WilliamLam.com

Hybrid environment leveraging SSO Multi-Master Replication between vCenter Server for Windows & VCSA

by // 13 Comments

In vSphere 5.5, the SSO (Single-Sign On) component has been completely re-designed to help simplify the management of your SSO Server(s). A built-in automatic multi-master replication architecture is now used to ensure that all SSO instances are always kept in synced. This works great for a pure Windows based environment but what if you wanted to run a hybrid environment that includes a mix of vCenter Server on Windows and the VCSA (vCenter Server Appliance)?

A great use case for this would be for ROBO site management for which you want to simplify the deployment and management of these sites from a centralized location. Instead of deploying additional vCenter Servers on Windows and spend more on Windows licenses, you could leverage the VCSA. With this hybrid model you can still gain all the benefits of having a distributed SSO security domain as well as a centralized place for managing and accessing all your vCenter Servers and Virtual Machines. As you can see from the diagram below, the SSO replication is bi-directional from all SSO instances and this occurs by default every 30seconds. By joining all SSO instances under a common SSO security domain (vsphere.local), you also have the added benefit of being able to see inventory from all SSO instances by logging into anyone of the vSphere Web Clients at each site.

I was recently asked by a couple of VMware colleagues about this particular configuration and whether it would be possible with using the VCSA. It took a couple of days of tinkering in the lab, talking to some folks and several dozen snapshot reverts, but I am please to say I have been successful in getting this to work!

Disclaimer: This configuration is not officially supported by VMware as the configuration has not been officially been tested. Please use at your own risk.

Requirements:

  • Configured Windows vCenter Server
  • Un-configured VCSA deployed

Step 1 - Deploy vCenter Server 5.5 on a Windows server as you normally would.

Step 2 - Deploy a VCSA but do not configure it just yet, we have a script that will automate this for you.

Step 3 - Download configureAdditionalVCSAUsingCommonSSODomain.sh script which will automatically configure the VCSA to point to the external vCenter Server SSO instance as well as setup the SSO multi-master replication configuration. You can either run the script remotely or run it within the VCSA, but before you do you will need to edit the script and modify the following variables.

PRIMARY_VC
VC_USERNAME
VC_PASSWORD
SSO_SITE_NAME

The first three variables pertains to your Windows vCenter Server and make sure the username is *protected email* The SSO Site name can be identified by following the instructions found here. In addition to the above mandatory variables, there are a couple other variables that will automatically join the VCSA to an Windows Active Directory, you just need to enable the flag and fill in the variables.

Step 4 - You are now ready to run the script! The output is a bit verbose, but if you take a look at the script itself is is only a couple of lines 🙂 This is wayyy easier than deploying a Windows OS and then go through all those complex install wizards!

The majority of the script is actually from an earlier script that I wrote during vSphere 5.1 release for the VCSA. However, there are a couple of additions to the script that I would like to highlight. The first is starting all the VMware SSO Services and also ensure it is automatically started up during boot by running the following commands:

/etc/init.d/vmdird start
/sbin/chkconfig vmdird on
/etc/init.d/vmware-sts-idmd start
/sbin/chkconfig vmware-sts-idmd on
/etc/init.d/vmkdcd start
/sbin/chkconfig vmkdcd on
/etc/init.d/vmcad start
/sbin/chkconfig vmcad on

The final part is to configure the replication between the two vmdird instances using the /usr/lib/vmware-vmdir/bin/vdcpromo command. The command requires both the source and target username/password of the SSO administrator account as well as the source SSO Site name which can be identified by following the instructions here.

Once the script has finished (should only take a minute or two) you now can login to either vCenter Server instances and you will be able to see both your vCenter Server on Windows as well as your VCSA.

Note: Currently, the Lookup Service is shared between all vCenter Servers joined to the common SSO security domain. This behavior is not expected and is currently being investigated by engineering. In the meantime, if the primary vCenter Server hosting the Lookup Service is unavailable, you will not be able to login to your other vCenter Servers. You should ensure proper high availability solutions is provided for the vCenter Server hosting the Lookup Service until this issue is resolved.

In just under a couple of minutes you can easily deploy several VCSA's joined to a common SSO security domain with built-in replication and get a "poor" mans Linked Mode to view and manage all your vCenter Servers from a single place.

