Several folks asked me recently What is VMware Platform Service Controller. I’ve published few guides on VMware vCenter Server Appliance (VCSA), the migration of vCenter to VCSA or in-place migration of Windows based vCenter but I think that I have not published enough information about VMware Platform Service Controller (PSC). Hence this post.
VMware PSC is not new. It was a part of vSphere 6.0 where it assured a number of services already. Services such as VMware Appliance Management Service, VMware License Service, VMware Component Manager, VMware Identity Management Service, VMware HTTP Reverse Proxy, VMware Service Control Agent, VMware Security Token Service, VMware Common Logging Service, VMware Syslog Health Service, VMware Authentication Framework, VMware Certificate Service, VMware Directory Service.
VMware PSC when deployed separately, in a separate VM, it deploys only the services bundled with the PSC, not the vCenter specific services. There are different topologies which exists and which has advantages or inconveniences.
PSC user interface allows many tasks already.
- Adding and Editing Users and Groups for Single Sign-On
- Adding Single Sign-On Identity Sources
- Configuring Single Sign-On Policies (for example Password Policies)
- Adding Certificate Stores
- Adding and Revoking Certificates
- Authentication via vCenter Single Sign-On (SSO)
- Provision ESXi hosts with VMware Certificate manager (VMCA) certificates by default
- Use custom certificates stored in VMware Endpoint Certificate store (VECS).
Using single PSC in Single domain
The most simple are to deploy VMware PSC and vCenter server on a single VM, together. As such, the PSC component does not need a network connection to the vCenter server (as it communicates already, it is within the same VM).
Further, it has some following advantages:
- Fewer Windows Licenses
- Fewer Virtual machines to manage
- Using fewer resources
- Suitable for smaller-scale environments only
- Single sign-on domain only
Using multiple PSCs in single domain
Single PSC has several vCenter servers “hooked” into it.
- can assure HA with an external load balancer
- consumes more resources
The notion of a site, vSphere domain, Domain names….
PSC Domain – when installing PSC, there is a prompt to create vCenter SingleSign-On Domain (SSO) or join an existing domain. The domain name is used by VMware directory service for their internal LDAP structuring. You should always use another name then you’re using for your Microsoft AD, Open LDAP or other directory services within your organization.
PSC Site – You can organize PSC domains into logical sites. A site in the VMware Directory Service is a logical container for grouping PSC instances within a vCenter Single Sign-On domain.
PSC can also be deployed without a load balancer, but in this case, in a case of failure the PSC, you must manually fail over the vCenter Server instances that are registered to it by repointing them to other functional PSC instances within the same site.
Know that other types of deployments exist which we will sum here:
- Mixed Operating system – Windows VM hosting PSC with two or more VMs running Windows based vCenters, hooked into PSC.
- External PSC with a load balancer
- External PSCs with a Load balancer on multiple sites – you must install or deploy at least two joined PSC instances in your vCenter SSO domain.
Platform Service Controller (PSC) services:
There is quite a few of them in vSphere 6.5.
- VMware Appliance Management Service – (applmgmt) – appliance configuration and provides public API endpoints for appliance lifecycle management. Included on the Platform Services Controller appliance.
- VMware License Service – (vmware-cis-license) -Each PSC includes VMware License Service, which manages and delivers centralized licenses and has a reporting functionality to VMware products in your environment. The license service inventory replicates across all Platform Services Controller in the domain at 30-second intervals.
- VMware Component Manager – (vmware-cm) – offers service registration and lookup.
- VMware PSC client – (vmware-psc-client) – it is the back end to the PSC web UI.
- VMware Identity Management service – (vmware-sts-idmd) – those are the services for vCenter SSO, for authentication to VMware software components and users.
- VMware Security Token Service – (vmware-stsd) – SAML token exchange mechanism.
- VMware HTTP Reverse proxy – (vmware-rhttpproxy ) – this proxy runs on every PSC and in each vCenter Server. It is an entry point into the node. Allows secure communication between services running on the node.
- VMware Service Control Agent – (vmware-sca) – Manages service configurations. You can use the service-control CLI to manage individual service configurations.
- VMware Appliance Monitoring Service – (vmware-statsmonitor) – monitors vCSA Guest OS system ressources utilization and performance.
- VMware vAPI Endpoint – (vmware-vapi-endpoint) – single point of access to vAAPI services
- VMware Authentication Framework – (vmafdd) – services for a client-side framework for vmdir authentication and serves the VMware Endpoint Certificate Store (VECS).
- VMware Certificate Service – (vmcad) – uses the VMware Endpoint Certificate Store (VECS) to serve as a local repository for certificates on every Platform Services Controller instance. Although you can decide not to use VMCA and instead can use custom certificates, you must add the certificates to VECS.
- VMware Directory Service – (vmdir) – multitenant, multimastered LDAP directory service that stores authentication, certificate, lookup, and license information.
- VMware Lifecycle Manager API – (vmonapi) – start and stop vCenter server services and monitor service API health.
- VMware Service Lifecycle Manager – (vmware-vmon) – is centralized platform-independent service the manages the lifecycle of PSC and vCenter server.
- Likewise Service Manager – (lwsmd) – enables joining the host to a Microsoft Active Directory domain and then authentication of users through AD.
Most of the time you can stick with single VM where vCenter server and PSC collaborate together. If you want enhanced linked mode for your vCenter, and being able to manage several sites within a single console, than you’ll probbably deploy an external PSC, or 2 external PSCs behind a load balancer. You should know that not all load balancers are supported. Only F5, Netscaler, and NSX are supported. Nginix, haproxy, A10, etc are not supported.
Check more articles from ESX Virtualization:
- vSphere 6.5
- How to Configure VMware High Availability (HA) Cluster
- Free Tools
- How to reset root password in vCenter Server Appliance 6.5
- How to Migrate Windows Based vCenter to VCSA 6.5 [Lab] – Windows to Linux
- VMware VCSA 6.5 Active-Passive Setup with Simple Configuration – [LAB]
- VMware vCSA 6.5 HA Failover Test – Video
- VMware VCSA 6.5 Backup and Restore How-To