VCSA Offline Patching

This is a short blog post on the patching process of the PSC\VCSA if you want to do it offline and to a particular patch level. The problem with the online option is that you will always be given the latest patch release from VMware, which may not be the idea situation if you wish to keep all VCSA at the same approved patch level in your organisation.

The first thing to remember to do is snapshot all the VMS! If you have multiple VCSAs and PSC in ELM then snapshot them all, plus it worth ensuring you have the latest backup available.

In my model I have the following,

So will first patch all the PSCs not being used, then do the active PSCs, before completing each VCSA in turn.

So it will be this order. (how to check the active PSC is covered in this William Lam blog)

01PSC02, 02PSC02, 01PSC01, 02PSC01

01VCSA01, 02VCSA01

 Obtaining the patch you need from MyVMware

So you don’t want the latest and greatest patch, you need to download the patch from MyVMware. Login with your account and from the top menu choose 

Products > All Products & Programs > Product Patches

Then search with the options, find you patch

MyVmware Patch Portal

You will need to look for the appropriate Appliance Patch, and download that

VCSA Appliance Patch



Add the patch to the datastore

Once this download you will need to upload to a datastore reachable to your VMs you need to patch. To do this the GUI way (it could be done via WinSCP also);

Also if you have vSAN, please review this KB for adding folders and files

Access vCenter, and browse to the relevant datastore, and choose the Files tab. Then click on the New Folder icon with the green plus icon to create a new directory, and give it a relevant name.





Then once the folder is created, double click the folder to open it, then use the Upload Files Option to add your downloaded ISO file to the datastore.




The progress of the upload can be monitored in the status bar at the bottom of the datastore browser windows, once it is completed we can start the patching process.





Attach the ISO 

I am going to presume you have your snapshots and backups in place before starting the next section.

Browse to the first PSC to be patched. Edit the hardware and go the CD/DVD Drive. Pull the option list and choose ‘Datastore ISO File’. You will then be able to browse to the ISO you uploaded just above





Ensure the ‘Connected’ box is ticked and then click on OK to save the changes

Access the VAMI and start the Patching of Standy PSCs

Browse to the VAMI interface, i.e. https://fqdn:5480. Login with root credentials. As stated above I am starting with 01PSC02 (my second pSC on the first site)

Go to the ‘Update’ section, choose ‘Check CDROM‘ from the dropdown list




Your ISO based update will shown below as the available update.  From the ‘Install Updates’ select the ‘Install CDROM Updates’.



You will be prompted to Accept the EULA.

The update will then start and a progress windows will be available to monitor the progress.






Once the upgrade is complete the progress windows will stay open, click on OK,  you will see the status message is the the Update has been been installed but not applied. A reboot of the system is required to complete the update.




Go the summary page and choose the ‘Reboot’ option.




Confirm the reboot and then close the tab.

Allow the system to reboot, after the reboot is normal it takes a while for the services to come up.  First log into the VAMI and wait for the Health status to go Green, ensure there is no Health Messages and the SSO Status is started. (this may take a few minutes)


Once you have this you are good to start on the Second PSC, in this instance 02PSC02.  I will follow the same steps as above.

Patching the Active PSCs 

Failover to second PSC on the same site

In my model 01PSC01 and 02PSC01 are active. I have choice to make, fail the vCenter over to the upgraded standby PSCs or leave as is and have a longer outage. Doing the below steps does cause an outage during the fail over period between PSCs, of about 20 minutes.  This outage means that users will not be able to log into vCenter and will be kicked out of existing sessions, as it restarts the web services of the VCSA.

I have decided to fail them over, so will follow this guide,

Log into the VAMI of the VCSA (https;//fqdn:5480) with root credentials. 

Go to the Access option and enable SSH.


Start a putty session to the VCSA

Run this command:
shell.set –enabled true

Run the shell command to get to the ESXi console


Run this command to repoint the vCenter Server Appliance to Platform Services Controller (PSC) appliance:
cmsso-util repoint –repoint-psc systemname_of_second_PSC

cmsso-util repoint –repoint-psc nv01psc02v.corp.local

Then ensure you can use the same VCSA to log in via the Web Client. (I normally find it best to attempt the connection in a ‘private’ browser tab so to ensure the connection attempt is clean). Once you have access to the vCenter successfully, you complete the same steps for the second site.

PSC repoint

I would check that partner status is up to date on PSC before starting to move on with patching. I would go to the first PSC (if you haven’t got a ring replication setup and check that it is in insync with all its partners).

One this is done, patch both now non active PSCs as done in the steps above.

Post install for reference I would revert each VCSA back to the first PSC on each site.


Leave a Reply

Your email address will not be published.