You may have recently heard about the new vCenter SSO (Single Sign-On) feature that is now part of the latest release of vSphere 5.1 which provides centralized authentication and directory services (supports multiple identify sources) across your vCenter Servers. vCenter SSO also provides a true single pane of glass for managing and viewing all your vSphere infrastructure and solutions, unlike it's predecessor Linked Mode feature, which many used to get a centralized view of all their vCenter Servers but without the true single-sign on capabilities.
Note: If you would like to learn more about the new vCenter SSO, I would recommend you take a look at the What's New vCenter Server 5.1 whitepaper by Justin King.
I really love the new vCenter SSO feature, especially in my home lab where I have several vCenter Server 5.0 and 5.1 hosts running and I can view all of them in a single interface! One thing I tend to do a lot in my lab is automated deployments (you probably might have already guessed) and though the configuration web interface for vCenter Server is pretty easy to use, there is still a lot of clicking involved (as you know, I hate clicking a lot).
Just like with automating VCSA 5.1 deployments, I also looked into automating the joining of a VCSA to an existing vCenter SSO server. The example below will outline configuring a single VCSA to act as the primary vCenter SSO server and then configure two additional VCSA which will then connect to this primary vCenter Server providing them SSO capabilities.You can also run through this manually through the configuration web interface for each VCSA, but as mentioned earlier, it is manual and did I forget to mention ... tedious!
Disclaimer: This is for educational purposes only, this is not officially supported by VMware. Please test this in a development environment before using it on actual systems.
Step 1 - Configure your primary VCSA which will be the main SSO server. You will be leveraging the same script as shown in this article.
Step 2 - Next, you will need to configure you secondary and tertiary (or n-others) VCSA using a similar script as in Step 1, but instead of configuring for an embedded SSO server, it will connect to the external SSO server which is specified by the IP Address or hostname of your primary VCSA.
Here is a script with the minimal commands needed for configuring your additional VCSA:
Note: Make sure you update the PRIMARY_VC variable to reflect the IP Address or hostname of your primary VCSA that was configured in Step 1
You will notice the output to be very similar, but it actually queries for the primary VCSA's lookupservice SSL thumbprint to configure the VCSA to use an external SSO server.
Once you have successfully deployed and configure your additional VCSA servers, you should now be able to login to your primary VCSA and view all your vCenter Servers in the inventory.
Is this not a cool feature!? You no longer have to manage dozen of vSphere C# Clients to get a view of your vSphere infrastructure!
surya says
Hi william,
How to configure VCSA 5.1 as webclient server and how to enable only webclient in VCSA.When i am tried to start the webclient in command line its not starting.i am getting below error.
/etc/init.d/vsphere-client start
File /etc/vmware/ls_url.txt is missing.
regards
Surya
William says
@surya,
This is definitely possible, in 5.1 the process is a little bit different. I'm working on this and will share once I have more details.
mynamemet says
We got a similar error on customer's machine and all i did was to get the content of that file from a test vcenter appliance and it has only one entry in that text file.
https://x.x.x.x:7444/lookupservice/sdk
Used the touch command to create a new txt file with same name and i was able to start the webclient service on the machine.
Loren says
Hello, do you know if it's possible to set up the VCSA SSO instance in a multi-site or HA configuration? I read through all the documentation I could find on these configurations, but it only seems to apply to the Windows version of SSO.
Thanks,
-Loren
Justin King says
VCSA can only run as a standalone SSO server or be a slave in HA or multisite configurations
Justin
Loren says
Thanks Justin. That's too bad. Was hoping for full equivalence in VCSA 5.1. It is so much easier to set up compared to the Windows version.
I'm guessing that's the 'external' option in the VCSA config? I think I saw that only supports Oracle, though. We're mostly a SQL shop. Oh well.
Maybe I can still use the VCSA for only the web client...
Lycan says
Hello William,
I have three vCenter appliances, where i am using the SSO of the first vCVA and pointing the other two vCVA to the first vCVA's SSO.
All the vCVAs shows up when i login to any web client.
But, i get a warning message which says failed to verify the ssl certificate of one or more vCenter server. http://IP_Address:443/sdk.
I tried deleting the solution users and re-registering the one vCenter back to SSO and regenerated the certs using fqdn but i still see the same warning message on the web client.
William Lam says
Have you tried to re-generated the SSL certificates? Perhaps you might have changed the IP Address or hostname after it's initial deployment which might explain why you're seeing that?
Wolverine_logan says
Hi William,
I also work for VMware tech Support and i am a huge fan of your work.
The issue in this case there were solution users with stale entries but i did not remove them from the command line, removing the stale entries for the other vCenter fixed the issue.
I also happen to find the clear command only at your other article for removing solution users from your article 😀
Thanks a ton Sir!
William Lam says
Glad to hear you got the issue resolve and thanks for sharing!