With the announcement at VMworld of the upcoming vSphere 5.5 release, one area that I have been greatly involved with (hence why I have been in stealth mode) is the new and improved vCenter Single Sign-On. You may still ask "Why do we need it?" and "Why change something that wasn't broken to begin with?", but hang in there and let me highlight the changes and the benefits you will see as you begin to look at vCenter Server 5.5.

The new release shows we heard you loud and clear! At release, vCenter Single Sign-On 5.1 lacked some expected functionality (limited Active Directory integration), was complex to manage (SSL certificates), and lacked guidance on how best to deploy it. This is not to knock the current version shipped with vCenter Server 5.1 Update 1b, which is now a very stable platform to build on, with guidance available in a recent deployment whitepaper. vCenter Single Sign-On 5.5 takes on these challenges and now provides a rich and fully capable vSphere authentication experience with much of the complexity removed.

Architecture

vCenter Single Sign-On 5.5 has been rewritten from the ground up to provide the level of service expected from a VMware product. The new architecture is based on a multi-master model in which each instance is automatically kept up to date with its peers via built-in replication. You can create sites to provide logical groupings of registered resources that may be geographically or organizationally separate, and there is also support for multiple tenants.

Database
Well, that's easy: we have removed the dependency on an external database completely. The multi-master architecture now provides the necessary storage for the vCenter Single Sign-On configuration as well as any embedded users and groups defined.

 

Certificates
While the same concept from vCenter Server 5.1 has been maintained in vCenter Server 5.5, the vCenter Certificate Automation tool has been updated to support vCenter Server 5.5. If you are required to update certificates, simply create or obtain the new certificates and the tool will update the various vCenter Server components for you.

 

Installation
We can all agree we have banged our heads over the best way to deploy vCenter Single Sign-On. With vSphere 5.5, vCenter Single Sign-On is now a simple, single deployment model where the only decision is placement: whether this is the first vCenter Single Sign-On deployment or an additional vCenter Single Sign-On deployment for an additional vCenter Server. Although we support the in-place upgrade of previous vCenter Single Sign-On 5.1 configurations, the updated architecture really benefits from being local to vCenter Server. The Single Sign-On High Availability and Multisite terminology has now merged into the single deployment option.

 

Troubleshooting and Diagnostics
In vCenter Single Sign-On there was little to be said about support tools to aid with diagnosing issues and troubleshooting authentication. With the general release of vCenter Server 5.5 and vCenter Single Sign-On 5.5, we are supplying a suite of tools that allow you to view your entire vCenter Single Sign-On configuration and make changes when necessary.

For example, I may need to change the replication between many vCenter Single Sign-On instances or review the certificates used by vCenter Single Sign-On.

All of these advanced or one-time administration tasks are now possible with the tools being provided, but remember that the typical day-to-day administration tasks are best handled by the vSphere Web Client 5.5. The best part of using these tools is that there is no longer a notion of the master password, which frustrated many with vCenter Single Sign-On 5.1. A vCenter Single Sign-On administrator has full functionality with no hidden extras.

 

I have plenty of great information to share with you on vCenter Single Sign-On, so stay tuned for updates.