With the release of vCAC 6.1 there have been some great improvements in the setup of the clustered vCAC appliances - none of the previous copying of configuration files between appliances - just a simple wizard to do it all for you. In my opinion this is superb.
You’ll need to have deployed a load balancer of some sort - see "vCAC 6.0 build-out to distributed model – Part 3.1: Configure Load Balancing with vCNS" or "vCAC 6.0 build-out to distributed model – Part 3.2: Configure load balancing with NSX".
Deploy three vCAC appliances by running through the OVF deployment wizard, two to be configured as vCAC Appliance nodes and one to be the external vPostgres database.
Before powering on the appliance I reduce the RAM down to 4GB - this is more than enough when you’re just running vPostgres.
Log on to the administration interface (https://ApplianceFQDNorIP:5480) using root, navigate to Admin > Time Settings and configure NTP to use the same settings as your Identity Appliance and vCAC Appliances.
SSH to the deployed and running appliance, log in as root and disable the unused services:
service apache2 stop
chkconfig apache2 off
service rabbitmq-server stop
chkconfig rabbitmq-server off
service vcac-server stop
chkconfig vcac-server off
service vco-server stop
chkconfig vco-server off
In the same SSH session, use the following to configure vPostgres.
Accept connections from anywhere (this uncomments the listen_addresses line so that vPostgres listens on all interfaces):
sed -i -re 's/^#(listen_addresses=.\*.)/\1/' /var/vmware/vpostgres/current/pgdata/postgresql.conf
Set the max connections to 400:
sed -i -re 's/^(max_connections *= *)([0-9]+)(.*)/\1 400 \3/' /var/vmware/vpostgres/current/pgdata/postgresql.conf
And restart vPostgres:
service vpostgres restart
Finally, we need to set the password for the vPostgres user ‘vcac’:
su - vcac
cd /opt/vmware/vpostgres/9.2/bin
./psql
ALTER USER vcac WITH PASSWORD 'password here';
\q
exit
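The sed edits above exit successfully even when their pattern matches nothing, so it is worth confirming what postgresql.conf actually contains afterwards. The following check is an added example, not part of the original post: the function names are hypothetical, GNU sed is assumed, and the two sample files are constructed.

```shell
#!/bin/sh
# Added example: confirm the two postgresql.conf edits from the post took effect.
# GNU sed is assumed (as on the appliance); function names are hypothetical.

# The two edits, exactly as given in the post, applied to the file in $1.
apply_post_edits() {
    sed -i -re 's/^#(listen_addresses=.\*.)/\1/' "$1"
    sed -i -re 's/^(max_connections *= *)([0-9]+)(.*)/\1 400 \3/' "$1"
}

# Print the effective value of setting $2 in file $1: the last uncommented
# assignment, with any trailing comment and whitespace removed.
pg_setting() {
    sed -n -r "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*([^#]*).*/\1/p" "$1" |
        sed -r 's/[[:space:]]+$//' | tail -n 1
}

# Return 0 only if both settings have the values the post intends.
check_vpostgres_conf() {
    rc=0
    listen=$(pg_setting "$1" listen_addresses)
    maxc=$(pg_setting "$1" max_connections)
    case "$listen" in
        "'*'") ;;
        *) echo "listen_addresses is ${listen:-still commented out}" >&2; rc=1 ;;
    esac
    [ "$maxc" = "400" ] || { echo "max_connections is ${maxc:-unset}" >&2; rc=1; }
    return "$rc"
}

# Constructed sample files: one in the form the post's sed expects, one in the
# stock PostgreSQL form (spaces around '=', 'localhost'), which it does not match.
demo() {
    good=$(mktemp); stock=$(mktemp)
    printf '%s\n' "#listen_addresses='*'" "max_connections = 100  # default" > "$good"
    printf '%s\n' "#listen_addresses = 'localhost'" "max_connections = 100" > "$stock"
    for f in "$good" "$stock"; do
        apply_post_edits "$f"
        if check_vpostgres_conf "$f"; then echo "OK:   $(head -n 1 "$f")"
        else echo "FAIL: $(head -n 1 "$f")"; fi
    done
    rm -f "$good" "$stock"
}
demo
```

On the appliance, run check_vpostgres_conf against /var/vmware/vpostgres/current/pgdata/postgresql.conf before restarting vPostgres.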
Log on to the administration interface (https://ApplianceFQDNorIP:5480) using root, navigate to Admin > Time Settings and configure NTP to use the same settings as your Identity Appliance and vCAC Appliances.
Go to the vCAC Settings tab > Database and enter the details for the appliance we just converted to vPostgres only, then save your settings:
A nice new feature of the VAMI in 6.1 is that it disables the local vPostgres DB if you configure an external one - that saves a manual step!
Select the vCAC Settings > Host Settings tab and enter the URL for the load balancer and Save:
Go to the SSL tab and import the SSL certificate:
Go to the SSO tab and enter the details for the Identity Appliance, remembering to append the port (7444) to the appliance's FQDN. The user is [email protected] and the password is the one you specified when configuring the Identity Appliance. It’s worth noting that this can take some time to initialise!
Once the SSO is configured the vCAC services will start to load - this can take a while, but it’s important to wait until they’re all (20) started before moving on to the next step.
Check the status of the services from the Services tab, or monitor the catalina.out log file to see them starting by connecting to the appliance via SSH and using:
tail -f /var/log/vcac/catalina.out
Go to the vCAC Settings > Licensing tab and enter your license.
All being well, you can now log into your new vCAC Appliance using the new /vcac instead of /shell-ui-app (massive improvement for usability there, thanks VMware!) using the [email protected] account.
Log into the admin console of the second appliance and configure the NTP settings to use the same time servers as the first appliance under Admin > Time Settings.
This is where the biggest improvement for clustering vCAC appliances comes into play - to configure this secondary node into the cluster we just go to vCAC Settings > HA and join the secondary appliance to the primary:
Now have a look at the config and the Services - you should see they all match the primary appliance (e.g. License is installed, SSL certificate matches primary).
To save on resources we now disable the unused services on the secondary vCAC appliance via SSH (the services may already be stopped, it’s safe to ignore warnings from the stop commands):
service vpostgres stop
chkconfig vpostgres off
service vco-server stop
chkconfig vco-server off
The easiest way to verify that the cluster is in fact working is to modify the load balancer to only connect to a single instance and log on to the https://vcloud.definit.local/vcac site, then flip the load balancer around to point to the other node and check you are able to log in again.