What’s New in This Release
VMware Cloud Director version 10.2 includes the following:
- Support for modern applications in VMware Cloud Director with the Tanzu runtime (vSphere with Kubernetes): provider and tenant UI for managing and consuming Kubernetes clusters
- VMware Cloud Director Virtual Appliance Enhancements: Validation of user input during initial deployment; Simplified cell restore with streamlined standby cell creation
- Storage Enhancements: Disk level IOPS control for providers and tenants; Shared disks
- Security Enhancements: See the Security section
- UI Enhancements: Quick Search; Advisories; Certificate Management
- Platform extensibility enhancements
- Scale Enhancements: See VMware Configuration Maximums
For information about the new and updated features of this release, see What’s New in VMware Cloud Director 10.2.
For the latest release notes for the VMware Cloud Director add-on solutions, see the following links:
- Container Service Extension 3.0
- Object Storage Extension 2.0
- App Launchpad 2.0
- Terraform
- Tenant App 2.5
Security
VMware Cloud Director 10.2 virtual appliance ships with Photon OS updated up to this Photon Security Advisory.
VMware Cloud Director 10.2 supports PKCS12 keystores. You can use a PKCS12 formatted keystore when you configure the network and database connections of VMware Cloud Director, or when you use the cell management tool to generate or replace certificates. For more information, see the VMware Cloud Director Installation, Configuration, and Upgrade Guide.
Product Support Notices
TKG cluster nodes are isolated. However, the services that a TKG cluster exposes are accessible to anyone with network access to the service virtual IP or endpoint and are protected by the services’ own authentication and authorization mechanisms. Because authentication is the only protection to secure access to the workloads, it is strongly recommended that you allow only encrypted traffic, such as TLS, on the ingress services.
End of Life and End of Support Warnings
- VMware Cloud Director API version 29 and earlier are not supported.
- VMware Cloud Director API versions 30 and 31 are deprecated.
- VMware Cloud Director API version 30 is due to become unavailable in the next release.
- The /api/sessions API login endpoint is deprecated since VMware Cloud Director API version 33.0 (VMware Cloud Director 10.0) and is due to become unsupported in a future VMware Cloud Director release. Use the separate VMware Cloud Director OpenAPI login endpoints for service provider access and for tenant access.
- The /cloud/server_status API is deprecated for both HTTP and HTTPS. Its removal is due in a future VMware Cloud Director release. Use /api/server_status for both HTTP and HTTPS.
- The reset actions /amqp/action/resetAmqpCertificate and /amqp/action/resetAmqpKeyStore are removed from VMware Cloud Director API version 35.0 because of the way VMware Cloud Director stores and handles SSL certificates. Use the /cloudapi/1.0.0/ssl/trustedCertificates endpoint to untrust certificates.
- The update actions /amqp/action/updateAmqpCertificate and /amqp/action/updateAmqpKeyStore are deprecated. Their removal is due in a future VMware Cloud Director release. Use the new /cloudapi/1.0.0/ssl/trustedCertificates endpoint to trust AMQP certificates.
- The reset actions /ldap/action/resetLdapCertificate and /ldap/action/resetLdapKeyStore are removed since VMware Cloud Director API version 34.0 because of the way VMware Cloud Director 10.1 stores and handles SSL certificates. Use the /cloudapi/1.0.0/ssl/trustedCertificates endpoint to untrust certificates.
- The update actions /ldap/action/updateLdapCertificate and /ldap/action/updateLdapKeyStore are deprecated and are due to become unsupported in a future release. VMware Cloud Director introduces the /cloudapi/1.0.0/ssl/trustedCertificates endpoint for trusting LDAP certificates.
- vSphere deprecates vSphere SSO as a SAML IDP. All VMware Cloud Director deployments that use vSphere SSO as their SAML IDP must migrate to a different external SAML IDP. Use of this IDP is due to become unsupported in the next vSphere and VMware Cloud Director releases.
- DSA and DSS certificates are no longer supported because no recommended cipher suites are available for them.
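Integrations written against older API versions tend to keep calling the endpoints listed above until one of them disappears. As an added example (not VMware code), the following Python scans request log lines for the endpoints and API versions this section marks deprecated, removed or unsupported, so callers can be fixed before the next upgrade. The log field layout (request=METHOD URL, accept=...;version=N) is an assumption loosely modelled on the request-log excerpt further down this page, the sample lines and the path prefix in them are constructed, and the version policy is the one stated in this section; adapt the regular expressions to your own log format.

```python
"""Find callers of deprecated or removed VMware Cloud Director API endpoints.

Added example, not VMware code: scans request log lines for the endpoints and
API versions that the 10.2 release notes mark deprecated, removed or unsupported.
"""
import re
from urllib.parse import urlsplit

# Paths the release notes deprecate, with the replacement they name.
DEPRECATED_PATHS = {
    "/api/sessions": "OpenAPI provider and tenant login endpoints",
    "/cloud/server_status": "/api/server_status",
    "/amqp/action/updateAmqpCertificate": "/cloudapi/1.0.0/ssl/trustedCertificates",
    "/amqp/action/updateAmqpKeyStore": "/cloudapi/1.0.0/ssl/trustedCertificates",
    "/ldap/action/updateLdapCertificate": "/cloudapi/1.0.0/ssl/trustedCertificates",
    "/ldap/action/updateLdapKeyStore": "/cloudapi/1.0.0/ssl/trustedCertificates",
}
# Paths already removed, keyed to the API version that dropped them.
REMOVED_PATHS = {
    "/amqp/action/resetAmqpCertificate": 35.0,
    "/amqp/action/resetAmqpKeyStore": 35.0,
    "/ldap/action/resetLdapCertificate": 34.0,
    "/ldap/action/resetLdapKeyStore": 34.0,
}

# Assumed field layout, modelled on the "request=METHOD URL ... accept=..." fields
# in the request-log excerpt on this page. Adjust for your own log format.
REQUEST_RE = re.compile(r"request=(?P<method>[A-Z]+) (?P<url>[^\s,]+)")
VERSION_RE = re.compile(r"accept=[^\s,]*?;version[= ](?P<ver>\d+(?:\.\d+)?)")


def version_status(ver: float) -> str:
    """API version policy from the release notes: 29 and earlier are
    unsupported, 30 and 31 are deprecated, 32 and later are current."""
    if ver <= 29:
        return "unsupported"
    if ver < 32:
        return "deprecated"
    return "current"


def check_request(line: str) -> list:
    """Return human-readable findings for one log line (empty list if clean)."""
    findings = []
    m = REQUEST_RE.search(line)
    if m:
        # Match on the path suffix so any admin/extension prefix still hits.
        path = urlsplit(m.group("url")).path.rstrip("/")
        for removed, since in REMOVED_PATHS.items():
            if path.endswith(removed):
                findings.append(f"removed endpoint {removed} (gone since API {since}; "
                                "use /cloudapi/1.0.0/ssl/trustedCertificates)")
        for deprecated, replacement in DEPRECATED_PATHS.items():
            if path.endswith(deprecated):
                findings.append(f"deprecated endpoint {deprecated} (use {replacement})")
    v = VERSION_RE.search(line)
    if v:
        ver = float(v.group("ver"))
        status = version_status(ver)
        if status != "current":
            findings.append(f"{status} API version {ver:g}")
    return findings


def scan(log_text: str) -> list:
    """Scan a whole log; return [(line_number, findings)] for lines with findings."""
    report = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        findings = check_request(line)
        if findings:
            report.append((n, findings))
    return report


# Constructed sample lines (not real VCD output) in the layout assumed above;
# the /api/admin/extension/settings prefix is constructed too.
SAMPLE_LOG = """\
2020-09-01 10:00:01,000 | request=POST https://vcd.example.test/api/sessions,accept=application/*+xml;version=33.0
2020-09-01 10:00:02,000 | request=GET https://vcd.example.test/cloud/server_status,accept=application/*+xml;version=35.0
2020-09-01 10:00:03,000 | request=POST https://vcd.example.test/api/admin/extension/settings/ldap/action/resetLdapCertificate,accept=application/*+xml;version=31.0
2020-09-01 10:00:04,000 | request=GET https://vcd.example.test/api/org,accept=application/*+xml;version=29.0
2020-09-01 10:00:05,000 | request=POST https://vcd.example.test/cloudapi/1.0.0/sessions/provider,accept=application/json;version=35.0
"""

if __name__ == "__main__":
    for n, findings in scan(SAMPLE_LOG):
        for finding in findings:
            print(f"line {n}: {finding}")
```

Run it over the constructed sample and four of the five lines are flagged; only the OpenAPI provider login at a current API version passes. Matching on the path suffix rather than the full path keeps the check independent of the admin or extension prefix a given call uses.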
Upgrading from Previous Releases
For more information on upgrading to VMware Cloud Director 10.2, upgrade and migration paths and workflows, see Upgrading and Migrating the VMware Cloud Director Appliance or Upgrading vCloud Director on Linux.
Supported LDAP Servers
You can import users and groups to VMware Cloud Director from the following LDAP services.
Platform | LDAP Service | Authentication Methods |
---|---|---|
Windows Server 2012 | Active Directory | Simple, Simple SSL |
Windows Server 2016 | Active Directory | Simple, Simple SSL |
Linux | OpenLDAP | Simple, Simple SSL |
Supported Security Protocols and Cipher Suites
VMware Cloud Director requires client connections to be secure. SSL version 3 and TLS versions 1.0 and 1.1 have been found to have serious security vulnerabilities and are no longer included in the default set of protocols that the server offers when accepting a client connection. System administrators can enable additional protocols and cipher suites. See the Cell Management Tool section in the VMware Cloud Director Installation, Configuration, and Upgrade Guide. The following security protocols are supported:
- TLS version 1.2
- TLS version 1.1 (disabled by default)
- TLS version 1.0 (disabled by default)
Supported cipher suites enabled by default:
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
System administrators can use the cell management tool to explicitly enable other supported cipher suites that are disabled by default.
Note: Interoperation with releases of vCenter Server earlier than 5.5 Update 3e and versions of ovftool earlier than 4.2 requires VMware Cloud Director to support TLS version 1.0. You can use the cell management tool to reconfigure the set of supported SSL protocols or cipher suites. See the Cell Management Tool section in the VMware Cloud Director Installation, Configuration, and Upgrade Guide.
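To review a cell against this list, the following added Python (not VMware code or cell-management-tool output) classifies each suite name by key exchange, authentication, cipher and MAC and flags the properties a reviewer would question: the RSA key-transport suite has no forward secrecy, the CBC_SHA suites use an HMAC-SHA-1 MAC, and any DSS suite would fall under the certificate notice above. It also includes a probe that pins a client to a single TLS version so you can confirm that 1.0 and 1.1 stay disabled after an upgrade or after someone has used the cell management tool to re-enable them; the host name and port for that probe are parameters you supply.

```python
"""Audit TLS cipher-suite names and probe which protocol versions a server accepts.

Added example, not VMware code or cell-management-tool output. The classifier
parses IANA-style suite names such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and
flags weak properties; the probe checks which TLS versions a live endpoint accepts.
"""
import re
import socket
import ssl

# Suites VMware Cloud Director 10.2 enables by default, copied from the release notes.
VCD_DEFAULT_SUITES = [
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]

SUITE_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<enc>.+)_(?P<hash>SHA\d*|MD5)$")
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20_POLY1305")


def classify(name: str) -> dict:
    """Split a TLS 1.2-style suite name into its parts and list weak properties."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised suite name: {name}")
    kx, enc, hash_ = m.group("kx"), m.group("enc"), m.group("hash")
    # "RSA" alone means RSA key transport authenticated by the RSA certificate;
    # "ECDHE_RSA" means ephemeral ECDH key exchange authenticated by RSA.
    kex, _, auth = kx.partition("_")
    auth = auth or kex
    # In AEAD suites the trailing hash names the PRF, not a record MAC.
    mac = "AEAD" if enc.endswith(AEAD_MARKERS) else hash_

    findings = []
    if kex not in ("ECDHE", "DHE"):
        findings.append("no forward secrecy")
    if auth in ("DSS", "DSA"):
        findings.append("DSS authentication (unsupported in VCD 10.2)")
    if "CBC" in enc:
        findings.append("CBC mode")
    if "3DES" in enc or "RC4" in enc or "NULL" in enc:
        findings.append("legacy cipher")
    if mac == "SHA":
        findings.append("SHA-1 MAC")
    return {"kex": kex, "auth": auth, "enc": enc, "mac": mac, "findings": findings}


def audit(suites) -> dict:
    """Return {suite: findings} for every suite with at least one finding."""
    result = {}
    for name in suites:
        findings = classify(name)["findings"]
        if findings:
            result[name] = findings
    return result


def probe_protocol(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0) -> bool:
    """True if the server completes a handshake pinned to exactly `version`.

    Expected on a default 10.2 cell: TLSv1 and TLSv1_1 return False, TLSv1_2 True.
    Certificate checks are off because this tests protocol acceptance, not trust.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; lower it so the
    # client actually offers the legacy version instead of failing locally.
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    for suite, findings in audit(VCD_DEFAULT_SUITES).items():
        print(f"{suite}: {', '.join(findings)}")
```

Seven of the eleven default suites carry at least one finding; the four ECDHE GCM suites are clean. None of the findings is a vulnerability in itself, but they are the suites to disable first if a compliance baseline requires forward secrecy or forbids CBC, and the probe is how you confirm the protocol list actually in force on a cell rather than the one you believe you configured.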
Supported Browsers
VMware Cloud Director is compatible with the current major and previous major release of the following browsers:
- Google Chrome (Paradigm Official Support)
- Mozilla Firefox
- Microsoft Edge (Paradigm Official Support)
Note: Internet Explorer 11 is not supported in VMware Cloud Director 10.2 and later. You can use Microsoft Edge or another supported browser. If you must use Internet Explorer 11, consider staying on VMware Cloud Director version 10.0.x or 10.1.x until you can use another browser.
Supported Guest Operating Systems and Virtual Hardware Versions
VMware Cloud Director supports all guest operating systems and virtual hardware versions that the supported vSphere releases support (for example, Windows Server 2019 and Red Hat Enterprise Linux 8 with the latest kernel).
VMware Cloud Director WebMKS 2.1.1
The VMware Cloud Director WebMKS 2.1.1 console adds support for:
- the PrintScreen key in Google Chrome and in Mozilla Firefox for Windows.
- the Windows key in Windows and macOS. To simulate pressing the Windows key, press Ctrl+Windows in Windows OS, or Ctrl+Command in macOS.
- Automatic keyboard layout detection in Google Chrome and Mozilla Firefox.
Resolved Issues
- Attempting to add a NAT rule to an NSX-T edge gateway fails with the error:
  New and deprecated values have been updated together for redistribution., error code 503266
- Moving a VM across clusters fails if the target storage container is a datastore cluster. The logs show the following error:
  2020-05-18 15:51:12,083 | ERROR | task-service-activity-pool-23 | SdrsPlacementManagerImpl | SDRS invocation error | requestId=eaa593e5-e051-4423-ac02-97ad09a39f4c,request=POST https://bos1-vcd-sp-static-203-38.eng.vmware.com/api/vApp/vm-c2b0ee1f-02f1-4377-8852-a9711c2a571e/action/reconfigureVm,requestTime=1589817067877,remoteAddress=10.150.203.38:32049,userAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ...,accept=application/*+xml;version 34.0 vcd=6e36bc7a-3850-4f2a-a057-d96758ef5fbe,task=1e8217b8-88f1-41f8-8292-1bb6178b0b3e activity=(com.vmware.vcloud.backendbase.management.system.TaskActivity,urn:uuid:1e8217b8-88f1-41f8-8292-1bb6178b0b3e) (vmodl.fault.InvalidArgument) { faultCause = null, faultMessage = null, invalidProperty = spec.host }
- Cannot deploy the appliance if the "Expire Root Password Upon First Login" setting is enabled. The deployment fails and the following error is found in the /opt/vmware/var/log/firstboot log:
  Invoking postgresauth script ...
  sudo: Account or password is expired, reset your password and try again
  Changing password for root.
  sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
  sudo: unable to change expired password: Authentication token manipulation error
  cp: cannot stat '/var/vmware/vpostgres/current/.ssh/id_rsa': No such file or directory
  chown: cannot access '/opt/vmware/vcloud-director/id_rsa': No such file or directory
  [ERROR] postgresauth script failed to execute.
- In the VMware Cloud Director Tenant Portal, advanced filtering of VMs based on VDC location does not work. If you try to use advanced filtering based on VDC location to filter VMs, the search fails with an error.