I make it into a subordinate Certificate Authority?

The default certificates from the VMCA as a certificate authority are generated with:
  • SHA256 with RSA Encryption
  • 10 Year Validity Period
  • 2048 Key Size
When the VMCA is replaced with a signing certificate from your PKI, the settings (for example, hash, cipher, key size and validity period) provided by your PKI dictate what the VMCA can provision. The VMCA cannot provision certificates with a validity period or other settings past those of its own signing certificate.

How can I review my current vSphere domain topology? Can I setup new replication agreements between my PSCs?

You can review your topology by using the vdcrepadmin CLI packaged with the Platform Services Controller. This CLI allows you to list out the replication partners for your vSphere domain. Additionally, it allows you to create new replication partnerships between PSCs in your vSphere domain. However, this CLI cannot be used to create replication agreements between disparate (separate) vSphere domains. For more information, see Determining replication agreements and status with the Platform Services Controller 6.0 (2127057).
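The ring recommendation and the topology review described above can be checked mechanically once each PSC's partner list has been collected with vdcrepadmin. The following is an added example, not VMware code: audit_topology is a hypothetical helper and the partner maps are constructed sample data. It flags partner lists that disagree, PSCs without exactly two partners, and links whose loss would split the domain.

```python
from collections import deque

def connected(nodes, links):
    """True if all nodes are reachable from one another over the links."""
    if not nodes:
        return False
    adj = {n: set() for n in nodes}
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    start = next(iter(nodes))
    seen, queue = {start}, deque([start])
    while queue:
        for peer in adj[queue.popleft()] - seen:
            seen.add(peer)
            queue.append(peer)
    return len(seen) == len(nodes)

def audit_topology(partners):
    """partners maps each PSC to the set of partners that PSC reports."""
    nodes, links, findings = set(partners), set(), []
    for psc, peers in partners.items():
        for peer in sorted(peers):
            if peer == psc or peer not in partners:
                findings.append(f"{psc}: partner {peer} is not another known PSC")
            elif psc not in partners[peer]:
                findings.append(f"{psc} lists {peer}, but {peer} does not list {psc}")
            else:
                links.add(frozenset((psc, peer)))
        if len(peers) != 2:
            findings.append(f"{psc}: {len(peers)} partner(s), a ring needs 2")
    # In a ring, losing any single replication link must not split the domain.
    fragile = sorted(tuple(sorted(link)) for link in links
                     if not connected(nodes, links - {link}))
    ring = not findings and connected(nodes, links)
    return {"ring": ring, "findings": findings, "single_points": fragile}

# Constructed sample data (hypothetical PSC names), not output from a real domain.
RING = {"psc1": {"psc2", "psc4"}, "psc2": {"psc1", "psc3"},
        "psc3": {"psc2", "psc4"}, "psc4": {"psc3", "psc1"}}
# Same PSCs deployed as a chain: the psc4 <-> psc1 agreement was never created.
CHAIN = {"psc1": {"psc2"}, "psc2": {"psc1", "psc3"},
         "psc3": {"psc2", "psc4"}, "psc4": {"psc3"}}

if __name__ == "__main__":
    for name, topo in (("ring", RING), ("chain", CHAIN)):
        print(name, audit_topology(topo))
```

For the chain, every remaining link is reported as a single point of failure, which is the condition the closing agreement of a ring removes.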

PSC 6.0 uses auto-generated certificates. Can we replace these certificates with custom generated certificates?

Yes, the VMware Certificate Authority (VMCA) on the Platform Services Controller can be replaced with a subordinate certificate authority signing certificate. This allows certificates for both the PSC and vCenter Server to be generated as CA-signed certificates. Customers forgoing this feature can replace the certificates on the PSC using the vSphere Certificate Utility. For more information, see Implementing CA signed SSL certificates in vSphere 6.0 (2111219).

Some of the services bundled with the PSC are not fully VECS-integrated, so the certificate replacement process is manual. For more information, see the vSphere Security Guide.

After replacing the VMCA in PSC 6.0 with a Signing Certificate, do we need to do anything else?

After replacing the VMCA with a signing certificate for your own PKI, you need to wait 24 hours in order to add new ESXi 6.0 hosts to vCenter Server. Existing ESXi 6.0 or 5.x hosts are not affected after this process has occurred. For more information, see Unable to add ESXi 6.0 host to vCenter Server 6.0 with error "signed certificate could not be retrieved due to a start time error" (2123386).

Can I disable PSC 6.0 in vCenter Server?

No, you cannot disable vCenter Server dependency on PSC 6.0. This is similar to vSphere 5.1 and 5.5.

Can I repoint vCenter Server to other PSCs in the same vSphere Domain? Can I repoint vCenter Server to a new vSphere Domain?

When multiple external PSCs are deployed in the same vSphere Domain and are replicating, repointing a vCenter Server between these PSCs can be performed using vmafd-cli. This allows customers to move vCenter Servers between PSCs in the event they need to perform maintenance on a PSC. For more information, see Repointing the VMware vCenter Server 6.0 between External Platform Services Controllers within a Site in a vSphere Domain (2113917).

Introduced in vSphere 6.0 Update 1, customers can now move their vCenter Servers between different sites within the same vSphere domain using the cmsso-util repoint CLI. For more information, see Repointing the VMware vCenter Server 6.0 between Sites in a vSphere Domain (2131191).

With vSphere 6.0, you can no longer repoint a vCenter Server node to a PSC in a separate vSphere Domain as was available in vSphere 5.5 and 5.1. This is because the other vSphere Domain does not contain any of the important data from the originating vSphere Domain's VMware Directory Service, as the two domains have no way of replicating to one another. Because vCenter Server now stores some data in itself but utilizes some data in the vSphere Domain, you must perform a re-installation of vCenter Server if you would like to change domains.

Can I merge two vSphere Domains together?

No, there is no way to merge two vSphere domains together.

Can I get Enhanced Linked Mode between two, separate vSphere domains?

No, Enhanced Linked Mode requires that all PSCs be in the same domain and replicating. Since two separate vSphere Domains do not have a means of replicating, the new APIs that provide ELM cannot display the contents of both domains. For more information about Enhanced Linked Mode, see the Enhanced Linked Mode Overview section in the vSphere Upgrade Guide.

Is NTLM authentication still supported? If yes, does this mean that NT4 domains can also be authenticated?

No, NTLM authentication was deprecated in vSphere 5.5 and is no longer supported with PSC 6.0.

Can I configure multiple default domains in PSC 6.0?

No, there can only be one default domain.

What is the replication interval between two PSCs?

The replication interval between two PSCs is 30 seconds. However, under certain conditions, this replication time can increase in order for all PSCs to fully synchronize. For more information, see the VMware Directory Service Replication Can Take a Long Time section in the vSphere Security Guide.

How to verify a successful PSC 6.0 installation?

To verify if the PSC 6.0 installation is successful, perform the following:
How do I decommission a PSC 6.0 installation for Windows-based or Appliance-based servers?


After adding my Active Directory (Integrated Windows Authentication) identity source, it went to the Root of my Active Directory domain. My PSC is in a Child Domain, how do I adjust this?


Update History

7/16/2016 -- updated section about adding users and groups to the vSphere Domain security group (KB2095342)