Note: Even though SSO multi-master replication between VCSA's is not officially supported by VMware, it does in fact work and is something I have been able to setup in my lab. To perform this, you just need to setup you first VCSA as you normally would and using the script above to join additional VCSA to the first one you setup.

In a follow-up blog post, I will show you how to verify SSO multi-master replication is properly configured and replicating using some free online tools.

Why is there a "No access" vSphere Role?

by // 5 Comments

vSphere's (vCenter Server & ESXi) authorization system includes several pre-canned Roles such as Read-Only, Administrator and Virtual Machine Administrator as an example. One of the roles that has intrigued me for awhile which is the "No access" role. This seems to be a really odd role to have, I mean what would you do with such a role if it does not have access to anything?

In a conversation I had last week with a fellow colleague, the "No access" role made its way into the conversation and I learned that there was a specific use case for this role, however it was unclear what that might have been. This go me interested and I decided to reach out to some folks to see if I can get to the bottom of this and the use case associated with it.

It turns out there are some customers who have some very interesting requirements in which they need to separate out users who have the Administrator role and prevent them from seeing and performing operations on specific vSphere Inventory objects. An example of this would be a vCenter Server with 4 vSphere Clusters where Admin1 can only see the first two Clusters and Admin2 can only see the last two Clusters and both users have the Administrator role.

To accomplish the above example, you can leverage the "No access" role in the following manner. As the "Uber" Administrator, you would assign both Admin1 and Admin2, lets call them Alan and Cormac the Administrator role at the vCenter Server level. This will grant them full access to the entire vSphere Inventory.

Now, to prevent Alan from seeing Cluster 3 & 4, we need to go into the Cluster object and add the "No access" role to both those objects. We do the same for Cormac but for Cluster 1 & 2. If we now login as the user Alan, we will see that only Cluster 1 & 2 are visisble.

If we login with the user Cormac, we can only see Cluster 3 & 4 as expected.

Although this may not be a common request in your environment, I can see some interesting use cases for having such a setup like on-boarding a new junior admin and wanting to provide them Administrative access to particular Clusters and removing the views for others they should not have access to.

I would like to thanks Rupam from our GSS organization for sharing the reasoning behind "No access" as well as a specific use case for the feature.

How do I find my SSO Server 5.5 Site name?

by // 11 Comments

During an SSO (Single-Sign On) Server 5.5 installation, you may have noticed a new input parameter called Site Name that you must now specify. This new Site name is meant to help users identify a specific SSO Server when more than one exists in an environment and used mainly for groupings today.

Note: Something to be aware of is that the Site Name can not be changed after installation which is a bit unfortunate, so choose carefully.

When adding an additional Windows-based SSO Server to an existing environment, a drop down list will automatically be populated with all the Site names. This is great if the Site name you selected makes sense (ideally it would) but in case you did not choose a specific name or forgot the relationship between the Site name and the SSO Server, then this can potentially post a challenge.

In my lab I have been recently doing some "SSO" testing and I needed to figure out the Site name for one a vCenter Server running on Windows as well as for a VCSA (vCenter Server Appliance). With a bit of digging and testing, here is how you can find the Site name for a given SSO Server.

Note: Since the VCSA is a pre-built Virtual Appliance, the Site name has already been configured to to always be "local".

Method 1 - You can leverage an SSO CLI utility found both in a Windows vCenter Server as well as the VCSA to query for this information.

Windows vCenter Server Utility: C:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso\ssolscli.cmd

VCSA Utility: /usr/lib/vmware-sso/bin/vi_regtool

Both commands function exactly the same but do have different paths/name. The operation that we will be using is the "listServices" and we will also need to specify the Lookup Service URL which will be in the form of https://[SSO-SERVER]:7444/lookupservice/sdk

Here is an example of using the ssolscli.cmd in vCenter Server for Windows:

In the output you should see a list of services registered and you will also be able to find the Site name in either the serviceId property which includes the Site name in the pre-fix. In the screenshot above, the Site name is "Santa Barbara". You can also find the Site name by looking at viSite property for each service and based on the URL, you will see the IP Address/Hostname in which the Site name is associated with.

Method 2 - You can also find the Site name for a given SSO Server by logging into the vSphere Web Client and under the advanced vCenter Server settings, you can filter on config.vpxd.sso string and look for the serviceId property which will include the Site name. You can also find this same information by looking at the vCenter Server configuration file (vpxd.conf) but if you have access to the vSphere Web Client, it is a much quicker way as seen in the screenshot below.