Deploying vSphere 6.5 Update 2 Platform Services Controller (PSC) and vCenter in an HA configuration [Part 2]

This is Part 2 of this process. If you need to review Part 1, you can do that here: Deploying vSphere 6.5 Update 2 Platform Services Controller (PSC) and vCenter in an HA configuration [Part 1]

I want to point out a really good article: https://haveyoutriedreinstalling.com/psc-ha-6-5-1-introduction/psc-ha-6-5-2-prepare-a-load-balancer/psc-ha-6-5-3-preparing-a-certificate/

You may also want to make your VMCA a Subordinate CA. You can follow this article to accomplish that. Just repeat the steps for each PSC: https://www.virtuallytrivial.com/index.php/2018/10/05/vmca-6-5-update-2-as-a-subordinate-ca/

Yes, during the deployment of this configuration, I had to open a Support Request due to what I can only refer to as “bugs”. The case was escalated and the second tier engineer actually pointed me to that post. It is done by one of their VMware Engineers. Sadly, I had been referring to the article already. What I’m going to try to do is provide detail on Update 2 as there seem to be slight updates there.

Adjusting the Machine SSL Certificate on your Platform Services Controllers (PSCs) for Load Balancing

  1. SSH into your first PSC
  2. Type: cd /certs  (if the directory doesn’t exist, type mkdir /certs)
  3. Type: vi psc_ha_csr_cfg.cfg
  4. Type: i
  5. We need to paste in the following:

[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = DNS:psc01.contoso.ad, DNS:psc02.contoso.ad, DNS:pscvip01.contoso.ad
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = Washington
localityName = Seattle
0.organizationName = Contoso
organizationalUnitName = Contoso, Inc.
commonName = pscvip01.contoso.ad

Things to note:

  • subjectAltName = This needs to have the FQDN of all of your PSCs in that single site along with the FQDN of your VIP
  • commonName = This will be the FQDN of your VIP
  • Make sure you change countryName, stateOrProvinceName, localityName, 0.organizationName and organizationalUnitName
  6. Once all of that is pasted in and edited, hit ESC and then type: :wq
  7. Now type: openssl req -new -nodes -out /certs/psc_ha_vip.csr -newkey rsa:2048 -keyout /certs/psc_ha_vip.key -config /certs/psc_ha_csr_cfg.cfg

  8. Now type: openssl x509 -req -days 1094 -in /certs/psc_ha_vip.csr -out /certs/psc_ha_vip.crt -CA /var/lib/vmware/vmca/root.cer -CAkey /var/lib/vmware/vmca/privatekey.pem -extensions v3_req -CAcreateserial -extfile /certs/psc_ha_csr_cfg.cfg

This signs the CSR with the VMCA root certificate and its corresponding private key. We have to do it this way because the certificate-manager tool cannot handle SANs properly (even though certificate-manager claims you can enter multiple FQDNs, it drops all of them except the first one, which seems like a bug to me). Note that the validity period is 1094 days in my example. You can adjust this for your particular organizational requirements.

  9. Now type the following to copy the CA chain certificate out of the VMCA and into the /certs folder for easier access: cp /var/lib/vmware/vmca/root.cer /certs/cachain.crt
  10. The next commands create the new Machine SSL certificate chain by combining the certificate we just signed with the VMCA root certificate. The resulting chain file is the one we will hand to certificate-manager later; it is simply the contents of the two files concatenated into one:

cat /certs/psc_ha_vip.crt >> /certs/psc_ha_vip_chain.crt
cat /certs/cachain.crt >> /certs/psc_ha_vip_chain.crt

  11. Now type the following: openssl x509 -in /certs/psc_ha_vip_chain.crt -noout -text

This will display a fairly large amount of text. Here is what we want to validate:

Issuer = Make sure this has the VMCA information in it.
Subject = Make sure this has the right information for the PSC along with the VIP FQDN
DNS = This has all of your SANs displayed (your PSCs and VIP FQDN)
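The three checks above can be scripted instead of eyeballed. The following is an added example, not part of the original post: it recreates the CSR, signing and chain steps against a constructed stand-in for the VMCA root (the real /var/lib/vmware/vmca/root.cer and privatekey.pem are not used), with a shortened DN, and then verifies the Subject CN, every SAN entry and the chain to the CA.

```shell
#!/bin/sh
# Added example, not from the original post: recreates the CSR -> signed cert -> chain
# steps against a CONSTRUCTED stand-in CA, then checks CN, SAN and chain automatically.
set -eu
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
VIP=pscvip01.contoso.ad; PSCS="psc01.contoso.ad psc02.contoso.ad"
san=""; for h in $PSCS $VIP; do san="${san:+$san,}DNS:$h"; done
# Request config: same shape as the post's (DN shortened); SAN = every PSC plus the VIP.
cat > "$W/psc_ha_csr_cfg.cfg" <<EOF
[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = $san
[ req_distinguished_name ]
countryName = US
0.organizationName = Contoso
commonName = $VIP
[ ca_ext ]
basicConstraints = critical, CA:true
EOF
# Stand-in for /var/lib/vmware/vmca/root.cer + privatekey.pem (constructed, not the real VMCA).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/O=VMCA-STANDIN/CN=CA" \
  -config "$W/psc_ha_csr_cfg.cfg" -extensions ca_ext -keyout "$W/privatekey.pem" -out "$W/root.cer" 2>/dev/null
# The post's CSR and signing commands; -extensions v3_req carries the SANs into the cert.
openssl req -new -nodes -newkey rsa:2048 -keyout "$W/psc_ha_vip.key" -out "$W/psc_ha_vip.csr" \
  -config "$W/psc_ha_csr_cfg.cfg" 2>/dev/null
openssl x509 -req -days 1094 -in "$W/psc_ha_vip.csr" -CA "$W/root.cer" -CAkey "$W/privatekey.pem" \
  -CAcreateserial -extensions v3_req -extfile "$W/psc_ha_csr_cfg.cfg" -out "$W/psc_ha_vip.crt" 2>/dev/null
cat "$W/psc_ha_vip.crt" "$W/root.cer" > "$W/psc_ha_vip_chain.crt"   # leaf first, then CA
# Returns 0 only if the leaf CN is the VIP, its SAN covers the VIP and every PSC, and it validates
# against the CA file. "openssl x509" reads only the FIRST cert in a file, so the leaf must come first.
check_psc_cert() { # args: chain_file ca_file vip psc_fqdn...
  chain=$1; ca=$2; vip=$3; shift 3
  text=$(openssl x509 -in "$chain" -noout -text)
  printf '%s\n' "$text" | grep -q "Subject:.*CN *= *$vip" || { echo "CN is not $vip"; return 1; }
  sanline=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | tail -n 1)
  for h in "$vip" "$@"; do
    case "$sanline" in *"DNS:$h"*) ;; *) echo "SAN lacks $h"; return 1 ;; esac
  done
  openssl x509 -in "$chain" | openssl verify -CAfile "$ca" >/dev/null 2>&1 \
    || { echo "leaf does not chain to the CA"; return 1; }
  echo "certificate checks passed"
}
check_psc_cert "$W/psc_ha_vip_chain.crt" "$W/root.cer" "$VIP" $PSCS
```

On a real PSC, point the function at /certs/psc_ha_vip_chain.crt and /certs/cachain.crt; a missing PSC name or a VIP that is not the CN is reported instead of being silently accepted.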

  12. Type: /usr/lib/vmware-vmca/bin/certificate-manager
  13. Type: 1
  14. Enter in the administrator username and password
  15. Type: 2
  16. Type: /certs/psc_ha_vip_chain.crt
  17. Type: /certs/psc_ha_vip.key
  18. Type: /certs/cachain.crt
  19. Type: Y

  20. It will now walk through configuring the PSC Machine Cert. This will take a few minutes. At the end of it, services will be restarted.
  21. If vCenter isn’t attached yet, you can ignore the messages about restarting the vCenter Services. If it is attached, you will have to restart vCenter services as indicated.
  22. Now open https://PSC-FQDN of the first PSC in your browser of choice. Make sure that the web site is secure and open the certificate itself. Make sure the Subject Alternative Name has all of your SANs.
  23. Make sure the Certification path has the full chain of certificates all the way down to the VIP FQDN.
  24. Now we need to update the second PSC. Note: You are going to use the same certificate that you used on the first PSC. So we need to copy over the following files from the first PSC to the second PSC:

/certs/psc_ha_vip_chain.crt
/certs/psc_ha_vip.key
/certs/cachain.crt

  25. To move them, you can WinSCP into the PSCs. You can follow this to connect: https://kb.vmware.com/s/article/2107727
  26. Once you have those files copied over to your second PSC (you might as well put them in the /certs directory also) you can do the following:
  27. Type: /usr/lib/vmware-vmca/bin/certificate-manager
  28. Type: 1
  29. Enter in the administrator username and password
  30. Type: 2
  31. Type: /certs/psc_ha_vip_chain.crt
  32. Type: /certs/psc_ha_vip.key
  33. Type: /certs/cachain.crt
  34. Type: Y
  35. Now open https://PSC-FQDN of the second PSC in your browser of choice. Make sure that the web site is secure and open the certificate itself. Make sure the Subject Alternative Name has all of your SANs.
  36. Make sure the Certification path has the full chain of certificates all the way down to the VIP FQDN.

If you have a second site, follow this section again on those PSCs before you continue.

vSphere 6.5 Update 2 PSC Load Balancing Configuration Scripts

There are a couple of scripts that need to be run on the PSCs. You will want to SSH into all of them.

  1. Type: cd /usr/lib/vmware-sso/bin
  2. Type:
    • For both of the PSCs in the first site: python updateSSOConfig.py --lb-fqdn=pscvip01.contoso.ad (note that you will have to change the --lb-fqdn switch to whatever the actual name is for your VIP)
    • For both of the PSCs in the second site: python updateSSOConfig.py --lb-fqdn=pscvip02.contoso.ad (note that you will have to change the --lb-fqdn switch to whatever the actual name is)
    • These commands will take a minute to complete as they stop all services and start them back up. I would do one PSC at a time before moving on to the next.
  3. Now, you will run the following command on just ONE of the PSCs in each site. NOTE: These commands assume this is a brand new installation and you are using SSL Passthrough on your Load Balancer (meaning no SSL certificates are on the Load Balancer). There are other commands for SSL Termination, Upgrades, etc.
    • Site 1: python UpdateLsEndpoint.py --lb-fqdn=pscvip01.contoso.ad --user=administrator@vsphere.local --password=VMware1!  (changing --lb-fqdn to the FQDN VIP of your first site)
    • Site 2: python UpdateLsEndpoint.py --lb-fqdn=pscvip02.contoso.ad --user=administrator@vsphere.local --password=VMware1!  (changing --lb-fqdn to the FQDN VIP of your second site)
  4. During the execution of these commands, a bunch of stuff will scroll on the screen for a few minutes.

Further Reading

Now that we have the PSCs completely set up, we can move on to Part 3 of the configuration and start on vCenter.
