STOP! It's dangerous to upgrade to VMware 6.5 alone. Read this
Please don't be like the admin who failed to update PSC first
At a client site recently, we had to investigate why an upgrade from VMware vSphere 6.0 to 6.5 had gone wrong, leaving the normally rock-solid environment a bit ill, to say the least.
On-site conversation ran something along the lines of:
“Webservices say: ‘No’.”
Cue PSC reboots, vCenter reboots and increasingly desperate measures. The service limped along like a one-legged frog with a hangover. It was one of those issues where nobody really understood why. It was a simple upgrade, right? VMware support were engaged. Even level-three support were a bit unsure and a lot of “WTF” was exhaled. Finally, the whole tale was unravelled after the admin in question was quizzed about how he had performed the upgrade.
He had upgraded the environment without upgrading the PSC first, essentially pulling the security foundation from underneath while it was running. It took VMware’s best several days to fix. During that time the weirdness varied. Some people could get work done, then not.
Software is becoming ever more complex in order to provide new experiences, doubly so for the cloud. Unfortunately, complexity also makes upgrades a bit more difficult. Being a VMware admin and knowing VMware well, I thought it time to speak up and help those who are behind the curve to understand the process of upgrading to the all-singing, all-dancing, PSC-enabled world of VMware 6.5. I hope this will also serve as a bit of a template for upgrading VMware infrastructure.
With version 5.5 of vSphere came PSC or Platform Services Controller. PSC allows the linking of many vCenters without many of the limitations from earlier versions (i.e. linked mode).
One of the key jobs of the PSC is to act as a reverse proxy and single sign-on (SSO) infrastructure for vSphere authentication. Everything under one piece of glass. As a side note, all this refers to version 5.5 onwards. If for some crazy reason you are running older than 5.5, it means that:
- Little of this applies to you (a different PSC style was installed at that point, back in the day)
- You seriously need to upgrade. Spectre/Meltdown patches only go back as far as 5.5 for one
- Expect to pay a large chunk of cash for the upgrade licences
By default, vSphere 6.5 comes with its own local authentication system to manage the vSphere environment. It is hosted on the PSC, but can be (and almost always is) superseded by Active Directory integration that is turned on shortly after. The PSC can handle multiple authentication systems and supports all the commonly used ones (AD, LDAP, local account). VMware didn’t put PSC in there just for laughs. It is a modern, expandable authentication system and should be treated as such. It provides a key part of their cloud-supporting infrastructure. Before the administrator attempts the upgrade, the PSC upgrade needs to be handled with care.
Admins who have only one site can stop reading now, as they have swerved the complexity by having only one PSC. This means the upgrade becomes a simple affair, and the upgrade scenario is included in the out-of-the-box upgrade.
For the rest of us, here is what you need to do.