A colleague of mine recently attended the NYC VMUG event held on April 10 which featured Justin King @vCenterGuy. Brandon Henriquez assembled a nice write-up and wanted to share it with everyone. This should help people understand the new 5.1 SSO feature set a little more.
Earlier this week, I went to my first VMware User Group meeting at the New York Times Building near Port Authority. Allow me to briefly describe the building…It’s AWESOME. The exterior architecture, the interior design, and general layout of the building have a very modern and elegant feel. I should point out that after exiting the elevator I did quickly get lost attempting to find the actual meeting, but I located another VMUG member and, with our powers combined, we found the main conference room and, slightly more importantly, the food.
Enough about my initial foray into the building, it’s time to get to the meat and potatoes of my visit: VMware vCenter Server 5.1. The illustrious vCenter Guru, Justin King (of course his name was Justin), was the main speaker for the meeting, and he is considered a widely renowned and respected resource for the VMware community. He came to discuss the changes in VMware vCenter Server 5.1 and primarily discussed vCenter Single Sign On Server (SSO). vCenter is being developed as a framework of common services, one of those being SSO.
SSO creates an authentication domain that users are authenticated through in order to access available resources. This gives you the functionality of not having to log in to multiple vCenter and vSphere servers separately with separate credentials, similar to the Single Sign On application Microsoft uses for its BPOS suite. SSO allows you to have multiple Active Directories attached as well as OpenLDAP, allowing you to move across different domains freely. SSO works by providing Secure Token Exchange (SAML 2.0). After logging in through the web client a token is issued, which is then authenticated through whichever Active Directory/OpenLDAP accounts have the proper permissions (it should be noted that you can create an SSO user and give it admin rights, which would be similar to having the root user in vSphere). Once approved, the token is issued back to the web client and access is given to all the appropriate vCenter and vSphere servers.
There are some limitations and requirements to SSO, such as it should be the first VMware installation when setting up vCenter. It also requires its own database, which preferably should be on its own server (you can technically use this database server for the vCenter server database as well). Linked mode would no longer be required for unified views of local vCenter servers; however, it would still be required for sharing permissions, roles and licenses. Lastly, SSO should not be configured for use over a WAN without some assistance from VMware support, and even then it’s not the “best solution.” Since SSO is consistently reaching out to Active Directory and OpenLDAP for authentication, if the WAN were to drop, you would be left without a way to access the SSO (unless you have an SSO-specific user configured). In addition, you may lose the ability to access the SSO altogether.
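To make the token flow in the two paragraphs above concrete, here is a small model of it as an added example. This is illustrative code written for this write-up, not VMware’s SSO implementation or anything Justin showed: a web client logs in once at a token service, the service checks the credentials against whichever identity source owns the user’s domain, issues a signed and time-limited token, and each vCenter instance accepts that token without a second login. It also reproduces the WAN-drop failure mode, where an unreachable directory blocks its users but a local SSO-domain admin still gets in. Assumptions: the real product issues SAML 2.0 assertions signed with an X.509 key pair; this model uses HMAC-SHA256 with a key pre-shared between the token service and the vCenters. The domain names, users, passwords and vCenter names are all constructed sample data.

```python
"""Toy model of a vCenter-5.1-style Single Sign On flow (added illustration,
not VMware code). HMAC with a shared key stands in for the product's signed
SAML 2.0 assertions; all names and credentials below are constructed."""
import base64
import hashlib
import hmac
import json
import time


class IdentitySourceUnavailable(Exception):
    """Raised when the directory backing a domain cannot be contacted."""


class IdentitySource:
    """A directory (AD, OpenLDAP or the local SSO domain) keyed by domain name."""

    def __init__(self, domain, users, reachable=True):
        self.domain = domain
        self.users = users          # user -> (password, set of roles); constructed data
        self.reachable = reachable  # flip to False to simulate the WAN link dropping

    def authenticate(self, user, password):
        if not self.reachable:
            raise IdentitySourceUnavailable(self.domain)
        entry = self.users.get(user)
        if entry is None or not hmac.compare_digest(entry[0], password):
            return None
        return entry[1]


class TokenService:
    """The SSO server: one login, one token, many relying parties."""

    def __init__(self, signing_key, sources, lifetime=300):
        self.key = signing_key
        self.sources = {s.domain: s for s in sources}
        self.lifetime = lifetime  # token lifetime in seconds

    def login(self, principal, password, now=None):
        """principal is 'user@DOMAIN'; returns a signed token string or None.
        Raises IdentitySourceUnavailable if the owning directory is down."""
        user, _, domain = principal.rpartition("@")
        source = self.sources.get(domain)
        if source is None:
            return None
        roles = source.authenticate(user, password)
        if roles is None:
            return None
        now = time.time() if now is None else now
        body = json.dumps({"sub": principal, "roles": sorted(roles),
                           "iat": now, "exp": now + self.lifetime},
                          sort_keys=True).encode()
        sig = hmac.new(self.key, body, hashlib.sha256).digest()
        return (base64.urlsafe_b64encode(body).decode() + "."
                + base64.urlsafe_b64encode(sig).decode())


class VCenter:
    """A relying party: trusts tokens signed with the shared key and nothing else."""

    def __init__(self, name, signing_key):
        self.name = name
        self.key = signing_key

    def accept(self, token, now=None):
        """Return the token's claims if signature and lifetime check out, else None."""
        try:
            body_b64, sig_b64 = token.split(".")
            body = base64.urlsafe_b64decode(body_b64)
            sig = base64.urlsafe_b64decode(sig_b64)
        except (ValueError, TypeError):
            return None
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(body)
        now = time.time() if now is None else now
        if now >= claims["exp"]:
            return None
        return claims


# Constructed sample deployment: a local SSO admin plus one AD domain reached over the WAN.
KEY = b"shared-sts-signing-key"  # assumption: pre-shared between token service and vCenters
LOCAL = IdentitySource("System-Domain", {"admin": ("sso-pass", {"Administrator"})})
AD = IdentitySource("CORP", {"alice": ("alice-pass", {"VM Operator"})})
STS = TokenService(KEY, [LOCAL, AD])
VC_NY, VC_LA = VCenter("vc-ny", KEY), VCenter("vc-la", KEY)


def demo():
    """Walk the flow: one login works at both vCenters; a WAN drop hits AD users only."""
    tok = STS.login("alice@CORP", "alice-pass", now=1000.0)
    both = (VC_NY.accept(tok, now=1001.0) is not None
            and VC_LA.accept(tok, now=1001.0) is not None)
    expired = VC_NY.accept(tok, now=1300.0) is None          # past the 300 s lifetime
    tampered = VC_NY.accept(tok[:-2] + "AA", now=1001.0) is None  # signature altered
    AD.reachable = False                                      # the WAN link to CORP drops
    try:
        STS.login("alice@CORP", "alice-pass", now=1002.0)
        ad_blocked = False
    except IdentitySourceUnavailable:
        ad_blocked = True
    local_ok = STS.login("admin@System-Domain", "sso-pass", now=1002.0) is not None
    AD.reachable = True
    return {"both_vcenters": both, "expired_rejected": expired,
            "tampered_rejected": tampered, "ad_blocked": ad_blocked,
            "local_admin_ok": local_ok}


if __name__ == "__main__":
    print(demo())
```

The point of the last few lines of `demo()` is the caveat from the paragraph above: once the directory behind a domain is unreachable, every user in that domain is locked out of SSO, and the only thing that still works is an account that lives in the local SSO domain, which is why an SSO-specific admin user is worth configuring before you need it.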
There are several different types of “setups” used when building out a vCenter Single Sign On Server. The most basic is actually the most recommended setup, as stated by Justin King himself. The reason is that it’s not made more complex than it has to be and is kept very simple. On one host server (or VM server) you place the following servers: a Single Sign On server, a vCenter server, an Inventory Service server, a Web Client server and a database server. To briefly touch on the Inventory Service (IS) and Web Client (WC) servers, the IS server provides a query service into VPXD for keeping track of and tagging specific virtual devices. The WC server is mainly there to maintain the Web Client, which is supported on IE, Firefox and Chrome and has a “Work in Progress” mode where your last inputs are saved until you can come back to the client to finish what was started.
The three other setups include configuring a vCenter Single Sign On server as a “Primary” and setting up another as a “Backup,” essentially allowing redundancy, but there are limitations. The first and more prominent limitation is that there can only be one Primary SSO, and only the Primary can manage the SSO. This means that if the Primary SSO goes down, the Backup SSO won’t be able to make changes to the SSO setup at all, making it essentially not a “true backup” and instead an active/passive solution. The other setups are also more complex, involving other protocols, devices, or manual input that all take away from the purpose of the SSO, which is to have a single sign on point.
Before time ran out, Justin shared little bits of information that I am eager to share. The first being that the next update to VMware will be a minor update; expect a 5.2 before the end of the year. This update will most likely see the return of cluster databases. For the near future, Update 1 should be out within the next couple of months, bringing with it a more stable SSO and lots of minor fixes, including an Update Manager update. For the next major release, which is slated for next year, expect the Desktop client to be…NON-EXISTENT! VMware is planning on moving towards a Web-only client, which is definitely big news. In addition, they are working to have a physical vCenter Appliance box available for purchase, which will come preconfigured and be able to handle “up to 500 hosts/5,000 VMs.” I’m really excited to see how that turns out.
VMware vCenter 5.1 is definitely making some defining moves and is on its way to becoming a true services framework. SSO sounds very good, but after some research I found that it is very hard to get up and running properly. In addition, it requires a hefty load of hardware in terms of RAM and processing power to get up and running. Also, the Web Client and Inventory Service are works in progress at best and are more of an afterthought for the time being (but will definitely become prominent services in future revisions of vCenter). Overall, the whole vCenter package doesn’t seem appealing enough to start deploying just yet, but moves are being made in the right direction. I can, however, see it being the go-to VMware management services package in the near future!
-Justin Vashisht (3cVguy)