VMware Cloud Community
JoJoGabor
Expert

vCenter 6 Design Questions

Hi,

I am putting together a vCenter 6 design currently with two vCenters and two external PSCs (one in each datacentre) load balanced using F5 GSLB. The PSCs' VMCA component will be a subordinate of my client's internal Microsoft PKI. So my questions are:

1. Do any certificates issued by the VMCA get replicated between the PSC nodes? If we have a primary datacentre failure, can I be certain that any certificates are also stored in the second PSC VECS? Does it actually matter if the certificate is already on the host?

2. Are certificates checked against a CRL for revocation? Does the VMCA perform the CRL checking or is this done by the PKI?

3. What order does the install and certificate configuration happen in? I am assuming:

     Install PSC1

     Configure PSC1 to be a subordinate of PKI

     Install PSC2

     Configure PSC2 to be a subordinate of PKI also

     Configure load balancing

     Install vCenters using GSLB of PSCs.

Thanks all in advance

tonto_22
Contributor

@JoJoGabor 1. Do any certificates issued by the VMCA get replicated between the PSC nodes? If we have a primary datacentre failure, can I be certain that any certificates are also stored in the second PSC VECS? Does it actually matter if the certificate is already on the host?

Best practice is to share the same cert between the PSCs. This is after both PSCs have been added/trusted in the cert chain (verified in cert properties to see that both are listed), i.e. one cert (the same one) on both PSCs.

2. VMCA has no CRL abilities. This is a manual process as of today.

3. This is the order I am using in several different scenarios but I have read you can install vCenter before the 2nd PSC. I have also read that the vCenter should be last, or at least after the PSCs have been included in the cert chain.

mrstorey
Contributor
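An added example, not code from the thread or from VMware, covering the two certificate answers above: a throwaway root standing in for the client's internal PKI, a subordinate CA standing in for the VMCA, and one constructed PSC machine cert, all generated in a temp directory. It shows the manual CRL check tonto_22 describes (the VMCA itself consults no CRL, so the verifier has to) and a fingerprint comparison for the "same cert on both PSCs" point. All names and files are constructed.

```shell
# Constructed demo: root = internal PKI, "vmca" = subordinate CA, "psc" = machine cert.
set -e
WORK="$(mktemp -d)"; cd "$WORK"
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
crlnumber = crlnumber
default_md = sha256
default_crl_days = 30
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
: > index.txt; echo 1000 > crlnumber
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt -days 3650 \
  -subj "/CN=Demo Corp Root" -config ca.cnf -extensions v3_ca 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout vmca.key -out vmca.csr \
  -subj "/CN=Demo VMCA" -config ca.cnf 2>/dev/null
openssl x509 -req -in vmca.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -out vmca.crt -days 1825 -extfile ca.cnf -extensions v3_ca 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout psc.key -out psc.csr \
  -subj "/CN=psc01.example.invalid" -config ca.cnf 2>/dev/null
openssl x509 -req -in psc.csr -CA vmca.crt -CAkey vmca.key -CAcreateserial \
  -out psc.crt -days 365 2>/dev/null
cat root.crt vmca.crt > chain.pem   # what a verifier has to trust
# Question 1: same cert on both PSCs? Compare the SHA-256 fingerprint each one serves
# (fetch with openssl s_client -showcerts) rather than trusting the UI.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
# Question 2: the VMCA consults no CRL, so the check is done by whoever verifies.
# Prints ok / revoked / error ("error" covers "no CRL available for the issuer").
crl_status() {  # $1 cert, $2 trusted chain, $3 CRL file
  if out=$(openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" 2>&1); then
    echo ok
  else
    case "$out" in *revoked*) echo revoked ;; *) echo error ;; esac
  fi
}
# CRL from the issuing CA with nothing revoked, then revoke the PSC cert and reissue it.
openssl ca -gencrl -config ca.cnf -keyfile vmca.key -cert vmca.crt -out empty.crl 2>/dev/null
openssl ca -revoke psc.crt -config ca.cnf -keyfile vmca.key -cert vmca.crt 2>/dev/null
openssl ca -gencrl -config ca.cnf -keyfile vmca.key -cert vmca.crt -out revoked.crl 2>/dev/null
echo "psc fingerprint: $(fingerprint psc.crt)"
echo "empty CRL:   $(crl_status psc.crt chain.pem empty.crl)"      # ok
echo "revoked CRL: $(crl_status psc.crt chain.pem revoked.crl)"    # revoked
```

Point crl_status at the real chain and the PKI's published CRL to repeat the check against a cert pulled from each PSC.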

Any of you actively using F5 GSLB for PSC HA?

We have two datacenters (UK and US), and we're planning on deploying the following in each one:

2 x PSCs behind F5 LTM VIP

1 x vCenter (in linked mode)

3 Node mgmt cluster in each site, all PSCs in the same SSO domain, two SSO sites defined (one for each datacenter).

Just wondering if we could throw GSLB into the mix and have a single, unified entry point for PSC services - and maybe remove the need for deploying 2 PSCs in each site.

I know it's been discussed on this thread, but is anyone actually doing it? Is it recommended or supported? Too much complexity for little gain?

JoJoGabor
Expert

No, it's not supported by VMware. That's what I tried to set up initially but was told that then. However, my problem may have been related to a bug I found in 6.0 U0 where you can't fail over between PSCs where the site name is different. This has been fixed in Update 1, but I haven't deployed that yet.

I suspect now that's fixed it may work, although I'm not sure if the support stance has changed.

mrstorey
Contributor

Lovely - thanks for the quick response.
