check-circle-line exclamation-circle-line close-line

vCenter Server 6.7 Update 3g |  APR 28 2020 | ISO Build 16046470 

vCenter Server Appliance 6.7 Update 3g |  APR 28 2020 | ISO Build 16046470 

Check for additions and updates to these release notes.

What's in the Release Notes

The release notes cover the following topics:

What's New

  • New alarms in vCenter Server: vCenter Server 6.7 Update 3g adds a Replication State Change alarm to the vCenter Server Appliance with an Embedded Platform Services Controller that displays when a replication state changes to READ_ONLY. The alarm resolves when the state changes to Normal. 
    The Replication Status Change alarm is available for all types of vCenter Server Appliance instances and reports replication issues between nodes. The alarm resolves when connection between nodes restores.

  • In vCenter Server 6.7 Update 3g, you can use the sso-config utility to replace a Security Token Service (STS) certificate.
    To complete the replacement of an STS certificate, you must:

    1. Enable SSH login to vCenter Server.
    2. Create a PEM file containing the certificate chain and private key on the vCenter Server file system.
    3. Log in to the vCenter Server shell as root.
    4. To update the STS signing certificate, run the sso-config utility.
      For example:/opt/vmware/bin/sso-config.sh -set_signing_cert -t vsphere.local ~/newsts/newsts.pem
    5. Restart the vCenter Server node, which restarts both the STS service and the vSphere Client.
    6. Restart vCenter Server for authentication to work correctly.
  • The vCenter Server 6.7 Update 3g release addresses issues documented in the Resolved Issues section.

  • For Photon OS updates, see VMware vCenter Server Appliance Photon OS Security Patches

Earlier Releases of vCenter Server 6.7

Features and known issues of vCenter Server are described in the release notes for each release. Release notes for earlier releases of vCenter Server 6.7 are:

For internationalization, compatibility, installation and upgrade, open source components and product support notices see the VMware vCenter Sever 6.7 Update 1 Release Notes.

Patches Contained in This Release

This release of vCenter Server 6.7 Update 3g delivers the following patch. See the VMware Patch Download Center for more information on downloading patches.

NOTE: vCenter Server 6.7 Update 3g does not provide a security patch to update the JRE component of vCenter Server for Windows and Platform Services Controller for Windows. Instead, you must download the VMware-VIM-all-6.7.0-16046470.iso file from vmware.com.

Full Patch for VMware vCenter Server Appliance 6.7 Update 3g

Product Patch for vCenter Server Appliance containing VMware software fixes, security fixes, and third-party product fixes (for example, JRE and tcServer).

This patch is applicable to the vCenter Server Appliance and Platform Services Controller Appliance.

For vCenter Server and Platform Services Controller Appliances

Download Filename VMware-vCenter-Server-Appliance-6.7.0.44000-16046470-patch-FP.iso
Build 16046470
Download Size 2003.6 MB
md5sum 8962293a7d4d40b3eb32d2c88c55be78
sha1checksum d902a6e6259dc25aede5d558057fb86cb242499d

Download and Installation

You can download this patch by going to the VMware Patch Download Center and selecting VC from the Select a Product drop-down menu.

  1. Attach the VMware-vCenter-Server-Appliance-6.7.0.44000-16046470-patch-FP.iso file to the vCenter Server Appliance CD or DVD drive.
  2. Log in to the appliance shell as a user with super administrative privileges (for example, root) and run the following commands:
    • To stage the ISO:
      software-packages stage --iso
    • To see the staged content:
      software-packages list --staged
    • To install the staged rpms:
      software-packages install --staged

For more information on using the vCenter Server Appliance shells, see VMware knowledge base article 2100508.

For more information on patching the vCenter Server Appliance, see Patching the vCenter Server Appliance.

For more information on staging patches, see Stage Patches to vCenter Server Appliance.

For more information on installing patches, see Install vCenter Server Appliance Patches.

For issues resolved in this patch see Resolved Issues.

For Photon OS updates, see VMware vCenter Server Appliance Photon OS Security Patches

For more information on patching using the Appliance Management Interface, see Patching the vCenter Server Appliance by Using the Appliance Management Interface.

Resolved Issues

The resolved issues are grouped as follows.

Security Issues
  • You cannot log in to the vSphere Client by using an RSA SecurID

    If the external Active Directory identity source is configured as Integrate Windows Authentication and RSA is using an LDAP attribute other than UPN for the User ID, you cannot log in to the vSphere Client.

    This issue is resolved in this release.

  • You cannot add a Key Management Server to a vCenter Server Appliance by using an FQDN in a pure IPv6 environment

    In a pure IPv6 environment, adding a Key Management Server to a vCenter Server Appliance by using an FQDN might result in an error such as cannot retrieve the requested certificate. Adding a Key Management Server by using an IPv6 address works.

    This issue is resolved in this release.

  • Update of Eclipse Jetty

    Eclipse Jetty is updated to version 9.4.24.

  • Update to PostgreSQL

    PostgreSQL is updated to version 9.6.16.

