With the release last week of vSphere 6.0 also came the introduction of the Platform Services Controller (PSC). The Platform Services Controller combines Single Sign-On (SSO 2.0), Licensing and the VMware Certificate Authority. When you are installing vCenter Server, you have the option to embed the PSC on the same server as vCenter Server or deploy it externally. During an upgrade, the PSC is placed wherever SSO currently resides.
There are three common configurations for vRA 6.x and SSO today:
- vRA uses the Identity Virtual Appliance (IDVA) for its SSO authentication
- vRA uses the SSO embedded in a vCenter instance directly
- vRA uses clustered Windows-based vCenter Single Sign-On U2 in HA configuration
With the release of vSphere 6.0, it is possible to upgrade the SSO 2.0 instances from configurations #2 and #3 above to use the PSC. It is also possible to migrate from the Identity Virtual Appliance (IDVA) to the PSC.
New installations of the PSC and vRealize Automation 6.2.1 will work just fine. However, there are a few known issues and limitations with certain scenarios when upgrading from SSO 2.0 to the PSC with vRealize Automation 6.2.1. Knowledge Base articles and documentation updates are in the works, and some issues will be addressed in an upcoming fix for the PSC. Below is a list of the issues that have been identified. I will update it with KB or doc references, or when fixes are released!
- Default tenant must remain “vsphere.local”. The new PSC allows you to change the name of the default tenant, but the vRA installation does not allow this to be overridden. So for now, you need to stick with the old default value for your default tenant if you will be deploying a PSC for use with vRA.
- The 5.5 version of the Client Integration Plugin does not work with PSC. If you currently have vRA configured with Native AD using SSO and users have the 5.5 Client Integration Plugin installed, the newest version will need to be installed by users for use with PSC. The plugin is specific to the vCenter version, so upgrading to the latest will make it incompatible with vCenter 5.5 instances (just so you are aware). You can download the Client Integration Plugin from here
- After upgrading from vSphere 5.5U2 to 6.0, port 7444 is no longer valid for communicating with the PSC for authentication. If a vRA login attempt results in a 404 error, the port for SSO must be changed to 443. For this reason, you should change the port on the vRA VAMI SSO tab to 443 as part of the upgrade process.
- After upgrading from vSphere 5.5U2 to 6.0, the vRA Identity Store configuration for non-default tenants held within PSC is missing and tenant configuration cannot be accessed. A workaround KB article is pending. Expected fix: vSphere 6.0 EP01.
- After upgrading from vSphere 5.5U2 to 6.0, the vRA tenants that were previously created (other than the default vsphere.local) cannot be updated due to a missing group in the Lotus database of the PSC. The workaround can be found in KB#2109719. Expected fix: vSphere 6.0 EP01.
Kim Delgado is a Sr Solutions Engineer at VMware. She can be reached at @KCDAutomate