ESX Virtualization

VMware ESXi, vSphere, VMware Backup, Hyper-V... how-to, videos....

Nakivo Backup and Replication - #1 Backup solution for Virtual, physical, cloud, NAS and SaaS

What is VMware Platform Service Controller (PSC)?

By | Last Updated:

Shares

Several folks asked me recently What is VMware Platform Service Controller. I've published few guides on VMware vCenter Server Appliance (VCSA), the migration of vCenter to VCSA or in-place migration of Windows based vCenter but I think that I have not published enough information about VMware Platform Service Controller (PSC). Hence this post.

VMware PSC is not new. It was a part of vSphere 6.0 where it assured a number of services already. Services such as VMware Appliance Management Service, VMware License Service, VMware Component Manager, VMware Identity Management Service, VMware HTTP Reverse Proxy, VMware Service Control Agent, VMware Security Token Service, VMware Common Logging Service, VMware Syslog Health Service, VMware Authentication Framework, VMware Certificate Service, VMware Directory Service.

VMware PSC when deployed separately, in a separate VM, it deploys only the services bundled with the PSC, not the vCenter specific services. There are different topologies which exists and which has advantages or inconveniences.

PSC user interface allows many tasks already.

Such as:

  • Adding and Editing Users and Groups for Single Sign-On
  • Adding Single Sign-On Identity Sources
  • Configuring Single Sign-On Policies (for example Password Policies)
  • Adding Certificate Stores
  • Adding and Revoking Certificates

PSC allows:

  • Authentication via vCenter Single Sign-On (SSO)
  • Provision ESXi hosts with VMware Certificate manager (VMCA) certificates by default
  • Use custom certificates stored in VMware Endpoint Certificate store (VECS).

VMware Platform Service Controller

Using single PSC in Single domain

The most simple are to deploy VMware PSC and vCenter server on a single VM, together. As such, the PSC component does not need a network connection to the vCenter server (as it communicates already, it is within the same VM).

TIPHow to deploy VMware VCSA 6.5 (VMware vCenter Server Appliance)

vCenter with embedded PSC

Further, it has some following advantages:

  • Fewer Windows Licenses
  • Fewer Virtual machines to manage
  • Using fewer resources

Disadvantages:

  • Suitable for smaller-scale environments only
  • Single sign-on domain only

Using multiple PSCs in single domain

Single PSC has several vCenter servers “hooked” into it.

Two vCenters talking to the same PSC

Advantages:

  • can assure HA with an external load balancer

Disadvantages

  • consumes more resources

The notion of a site, vSphere domain, Domain names….

PSC Domain – when installing PSC, there is a prompt to create vCenter SingleSign-On Domain (SSO) or join an existing domain. The domain name is used by VMware directory service for their internal LDAP structuring. You should always use another name then you're using for your Microsoft AD, Open LDAP or other directory services within your organization.

PSC Site – You can organize PSC domains into logical sites. A site in the VMware Directory Service is a logical container for grouping PSC instances within a vCenter Single Sign-On domain.

PSC can also be deployed without a load balancer, but in this case, in a case of failure the PSC, you must manually fail over the vCenter Server instances that are registered to it by repointing them to other functional PSC instances within the same site.

PSC without load balancer

Know that other types of deployments exist which we will sum here:

  • Mixed Operating system – Windows VM hosting PSC with two or more VMs running Windows based vCenters, hooked into PSC.
  • External PSC with a load balancer
  • External PSCs with a Load balancer on multiple sites – you must install or deploy at least two joined PSC instances in your vCenter SSO domain.

External PSCs with two load balancers across two sites

Platform Service Controller (PSC) services:

There is quite a few of them in vSphere 6.5.

  • VMware Appliance Management Service – (applmgmt) – appliance configuration and provides public API endpoints for appliance lifecycle management. Included on the Platform Services Controller appliance.
  • VMware License Service  – (vmware-cis-license)  -Each PSC includes VMware License Service, which manages and delivers centralized licenses and has a reporting functionality to VMware products in your environment. The license service inventory replicates across all Platform Services Controller in the domain at 30-second intervals.
  • VMware Component Manager – (vmware-cm) – offers service registration and lookup.
  • VMware PSC client – (vmware-psc-client) – it is the back end to the PSC web UI.
  • VMware Identity Management service – (vmware-sts-idmd) – those are the services for vCenter SSO, for authentication to VMware software components and users.
  • VMware Security Token Service – (vmware-stsd) – SAML token exchange mechanism.
  • VMware HTTP Reverse proxy – (vmware-rhttpproxy ) – this proxy runs on every PSC and in each vCenter Server. It is an entry point into the node. Allows secure communication between services running on the node.
  • VMware Service Control Agent – (vmware-sca) – Manages service configurations. You can use the service-control CLI to manage individual service configurations.
  • VMware Appliance Monitoring Service – (vmware-statsmonitor) – monitors vCSA Guest OS system ressources utilization and performance.
  • VMware vAPI Endpoint – (vmware-vapi-endpoint) – single point of access to vAAPI services
  • VMware Authentication Framework – (vmafdd) – services for a client-side framework for vmdir authentication and serves the VMware Endpoint Certificate Store (VECS).
  • VMware Certificate Service – (vmcad) – uses the VMware Endpoint Certificate Store (VECS) to serve as a local repository for certificates on every Platform Services Controller instance. Although you can decide not to use VMCA and instead can use custom certificates, you must add the certificates to VECS. 
  • VMware Directory Service – (vmdir) –  multitenant, multimastered LDAP directory service that stores authentication, certificate, lookup, and license information.
  • VMware Lifecycle Manager API – (vmonapi) – start and stop vCenter server services and monitor service API health.
  • VMware Service Lifecycle Manager – (vmware-vmon) – is centralized platform-independent service the manages the lifecycle of PSC and vCenter server.
  • Likewise Service Manager – (lwsmd) – enables joining the host to a Microsoft Active Directory domain and then authentication of users through AD.

Wrap up:

Most of the time you can stick with single VM where vCenter server and PSC collaborate together. If you want enhanced linked mode for your vCenter, and being able to manage several sites within a single console, than you'll probbably deploy an external PSC, or 2 external PSCs behind a load balancer. You should know that not all load balancers are supported. Only F5, Netscaler, and NSX are supported. Nginix, haproxy, A10, etc are not supported.

Check more articles from ESX Virtualization:

Stay tuned through RSS, and social media channels (Twitter, FB, YouTube)

Shares
4.7/5 - (3 votes)

About Vladan SEGET

This website is maintained by Vladan SEGET. Vladan is as an Independent consultant, professional blogger, vExpert x16, Veeam Vanguard x9, VCAP-DCA/DCD, ESX Virtualization site has started as a simple bookmarking site, but quickly found a large following of readers and subscribers.

Connect on: Facebook. Feel free to network via Twitter @vladan.