vCenter SSO–High Availability Overview

You can configure vCenter Single Sign On for High Availability (HA) by installing two nodes in HA mode and putting them behind load balancing software. In HA mode, both the nodes work with the same database, use the same data, and have the same user stores.

 


 

1. SSO.PREETAM.COM acts as the load balancer.

2. SSO1.PREETAM.COM acts as the primary node.

3. SSO3.PREETAM.COM acts as the backup/secondary node and is joined to the primary node using the High Availability option shown below.

4. SSODB.PREETAM.COM hosts the database for the SSO server.

For the High Availability solution to work seamlessly, you must configure the load balancer.

vCenter SSO Installation Options

Below are the various options you see while installing vCenter SSO. In vSphere 5.1, vCenter Single Sign On (SSO) can be deployed in three modes: Basic, HA, or Multisite. HA mode can utilize a load balancer to increase the availability of the service.

If you want to create a High Availability or Multisite vCenter SSO deployment in the future, you must select the Primary Node option as shown below and discussed above.


6 thoughts on “vCenter SSO–High Availability Overview”

  1. Hi,

    I have configured 2 SSO nodes and a LB in front of them.
    I am able to listServices on both nodes with URLs
    1. https://ssoa.domain.com:7444/lookupservice/sdk
    2. https://ssoha.domain.com:7444/lookupservice/sdk where ssoha.domain.com is going to VirtualServer on LB.

    I have replaced the root-trust.jks on SSOA node using
    ssocli configure-riat -a configure-ssl --keystore-file C:\ProgramData\VMware\SingleSignOn\SSL\root-trust.jks --keystore-password testpassword

    Do I need to replace root-trust.jks on SSOB as well?
    If yes, do I have to use the same root-trust.jks file as I used on SSOA?
    I don't think I can use the same, because it was baked using SSOA certificate.

    What do you think?

    1. The same certificate cannot be used for sure, as certificates are identified by FQDN? Are you using a self-signed certificate? Where have you copied the root-trust.jks certificate from? If it is coming from the load balancer, it should work.

  2. I'm using an internal Enterprise Root CA.
    I generated the root-trust.jks file for both nodes by providing the certificates created for the individual nodes.

    Until I updated root-trust.jks on Node 2, both nodes were able to listServices for both URLs that I mentioned before.
    Once I updated, Node 1 is able to listServices, but Node 2 is throwing error 100 on both URLs. i.e.,
    https://ssob.domain.com:7444……
    https://ssoha.domain.com:7444…..
    And the strangest thing is that there is no log for incoming traffic on the LB from Node 2!
    But if I try to browse https://ssob.domain.com:7444/lookupservice/sdk or https://ssoha.domain.com:7444/lookupservice/sdk, I am able to connect to the URL, and the SSL used by the browser is perfect.
    For ssob.domain.com I am getting the ssob cert, and for ssoha I am getting the ssoha cert, which is installed on the LB.

    1. As long as the certificates have the right hostname, they are valid. So the certificate is not a problem here. Please copy the certificate for node-b there as well. When I chose to blog, I found that except for KB:2034157 there is no information on load balancers from VMware, and enabling certificates makes it more challenging.
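
The hostname point raised in the last reply can be checked per endpoint. This is an added example, not part of the original post or its comments: it takes certificate dictionaries in the shape returned by Python's `ssl.SSLSocket.getpeercert()` and reports whether each name clients connect to (the two node names and the load balancer name used in the thread) is covered by the certificate presented there. The certificate data and the function names are constructed for illustration.

```python
# Added example: the sample certificates are constructed, not from the thread's environment.

def cert_names(cert):
    """Return the DNS names a certificate asserts: SAN dNSName entries, else the subject CN."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # when SAN dNSName entries exist, the CN is ignored (RFC 6125)
    return [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Exact match, or a wildcard that replaces only the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def audit(endpoints):
    """Map each hostname clients use to True/False: does the presented cert cover it?"""
    return {host: any(name_matches(n, host) for n in cert_names(cert))
            for host, cert in endpoints.items()}

def _cert(name):
    # Constructed certificate dict in the shape returned by getpeercert().
    return {"subject": ((("commonName", name),),), "subjectAltName": (("DNS", name),)}

# Each endpoint presents a certificate issued for its own name.
SAMPLE = {h: _cert(h) for h in ("ssoa.domain.com", "ssob.domain.com", "ssoha.domain.com")}
# Misconfiguration case: node A's certificate answering on the load balancer name.
REUSED = dict(SAMPLE, **{"ssoha.domain.com": SAMPLE["ssoa.domain.com"]})

if __name__ == "__main__":
    for label, data in (("per-endpoint certs", SAMPLE), ("node cert on LB name", REUSED)):
        for host, ok in audit(data).items():
            print(f"{label:22} {host:18} {'match' if ok else 'MISMATCH'}")
```

Against live endpoints, the same `audit` function can be fed the dictionaries obtained from `getpeercert()` on a verified TLS connection to each name on port 7444.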
