Embedded Platform Service Controller All services bundled with the Platform Services Controller are deployed on the same virtual machine or physical server as vCenter Server.
External Platform Service Controller The services bundled with the Platform Services Controller and vCenter Server are deployed on different virtual machines or physical servers.
You cannot switch the models after deployment, which means that after you deploy vCenter Server with an embedded Platform Services Controller, you cannot switch to vCenter Server with an external Platform Services Controller, and the reverse.
An external PSC can provide services to both vCenter on Windows and the vCenter Server Appliance (VCSA).
The default single sign-on domain is vsphere.local. This can be changed during the PSC installation.
The default single sign-on administrator user is administrator. The default administrator user cannot be changed during installation.
Enhanced Linked Mode connects multiple vCenter Server systems together by using one or more Platform Services Controllers. <- New in vSphere 6
Enhanced Linked Mode supports linking vCenter on Windows and vCenter Server Appliance (VCSA).
Enhanced Linked Mode allow you to view, search, and manage across all linked vCenter systems. Roles, permissions, licensing, policies, and tags are replicated between all linked vCenter systems.
Enhanced Linked Mode requires External PSC deployment.
By default the VMware Certificate Authority (VMCA) provisions each ESXi host with a signed certificate that has VMCA as the root certificate authority.
Certificates for vCenter Server and the vCenter Server services are stored in the VMware Endpoint Certificate Store (VECS).
The VMCA root certificate expires after ten years by default. All certificates that VMCA signs expire when the root certificate expires.
When upgrading from earlier versions of vSphere the self-signed certificates are replaced with certificates signed by the VMCA.
ESXi Certificate Replacement Modes
VMware Certificate Authority mode – this is the default. VMCA issues certificates to hosts.
Custom Certificate Authority mode Manually update and use certificates not signed or issued by the VMCA.
Thumbprint mode Retain 5.5 certificates.
View ESXi SSL Thumbprint in the DCUI from the View Support Information menu.
Certificate replacement mode set using the vpxd.certmgmt.mode vCenter server advanced setting to vmca, custom, or thumbprint.
Understanding Certificate Mode Switches in the vSphere Security Guide on page 140.
Viewing Certificates in the Web Client -> Home -> System Configuration -> Nodes -> Node -> Manage -> Certificate Authority
In the Web Clinet you can view Active Certificates, Revoked Certificates, Expired Certificates, and Root Certificates.
– Enable/Disable Single Sign-On (SSO)
vCenter Single Sign-On is part of the Platform Services Controller (PSC).
Understanding vCenter Single Sign-On in the vSphere Security Guide on page 20.
vCenter Single Sign-On allows vSphere components and services to communicate with each other through a secure token mechanism.
Single Sign-On configuration using the Web Client -> Administration -> Single Sign-On -> Configuration -> Policies
Password Policy
Lockout Policy
Token Policy
– Identify available authentication methods with VMware vCenter
Single Sign-On Identity Sources are configured using the Web Client -> Administration -> Single Sign-On -> Configuration -> Identity Sources
SSO Identity Sources:
Active Directory Integrated
Active Directory LDAP
OpenLDAP
localos
vCenter Single Sign-On can authenticate users from its own internal users and groups, or it can connect to trusted external directory services such as Microsoft Active Directory.
