To provide you with greater security, the Citrix Insight Services (CIS) website has extended its multi-factor authentication requirement to applications, like XenCenter, that use the API to upload data. As a result, we are making changes to how XenCenter interacts with CIS.

Important: XenCenter 8.2.x contains a version of a 3rd-party component, PuTTY, that is believed to contain a security vulnerability. For more information, see Citrix Hypervisor Security Update for CVE-2024-31497. To address this vulnerability, install the latest version of XenCenter (2024.2.0 or later). This version of XenCenter does not include a bundled PuTTY tool. To use the external SSH console feature, you must download the latest version of PuTTY or OpenSSH.

Download the latest XenCenter from the Citrix Hypervisor download page or the XenServer download page.

Review these changes and take the necessary actions to continue to receive support for your Citrix Hypervisor and XenServer deployments.

Recent changes

• XenCenter 2024.2.0 is supported for both XenServer 8 and Citrix Hypervisor 8.2 Cumulative Update 1: XenCenter 2024.2.0 supports all in-support versions of XenServer and Citrix Hypervisor. This XenCenter release supersedes previous versions of XenCenter. Install the latest version of XenCenter as soon as it is available. Installing XenCenter 2024.2.0 removes older versions of XenCenter.
  Notable changes in the upcoming version of XenCenter:
  
  • The version format for future versions of XenCenter has changed to be independent of the version of XenServer or Citrix Hypervisor. The new format is YYYY.major.minor - the year of release followed by a major and minor version number.
  • The installation location for XenCenter YYYY.x.x is different to that of XenCenter 8.2.x. In future, XenCenter is located in C:\Program Files (x86)\XenServer\XenCenter.
  • You can update XenCenter YYYY.x.x from within XenCenter. When a new version of XenCenter is available, XenCenter displays the notification XenCenter Update in the menu bar. You can choose to download and install the latest version from here.
• In effect from XenCenter 2023.3.1 for XenServer 8 customers and XenCenter 2024.2.0 for Citrix Hypervisor 8.2 CU1 customers: PuTTY is no longer bundled with XenCenter. To launch an SSH console to a XenServer host by using XenCenter, you must install an external SSH console tool and ensure that XenCenter is configured to use it. For more information, see Configure XenCenter to use an external SSH console.
  
  For customers using Citrix Hypervisor 8.2 Cumulative Update 1, XenCenter YYYY.x.x is not yet supported in production. To be supported at present, you must use XenCenter 8.2.7. XenCenter 8.2.7 and earlier contain a version of PuTTY that contains a security vulnerability. For more information, see  Citrix Hypervisor Security Update for CVE-2024-31497. To address this vulnerability, download the latest version of PuTTY and install it in place of the version bundled with XenCenter.
• In effect from XenCenter 8.2.7: The Health Check feature has been removed from XenCenter. If you are using XenCenter 8.2.6 and earlier, the Health Check feature will soon stop working when multi-factor authentication changes are made to the CIS website API.
• In effect from XenCenter 8.2.7: XenCenter 8.2.7 does not have the option to upload server status reports (SSRs) directly to the CIS website. Instead, you can generate the SSRs with XenCenter and then manually upload your SSRs through the CIS website. If you are using XenCenter 8.2.6 and earlier, the option to upload SSRs to CIS will soon be unavailable when the multi-factor authentication changes are made to the CIS website API.
• In effect from XenCenter 8.2.7: The URL used to check for XenCenter updates has changed to updates.ops.xenserver.com. If your XenCenter is behind a firewall, ensure that it has access to the updates.ops.xenserver.com domain.
• In effect for hotfixes released after Dec 31, 2022: Only XenCenter 8.2.6 and later can check for and download hotfixes. Earlier versions of XenCenter will no longer support this capability.
• In effect for hotfixes released after Dec 31, 2022: You can check for and download hotfixes through XenCenter only if you have set up a client ID for authentication.
• In effect from Nov 23, 2022: XenCenter can no longer be used to apply updates to the end-of-life XenServer 6.x releases. The hotfix files are still on the Citrix support site, but will shortly be withdrawn.

All of these changes also affect XenCenter YYYY.x.x.

Other XenCenter features are not affected by these changes and will continue to work as before.

What actions do I need to take?

1 - Upgrade to the latest version of XenCenter

Only XenCenter 8.2.6 and later is able to check for and download hotfixes released from January 2023. XenCenter 8.2.5 and earlier is no longer supported.

