As a system administrator at ACME Corporation who deploys a wide range of vCloud Suite components, you must deploy vCenter Single Sign-On to provide simple and secure authentication.

In this scenario, you deploy the VMware-recommended highly available option: two vCenter Single Sign-On instances placed behind an industry-standard network load balancer. This deployment gives you a validated, enterprise-ready design that distributes the authentication load generated by multiple vCloud Suite products across both instances.

Deployment Configuration

In your data center, you deploy vCenter Single Sign-On as a pair of SSO sites placed behind an industry-standard network load balancer. A fully qualified domain name that resolves to the load balancer's virtual IP fronts all registrations with vCenter Single Sign-On and serves as the single authentication endpoint. The load balancers in this scenario are also available as virtual appliances, so the whole deployment can be virtualized.

A centralized Single Sign-On solution has multiple benefits.

A shared and standardized authentication service for multiple products.

An authentication process with fewer components, which reduces resource requirements and footprint.

Reduced dependency on other Single Sign-On solutions.

Placing your SSO servers behind a network load balancer provides several additional benefits.

Distribution of authentication requests and workload across the SSO servers.

Continued authentication availability if one vCenter Single Sign-On server becomes unavailable.

The ability to add authentication capacity by adding more Single Sign-On servers to the load-balanced pool.

Required vCloud Suite Components for This Scenario

vCloud Suite component | Version | Description
ESXi | 5.5 Update 2 | The VMware bare-metal hypervisor that lets you run a virtualized environment.
vCenter Server | 5.5 Update 2 | vCenter Single Sign-On is installed from the vCenter Server installer.

Optional vCloud Suite Components for This Scenario

vCloud Suite component | Version | Description
vSphere Data Protection | 5.8 | Provides advanced data protection with backup and recovery to disk through the VMware vSphere with Operations Management Data Protection features.
vCloud Automation Center | 6.1 | Provides functionality for deploying and provisioning business-relevant cloud services across private and public clouds, physical infrastructure, hypervisors, and public cloud providers.
vCenter Orchestrator | 5.5.2.1 | Provides the capability to create workflows that automate activities such as provisioning virtual machines, performing scheduled maintenance, initiating backups, and many others.

Required Scenario Environment Details

Object | Host Name | FQDN | IP Address | Description
Load balancer | SSO | sso.acme.local | 192.168.110.40 | Industry-standard load balancer.
SSO Server A | SSO1 | sso1.acme.local | 192.168.110.41 | Microsoft Windows Server 2012 R2 virtual machine on which you install vCenter Single Sign-On.
SSO Server B | SSO2 | sso2.acme.local | 192.168.110.42 | Microsoft Windows Server 2012 R2 virtual machine on which you install vCenter Single Sign-On.
vCenter Server | VC | vc.acme.local | 192.168.110.45 | Microsoft Windows Server 2012 R2 virtual machine on which you install vCenter Server. You also register the load balancer with this vCenter Server instance.
Active Directory | CONTROLCENTER | controlcenter.acme.local | 192.168.110.10 | Microsoft Windows Server 2012 R2 with Active Directory Domain Services and the Certification Authority role service installed. You use the CA to issue the signed certificates that are needed for the trusted connection between the load balancer and the SSO servers.

Optional Scenario Environment Details

Object | Host Name | FQDN | IP Address | Description
vSphere Data Protection VM | VDP | vdp.acme.local | 192.168.110.46 | vSphere Data Protection appliance VM.
vCloud Automation Center instance | VCAC | vcac.acme.local | 192.168.110.47 | vCloud Automation Center appliance VM.
vCenter Orchestrator instance | VCO | vco.acme.local | 192.168.110.48 | vCenter Orchestrator instance. You can choose between a standalone Windows installation and a virtual appliance deployment.

Load Balancers in This Scenario

Load Balancer | Version | Description
VMware NSX™ with VMware NSX Edge™ | 6.1.1 | VMware NSX is a software networking and security virtualization platform that delivers the operational model of a virtual machine for the network. NSX Edge provides network edge security and gateway services to isolate a virtualized network.
F5 BIG-IP with Local Traffic Manager | 11.6.0 | F5 BIG-IP provides intelligent traffic management.
VMware vCloud® Networking and Security Edge™ | 5.5.3.1 | VMware vCloud Networking and Security Edge provides firewall protection, traffic analysis, and network perimeter services to protect your vCenter Server virtual infrastructure.

Additional Required Software for Download

Object | Description
Win32OpenSSL software version 0.9.8zc | Win32OpenSSL is used to generate the certificate requests. Version 0.9.8zc is required to complete this scenario successfully. Note that the OpenSSL 0.9.8 branch reached end of life at the end of 2015; use it only on an administrative host to prepare the key and request, not as a runtime TLS library.
Microsoft Visual C++ 2008 Redistributable Package (32-bit) | OpenSSL depends on this software package.
JXplorer | JXplorer is used to connect over LDAP to the second vCenter Single Sign-On server and remove the attributes that are not needed when a load balancer is used.
Java Runtime Environment | JXplorer depends on this software package.
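The following script is an added example and is not part of the original scenario or of VMware's tooling. It shows the certificate request step that this scenario performs with Win32OpenSSL: it writes an OpenSSL request configuration whose common name is the load balancer FQDN and whose subjectAltName also lists both SSO node FQDNs and the virtual IP, then generates the private key and the CSR that you submit to the Microsoft CA. The host names and addresses are taken from the scenario tables; the distinguished-name fields, the key usage extensions, and the choice to include the node names in the SAN are this example's assumptions, and the script is written for a POSIX shell rather than the Windows command prompt (the configuration file and the openssl invocations are the same with Win32OpenSSL).

```shell
#!/bin/sh
# Added example (not VMware's script): build the OpenSSL request configuration
# for the load-balanced vCenter Single Sign-On endpoint and generate key + CSR.
# Names and addresses come from the scenario tables; DN fields and extensions
# are assumptions of this example.

VIP_FQDN="sso.acme.local"
NODE_FQDNS="sso1.acme.local sso2.acme.local"
VIP_ADDR="192.168.110.40"

# Emit the openssl req configuration on stdout. The CN is the FQDN clients
# connect to (the load balancer). The node FQDNs and the VIP go into
# subjectAltName so the one certificate, installed on both nodes, also
# validates when a client or the load balancer health check reaches a node
# directly by its own name.
sso_req_cnf() {
    cat <<EOF
[ req ]
default_bits       = 2048
default_md         = sha256
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no

[ req_distinguished_name ]
C  = US
O  = ACME Corporation
OU = vCenter Single Sign-On
CN = ${VIP_FQDN}

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = ${VIP_FQDN}
EOF
    i=2
    for n in ${NODE_FQDNS}; do
        echo "DNS.${i} = ${n}"
        i=$((i + 1))
    done
    echo "IP.1 = ${VIP_ADDR}"
}

# Generate the RSA key and the CSR in the given directory (default: cwd).
# sso.csr is what you submit to the Microsoft CA; sso.key never leaves the
# SSO servers. The final openssl call prints the SAN so you can confirm the
# names made it into the request before sending it to the CA.
sso_gen_csr() {
    outdir="${1:-.}"
    sso_req_cnf > "${outdir}/sso.cnf"
    openssl genrsa -out "${outdir}/sso.key" 2048
    openssl req -new -config "${outdir}/sso.cnf" \
        -key "${outdir}/sso.key" -out "${outdir}/sso.csr"
    openssl req -in "${outdir}/sso.csr" -noout -text | grep -A1 'Subject Alternative Name'
}

# Self-check helper: number of SAN entries in the generated configuration
# (one VIP name, two node names, one VIP address = 4).
sso_san_count() {
    sso_req_cnf | grep -c -E '^(DNS|IP)\.[0-9]+ ='
}
```

Run `sso_gen_csr /path/to/workdir` on the first SSO server; after the CA returns the signed certificate, the same key and certificate are copied to the second node, which is why the request must cover every name either node will be reached by.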

Single Sign-On Deployment Workflow
1. Before you proceed with the vCenter Single Sign-On installation, install the required software on the SSO Server A and SSO Server B virtual machines.

2. With all the software that vCenter Single Sign-On needs installed, proceed with the installation of the first vCenter Single Sign-On instance on SSO Server A.

3. With the first vCenter Single Sign-On instance installed, proceed with the installation of the second SSO server and pair it with the first so that the two work in high availability mode.

4. After you have installed both vCenter Single Sign-On servers, update their certificates to reflect the load balancer entry point. You use OpenSSL to prepare the request and the Microsoft certificate authority (CA), as the trusted root authority, to issue the signed certificate.

5. After you have generated the signed certificate, configure the first vCenter Single Sign-On server to use it.

6. After you have configured the first vCenter Single Sign-On server, copy the certificate files to the second vCenter Single Sign-On server and reconfigure that server to use them, so that both nodes present the same certificate.

7. After both vCenter Single Sign-On servers are installed and configured, install a vCenter Server that will later be paired with your load balancer.

8. After you have configured both SSO servers, configure the load balancer to distribute the load across the SSO servers.

9. After you have deployed and configured all nodes, test your highly available vCenter Single Sign-On deployment.

10. When the load balancer is fully configured as the entry point for all requests to vCenter Single Sign-On, configure the other vCloud Suite products to use the virtual IP of the load balancer as their SSO endpoint.
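As an added example that is not part of the original scenario or of VMware's tooling, the following Python script is one way to carry out the test step of the workflow from an administrative host. It opens a TLS connection to the load balancer virtual IP and to each SSO node, retrieves the certificate each presents, and reports which of the expected names (the load balancer FQDN and both node FQDNs) the certificate does not cover, and whether both nodes present the same certificate, which is the outcome the certificate steps of the workflow are meant to produce. The host names and addresses are from the scenario tables; the port 7444 (the vCenter Single Sign-On 5.5 HTTPS port) and the CA bundle path are assumptions of this example.

```python
"""Added example (not VMware's code): verify the load-balanced vCenter SSO endpoint.

Assumptions: vCenter Single Sign-On listens on TCP 7444 (SSO 5.5 HTTPS port),
the CA bundle path is a placeholder, and names/addresses come from the scenario.
"""
import socket
import ssl

SSO_PORT = 7444  # assumption: vCenter Single Sign-On 5.5 HTTPS port
VIP_FQDN = "sso.acme.local"
VIP_ADDR = "192.168.110.40"
NODES = {"sso1.acme.local": "192.168.110.41", "sso2.acme.local": "192.168.110.42"}
EXPECTED_NAMES = {VIP_FQDN, *NODES}


def cert_names(peercert):
    """Names a certificate is valid for, from a dict as returned by getpeercert().

    Per RFC 6125 the subjectAltName is authoritative; the subject CN is only
    consulted when the certificate carries no SAN at all.
    """
    san = peercert.get("subjectAltName", ())
    names = {value for kind, value in san if kind in ("DNS", "IP Address")}
    if not san:
        for rdn in peercert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.add(value)
    return names


def missing_names(peercert, expected=EXPECTED_NAMES):
    """Expected names for which this certificate would fail hostname validation."""
    return sorted(set(expected) - cert_names(peercert))


def same_certificate(serials):
    """True when every node that answered presented one and the same certificate."""
    return len(set(serials.values())) <= 1


def fetch_peercert(address, server_hostname, cafile):
    """TLS handshake to address, validating the chain and the given hostname."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((address, SSO_PORT), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_hostname) as tls:
            return tls.getpeercert()


def check_deployment(cafile, vip_addr=VIP_ADDR):
    """Probe the VIP and both nodes.

    Returns (problems, serials): problems maps each target name to a list of
    uncovered names or a handshake error; serials maps each node to the serial
    number of the certificate it presented.
    """
    problems, serials = {}, {}
    targets = {VIP_FQDN: vip_addr, **NODES}
    for name, addr in targets.items():
        try:
            cert = fetch_peercert(addr, name, cafile)
        except (ssl.SSLError, OSError) as exc:
            problems[name] = [f"TLS handshake to {addr} failed: {exc}"]
            continue
        problems[name] = missing_names(cert)
        if name in NODES:
            serials[name] = cert.get("serialNumber")
    return problems, serials


if __name__ == "__main__":
    # Placeholder path to the exported Microsoft CA root certificate (assumption).
    found, node_serials = check_deployment("controlcenter-ca.pem")
    for target, issues in found.items():
        print(f"{target}: {'OK' if not issues else issues}")
    print("both nodes present the same certificate:", same_certificate(node_serials))
```

A clean run reports no uncovered names for the VIP or either node and `True` for the shared-certificate check; a node reporting its sibling's name as uncovered means the certificate files were not copied to it, and a handshake failure against the VIP with clean node results points at the load balancer configuration rather than at SSO.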