@JoJoGabor 1. Do any certificates issued by the VMCA get replicated between the PSC nodes? If we have a primary datacentre failure, can I be certain that any certificates are also stored in the second PSC VECS? Does it actually matter if the certificate is already on the host?
Best practice is to share the same cert between the PSCs. This is after both PSCs have been added/trusted in the cert chain. (verified in cert properties to see that both are listed) = 1 cert (same one) on both PSCs
2. VMCA has no CRL abilities. This is a manual process as of today.
3. This is the order I am using in several different scenarios but I have read you can install vCenter before the 2nd PSC. I have also read that the vCenter should be last, or at least after the PSCs have been included in the cert chain.
Any of you actively using F5 GSLB for PSC HA?
We have two datacenters (UK and US), and we're planning on deploying the following in each one:
2 x PSCs behind F5 LTM VIP
1 x vCenter (in linked mode)
3 Node mgmt cluster in each site, all PSCs in the same SSO domain, two SSO sites defined (one for each datacenter).
Just wondering if we could throw GSLB into the mix, and have a single, unified entry point for PSC services - and maybe remove the need for deploying 2 PSCs in each site.
I know it's been discussed on this thread but is anyone actually doing it? Is it recommended or supported? Too much complexity for little gain?
No, it's not supported by VMware. That's what I tried to setup initially but was told then. However my problem may have been related to a bug I found in 6.0 U0 where you can't failover between PSCs where the site name is different. This has been fixed in Update 1, but I haven't deployed that yet.
I suspect now that's fixed it may work, although not sure if the support stance has changed.
Lovely - thanks for the quick response.