This document provides an overview and technical deep dive of vCenter Server and vCenter Single Sign-On. It discusses the components of vCenter including the installer, inventory service, vSphere web client, and database. It also covers reference architectures, system requirements, upgrades, and new features in vCenter Single Sign-On 5.5 such as improved Active Directory integration, simplified installation, and diagnostic tools.
2. 2
Overview
vCenter Server – A Technical Deep Dive
• vCenter Installer
• Inventory Service
• vSphere Web Client
• vCenter Database
• vCenter Single Sign-On
Reference Architecture (Best Practices)
• Single vCenter Environments
• Multi vCenter Environments
We want to answer all questions… at the end
3. 3
What This Session Is/Target Audience
Other VMworld sessions of similar interest
• Upgrades
• VSVC5690 vSphere Upgrade Series Part 1: vCenter Server
• Performance
• VSVC5234 Extreme Performance Series: vCenter of the Universe
• vCenter Single Sign-On
• VSVC5635 vSphere vCenter Single Sign-On Best Practices
• vSphere Web Client
• VSVC5436 vSphere Web Client – Technical Walkthrough
5. 5
Simple Install
Simple Install Changes
• Added Web Client
• Installer Order changes
5.1
Single Sign-On
Inventory Service
vCenter
5.5
Single Sign-On
vSphere WebClient
Inventory Service
vCenter
Why?
• In the rare case SSO goes wrong, users can log into the Web Client and configure/edit
Best practice: Simple Install puts all components in a single server
• VMware’s suggested best practice
6. 6
Custom Install
Why would you run this?
Distribute services across
multiple servers
Customize location
Advanced configurations
• E.g. additional vCenter servers
8. 8
What Is the vCenter Server Inventory Service?
Maintains a cache of the vCenter
Server inventory
• (VMs, Hosts, etc)
Reduces the load on VPXD by
offloading client requests
Installs locally to vCenter Server
(although can be separated)
Enables use of Tags
• Remember to backup Inventory
service data files to provide
recovery of tags
Inventory Service provides a query service into VPXD
10. 10
What Is the vSphere Web Client?
The NEW virtual infrastructure client
• THE client for vSphere administrators (starting in vSphere 5.1)
• Matched functionality to legacy VI Client (almost – we’ll get to this)
• Additional vCenter 5.1/5.5 functionality, only available through the vSphere Web Client
Browser based
• Internet Explorer / FireFox / Chrome fully supported on Windows and Mac
The new face of
vSphere Administration
11. 11
vCenter Server 5.5
vSphere Web Client
• Increased Platform Support
• Added support for OS X
• VM Console access
• Deploy OVF Templates
• Attach Client Devices
• Enhanced Usability Experience
• Drag and Drop
• Filters
• Recent Items
12. 12
• But…
• You need your solutions
• And the performance could be better
Web Client
Last release for VI Client (5.5)
• Why did we keep it around?
• VUM
• Host Client
• After playing with the new client for 2 days,
most admins like the NEW client
13. 13
VMware vSphere Web Client Plugins
vcOps
Infrastructure Nav
Orchestrator
Data Protection
Others:
• vFabric Elastic
Memory for Java
• vSphere Replication
• vSphere Data
Protector
16. 16
Stats and Database Performance Improvements
We have improved each activity.
Stats Operations
• Insert stats
• Roll up stats into new granularities
• Purge stats when they get too old
Partitioned database tables
• Faster to insert into smaller partition tables than into one really large table
No collisions
• No collisions between data that is being inserted and data that is being rolled up
Faster purges
• By partitioning we are able to drop tables and NOT search for and drop stale rows.
RESULT
• Dramatically reduced I/O requirements
• Dramatically faster rollup times
• Predictable rollup procedure
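The partition-per-interval scheme the slide describes, as an added illustration (not vCenter's own schema or code): one SQLite table per day stands in for a partition, rollup reads only a closed day, and purging drops a whole table instead of deleting rows. Table names are validated before being interpolated into SQL text.

```python
import sqlite3
from typing import List, Tuple

class PartitionedStats:
    """Illustrative stats store: one table per day (a 'partition'). Inserts touch only
    the small current-day table; rollup reads a closed day; purge drops whole tables."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE hourly(hour TEXT, entity TEXT, avg_value REAL)")

    @staticmethod
    def partition_for(ts: str) -> str:
        """Map an ISO-8601 timestamp or a YYYY-MM-DD day to its day partition name."""
        day = ts[:10].replace("-", "")
        if len(day) != 8 or not day.isdigit():   # the name is interpolated into SQL text
            raise ValueError(f"bad timestamp {ts!r}")
        return "stats_" + day

    def insert(self, ts: str, entity: str, value: float) -> str:
        table = self.partition_for(ts)            # create the partition on first use
        self.db.execute(f"CREATE TABLE IF NOT EXISTS {table}(ts TEXT, entity TEXT, value REAL)")
        self.db.execute(f"INSERT INTO {table} VALUES (?, ?, ?)", (ts, entity, value))
        return table

    def partitions(self) -> List[str]:
        rows = self.db.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name GLOB 'stats_*' ORDER BY name")
        return [r[0] for r in rows]

    def rollup(self, day: str) -> int:
        """Aggregate one closed day into hourly averages; returns rows written.
        Only that day's table is read, so it never collides with today's inserts."""
        table = self.partition_for(day)
        if table not in self.partitions():
            return 0
        rows = self.db.execute(
            f"SELECT substr(ts, 1, 13), entity, avg(value) FROM {table} GROUP BY 1, 2").fetchall()
        self.db.executemany("INSERT INTO hourly VALUES (?, ?, ?)", rows)
        return len(rows)

    def purge_before(self, day: str) -> List[str]:
        """Drop every partition older than day; no row-by-row search or DELETE."""
        dropped = [t for t in self.partitions() if t < self.partition_for(day)]
        for table in dropped:
            self.db.execute(f"DROP TABLE {table}")
        return dropped

    def hourly_rows(self) -> List[Tuple[str, str, float]]:
        return self.db.execute("SELECT hour, entity, avg_value FROM hourly ORDER BY 1, 2").fetchall()
```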
18. 19
What About the Appliance
Limitations Today:
External database is Oracle only
• No SQL Server support planned
Embedded database scale
• 5 hosts / 50 VMs
• Will change 5.1 U2
IPv6
Linked Mode capability
Availability with vCenter Heartbeat
Future Direction:
Future direction is with appliance but we have work to do first
Proven itself with VMware HOL
Secure the appliance
Provide better availability
Add Linked mode functionality
Take a look, get familiar and prepare to adopt
20. 21
System Requirements (Hardware)
Simple Install (Min)
• 2CPU / 12GB RAM / 100GB Disk / 1Gbps
Custom Install (Min)
Single Sign-On
• 1CPU / 3GB RAM / 2GB Disk / 1Gbps
vSphere Web Client
• 1CPU / 2GB RAM / 2GB Disk / 1Gbps**
Inventory Service
• 1CPU / 3GB RAM / 5GB Disk / 1Gbps
vCenter Server
• 2CPU / 4GB RAM / 60GB Disk / 1Gbps
Simple Install (Recommended)
• 4CPU / 24GB RAM / 100GB Disk / 1Gbps
Custom Install (Recommended)
Single Sign-On
• 2CPU / 4GB RAM / 8GB Disk / 1Gbps
vSphere Web Client
• 2CPU / 4GB RAM / 8GB Disk / 1Gbps**
Inventory Service
• 1CPU / 8GB RAM / 32GB Disk / 1Gbps
vCenter Server
• 4CPU / 8GB RAM / 100GB Disk / 1Gbps
• Based on an Inventory Size of
400 hosts or 4000 virtual machines
21. 22
Deprecated Operating Systems
vCenter Server 5.5 removes support for
• Windows Server 2003 as a host operating system
• Windows Server 2008 (no SP) as a host operating system
• Windows Server 2008 SP1 as a host operating system
Upgrade to Windows Server 2008 SP2 before upgrading vCenter Server to version 5.5
vSphere Documentation Center
https://www.vmware.com/support/pubs/
VMware Compatibility Guide
http://www.vmware.com/resources/compatibility
Product Interoperability Matrix
http://www.vmware.com/resources/compatibility/sim/interop_matrix.php
22. 23
Upgrade Matrix
VMware supports in-place upgrades on 64-bit systems from
• vCenter Server 4.x
• vCenter Server 5.0.x
• vCenter Server 5.1.x
*Exception being Windows XP Professional x64
VMware does not support directly migrating an existing 5.0.x or earlier vCenter Server to a new machine during an upgrade to version 5.5
• You can migrate such an existing vCenter Server to a new machine during an upgrade to version 5.0.x, and then perform an in-place upgrade from version 5.0.x to version 5.5
vCenter Server 5.5 can manage
• ESX 4.x/ESXi 4.x, ESXi 5.0.x, and 5.1.x hosts
• In the same cluster with ESXi 5.5 hosts
vCenter Server 5.5 cannot manage ESX 2.x or 3.x hosts
24. 25
The New vCenter Single Sign-On 5.5
With vSphere 5.5, VMware is delivering a greatly improved Single
Sign-On experience
• vCenter Single Sign-On was introduced in vSphere 5.1 to provide customers
with the ability to log into VMware vCloud Suite products once and then use
each product holistically as one common suite.
• This feature proved challenging to our customers for a variety of reasons.
• As a result VMware improved the vCenter Single Sign-On experience from the
ground-up
25. 26
Challenges with vCenter Single Sign-On 5.1
Active Directory Integration
• Does not work effectively in multi-forest / trusted
domain environments
• Does not scale in environments with 15K or greater users
• Administration is limited
Certificates
• SSL communications challenging
• Difficult to change / update
Installation
• Database requirements / security concerns
• Many installable configurations
• Difficult to change / reconfigure post install
• Complex
Diagnostics
• Troubleshooting tools – non existent
26. 27
What's New with vCenter Single Sign-On 5.5 (in Short)
Improved architecture
• Multi-master
• Built-in replication
• Site awareness
• Multi Tenant
Database
• There is no Database!
Installation
• One simplified deployment model
• Select vCenter Single Sign-On for the first or an additional vCenter Server
Diagnostics
• Full suite of diagnostic / Troubleshooting tools
vCenter Server
[Diagram: three vCenter Servers, each with its own Web Client and Inventory Svc, authenticating against vCenter Single Sign-On 5.5 spanning SSO Site 1 and SSO Site 2]
27. 29
vCenter Single Sign-On 5.5 – Installation
Prerequisites
• Hostname has a FQDN and is DNS resolvable (forward/reverse)
• Joined to an Active Directory domain (most use cases)
• Windows 2008 x64 SP2 or higher (or use vCenter Appliance)
Installer contains several core components required for vCenter
Single Sign-On (STS, Admin server, Lookup Svcs & VMDir)
Installer Steps
1. Accept License agreement (EULA)
2. Prerequisite check summary
3. Edit default port number 7444 (if necessary)
4. Select Deployment placement
5. Provide Administrator@vSphere.local password
6. Provide a site name or select a previous site name
7. Edit destination directory (if necessary)
8. Summary
9. Installation Complete
Upgrading?
• The admin@system-domain account becomes an alias of administrator@vsphere.local
28. 30
Supports Upgrade of All vCenter 5.1 Configurations
Previous vCenter Single Sign-On 5.1 deployment models
• Fully Maintained via Upgrade
• Basic (Stand-alone or shared server)
• Single Sign-On High Availability
• Single Sign-On Multisite
New recommendations with vSphere 5.5
• Better use of new technology
• Single virtual machine for all vCenter components**
• Distributed virtual machines add complexity
• Availability
• Backup & Restore
• Easily migrate to new recommendations during upgrade
** Enterprise customers with 6 or more local vCenter servers can use a centralized instance
29. 31
Upgrading: What About 5.1 Configurations?
SSO
Architecture is unchanged
Supports
• Up to maximum scale
• All identity source types
No SSO database
SSO Basic Mode
30. 32
vCenter Single Sign-On High Availability (SSO HA)
[Diagram, vSphere 5.1: SSO Server (Primary) and SSO Server (HA Backup), each on a host or VM, behind a Load Balancer and sharing one Database]
[Diagram, vSphere 5.5: several SSO Servers, each on a host or VM, behind a Load Balancer]
SSO HA
Now supports active / active
• No loss of admin service
• vCenter restarts possible
More than two instances supported
Requires:
• Third Party Network Load Balancer
• Updating of certificates
• Reregistration of solutions
31. 33
vCenter Single Sign-On Multisite (Linked Mode)
[Diagram, previous model: New York, Los Angeles and Miami sites, each with vCenter Server, Web Client and Inventory Svc on local databases, one Primary SSO Server and Multi Site SSO Servers at the other sites]
[Diagram, vSphere 5.5: the same three sites, each with its own SSO Server, vCenter Server, Web Client and Inventory Svc]
Automatic Replication
• Identity Sources
• SSO Users/Groups/Policies
• Solutions
NOTE: When upgrading or deploying, make the "first server" selection only once to set up the authentication domain; otherwise you will end up with multiple duplicate vsphere.local domains.
32. 34
Types of Identity Sources
What is an identity source?
An external domain or repository of users and groups
Identity Sources supported with 5.5
1. Native Active Directory (Recommended)
• Uses Kerberos via machine account or SPN
2. Active Directory as an LDAP server
• This was done for backward compatibility to 5.1
• Not likely to be supported post 5.5
• Same limitations as in 5.1
3. OpenLDAP
4. LocalOS
• For Windows
Configuring your VC Server
When you configure your VC Server, make sure to set the VC Administrator as administrator@vsphere.local. DO NOT SET the VC Administrator to be a Local OS account.
33. 35
Backup / Restore / Availability
Backup / Restore
• Virtual Machine**
• Snapshot
• Tape / Disk
• vDP (now supports host level restore)
• Application (KB with GA)
• Registry Keys
• SSL Certificates (tcserver)
• Certificate server
• KDC
• VMDir (vdcbackup)
Availability of vCenter Single Sign-On server
• No different to vCenter
• Why? vCenter is the primary resident of the Single Sign-On server
• vSphere HA, vCenter Heartbeat
**Additional step required when multiple SSO instances are configured
34. 36
Diagnostics
vCenter Single Sign-On 5.5 Diagnostic Tools
Perform all administration and reconfiguration from the MMC Snap-in
• vCenter Single Sign-On services need to be running
KB to troubleshoot startup issues
Separate download
• So we can update independently and add exciting new features
35. 37
Replication
Built-in Replication
• Between each Single Sign-On server deployed in the same vSphere
authentication domain
Replication Partners
• Review / Add / Remove / Edit
Geographically Separated Single Sign-On sites
• Reduce overhead
• Provide Redundancy Links
36. 38
Certificates
SSL Automation tool
• Updated to support vSphere 5.5
• Command Line
Ability to Add / Remove certificates
• (MMC Snap-in)
37. 39
The log files provided by Single Sign-On include:
vminst.log: Single Sign-On installer log
vim-sso-msi.log: MSI installer verbose log for the Single Sign-On installation
vim_ssoreg.log: Single Sign-On Lookup Service log
exported_sso.properties: Endpoint information about each of the Single Sign-On solution users and identity sources extracted from the previous vCenter Single Sign-On 5.1.0 instance
vim-openssl-msi.log: MSI installer verbose log for the OpenSSL installation
vim-python-msi.log: MSI installer verbose log for the Python installation
vim-kfw-msi.log: MSI installer verbose log for the MIT Kerberos installation
Single Sign-On logs are grouped by component and purpose:
vmdird\vdcpromo.log: Promotion and demotion operation information for the Single Sign-On instance when joined to or removed from a linked configuration
vmdird\vdcsetupIdu.log: VMware Directory Service setup post-installation log containing information about the localhost name
vmdird\vmdir.log: Health reports for the VMware Directory Service and the Lotus VMDir database
vmkdcd\vmkdcd.log: Key Distribution Center (KDC) run-time log; reports port conflicts preventing the service from starting
vmware-sso\vmware-sts-idmd.log: VMware Identity Management service run-time log; time-stamped records of user attempts to access Single Sign-On for administrative purposes
vmware-sso\vmware-sts-idmd-perf.log: VMware Identity Management service performance counter log
vmware-sso\VMwareIdentityMgmtService.<date>.log: Commons Daemon log once the Identity Management Service has started
38. 40
Additional Information
Deprecated Functionality
• NIS Identity Source
• More than one default domain per Identity Provider
• SMTP configuration and notification for password expiration by mail
TCP Ports Used by SSO
• 2012 Control interface RPC for VMDirectory
• 88, 2013 Control interface RPC for the Kerberos
• 2014 RPC port for all VMCA APIs
• 7444 vCenter Single Sign On - HTTPS
• 11711 vCenter Single Sign On - LDAP
• 11712 vCenter Single Sign On - LDAPS
• 12721 VMware Identity Mgmt Service
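A pre-install check for two items from this deck, the installation prerequisite that the SSO host name is a FQDN resolving forward and reverse to itself, and the SSO TCP port list above. This is an added example, not VMware's tooling; the resolver and probe callables are injectable so the logic can be exercised offline, and the defaults use the standard library.

```python
import socket
from typing import Callable, Dict, List

# TCP ports used by vCenter Single Sign-On 5.5, as listed in the deck.
SSO_PORTS: Dict[int, str] = {
    88: "Kerberos", 2012: "VMDirectory control RPC", 2013: "Kerberos control RPC",
    2014: "VMCA RPC", 7444: "SSO HTTPS", 11711: "SSO LDAP",
    11712: "SSO LDAPS", 12721: "VMware Identity Mgmt Service",
}

def is_fqdn(name: str) -> bool:
    """At least two non-empty labels made only of letters, digits and hyphens."""
    labels = name.split(".")
    return len(labels) >= 2 and all(
        label and label.replace("-", "").isalnum() for label in labels)

def check_dns(fqdn: str, forward: Callable = socket.gethostbyname,
              reverse: Callable = socket.gethostbyaddr) -> List[str]:
    """Verify that fqdn resolves forward to an address whose reverse record
    names it again. Returns a list of problems; an empty list means it passed.
    forward(name) -> ip; reverse(ip) -> (name, aliases, ips), as the socket module does."""
    if not is_fqdn(fqdn):
        return [f"{fqdn!r} is not a fully qualified domain name"]
    try:
        ip = forward(fqdn)
    except OSError as exc:
        return [f"forward lookup of {fqdn!r} failed: {exc}"]
    try:
        rname, aliases, _ = reverse(ip)
    except OSError as exc:
        return [f"reverse lookup of {ip} failed: {exc}"]
    names = {n.lower() for n in (rname, *aliases)}
    if fqdn.lower() not in names:
        return [f"reverse lookup of {ip} returns {rname!r}, not {fqdn!r}"]
    return []

def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True when a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_ports(host: str, probe: Callable[[str, int], bool] = tcp_open) -> Dict[int, bool]:
    """Probe every SSO port on host; returns port -> reachable."""
    return {port: probe(host, port) for port in SSO_PORTS}
```

Run `check_dns(socket.getfqdn())` on the prospective SSO host before starting the installer, and `check_ports(<sso-host>)` from a vCenter or Web Client machine after installation to confirm nothing between them blocks the listed ports.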
40. 42
Single vCenter Server 5.5 Design Recommendation
[Diagram: one vCenter Server host or VM running vCenter Server, SSO Server, Web Client and Inventory Svc, with the VC Database]
Use Simple Installer
Installs / Upgrades core
components with a single
virtual machine
1. vCenter Single Sign-On
2. vSphere Web Client
3. vCenter Inventory Service
4. vCenter Server
No change to architecture
All services are local
• Reduced complexity
Supports 1-1000 Hosts /
1-10,000 Virtual Machines
41. 43
Multiple Remote vCenter Server Design Recommendation
By Default
• Each site is independent
• Does not provide a single pane of glass view
SSO automated replication
• SSO Users & Groups
• SSO Policies
• Identity sources
• Site awareness
Linked Mode
• Maintains single pane of glass
• Replicates licenses, permissions and roles
Availability
• vSphere HA
• vCenter Heartbeat
[Diagram: New York, Miami and Los Angeles (SSO Site 1, 2 and 3), each with vCenter Server, Web Client, Inventory Svc and an SSO Server, forming a single SSO authentication domain, vsphere.local]
42. 44
Multiple Local vCenter Server 5.5 Design Recommendations
A Datacenter with more than 5 vCenter Servers
Centralized SSO authentication
• Same Physical location
Single Centralized vSphere Web Client
Availability (Required)
• vSphere HA
• vCenter Heartbeat
• Network Load Balancer
[Diagram: a central SSO Server and Web Client; vCenter Server 1 (vCenter Server 5.1 with Inventory Svc), vCenter Server 2 and vCenter Server 3 (vCenter Server 5.5 with Inventory Svc); a Database Server holding VCDB1, VCDB2, VCDB3]
Backwards compatible to vCenter Server 5.1