  • Update to OpenSSL

    The OpenSSL package is updated to version openssl-1.0.2u.

  • Update to the libcurl library

    The ESXi userworld libcurl library is updated to version 7.68.

  • Update to the Perl Compatible Regular Expressions (PCRE) library

    The PCRE library is updated to version 8.43.

  • Update to the libxml2 library

    The ESXi userworld libxml2 library is updated to version 2.9.10.

  • Update to Simple Logging Facade for Java (SLF4J)

    The SLF4J package is updated to version 1.7.30.

  • Update of the Jackson package

    The Jackson package is updated to version 2.10.1.

  • Update to the Apache Tomcat server

    The Apache Tomcat server is updated to version 8.5.50.

  • Update to Apache Commons Compress library

    Apache Commons Compress library is updated to version 1.18.

  • Update to Apache Struts

    Apache Struts is updated to version 2.5.22.

  • Update to the Spring Data Commons

    Spring Data Commons is updated to version 1.11.23.

  • Third-party plug-ins cannot use the Log4j package delivered by the vSphere Web Client

    Third-party plug-ins cannot use the Log4j package delivered by the vSphere Web Client due to security considerations. Use the SLF4J library instead.

    This issue is resolved in this release.

  • Update to JRE

    Oracle (Sun) JRE is updated to version 1.8.0.241.

  • Update to the Expat XML parser

    The Expat XML parser is updated to version 2.2.9.

  • Users with restricted access cannot view or edit the scheduled tasks they create

    Users with restricted access might be able to create schedule tasks for virtual machines, but cannot see them in either the vSphere Web Client or vSphere Client. For example, a user with read and manage virtual machines credentials can create a scheduled task, but after navigating to the Scheduled Tasks view, the task might not be in the list, although it is active. This happens when a user has full access to some objects, such as virtual machines, but does not have access to a parent path, such as a folder. Failed access checks to the parent object might affect the user views in the vSphere Web Client or vSphere Client.

    This issue is resolved in this release. 

  • Import from file:// scheme URLs to a Content Library is not supported

    Import from file:// scheme URLs to a Content Library is no longer supported due to a possible security vulnerability.

    This issue is resolved in this release.

  • The TLS reconfiguration utility cannot be configured on mixed version cluster host

    vCenter Server 6.7 Update 3g adds an enhancement to the TLS reconfiguration utility that allows you to configure TLS protocol settings on ESXi hosts from the 6.5 and 6.0 lines. You can also manage the TLS protocol configuration of a mixed cluster of ESXi hosts from the 6.7, 6.5 and 6.0 lines by using a single instance of vCenterCluster in the TLS configuration utility.

    This issue is resolved in this release.

Installation, Upgrade, Convergence, and Migration Issues
  • Converging vCenter Server with an external Platform Services Controller to vCenter Server with an embedded Platform Services Controller fails with an STS system tenant error

    Converging vCenter Server with an external Platform Services Controller to vCenter Server with an embedded Platform Services Controller by using the vSphere Client might fail with an error similar to Failed to set up STS system tenant. The failure happens during firstboot, while downloading RPM files for the Platform Services Controller if the update repository location is not up-to-date.

    This issue is resolved in this release. The fix detects when the update repository location is not up-to-date and prompts an update.

  • You cannot open the vCenter Server Appliance installer app in Linux virtual machines by double-clicking it

    Linux file managers do not recognize the PIE format that some upgraded components of the vCenter Server Appliance installer app use. As a result, you cannot open the vCenter Server Appliance installer app in Linux virtual machines by double-clicking it.

    This issue is resolved in this release. To avoid opening the vCenter Server Appliance installer app by using the Linux terminal, vCenter Server 6.7 Update 3g introduces an installer-linux.desktop file that opens by a double-click in the same way as the original installer.

Virtual Management Issues
  • If you set the memory limit to 0 MB when cloning or deploying a virtual machine from a template, the vCenter Server system might become temporarily unresponsive

    If you set the memory limit to 0 MB by using the vSphere Client or the vSphere Web Client when cloning or deploying a virtual machine from a template, the vCenter Server system might become temporarily unresponsive. Other production virtual machines might require a restart to recover.

    This issue is resolved in this release. The fix removes the 0 MB value from the Memory drop-down menu in the vSphere Client or the vSphere Web Client.

  • The vpxd service might fail if the PodSelectionSpec.storagePod parameter is not specified in a StoragePlacementSpec API call

    If you do not specify a PodSelectionSpec.storagePod parameter in the StoragePlacementSpec call to the VMware vSphere Storage DRS placement API, the call becomes invalid and the vpxd service might fail.

    This issue is resolved in this release.

  • Memory resource settings of virtual machine templates might persist when deploying new virtual machines

    If you set the memory resource settings of a virtual machine template to a certain value and deploy a new virtual machine by using the template with a different size memory, the original memory setting might persist.

    This issue is resolved in this release.

