4 Replies Latest reply on Jan 19, 2016 6:16 AM by mrstorey

    Vcenter 6 Design Questions

    JoJoGabor Expert

      Hi,

      I am putting together a vCenter 6 design currently with two vCenters and two external PSCs (one in each datacentre) load balanced using F5 GSLB. The PSCs' VMCA component will be a subordinate of my client's internal Microsoft PKI. So my questions are:


      1. Do any certificates issued by the VMCA get replicated between the PSC nodes? If we have a primary datacentre failure, can I be certain that any certificates are also stored in the second PSC VECS? Does it actually matter if the certificate is already on the host?

      2. Are certificates checked against a CRL for revocation? Does the VMCA perform the CRL checking or is this done by the PKI?

      3. What order does the install and certificate configuration happen in? I am assuming:

           Install PSC1
           Configure PSC1 to be a subordinate of PKI
           Install PSC2
           Configure PSC2 to be a subordinate of PKI also
           Configure load balancing
           Install vCenters using GSLB of PSCs.

      Thanks all in advance

        • 1. Re: Vcenter 6 Design Questions
          tonto_22 Novice

          @JoJoGabor 1. Do any certificates issued by the VMCA get replicated between the PSC nodes? If we have a primary datacentre failure, can I be certain that any certificates are also stored in the second PSC VECS? Does it actually matter if the certificate is already on the host?

          Best practice is to share the same cert between the PSCs. This is after both PSCs have been added/trusted in the cert chain. (verified in cert properties to see that both are listed) = 1 cert (same one) on both PSCs

          2. VMCA has no CRL abilities. This is a manual process as of today.

          3. This is the order I am using in several different scenarios but I have read you can install vCenter before the 2nd PSC. I have also read that the vCenter should be last, or at least after the PSCs have been included in the cert chain.
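          Two of the points above (share one certificate across both PSCs, and the VMCA does no CRL checking of its own) can be verified from a management workstation. The following PowerShell script is an added example, not code from this thread or from VMware: it pulls the TLS certificate each PSC presents, confirms both nodes serve the same thumbprint, asks the Windows chain engine to build and revocation-check the chain against the client's PKI (the check the VMCA itself will not do), and lists any CRL Distribution Points the certificate carries. The PSC hostnames and port 443 are assumptions; replace them with your own.

          ```powershell
          # Added example (not from the thread): inspect the certificate served by two PSC nodes.
          # Hostnames below are placeholders for the two PSCs in the design.
          $PscNodes = @('psc01.example.local', 'psc02.example.local')   # assumption

          function Get-RemoteCertificate {
              param([string]$HostName, [int]$Port = 443)
              $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
              try {
                  # Accept whatever the server sends here: we are inspecting the cert, not trusting it.
                  $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
                  $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
                  $ssl.AuthenticateAsClient($HostName)
                  return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
              } finally {
                  $client.Close()
              }
          }

          function Test-CertificateChain {
              param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
              $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
              # The VMCA does not consult a CRL, so let the Windows chain engine fetch and check
              # the CRLs published by the issuing PKI for every certificate in the chain.
              $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
              $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
              $built = $chain.Build($Cert)
              [pscustomobject]@{
                  Valid  = $built
                  Status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
                  Chain  = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> '
              }
          }

          function Get-CrlDistributionPoints {
              param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
              # 2.5.29.31 is the id-ce-cRLDistributionPoints extension.
              $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
              if (-not $ext) { return @() }
              # Format($true) renders the extension as multi-line text; pull the URLs out of it.
              [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
          }

          # Fetch the certificate from each PSC and compare thumbprints.
          $certs = @{}
          foreach ($node in $PscNodes) { $certs[$node] = Get-RemoteCertificate -HostName $node }

          $thumbprints = @($certs.Values | ForEach-Object { $_.Thumbprint } | Sort-Object -Unique)
          if ($thumbprints.Count -eq 1) {
              "Both PSCs present the same certificate: $($thumbprints[0])"
          } else {
              "WARNING: PSCs present different certificates: $($thumbprints -join ', ')"
          }

          # Per node: chain, revocation status and CRL distribution points.
          foreach ($node in $PscNodes) {
              $c = $certs[$node]
              "`n== $node"
              "Subject : $($c.Subject)"
              "Issuer  : $($c.Issuer)"
              $result = Test-CertificateChain -Cert $c
              "Chain   : $($result.Chain)"
              "Valid   : $($result.Valid) $($result.Status)"
              $cdp = @(Get-CrlDistributionPoints -Cert $c)
              if ($cdp.Count -gt 0) {
                  "CRL DPs : $($cdp -join ', ')"
              } else {
                  "CRL DPs : none listed, so clients have no CRL to check this certificate against"
              }
          }
          ```

          Run it from a workstation that trusts the client's PKI root; a chain that builds with an empty Status column and a non-empty CRL DPs line is the state the design aims for. A mismatch in thumbprints means the two PSCs are not sharing one certificate as recommended above, and a missing CRL Distribution Point means revocation of that certificate will not be noticed by anything, since the VMCA does no CRL checking itself.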

          • 2. Re: Vcenter 6 Design Questions
            mrstorey Enthusiast

            Any of you actively using F5 GSLB for PSC HA?

            We have two datacenters (UK and US), and we're planning on deploying the following in each one:

            2 x PSCs behind F5 LTM VIP
            1 x vCenter (in linked mode)

            3-node mgmt cluster in each site, all PSCs in the same SSO domain, two SSO sites defined (one for each datacenter).

            Just wondering if we could throw GSLB into the mix and have a single, unified entry point for PSC services - and maybe remove the need for deploying 2 PSCs in each site.

            I know it's been discussed on this thread, but is anyone actually doing it? Is it recommended or supported? Too much complexity for little gain?

            • 3. Re: Vcenter 6 Design Questions
              JoJoGabor Expert

              No, it's not supported by VMware. That's what I tried to set up initially but was told then. However, my problem may have been related to a bug I found in 6.0 U0 where you can't fail over between PSCs where the site name is different. This has been fixed in Update 1, but I haven't deployed that yet.

              I suspect now that's fixed it may work, although I'm not sure if the support stance has changed.

              • 4. Re: Vcenter 6 Design Questions
                mrstorey Enthusiast

                Lovely - thanks for the quick response.