Before you start with the update, make sure to create a backup of your VMware vCenter Server Appliance (VCSA) Virtual Machine (VM). The backup is usually done by your backup software, and you can also configure a file-level backup introduced in vSphere 6.5 and further enhanced with a scheduler in vSphere 6.7. The protocols supported for backup are FTPS, HTTPS, SCP, FTP and HTTP. So today's post is called How to Patch vCenter Server Appliance (VCSA) – and it's an easy one destined for non-VMware admins.
If you're new to VMware and do not manage VMware infrastructures on daily basis, you might do not know that VCSA is now the privileged vCenter server architecture and that vCenter Server on Windows will be phased out in the next major release of vSphere.
The VCSA Appliance (the VM) has it's own administration UI which is accessible through https://FQDN_of_the_appliance:5480 (Note: you can also use IP address for the access).
Security patches for VMware products are released fairly often so checking for those security patches is a necessity. But if you don't check for the updates for a long time, you'll end up with several patches (we'll see it in the video). Well, in this case, you only need to install the latest patch as the patches are cumulative. It means that the latest patch has all the previous patches already built-in, so no need to install the previous patch too.
How to Install the latest update for VMware vCenter Server Appliance – The Steps
First, connect to the VCSA Admin interface (often called VAMI). You'll be able to do it via the port 5480 which is the default administration port for the management of many VMware appliances and products.
https://ip_or_FQDN:5480
Then fill in the root user and password combination which were created during the installation of the appliance.
Next is to go to the Update Menu on the left > Click Check for Updates.
After a while, you'll see one or two (or even more patches) in the lower pane.
Note: Make sure that you have a valid backup or do at least a file-level backup of your vCenter server settings and configuration. We have a post about it here.
Next, just select the latest patch only, click stage and install. A new wizard window will appear.
Accept the EULA and make sure that you have a backup of your VCSA.
Follow the steps provided by the wizard.
Note: the VMware CIEP program is optional but useful. In the past, I've blogged about the benefits here.
The process can take a while. Usually, there is a number showing you how long you'll have a downtime of your vCenter server. Note that your VMs keeps running as normal and you don't have to worry about them. If you need to work with VMs, you can still connect directly to ESXi host which runs a particular VM and use the Host HTML5 console. You can access it by https://ip_or_fqdn_of_your_host/ui and then launch the built-in VM management overlay console.
In the end, the process reboots the VCSA appliance and shows back the connection screen.
Note: There are other ways to patch VCSA, especially if you don't have an internet connection. You can download the patches as an ISO, attach the ISO to the VM and then check for updates via CD-ROM.
Here is a quick video from the lab demonstrating the whole process. Note that parts of the video are heavily accelerated…..
The patching of VCSA is pretty straightforward and you don't have to be a Linux guru, but some basic rules must be respected. For example to have a backup of your settings. Remember about the before hitting the GO button. There can be (still) some surprises.
So this was easy to follow a post about patching VCSA. I hope that it wasn't too boring for other VMware folks. If you're only running ESXi free without vCenter for some lab scenarios, this post isn't useful. But for people even on the lowest licensing package, vSphere Essentials or Essentials PLUS they need to know how to patch their VCSA otherwise they'll be vulnerable to attacks. And you know, there is a ton of ransomware attacks those days, so better be safe than sorry.
Make sure to check our vSphere 6.7 page and some other links below. Enjoy…
More from ESX Virtualization
- vSphere 6.7
- VMware vSphere 6.7 Announced – vCSA 6.7
- VMware vSphere 6.7 Security Features
- What is Veeam Availability Orchestrator?
- What is The Difference between VMware vSphere, ESXi and vCenter
- How-to unlock the VMware VCSA root password?
- VMware Desktop Watermark Free Utility is Similar to BgInfo
Stay tuned through RSS, and social media channels (Twitter, FB, YouTube)
Vladan. Can you talk about the best way to patch VCSA when running vCenter HA? Currently I destroy the HA cluster, patch the single VCSA appliance, then deploy the cluster again. I’m wondering if there is a better way. Thanks
Thanks, you helped me!