Updated 29-08-2016
Configuring PSC HA to utilise SSL Pass-through basically means the Load Balancer VIP terminates no TLS and carries no SSL certificate of its own; the client's TLS session passes straight through to whichever PSC the load balancer picks. For this to work, every PSC in the PSC HA Cluster must present the same certificate.
It also means that if you suspect your load balancer may be the cause of an issue, you can make vCenter bypass the load balancer and talk directly to one PSC by creating a hosts file entry on the vCenter which maps the IP of that PSC to the Load Balanced FQDN.
Disclaimer: This process isn’t officially supported by VMware GSS
Initial “Day 1” deployment & setup
(I’m using PSC 6.0 Appliances, the same process can be used for Windows, just translate the relevant paths)
In the examples below my two PSCs are called psc-ha-a.domain.com and psc-ha-b.domain.com, with the load balanced name being psc-ha-vip.domain.com. Obviously change these to match your own environment.
In this first pass we will just use the default VMCA certificates. If you wish to make VMCA a Subordinate CA, you can do that after you deploy the PSCs but before you generate any certificates.
1. Configure your Load Balancer
I’m most familiar with the F5 BIG-IP Load Balancer. VMware documents the configuration needed in the following KB.
Configuring F5 BIG-IP Load Balancer for use with vSphere Platform Services Controller (PSC) 6.0
Since we’re using SSL Pass-through, we don’t need a certificate on the load balancer, so you can skip the sections titled “Uploading Certificates to the F5 BIG-IP” and “SSL Client/Server Profiles” in the above KB.
2. Deploy two (or more) PSC 6.0 in the same SSO Site.
Deploy two PSC 6.0 Appliances, making sure that both exist in the same SSO Site. If you have additional PSCs that you do not want to be part of this PSC HA setup, ensure that they exist in their own SSO Site.
3. Download the PSC HA scripts.
Download PSC HA Scripts from VMware
Extract the contents of the zip to /ha on the First PSC.
4. Edit the “gen-lb-cert.py” script
Edit the gen-lb-cert.py file and comment out the following section. The existing script tries to generate a certificate for you, but we need to generate this certificate ourselves so that it contains all the required FQDNs.
#if env.primary_node == True:
#    createdir()
#    shutil.copyfile(env.srcfile,env.dstfile)
#
#    args = ["--genkey", "--privkey="+env.lb_key_file, "--pubkey="+env.lb_key_pub_file, "--config="+env.certool_cfg]
#
#    output = certoolCmd(args[0:])
#
#    del args[:]
#    args = ["--gencert","--priv="+env.lb_key_file,"--Name="+env._LB_FQDN,"--FQDN="+env._LB_FQDN,"--Hostname="+env._LB_FQDN,
#            "--cert="+env.lb_crt_file,"--server=localhost", "--config="+env.certool_cfg]
#    output = certoolCmd(args[0:])
#    print output
#
#    del args[:]
#
#    args = ["pkcs12","-export","-in", env.lb_crt_file, "-inkey", env.lb_key_file, "-out", env.lb_p12_file,
#            "-name", "ssoserver","-passout","pass:"+env.cert_password,"-CAfile",env.dstfile,"-caname","rootca"]
#    output = opensslCmd(args[0:])
#
#    del args[:]
#    args = [ "rsa", "-in", env.lb_key_file, "-out", env.lb_rsa_key]
#    output = opensslCmd(args[0:])
5. Configure some certificate config files
Create a cfg file /ha/psc_ha_csr_cfg.cfg which contains the certificate Subject Information and, as Subject Alternative Names, both PSC FQDNs plus the Load Balanced VIP FQDN:
[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = DNS:psc-ha-a.domain.com, DNS:psc-ha-b.domain.com, DNS:psc-ha-vip.domain.com

[ req_distinguished_name ]
countryName = IE
stateOrProvinceName = Cork
localityName = Cork
0.organizationName = VMware
organizationalUnitName = vTSU
commonName = psc-ha-vip.domain.com
6. Generate a certificate from VMCA
Run the following two commands to generate the private key and CSR, then sign the CSR with the VMCA root to produce the certificate:
openssl req -new -nodes -out /ha/lb.csr -newkey rsa:2048 -keyout /ha/lb.key -config /ha/psc_ha_csr_cfg.cfg
openssl x509 -req -days 3650 -in /ha/lb.csr -out /ha/lb.crt -CA /var/lib/vmware/vmca/root.cer -CAkey /var/lib/vmware/vmca/privatekey.pem -extensions v3_req -CAcreateserial -extfile /ha/psc_ha_csr_cfg.cfg
Prepare the certificate chain (leaf certificate followed by the VMCA root) for use with the Certificate-Manager later:
cat /ha/lb.crt >> /ha/lb-chain.crt
cat /var/lib/vmware/vmca/root.cer >> /ha/lb-chain.crt
7. Run the “Primary Node” script
python gen-lb-cert.py --primary-node --lb-fqdn=psc-ha-vip.domain.com
8. Update the MachineSSL on the First PSC
Launch the Certificate-Manager and select Option 1, then select sub Option 2.
/usr/lib/vmware-vmca/bin/certificate-manager
Provide the lb-chain.crt, lb.key and root.cer when prompted:
Please provide valid custom certificate for Machine SSL.
File : /ha/lb-chain.crt
Please provide valid custom key for Machine SSL.
File : /ha/lb.key
Please provide the signing certificate of the Machine SSL certificate
File : /var/lib/vmware/vmca/root.cer
9. Copy the STS cert, Scripts & Certs to the additional PSC
Copy the STS certs to the /ha directory:
mkdir /ha/keys
cp /etc/vmware-sso/keys/* /ha/keys
Copy the entire /ha directory to the additional PSC using scp.
scp -r /ha root@psc-ha-b.domain.com:/
10. Run the “Secondary Node” script on the additional PSC
python gen-lb-cert.py --secondary-node --lb-fqdn=psc-ha-vip.domain.com --lb-cert-folder=/ha --sso-serversign-folder=/ha/keys
11. Update the MachineSSL on the additional PSC
Launch the Certificate-Manager and select Option 1, then select sub Option 2.
/usr/lib/vmware-vmca/bin/certificate-manager
Provide the lb-chain.crt, lb.key and root.cer when prompted:
Please provide valid custom certificate for Machine SSL.
File : /ha/lb-chain.crt
Please provide valid custom key for Machine SSL.
File : /ha/lb.key
Please provide the signing certificate of the Machine SSL certificate
File : /var/lib/vmware/vmca/root.cer
12. Run the “lstoolHA.py” script on the First PSC
python lstoolHA.py --hostname=psc-ha-a.domain.com --lb-fqdn=psc-ha-vip.domain.com --lb-cert-folder=/ha --user=Administrator@vsphere.local
13. Deploy vCenter Server
At this point you should be able to deploy vCenter Server 6.0 using your load balanced PSC FQDN as the target PSC.
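The whole procedure hinges on the one requirement from the introduction: the Machine SSL certificate must list both PSC FQDNs and the VIP, and both PSCs must present the identical certificate. The following helper is an added example, not part of VMware's PSC HA scripts; it assumes the openssl CLI is installed, and its demo() stands in a throwaway root CA for /var/lib/vmware/vmca/root.cer so it runs offline.

```shell
# Added verification helper (not VMware code): check that a Machine SSL cert lists
# every PSC FQDN plus the VIP, and that two PEM copies are the same certificate.
set -eu

# SHA-256 fingerprint of a PEM certificate; identical certs give identical output.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Leaf certificate a live endpoint presents (run against each PSC and the VIP).
fetch_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null | openssl x509
}

# Succeed only if subjectAltName contains every name given, compared as whole
# entries so that "psc-ha-vip.domain.com.example" cannot match by prefix.
cert_has_sans() {
    cert=$1; shift
    sans=$(openssl x509 -in "$cert" -noout -text \
        | awk '/Subject Alternative Name/{getline; print}' | tr -d ' ')
    for name in "$@"; do
        case ",$sans," in
            *",DNS:$name,"*) ;;
            *) echo "missing SAN: $name" >&2; return 1 ;;
        esac
    done
}

# Constructed offline demo: repeat steps 5-6 with a throwaway root CA instead of
# the VMCA root, then check the cert as both PSCs would hold it (cwd moves to tmp).
demo() {
    tmp=$(mktemp -d) && cd "$tmp"
    cat > psc_ha_csr_cfg.cfg <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt = no
req_extensions = v3_req
[ v3_req ]
subjectAltName = DNS:psc-ha-a.domain.com, DNS:psc-ha-b.domain.com, DNS:psc-ha-vip.domain.com
[ req_distinguished_name ]
commonName = psc-ha-vip.domain.com
EOF
    openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj /CN=demo-root -keyout ca.key -out ca.cer 2>/dev/null
    openssl req -new -nodes -newkey rsa:2048 -keyout lb.key -out lb.csr -config psc_ha_csr_cfg.cfg 2>/dev/null
    openssl x509 -req -days 3650 -in lb.csr -out lb.crt -CA ca.cer -CAkey ca.key -CAcreateserial -extensions v3_req -extfile psc_ha_csr_cfg.cfg 2>/dev/null
    cp lb.crt lb-on-psc-b.crt    # stands in for the scp of /ha to the second PSC
    cert_has_sans lb.crt psc-ha-a.domain.com psc-ha-b.domain.com psc-ha-vip.domain.com
    [ "$(cert_fingerprint lb.crt)" = "$(cert_fingerprint lb-on-psc-b.crt)" ]
}
```

Against a real deployment, save fetch_cert output for psc-ha-a, psc-ha-b and psc-ha-vip to files and run cert_has_sans and cert_fingerprint over them; any fingerprint mismatch means one node still serves a different Machine SSL certificate.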