As of last month, customers must generate a new download token from the Broadcom Support Portal (BSP) for in-product downloads of VMware software binaries (e.g. updates, security patches using SDDC Manager, vCenter Server, ESXi, etc.). The Broadcom download token must then be appended after the new product download base URI (e.g. https://dl.broadcom.com/TOKEN/...) and this will ensure you will be able to continue to download updates directly or indirectly (via network proxy) from within the products.
UPDATE (05/02/2025) - A new Broadcom KB (395322) has also just been published with additional endpoints for troubleshooting download tokens.
Note: For customers that have setup or are using an offline method to retrieve updates, there are no changes in your workflow, this is only for those pulling software update directly from Broadcom.
A Broadcom download token is scoped to a SiteID and depending on your organization you may have one or more SiteIDs and users can generate a unique download token for each SiteID. It is important to understand that a download token itself does not contain an expiration, while you can revoke an existing token, its validity is based on whether a given SiteID has an active entitlement for the particular VMware SKU that you are attempting to download.
Each time a download request is made, the BSP backend will validate whether the token for a given SiteID has an active entitlement for the product download, if it does the download will be allowed and if not, it will fail.
An organization can create as many download tokens as needed and one question that quickly came up was how can you validate a token is still functional, without directly going into the product to test? In fact, I had the same question and knowing that most of the product repos have some sort of metadata file that we can test for connectivity, I figured this would be the quickest way to validate a download token.
Here are three different endpoints in which you can test the validity of a download token:
- SDDC Manager (VCF):
- https://dl.broadcom.com/${TOKEN}/PROD/COMP/SDDC_MANAGER_VCF/index.v3
- vCenter Server:
- https://dl.broadcom.com/${TOKEN}/PROD/COMP/VCENTER/vmw/8d167796-34d5-4899-be0a-6daade4005a3/8.0.3.00000/manifest/manifest-latest.xml
- ESXi:
- https://dl.broadcom.com/${TOKEN}/PROD/COMP/ESX_HOST/main/vmw-depot-index.xml
Here is an example using either cURL or PowerShell to validate the token against an SDDC Manager endpoint:
TOKEN="FILL_ME"
curl https://dl.broadcom.com/${TOKEN}/PROD/COMP/SDDC_MANAGER_VCF/index.v3
$TOKEN="FILL_ME"
Invoke-WebRequest -URI "https://dl.broadcom.com/${TOKEN}/PROD/COMP/SDDC_MANAGER_VCF/index.v3"
Here is an example using either cURL or PowerShell to validate the token against an vCenter Server endpoint:
TOKEN="FILL_ME"
curl https://dl.broadcom.com/${TOKEN}/PROD/COMP/VCENTER/vmw/8d167796-34d5-4899-be0a-6daade4005a3/8.0.3.00000/manifest/manifest-latest.xml
$TOKEN="FILL_ME"
Invoke-WebRequest -URI "https://dl.broadcom.com/${TOKEN}/PROD/COMP/VCENTER/vmw/8d167796-34d5-4899-be0a-6daade4005a3/8.0.3.00000/manifest/manifest-latest.xml"
Here is an example using either cURL or PowerShell to validate the token against an ESXi endpoint:
TOKEN="FILL_ME"
curl https://dl.broadcom.com/${TOKEN}/PROD/COMP/ESX_HOST/main/vmw-depot-index.xml
$TOKEN="FILL_ME"
Invoke-WebRequest -URI "https://dl.broadcom.com/${TOKEN}/PROD/COMP/ESX_HOST/main/vmw-depot-index.xml"
Regardless of the endpoint that you use to test the download token, you should get some output as demonstrated in the example below or you confirm that you get an HTTP 200 response:
If the download token is invalid, you will get the following error:
Is this required for customers with perpetual licenses and no support contract?
This is global change for everyone, you need an active entitlement to download updates
VMware has been supplying patches for the high severity security threats through lifecycle manager (and the vcenter update function in the appliance). These will require a token to receive?
Sorry if this seems like a redundant question.
What about the promise to provide zero day / critical security patches for vSphere perpetual license customers with expired support contracts that is documented in this KB article? https://knowledge.broadcom.com/external/article/314603
just got off a chat with broadcom support. The support person told me you can't have one without an active support contract. I asked how to get the high sev patches as you note. Was told that VMware will provide announcements when these happen on how to obtain the patch. Should be interesting...
The previous unauthenticated method of pulling patches via hostupdate.vmware.com was shutdown by Broadcom on April 24 2025
Yeah, it's a Catch 22 for anyone using VMUG Advantage licensing. You have a valid license key, but VMUG licensing doesn't come with any entitlements, so no access to patches anymore.
So running a perpetual license without active support means any errors and flaws in Broadcom’s code, any security issue will stay un-mitigated?
Time for some drastic changes in liability for software, imho.
Even people *with* active contracts will not have working automatic updates since 4/24 and will probably never notice.
A common issue is that people don’t have the required rights in their support portal.
It’s a requirement you have this permission as per the Auth Token KB.
How can one validate they have admin rights in their portal?
Only way to validate this I’ve seen is the token panel isn’t present. Wondering if there’s a clearer way.
Also to add to validating the token.
The initial step should be seeing if your envt can access the dl.broadcom.com endpoint before validating the token.
EG: curl dl.broadcom doesn’t work , but curl -k on this address works.
This simple step can validate if you have a proxy to address first and foremost.
Support is totally unprepared for issues after this change.
I adjusted the URLs, sync in vCenter was ok, but vLCM failed to patch and download patches.
I tested the URLs with curl on cli and get a 200 for the index and manifest. But a 403 Not Entitled for vib packages. We have v7 and v8 entitlements and I can download ISOs etc just fine via portal.
So this looks not like a technical issue as it even fails with curl. I opened a non technical case with all the debug information. It was immediately transferend without any further check to a new technical case.
And as always when update manager is involved the next step from support is... please reset update DB. Even after multiple mails and explanations that this happens even without update manger involved on cli, there is 0 understanding how to debug this and that this will not help. I don't think this will be solved quickly.
So free users aren't able to patch their environments? What a shame. Will make the step to Proxmox soon. Bye VMware, with thanks to Broadcom :(.
Sad times - home lab will now have to switch to another hypervisor