Server Configuration Issues
  • In some environments, after migrating vCenter Server for Windows to vCenter Server Appliance, management APIs might fail with an authorization error

    In some environments, after migrating vCenter Server for Windows to vCenter Server Appliance, management APIs might fail with an authorization error for vCenter Single Sign-On users. New line characters in the SAML token are causing the issue, because the vCenter Server Appliance uses a different message digest algorithm than vCenter Server for Windows.

    This issue is resolved in this release.

  • If a trusted domain goes offline, the Active Directory authentication for some user groups might fail

    If any of the trusted domains goes offline, the Likewise agent returns none or a partial set of group membership for users who are part of any of the groups on the offline domain. As a result, the Active Directory authentication for some user groups fails.

    This issue is resolved in this release. This fix makes sure that the Likewise agent lists all groups from all the other online domains.

vCenter Server Appliance, vCenter Server, vSphere Web Client, and vSphere Client Issues
  • After an upgrade to vCenter Server 6.7 Update 3b, if you use Internet Explorer, the vSphere Web Client becomes unresponsive

    After an upgrade to vCenter Server 6.7 Update 3b, if you use Internet Explorer, the vSphere Web Client might become unresponsive after entering credentials. The issue is not observed with browsers other than Internet Explorer for the vSphere Web Client or with the vSphere Client.

    This issue is resolved in this release.

  • Even superAdmin users might not be able to change the password of other users

    Even a user with superAdmin privileges might not be able to change the password of another user by using the localaccounts.user.password.update API command. Running the command fails with an error similar to: Error in method: You must have privileges of a super administrator to change password of another user. (code com.vmware.applmgmt.err_missing_priv)

    This issue is resolved in this release.

Networking Issues
  • The MAC address of virtual machines might change on certain API calls

    In certain cases, the MAC address of a virtual machine might change to some random MAC address during an API call. ​For example, if you use the API to disconnect a vNIC, the vpxd service might assign a new MAC address for the vNIC, instead of keeping the original one.

    This issue is resolved in this release.

  • The vpxd service fails and the vCenter Server system becomes inaccessible due to a race condition in vSphere DRS

    A rare race condition between two networking functions in DRS causes one of the functions to access already released memory addresses. This leads to failure of the vpxd service and ultimately makes the vCenter Server system unresponsive.

    This issue is resolved in this release.

Storage Issues
  • If initial placement of vSphere Storage DRS requires migrating virtual machines by using Storage vMotion, the vpxd service might fail during the migration

    During the initial placement of vSphere Storage DRS, if the recommendations require migrating virtual machines by using Storage vMotion, processing of the Storage vMotion migration might lead to a failure of the vpxd service.

    This issue is resolved in this release.

  • If vSphere Storage DRS selects an ESXi host as a source host for vSphere Replication, but that host is missing in the snapshot object, the vpxd service might fail

    vSphere Storage DRS picks the first ESXi host which is connected to all datastores in a vCenter Server system as the source host for replicating disks by using vSphere Replication. However, if that host is not present in the snapshot object, a NULL pointer dereference might cause a failure of the vpxd service.

    This issue is resolved in this release. The fix adds an extra check to pick an ESXi host only if it is part of a snapshot object for a replicated disk.

VMware High Availability and Fault Tolerance Issues
  • Current Memory Failover Capacity metric displays above 100%

    The Current Memory Failover Capacity metric that is set under the Cluster Resources Reserved policy of vSphere HA, might display above 100% in environments where the total cluster level memory used exceeds 20 TB.

    This issue is resolved in this release.

Miscellaneous Issues
  • You cannot add or move ESXi hosts to a cluster with enabled Proactive High Availability (HA)

    If you add or move an ESXi host to a cluster with enabled Proactive HA, and if the host is not part of health monitoring, the operation might fail with an error, such as NotSupported.

    This issue is resolved in this release. The fix allows adding and moving ESXi hosts to clusters with enabled Proactive HA. If the host is not part of health monitoring at the time of joining the cluster, vSphere DRS treats it as in quarantine with a state Unknown.

  • Scripts and third-party applications might intermittently fail during vAPI Endpoint service reconfiguration

    The vAPI Endpoint service takes up to a minute to scan for configuration changes on every four minutes. During this scan, the service supports limited amount of requests. As a result, scripts and third-party applications might fail. You might see errors similar to com.vmware.vapi.std.errors.invalid_argument, or status code 429. The issue is more likely to occur in multi-node environments with a large number of tags.

    This issue is resolved in this release.

  • A vCenter Server system might fail while exporting a support bundle by using API

    When you use API to export a support bundle on a vCenter Server system, the command runs in the root partition and if the bundle is large, the root partition might fill up. As a result, all services in the vCenter Server system might fail.

    This issue is resolved in this release.

Known Issues

The known issues are grouped as follows.

Security Issues
  • The TLS configuration utility in vCenter Server 6.7.x does not install on certain versions of ESXi

    The TLS Configuration utility does not install on certain early versions of ESXi due to the replacement of expired digital signing certificate and key. 

    Workaround: The utility is signed with the same certificate and key as ESX VIBs. For more information on the impacted ESXi versions, see VMware knowledge base article 76555.

Known Issues from Prior Releases

To view a list of previous known issues, click here.