Automatic replication of data between Single Sign-On sites is not supported in a multisite deployment. After you install or make a change to one of the Single Sign-On instances, you must perform a manual data export and import operation with a command-line tool.

The data to replicate includes local users and groups and the configuration of the STS server. Because this data rarely changes, you can schedule replications once a day or week, as appropriate. For specific instructions about manually replicating data between servers in a multisite Single Sign-On deployment, see the vSphere Security documentation.

These steps represent an accumulative change replication. Changes to one node are transported only to the node where the next changes will occur. After the last planned change is done, changes have been propagated to all nodes.

Alternatively, you can execute the replication sequentially. After a change in one node occurs, replicate it to all other nodes before making a change on any other node. During setup of the virtual infrastructure on each site, the better practice is to use the accumulative approach, which needs fewer steps, as the changes are planned and executed in a relatively short time span. For regular, ongoing operations, use the sequential approach.

Caution

To ensure that data remains in sync during the manual replication process, do not make any changes to the data to be replicated, for example adding or deleting identity sources or local users.

This procedure completely overrides the state of the target node. You must perform manual transport of replication data sequentially. This means that changes on a node are propagated to all other nodes in the deployment before changes occur on any other nodes.

Verify that you have vCenter Single Sign-On administrator privileges on the vCenter Single Sign-On systems where you export or import the replication data.

Install vCenter Single Sign-On and vCenter Inventory Service for each site in the multisite configuration before vCenter Server is installed.

1. Install vCenter Server in the first site.

2. Export the Single Sign-On data from the first site and copy it to the second site.

a. Change to the directory Single Sign-On install path\sso-replication-cli.

The default location is C:\Program Files\VMware\Infrastructure\SSOServer\sso-replication-cli\.

b. Run repl_tool.cmd with the following parameters to export the replication state file.

repl_tool.cmd export -ffilename to use -uSingle Sign-On administrator user

Note

There is no space after the -f or -u switches.

For example, to export to a file named ssoexport.db into an existing directory named c:\ssobackup, run the following command:

repl_tool.cmd export -fc:\ssobackup\ssoexport.db -uadmin@System-Domain

Note

The command does not create a directory called ssobackup. If the target directory does not exist, you must create it before running the command, by using the mkdir command.

c. Enter the password for the Single Sign-On administrator account admin@System-Domain.

d. The dialog Start executing full data export appears. When the file is successfully exported, the word Done should appear.

Note

If an error message appears about JAVA_HOME not being set, set the JAVA_HOME variable to the VMware jre folder, and run the command again. The default location is C:\Program Files\VMware\Infrastructure\jre. For example, to set the JAVA_HOME variable to the default VMware jre folder location, run the following command:

SET JAVA_HOME=C:\Program Files\VMware\Infrastructure\jre

3. Import the Single Sign-On data to the second site.

a. Log in to the vCenter Single Sign-On system where you will apply the change.

b. Change to the directory Single Sign-On install path\sso-replication-cli.

The default location is C:\Program Files\VMware\Infrastructure\SSOServer\sso-replication-cli\.

c. Run repl_tool.cmd with the following parameters to import the replication state file.

repl_tool.cmd import -ffile -uSingle Sign-On administrator user [-ppassword]

For example, to import a file named ssoexport.db, located in the c:\ssobackup directory, run the following command:

repl_tool.cmd import -fc:\ssobackup\ssoexport.db -uadmin@System-Domain

d. Enter the password for the Single Sign-On administrator account admin@System-Domain.

e. The dialog Start executing full data import appears. When the file is successfully imported, the word Done should appear.

4. Install vCenter Server in the second site.

5. Following the procedure in Step 2 and Step 3, export the Single Sign-On data from the second site and import it to the third site.

6. Repeat the procedure in Step 4 and Step 5 for each succeeding site in the multisite configuration.

Single Sign-On data has been propagated to all nodes.
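As an added example that is not part of the VMware documentation, the following PowerShell script wraps the export (Step 2) and import (Step 3) commands from the procedure above. It sets JAVA_HOME when it is missing, creates the target directory that repl_tool.cmd will not create, passes the -f and -u switches without a space exactly as the page shows, and checks the tool output for the word Done. The default paths are the ones stated on this page; the directory name C:\ssobackup, the file name ssoexport.db and the function names are assumptions chosen for the example.

```powershell
# Added example, not VMware's code: a PowerShell wrapper around the repl_tool.cmd
# export and import steps. Directory and file names below are assumptions;
# change them to match your deployment.

$SsoCliDir = 'C:\Program Files\VMware\Infrastructure\SSOServer\sso-replication-cli'
$JreDir    = 'C:\Program Files\VMware\Infrastructure\jre'
$SsoAdmin  = 'admin@System-Domain'

function Invoke-ReplTool {
    # Runs repl_tool.cmd from its own directory and returns the tool's output lines.
    # $ToolArgs holds the export/import switches as the page shows them:
    # no space between -f / -u / -p and their values.
    param([string[]]$ToolArgs)

    # repl_tool.cmd fails if JAVA_HOME is unset; point it at the VMware jre folder.
    if (-not $env:JAVA_HOME) { $env:JAVA_HOME = $JreDir }

    Push-Location -LiteralPath $SsoCliDir
    try {
        # Tee-Object keeps the tool's prompts (including the password prompt)
        # visible on the console while also capturing the lines for the check below.
        & .\repl_tool.cmd @ToolArgs 2>&1 | Tee-Object -Variable lines | Out-Host
    } finally {
        Pop-Location
    }
    return $lines
}

function Export-SsoReplication {
    param(
        [string]$ExportDir  = 'C:\ssobackup',   # assumed; the tool will not create it
        [string]$ExportFile = 'ssoexport.db'    # assumed file name
    )
    if (-not (Test-Path -LiteralPath $ExportDir)) {
        New-Item -ItemType Directory -Path $ExportDir | Out-Null
    }
    $target = Join-Path $ExportDir $ExportFile
    $lines  = Invoke-ReplTool -ToolArgs @('export', "-f$target", "-u$SsoAdmin")

    # The page says the word Done appears on success; treat anything else as failure.
    if (($lines -match 'Done') -and (Test-Path -LiteralPath $target)) {
        return $target
    }
    throw "Export did not report Done; review the tool output above."
}

function Import-SsoReplication {
    param(
        [Parameter(Mandatory)][string]$ImportFile,
        # Optional. Omit it to be prompted interactively, which keeps the password
        # out of the process command line and out of shell history.
        [string]$Password
    )
    if (-not (Test-Path -LiteralPath $ImportFile)) {
        throw "Replication file not found: $ImportFile"
    }
    $toolArgs = @('import', "-f$ImportFile", "-u$SsoAdmin")
    if ($Password) { $toolArgs += "-p$Password" }

    $lines = Invoke-ReplTool -ToolArgs $toolArgs
    if ($lines -match 'Done') { return $true }
    throw "Import did not report Done; review the tool output above."
}

# Usage on the first site (Step 2); the tool prompts for the administrator password.
# $file = Export-SsoReplication
# Copy $file to the second site, then on that site run (Step 3):
# Import-SsoReplication -ImportFile 'C:\ssobackup\ssoexport.db'
```

Because the import completely overrides the state of the target node, run the import only after verifying that the export reported Done and that no identity sources or local users were changed on any site in between, as the Caution above requires.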