Customers on the prior VCF versions 4.1, 4.1.0.1, 4.2, 4.2.1 and 4.3 are recommended to upgrade to the latest VCF 4.3.1 release.
For customers who are unable to do so, this article provides guidance on upgrading just the vCenter Server appliance.
The information in this article also applies to VCF on VxRail environments and to vSAN Ready Nodes.
The JAR file attached to this article can be used to automate the required steps.
See the details below on how to use this utility.
VMware Cloud Foundation Version | If you are unable to upgrade to VCF 4.3.1 at this time |
4.1 or earlier | First upgrade to VCF version 4.1 or later and follow the respective recommended approach |
4.1.x | Apply the steps in the Workaround section of this article |
4.2.x | Apply the steps in the Workaround section of this article |
4.3 | Apply the steps in the Workaround section of this article |
NOTE: You can also choose to upgrade to VCF 4.3.1 to consume the vCenter Server security patch and other product fixes and enhancements. Refer to the VCF 4.3.1 upgrade guide and release notes for more details.
To apply the vCenter Server 7.0 U2d patch on VCF 4.1.x, VCF 4.2.x and VCF 4.3, follow these steps in the exact sequence:
STEP 1: Perform the steps below on each vCenter Server VM deployed in your Cloud Foundation environment
STEP 2: Perform the steps below on each SDDC Manager VM deployed in your Cloud Foundation environment
NOTE: If you are running VMware Cloud Foundation version 4.3, this step is not needed.
a. Take a backup of the existing keys in the SDDC Manager known_hosts file
cp /etc/vmware/vcf/commonsvcs/known_hosts /etc/vmware/vcf/commonsvcs/known_hosts.bak
STEP 3: Perform the add-on steps below on the upgraded vCenter Server VM in your Cloud Foundation environment
Known Issue: After vCenter Server is upgraded to 7.0 Update 2d in a Cloud Foundation environment, if the SDDC Manager VM is rebooted, the SDDC Manager UI cannot communicate with the newly upgraded vCenter Server VM. From vCenter Server 7.0 Update 2 onwards, SHA1 is removed from SSH, while SDDC Manager 4.1.x and 4.2.x use SHA1-based SSH to communicate with vCenter Server. This issue is fixed in SDDC Manager 4.3 and later versions.
NOTE: If you are running VMware Cloud Foundation version 4.3, this step is not needed.
a. Log in to the upgraded vCenter Server via SSH
b. Take a backup of the sshd_config file
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
c. Open the sshd_config file in an editor and locate "HostKeyAlgorithms"
vi /etc/ssh/sshd_config
d. Change the HostKeyAlgorithms entry by appending "ssh-rsa" towards the end of the line
From
HostKeyAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
To
HostKeyAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
e. Save and exit the file /etc/ssh/sshd_config
f. Restart the SSH daemon on vCenter
systemctl restart sshd
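Steps b through f above as an idempotent shell script, added here as an example; it is not part of the KB or of the attached JAR. The function name `enable_ssh_rsa` and the `--apply` switch are this example's own; it matches `ssh-rsa` as a whole list item, keeps the first backup on re-runs, and restarts sshd only if `sshd -t` accepts the edited file.

```shell
#!/bin/sh
# Added example (not from the KB): STEP 3, steps b-f, safe to re-run.
# enable_ssh_rsa FILE -> 0: ssh-rsa is in HostKeyAlgorithms afterwards
#                        1: no active HostKeyAlgorithms line, 2: FILE missing
enable_ssh_rsa() {
    hk_cfg="$1"
    [ -f "$hk_cfg" ] || { echo "missing: $hk_cfg" >&2; return 2; }

    # First active (uncommented) directive line.
    hk_line=$(grep -E '^[[:space:]]*HostKeyAlgorithms[[:space:]]' "$hk_cfg" | head -n 1)
    [ -n "$hk_line" ] || { echo "no HostKeyAlgorithms entry in $hk_cfg" >&2; return 1; }

    # Compare whole list items: "ssh-rsa-cert-v01@openssh.com" must not count as "ssh-rsa".
    hk_algs=$(printf '%s' "${hk_line#*HostKeyAlgorithms}" | tr -d '[:space:]')
    case ",$hk_algs," in
        *,ssh-rsa,*) return 0 ;;   # already enabled, leave the file untouched
    esac

    # Step b: keep the first backup rather than overwriting it on a re-run.
    [ -e "$hk_cfg.bak" ] || cp -p "$hk_cfg" "$hk_cfg.bak" || return 2

    # Step d: append ",ssh-rsa" to each active directive line, dropping trailing blanks.
    # Writing back with cat keeps the original file's owner and mode.
    sed -E 's/^([[:space:]]*HostKeyAlgorithms[[:space:]]+.*[^[:space:]])[[:space:]]*$/\1,ssh-rsa/' \
        "$hk_cfg" > "$hk_cfg.tmp" && cat "$hk_cfg.tmp" > "$hk_cfg" && rm -f "$hk_cfg.tmp"
}

# Run as root on the upgraded vCenter Server with --apply (switch name is this example's own).
if [ "${1:-}" = "--apply" ]; then
    enable_ssh_rsa /etc/ssh/sshd_config || exit 1
    # sshd -t checks the configuration; restart (step f) only if it parses.
    if sshd -t -f /etc/ssh/sshd_config; then
        systemctl restart sshd
    else
        echo "sshd rejected the edited file; restore /etc/ssh/sshd_config.bak" >&2
        exit 1
    fi
fi
```

Since `ssh-rsa` brings SHA1-based host key signatures back, remove the entry again once SDDC Manager is at a version where the known issue is fixed.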
Note:
Repeat STEP 1, STEP 2 and STEP 3 for all workload domain vCenters in your Cloud Foundation environment.
Every time a new VI workload domain is created, these steps need to be performed.
Alternatively, STEP 2 and STEP 3 can be executed via the automated script as follows:
(1) Download the VCF4x-KB_85718.jar file and scp it to the /tmp location on SDDC Manager
(2) Log in to the SDDC Manager VM via SSH, sudo to the root account, and give the binary executable permission:
chmod ugo+x /tmp/VCF4x-KB_85718.jar
STEP 2: Perform the steps below on each SDDC Manager VM deployed in your Cloud Foundation environment
(1) Update the VCF inventory by following the steps below:
<vcenter_FQDN> = Fully qualified domain name of upgraded vCenter Server
java -jar /tmp/VCF4x-KB_85718.jar --vcsaip <vcenter_FQDN> --username root --updateVCFInventory
NOTE: If you are running VMware Cloud Foundation version 4.3, this step is not needed.
(2) Import the host keys for the upgraded VMware vCenters
java -jar /tmp/VCF4x-KB_85718.jar --vcsaip <vcenter_FQDN> --username root --importSSHKeys
STEP 3: Perform the add-on steps below on the upgraded vCenter Server VM in your Cloud Foundation environment
NOTE: If you are running VMware Cloud Foundation version 4.3, this step is not needed.
(1) Enable the SHA1 host key algorithm
java -jar /tmp/VCF4x-KB_85718.jar --vcsaip <vcenter_FQDN> --username root --enableSHA1
NOTE: Aliasing steps will be required when further upgrades are performed after the steps from this KB have been completed.