
Back in March, we introduced vSphere 6.0 and the new architecture for vCenter Server. With this new architecture you learned about the Platform Services Controller, a new functional component of vCenter that moves beyond just Single-Sign On to include additional platform services such as:

  • Licensing Service
  • Certificate Authority (VMCA)
  • Certificate Store (VECS)
  • Lookup Service for Component Registrations

In the 6.0 release, administration and configuration of the Platform Services Controller was primarily performed through an SSH session, by selecting the node under System Configuration in the vSphere Web Client, or through the Direct Console User Interface of the appliance.

In vCenter Server 6.0 Update 1, we’re excited to introduce the next stage of the administration with the Platform Services Controller Interface, a fully HTML5-based interface to administer and configure many of the services that run on the PSC.

Using the Platform Services Controller Interface you can perform tasks, such as:

  • Adding and Editing Users and Groups for Single Sign-On
  • Adding Single Sign-On Identity Sources
  • Configuring Single Sign-On Policies (e.g. Password Policies)
  • Adding Certificate Stores
  • Adding and Revoking Certificates

Here is a quick overview of the Platform Services Controller User Interface available in vCenter Server 6.0 Update 1.

Login

Connect to https://<fqdn-or-ip>/psc/ and log in to the HTML5-based Platform Services Controller Interface with a Single Sign-On administrative user (e.g. administrator@vsphere.local).

Once you’ve logged in to the Platform Services Controller Interface, you’ll be directed to the Home section.

Here you are presented with sections for Single Sign-On, Certificates and Appliance Settings.

Let’s take a look at each of these below.

Single Sign-On

Recall that beginning with vSphere 6.0, vCenter Single Sign-On is part of the Platform Services Controller. The Platform Services Controller contains the shared services that support vCenter Server and vCenter Server components. vCenter Single Sign-On is essentially an authentication broker and security token exchange infrastructure. When a user or a solution user authenticates successfully to vCenter Single Sign-On, that user receives a SAML token. Thereafter, the user can use the SAML token to authenticate to vCenter services and perform any actions for which that user has privileges.

In vSphere 6.0, the vCenter Server management group of services needed to be deployed in order to administer and configure Single Sign-On through the vSphere Web Client. In vCenter Server 6.0 Update 1 the Platform Services Controller Interface provides you direct access to the configuration. This can be useful during initial deployment configuration or even troubleshooting exercises.

Single Sign-On > Users & Groups

Manage users, groups and registered solution users in the Single Sign-On domain (e.g. vsphere.local) by directly connecting to the Platform Services Controller.

Single Sign-On > Configuration

Manage policies such as rules and restrictions for passwords (complexity requirements and lockout), plus the Secure Token Service clock tolerance, renewal, and re-authentication settings.
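How a clock tolerance affects acceptance of the SAML token described earlier, as an added example that is not code from VMware or from the original post. It checks the Conditions window of a constructed, unsigned SAML 2.0 assertion against a verifier's clock; the function names, the sample assertion and the two-minute tolerance are assumptions for illustration, and signature verification is out of scope.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (unsigned, illustration only): valid for 5 minutes.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-example" Version="2.0"
                IssueInstant="2015-09-10T12:00:00Z">
  <saml:Issuer>constructed-issuer</saml:Issuer>
  <saml:Conditions NotBefore="2015-09-10T12:00:00Z"
                   NotOnOrAfter="2015-09-10T12:05:00Z"/>
</saml:Assertion>
"""

def _parse_ts(value):
    # SAML timestamps are UTC xs:dateTime values such as 2015-09-10T12:00:00Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_validity(assertion_xml, now, tolerance=timedelta(0)):
    """Return 'valid', 'not-yet-valid' or 'expired' for the assertion at `now`.

    `tolerance` is the clock skew the verifier accepts on both ends of the
    window. A larger value hides clock drift between nodes, but also extends
    how long a captured token is accepted, so keep it small and fix time sync.
    """
    # Real tokens must have their signature verified before any field is
    # trusted, and untrusted XML should go through a hardened parser.
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None or "NotOnOrAfter" not in cond.attrib:
        raise ValueError("assertion has no bounded validity window")
    not_before = cond.get("NotBefore")
    if not_before and now + tolerance < _parse_ts(not_before):
        return "not-yet-valid"
    # NotOnOrAfter is exclusive: the token is already expired at that instant.
    if now - tolerance >= _parse_ts(cond.get("NotOnOrAfter")):
        return "expired"
    return "valid"

def demo():
    # Verifier clock runs 90 seconds behind the issuer (constructed scenario).
    behind = datetime(2015, 9, 10, 11, 58, 30, tzinfo=timezone.utc)
    return {
        "no_tolerance": check_validity(SAMPLE_ASSERTION, behind),
        "two_minutes": check_validity(SAMPLE_ASSERTION, behind, timedelta(minutes=2)),
    }
```
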

Add identity sources for user authentication. These sources can be a native Active Directory (Integrated Windows Authentication) domain or an OpenLDAP directory service.

Manage the certificates for Identity Sources as well as the Secure Token Service Signing certificates.

Certificates > Certificate Store

Add, delete and show details for certificates in VECS (vSphere Endpoint Certificate Store) Certificate Stores.

Certificates > Certificate Authority

In vCenter Server 6.0, the VMware Certificate Authority (VMCA) provides each vCenter Server, Solution User and ESXi host with certificates that are signed by VMCA. These certificates can be trusted through to a VMCA-signed root certificate (default mode) or through to an Enterprise / Commercial CA (subordinate mode). Management was performed using the Certificate Manager Python program or the vecs-cli.

Now, in vCenter Server 6.0 Update 1, you have the option to manage portions of the VMware Certificate Authority using the Platform Services Controller Interface, such as viewing active, revoked and expired certificates, as well as replacing the root signing certificate for the VMCA (equivalent to Option 2 in the Certificate Manager).

Certificates > Certificate Management

You can also renew and replace both Machine SSL Certificates and Solution User Certificates from within the Platform Services Controller Interface (equivalent to the options to replace Machine SSL Certificates and Solution User Certificates in Certificate Manager).

Appliance Settings > Appliance Settings

If you’re running the vCenter Server Appliance, you can manage its settings, such as access, networking, time synchronization, updates, and the root account password and expiration, from the Appliance Management User Interface (previously called the VAMI), which returned in vCenter Server 6.0 Update 1.

Learn more about this return of the Appliance Management UI in vCenter Server 6.0 Update 1 from Matt Meyer’s blog post.

Appliance Settings > Manage

In this section you can join the Platform Services Controller to your Active Directory domain, similar to how you can do so in the vSphere Web Client’s System Configuration > Node option. This is just way simpler.

And there you have it. The all new Platform Services Controller Interface in vCenter Server 6.0 Update 1. A slick new, HTML5-driven interface to administer and configure many of the services that run on the PSC with ease.

You can download vSphere 6.0 Update 1 from the Product Download Center.

About the Author

Ryan Johnson

Ryan Johnson is a Staff Technical Marketing Architect at VMware. As an accomplished technologist his focus is enabling customers and community members to accelerate and simplify their infrastructure services and organizations through the Software-Defined Data Center. Ryan focuses on VMware Cloud Foundation and the VMware Validated Designs.

Follow Ryan on Twitter as @tenthirtyam.