Enhanced Linked Mode Replication on vSphere 6.x and 7.x


A Platform Services Controller (PSC), which can be an external appliance or embedded in vCenter (VC), handles vSphere Single Sign-On (SSO), licensing, tagging, global permissions, custom roles, and certificate management. More info:

https://blogs.vmware.com/vsphere/2017/10/platform-services-controller-psc-6-x-faq-now-available.html

We often read about PSCs replicating between each other, but more often than not, it is unclear WHAT exactly is being replicated between the PSCs. When you deploy multiple PSCs (or vCenters with embedded PSCs) in the same SSO domain, the PSCs will be replicating VMDIR data with each other, depending on how replication is configured.

Based on VMware documentation available here:

 https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.psc.doc/GUID-FE4E0496-A14C-4331-A7D6-1200F7C068A5.html 

VMDIR data includes authentication, certificate, lookup, and license information. If your domain contains more than one Platform Services Controller instance, an update of VMDIR content in one VMDIR instance is propagated to all other instances of VMDIR (i.e., the other PSCs or embedded VCs).

In this example, we are using 3x 6.7 PSCs, all part of the same "vsphere.local" domain.


HyTrust KeyControl KMS Configuration on vCenter 6.x


A KMS, or Key Management Server, is a server used to generate and store encryption keys that other applications can use for encryption.

We already ran through the process of installing HyTrust KeyControl in a VM in a previous post. In this post, we are going to configure a HyTrust KeyControl KMS for use with vCenter 6.7.

Let's start by logging into the HyTrust KeyControl web client. I am logged in with the default root account "SECROOT". Of course, the right way to do this would be to use a user account with the required level of permissions, but for this demonstration, the root account is fine.

Click on the KMIP Section, and change the "State" of the KMS from DISABLED to ENABLED, click on Apply, and Proceed to overwrite the existing KMIP Server settings.
