JPM300
Commander

How to set up Orchestrator 5.1 with SSO multi-site/vCenter Linked mode

Hello all,

Just wondering how you would go about setting up Orchestrator 5.1 in an SSO multi-site with vCenter in Linked mode.

Currently our setup is as such:

Site1
  VC01
  SSO01
  VCSQL01

Site2
  VC02
  SSO02
  VCSQL02

Our SSO is in multi-site configuration and our vCenters are in Linked mode. So would I set up an Orchestrator on each side like so:

Site1
  VC01
  SSO01
  VCSQL01
  Orchestrator01 - linked to VC01

Site2
  VC02
  SSO02
  VCSQL02
  Orchestrator02 - linked to VC02

Or do you only need to set up one Orchestrator when you have SSO multi-site/vCenter in Linked mode?

I would assume you would need two Orchestrators, as each VC has a separate database, but I can't seem to find any information on this.

Any info would be great,

Thanks

6 Replies
pslavova
VMware Employee

You don't need to have two vCO servers for this case if you use a shared session for one of the vCenter Servers.

If I have understood correctly, the objects registered in the two SSO servers are separate (you cannot register in SSO1 and use its token for SSO2), so you can register your vCO server to authenticate in SSO1, for example. VC01 can be added using session per user, and VC02 can be added using the shared session configuration.

In this case the problem is that you will be able to manipulate VC02's objects using the credentials provided for the shared session configuration, and you might want to restrict the permissions on the VC02 objects.

If you want more restricted access to these objects, you will need two vCO servers. This way you will register each vCO to authenticate against its SSO, and you will be able to register VC02 in VCO02 using session per user.

JPM300
Commander

Well, I have admin access on both vCenters and use SSO/LDAP credentials to gain access. So would I still not be able to manipulate VC02's objects or run any workflows on VC02? If this is the case, would it just be better to run another vCO on VC02 and connect to that to do any workflows on VC02?

pslavova
VMware Employee

It depends on the SSO setup. There is a fast way you can check:

Register your vCO server against SSO01, add the two VC servers with session per user configured, and restart the vCO server.

Start the vCO Java client and go to the inventory. If the tokens created by SSO01 are not valid for SSO02, you won't be able to browse VC02's objects.

Everything depends on the two SSO servers configurations.

If the two servers are completely separate installations that just use the same LDAP added as an identity source, then the tokens generated by SSO01 cannot be used to authenticate in SSO02.

I'm not completely sure how vCO will work if the SSO servers are configured in cluster mode or in HA mode.

cdecanini_
VMware Employee

vCO setup should be irrelevant to Linked mode.

If your vCO has a LAN-type connection to your vCenter servers, set up a single vCO server in which you add all your vCenter hosts.

If your vCenters are geographically distributed with high latency / low bandwidth, use one vCO located on each vCenter LAN. To get vCO into something close to Linked mode, use an additional vCO with the multi-node plug-in to remote-control all your vCOs from a single one.

- edit - Not sure if the currently released multi-node plug-in supports SSO. If not, you may be able to get a version supporting it by opening a ticket with VMware GSS.

JPM300
Commander

So I could use one vCO server to manage both our vCenter servers even though there are two SSO servers in multi-site mode? We have dark fibre between the two sites; however, SSO is installed in multi-site mode due to vCenter being in Linked mode. So with one vCO server, will it be able to communicate with both SSO servers?

imthemp3king
Contributor

Did you ever come to a conclusion on this issue? I am set up the same way you are, with multi-site SSO and a vCO server in each location. However, only one vCO server shows up in the Web Client, and the multi-node plug-in (while supporting SSO) hasn't resolved the issue for me.
