Platform Services Controller

Platform Services Controller (PSC) is a component of the VMware Cloud Infrastructure Suite. PSC deals with identity management for administrators and applications that interact with the vSphere platform.

With the new architecture of vCenter Server 6.0 you learned about the Platform Services Controller, a new functional component of vCenter that moves beyond just Single Sign-On to include additional platform services such as:

  • Licensing Service
  • Certificate Authority (VMCA)
  • Certificate Store (VECS)
  • Lookup Service for Component Registrations

In vCenter Server 6.0 Update 1, we’re excited to introduce the next stage of administration with the Platform Services Controller Interface, a fully HTML5-based interface to administer and configure many of the services that run on the PSC.

Using the Platform Services Controller Interface you can perform tasks, such as:

  • Adding and Editing Users and Groups for Single Sign-On
  • Adding Single Sign-On Identity Sources
  • Configuring Single Sign-On Policies (e.g. Password Policies)
  • Adding Certificate Stores
  • Adding and Revoking Certificates


vCenter Linked Mode

vCenter Enhanced Linked Mode connects multiple vCenter Server systems together by using one or more Platform Services Controllers. Two PSCs can work in HA mode.

Enhanced Linked Mode lets you view and search across all linked vCenter Server systems and replicate roles, permissions, licenses, policies, and tags.

When you install vCenter Server or deploy the vCenter Server Appliance with an external Platform Services Controller, you must first install the Platform Services Controller. During installation of the Platform Services Controller, you can select whether to create a new vCenter Single Sign-On domain or join an existing domain.

Call API of vCenters in Linked Mode

When two or more vCenters are connected to a PSC (i.e. in Linked Mode), we can follow the steps below to retrieve data from each vCenter.

  1. Look up the vCenter Server IPs in the PSC. The Python script “lookup-vcenters-in-psc.py PSC_IP” lists all vCenter Server IPs registered in the PSC; this script does not require authentication.
  2. Use the API to log in to the PSC and get a token. This is the same API as the one used to log in to a vCenter with an embedded PSC.
  3. Use the token to call the API of each vCenter. There is no single API call that returns data from both vCenters, so you need to call each vCenter separately.

lookup-vcenters-in-psc.py:

import sys
import requests
from xml.etree.ElementTree import fromstring
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# Usage: python lookup-vcenters-in-psc.py PSC_IP
server = sys.argv[1]
protocol, port, path = 'https', 443, 'lookupservice/sdk'
url = "%s://%s:%s/%s" % (protocol, server, port, path)
baseVersion = 'lookup'
versionId = 'urn:lookup/2.0'
# Disabling SSL certificate verification (verify=False below): the PSC normally
# presents a VMCA-signed certificate that the client does not trust by default.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
headers = {'content-type': 'text/xml; charset=utf-8', 'Accept': 'text/xml,multipart/*,application/soap', 'SOAPAction': versionId}
# SOAP request for LookupServiceRegistration.List; the Lookup Service answers it
# without any authentication.
body = """<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
         <List xmlns='urn:lookup'>
           <_this type='LookupServiceRegistration'>ServiceRegistration</_this>
         </List>
  </soapenv:Body>
</soapenv:Envelope>"""
response = requests.post(url, data=body, headers=headers, verify=False)
response.raise_for_status()
soapResponse = fromstring(response.content)
returnvalList = soapResponse.findall('.//{urn:' + baseVersion + '}returnval')
vCenterList = []
for retVal in returnvalList:
  nodes = retVal.findall('.//{urn:' + baseVersion + '}url')
  for node in nodes:
    # vCenter Server registers its vSphere API endpoint as https://<vc>:443/sdk
    if node.text and node.text.endswith(':443/sdk'):
      vCenterList.append(node.text)
print(vCenterList)
Comparison of cloud orchestration tools
(columns, left to right: Cloudify | Scalr | Juju GUI | Alien4Cloud | OpenStack Heat | Aliyun ROS | Apache Brooklyn)

Since:                              2012 | 2008 | 2012 | 2014 | 2012 | 2015.12 | 2012
Written in:                         Python | PHP | Python | Java/JavaScript | Python | ? | Java
License:                            Apache License | Apache License | AGPL | Apache License | Apache License | Proprietary | Apache License
CLI:                                Yes | Yes | Yes | No | Yes | Yes | Yes
GUI:                                Yes | Yes | Yes | Yes | Partial | Partial | Partial
Drag and Drop Blueprint Designer:   Yes + Commercial | No | Yes + AGPL | Yes + Apache License | No | No | Yes + Apache License
Supported Application Components:   only a few; no official repo | a lot on here | over 300 services listed here | only a few | simple bash scripts | TBD | only a little: a few
IaaS Support:                       AWS, OpenStack, vSphere, vCloud Air | OpenStack | OpenStack, vSphere, AWS, Azure, etc. | Depends on Cloudify/Brooklyn | Depends on OpenStack | Only Aliyun ECS | AWS, OpenStack, SoftLayer, etc.
Globalization:                      No | Yes. English/Japan/French | No | No (only four entries survive in the source; column alignment unclear)

Note attached to the table (column not recoverable from the source): "very similar to AWS CloudFormation".

http://docs.chef.io/server/install_server.html#standalone does not mention how to configure knife.rb, which is described on https://docs.chef.io/config_rb_knife.html . There is a notable difference in knife.rb between Chef Server 11 and 12:

In Chef Server 11:  chef_server_url 'http://localhost:4000/'
In Chef Server 12:  chef_server_url 'http://localhost:4000/organizations/ORG_NAME'

And the admin user in Chef Server 12 is named pivotal. You only need to create a new user and a new ORG owned by this new user.

Here is a full install guide: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-chef-12-configuration-management-system-on-ubuntu-14-04-servers

Known issue: https://github.com/chef/chef-server/issues/50 (impossible to upload cookbooks if a non-standard port is used)

find then xargs

I like the find + xargs combination so much.

On Mac OS X:

1. sed in several files:

find . -name filename-regex | xargs -I {} sed -i "" 's|abc|xyz|' {}

2. remove several files:

find . -name filename-regex | xargs -I {} rm -rf {}
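An added example (not code from the original post) of the same find | xargs | sed recipe, made safe for file names containing spaces and portable between macOS (BSD) sed, which needs -i '', and GNU sed; the directory tree it runs on is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post: the find | xargs | sed recipe
# with -print0/-0 so file names with spaces survive the pipe, and a check
# for BSD sed (macOS, needs -i '') versus GNU sed (plain -i).
set -e

# replace_in_tree DIR GLOB FROM TO: in-place substitution in every regular
# file under DIR whose name matches GLOB (find -name takes a glob, not a regex).
replace_in_tree() {
    find "$1" -name "$2" -type f -print0 |
    xargs -0 -I {} sh -c '
        expr=$1; file=$2
        if sed --version >/dev/null 2>&1; then   # GNU sed
            sed -i "$expr" "$file"
        else                                      # BSD sed (macOS)
            sed -i "" "$expr" "$file"
        fi' _ "s|$3|$4|g" {}
}

# demo: builds a constructed tree, runs the replacement on *.conf only, and
# returns "<files still containing abc> <files now containing xyz>".
# The .txt file is deliberately left untouched, so the expected result is "1 2".
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/sub dir"
    printf 'abc here\n' > "$tmp/a.conf"
    printf 'abc twice abc\n' > "$tmp/sub dir/b.conf"
    printf 'abc must stay\n' > "$tmp/c.txt"
    replace_in_tree "$tmp" '*.conf' abc xyz
    old=$(grep -rl 'abc' "$tmp" | wc -l | tr -d ' ')
    new=$(grep -rl 'xyz' "$tmp" | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "$old $new"
}
```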

The VMware vSphere Big Data Extensions product (aka Project Serengeti) needs to ensure the bootstrap order when deploying a Hadoop cluster, in which the slave nodes must wait for the master node. BDE uses the native Chef way to implement it.

For example, the Hadoop datanode service should be started only after the Hadoop namenode service is started. In the Chef recipes, we use this code to do the wait:

in the namenode recipe (github.com/vmwa…amenode.rb#L127):

service 'hadoop-namenode' do
  action [:start]
end
# Announce that the namenode service is up so that datanodes can discover it
# (the service name argument is assumed here for illustration)
provide_service('hadoop-namenode')

in the datanode recipe (github.com/vmwa…datanode.rb#L29):

# Block until the namenode has announced itself (service name assumed as above)
wait_for_service('hadoop-namenode')

service 'hadoop-datanode' do
  action [:start]
end

provide_service and wait_for_service are functions defined in the Chef cookbook cluster_server_discovery.

Elasticsearch, etcd, or another service discovery solution can also be used in a Chef cookbook.

sed -n 's/^.*\(<regex_pattern>\).*$/\1/p' filename

This sed command replaces the whole line with '\1' (the text captured by the group) and, because of -n combined with the p flag, prints only lines where the substitution succeeded. So it prints just the text matching <regex_pattern>, not the whole line.

Googled for one more hour to figure it out…

e.g.   sed -i 'N; s/line1\n  line2/line1/' /path/to/file

"N;" appends the next input line to the pattern space (multi-line sed), and "\n" matches the newline character between the two lines.

More examples at http://www.thegeekstuff.com/2009/11/unix-sed-tutorial-multi-line-file-operation-with-6-practical-examples/
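Both sed idioms from the two posts above, run on constructed input, as an added example that is not from the original posts. It also shows the caveat a user of the 'N;' form should know: N consumes lines in disjoint pairs, so a line1/line2 pair starting on an even line is skipped, while the $!N ... P;D sliding-window form joins every adjacent pair.

```shell
#!/bin/sh
# Added example, not from the original posts: the two sed idioms on
# constructed input, plus the sliding-window variant of the multi-line join.
set -e

# extract_matches PATTERN: print only the part of each line matching the BRE
# PATTERN (the sed -n 's/^.*\(pattern\).*$/\1/p' idiom). Because the leading
# .* is greedy, a line containing two matches yields the LAST one.
extract_matches() {
    sed -n 's/^.*\('"$1"'\).*$/\1/p'
}

# join_pairs_naive: the 'N;' form from the post. N appends the next line, so
# sed works on disjoint pairs (1+2, 3+4, ...); a line1/line2 pair that starts
# on an even line is never in the pattern space together and is left alone.
join_pairs_naive() {
    sed 'N; s/line1\n  line2/line1/'
}

# join_pairs_sliding: $!N appends the next line (except on the last line),
# P prints the first line of the window and D drops it and restarts without
# reading new input, so every adjacent line1/line2 pair is joined.
join_pairs_sliding() {
    sed -e '$!N' -e 's/line1\n  line2/line1/' -e 'P' -e 'D'
}

# Constructed sample input for the two functions above.
versions_input() {
    printf '%s\n' 'build: version v1.2.3 released' 'no version here' 'was v1.0.0 then v2.0.0'
}
# Both line1/line2 pairs start on an even line (lines 2 and 4).
lines_input() {
    printf '%s\n' 'header' 'line1' '  line2' 'line1' '  line2' 'tail'
}
```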