Ensure that you upgrade to the latest version of XenCenter as soon as possible.

It is available from the Citrix Hypervisor downloads site https://www.citrix.com/downloads/citrix-hypervisor/ in the Citrix Hypervisor 8.2 LTSR section.
 

2 - Set up your client ID in XenCenter

To provide a more secure service for hotfix downloads, XenCenter 8.2.4 introduced a feature that requires authentication with Citrix to automatically download and apply hotfixes.

If you haven't already set this feature up, do so now.

Complete the following steps to set up this capability on your XenCenter instance:

1. Check that your Citrix account has the correct permissions to download Citrix Hypervisor hotfixes:
   1. Log in to https://support.citrix.com with your Citrix account
   2. Go to a Citrix Hypervisor hotfix article, for example https://support.citrix.com/article/CTX472925/
   3. Check that you have permissions to download the attached zip file.
2. If you cannot download the hotfix zip file, contact Citrix Customer Service to ensure that your Citrix account meets the following requirements:
   • You are registered as a contact for your organization.
   • Citrix Customer Service created your Citrix account as a web login associated with the registered contact.
   • Your organization has an active Citrix Success Services agreement.
3. In the XenCenter menu, go to Tools > Options. The Options window opens.
4. In the Updates tab, go to the Client ID section.
5. Click the provided link to go to the page Generate and Download a Client ID in your web browser.
6. Log in with the Citrix account that you ensured had the correct permissions.
7. Click the Download Client ID button. The client ID is provided as a JSON file (xencenter_client_id.json).
8. Return to XenCenter.
9. In the Location field, browse to the location of the JSON file you downloaded (xencenter_client_id.json) and select the file.
10. Click OK.

For more information, see Authenticating your XenCenter to receive updates.

 

3 - Move your out-of-support XenServer and Citrix Hypervisor deployments to the latest LTSR

Hotfixes for out of support versions of XenServer and Citrix Hypervisor will be removed from the Citrix support site and will no longer be available through XenCenter.

If you are still using an end-of-life version of the product, we strongly recommend that you install XenSercer 8 or Citrix Hypervisor 8.2 CU1 LTSR on your servers instead. Using the latest supported release of XenServer or Citrix Hypervisor ensures that you continue to receive the latest security and functional fixes for your environment.
 

4 - Set up multi-factor authentication on your Citrix account 

If you have already set up multi-factor authentication on your Citrix account, you do not need to repeat this step. The CIS site uses the MFA options you have already set up.

To access the CIS web site directly, ensure that you have multi-factor authentication set up on your Citrix account. For more information, see Setting Up Multi-Factor Authentication for Citrix Accounts.

To upload a server status report, go directly to the CIS website, instead of uploading through XenCenter.
 

5 - Disable Health Check 

If you are using XenCenter 8.2.6 and earlier, these versions of XenCenter include Health Check or the option to upload SSRs to CIS. These features will stop working when multi-factor authentication changes are made to the CIS web site API.

The disable Health Check in XenCenter:

1. From the Tools menu, click Health Check. The Health Check Overview window opens.
2. In the right-hand panel, click Disable Health Check
3. Click Yes to confirm and then close the Health Check Overview window.

XenCenter 8.2.7 does not include the Health Check or CIS upload features.

 

6 - Allow access to updates.ops.xenserver.com

XenCenter can periodically check and notify you when a new XenCenter version is available. To provide these update notifications, XenCenter requires internet access. If your XenCenter is behind a firewall, ensure that it has access to the new URL used by XenCenter to check for updates, updates.ops.xenserver.com.

7 - Install the latest version of PuTTY on the system that hosts XenCenter 

Note: If you are using XenServer YYYY.x.x, PuTTY is no longer bundled with XenCenter and you must install an external SSH console tool and ensure that XenCenter is configured to use it. For more information, see Configure XenCenter to use an external SSH console.

If you are using XenCenter 8.2.x, it includes a version of PuTTY that is believed to contain a security vulnerability. For more information, see Citrix Hypervisor Security Update for CVE-2024-31497. To mitigate this issue, install the latest version of XenCenter and install an external SSH console tool. 

To provide you with greater security, the Citrix Insight Services (CIS) website has extended its multi-factor authentication requirement to applications, like XenCenter, that use the API to upload data. As a result, we are making changes to how XenCenter interacts with CIS. Review these changes and take the necessary actions to continue to receive support for your Citrix Hypervisor and XenServer deployments.