VMware vSphere Foundation (VVF) and VMware Cloud Foundation (VCF) 9.0 introduced the concept of a unified VCF Software Depot, which can connect to either Broadcom’s online repository or an offline depot that is hosted within an organizations environment.
By default, an offline VCF Software Depot requires HTTPS with basic authentication. In VCF 9.0, HTTPS can be disabled using this workaround, which remains applicable in VCF 9.1, however, basic authentication is still required.
Note: If you do not or can not setup a basic web server for your VCF Offline Depot, you can use this simple Python script to serve up depot locally from your desktop as long as its accessible by VCF Installer and/or VCF Fleet Depot Service.
With VCF 9.1, both the VCF Installer and the new VCF Fleet Depot Service support an offline Software Depot configured with HTTP and no basic authentication. To take advantage of this capability, you must use the VCF Installer API for the initial VCF Fleet deployment, which automatically applies the same configuration to the Fleet Depot Service.
Note: The VCF 9.1 Installer UI currently does not support connecting to an offline VCF Software Depot using HTTP, the VCF Installer API must be used to apply this configuration.
If you accidentally used the VCF 9.0 workaround, you will need to reapply the HTTP configuration after the VCF Fleet has been deployed using the new VCF Fleet Depot Service API.
Here is a quick table on the different supported scenarios and applicable workarounds:
| Protocol | Basic Auth | 9.0.x | 9.1.0 | Behavior |
|---|---|---|---|---|
| HTTPS | ✅ | ✅ | ✅ | Default |
| HTTPS | ❌ | ❌ | ✅ | Supported via API |
| HTTP | ✅ | ✅ | ✅ | Requires previous workaround |
| HTTP | ❌ | ❌ | ✅ | Supported via API |
VCF Installer
As mentioned earlier, in order for the VCF 9.1 Installer to connect to an HTTP offline depot without basic authentication, you will need to use the VCF Installer API. Below is a PowerShell example that you can use to apply this configuration.
Note: If you apply the configuration below, you will NOT have to run the Fleet Depot Service as the configuration will automatically be transferred to your deployed VCF Fleet and the VCF Fleet Depot Service will contain your HTTP offline depot configuration.
$VCFInstallerFQDN = "sddcm01.vcf.lab"
$VCFInstallerRootPassword = "VMware1!VMware1!"
$VCFInstallerOfflineDepot = "http://192.168.30.29:8888"
# DO NOT EDIT BEYOND HERE #
$payload = @{
username = "admin@local"
password = $VCFInstallerRootPassword
}
$body = $payload | ConvertTo-Json
$params = @{
Uri = "https://${VCFInstallerFQDN}/v1/tokens"
Method = 'POST'
Headers = @{
'Content-Type' = 'application/json'
}
SkipCertificateCheck = $true
Body = $body
}
$requests = Invoke-WebRequest @params
if ($requests.StatusCode -eq 200) {
$accessToken = ($requests.Content | ConvertFrom-Json).accessToken
}
$depotPayload = @{
depotConfiguration = @{
isOfflineDepot = $true
url = $VCFInstallerOfflineDepot
}
}
$depotBody = $depotPayload | ConvertTo-Json
$params = @{
Uri = "https://${VCFInstallerFQDN}/v1/system/settings/depot"
Method = 'PUT'
Headers = @{
Authorization = "Bearer ${accessToken}"
'Content-Type' = 'application/json'
}
SkipCertificateCheck = $true
Body = $depotBody
}
Invoke-WebRequest @params
VCF Fleet Depot Service
As mentioned earlier, if you have applied the VCF 9.0 Installer workaround for connecting to an HTTP offline depot with basic authentication, once the VCF Fleet has been deployed, the offline depot configuration is NOT automatically transferred over to new VCF Fleet Depot Service. This is by design as the previous workaround was more of a "hack" to support non-HTTPS offline depot.
If you find yourself in this situation and would like to continue using an HTTP offline depot without basic authentication, then you will need to re-apply the configuration using the VCF Fleet Depot Service API. This API may also be applicable where you might want to reconfigure to alternative HTTP offline depot, so there maybe other Day-N use cases where you might find this to be useful. Below is a PowerShell example that you can use to apply this configuration.
# --- Configuration Variables ---
$VCFMSFQDN = "vcf-msr01.vcf.lab"
$VCFMSAdminPassword = "VMware1!VMware1!"
$VCFFleetFQDN = "vcf-flt01.vcf.lab"
$VCFInstallerOfflineDepot = "http://192.168.30.29:8888"
# --- Authentication ---
$authParams = @{
Uri = "https://${VCFMSFQDN}/api/v1/identity/token"
Method = 'POST'
Headers = @{
'Content-Type' = 'application/x-www-form-urlencoded'
}
SkipCertificateCheck = $true
Body = @{
grant_type = 'password'
username = "*protected email*"
password = $VCFMSAdminPassword
}
}
$authResponse = Invoke-WebRequest @authParams
if ($authResponse.StatusCode -eq 200) {
$accessToken = ($authResponse.Content | ConvertFrom-Json).access_token
} else {
Write-Error "Failed to authenticate. Status Code: $($authResponse.StatusCode)"
return
}
# --- Update Depot Service ---
$depotPayload = @{
depotConfiguration = @{
depotType = "OFFLINE"
url = $VCFInstallerOfflineDepot
}
}
$depotBody = $depotPayload | ConvertTo-Json
$connectivityParams = @{
Uri = "https://${VCFFleetFQDN}/depot-service/api/depot/v1/connectivity"
Method = 'PUT'
Headers = @{
'Content-Type' = 'application/json'
'Authorization' = "Bearer ${accessToken}"
}
Body = $depotBody
SkipCertificateCheck = $true
}
Invoke-WebRequest @connectivityParams
I was hoping Broadcom would build an OVA based upon Photon 5 pre-configured with everything needed with the OVA answer form for the unique data such as web user and password, IP address, machine name, etc....
Tom - While that might be handy for lab environment, the large majority of users (both small and large) already have an existing solution for hosting software updates (Microsoft, Linux, etc) or they have their standard of requirements for running web server which is exactly what VCF Offline Depot is at the very high level
VCF Download Tool (VCFDT) is all your need to pull down the binaries, metadata and then you simply host that on a dedicated HTTP(s) server or incorporate that into an existing software repository that you already have.
Actually such OVA exists and you can download as per https://vmware.github.io/Holodeck/downloads/#3-offline-depot-optional. Thanks to Jupyter Notebook you can download binaries in an easy way.
Thanks for the heads up on this! Much appreciated
With the OVA mentioned above will that serve as a turnkey offline repository for version VCF 9.1 that the VCF Installer 9.1 can use for an initial bring up of a greenfield environment? Would the VCFDT 9.1 install and work on this build? This is a for a home lab setup.
Thank You
Hi William,
In your first script, where you have below, should this read if($requests.StatusCode with an s to refer to the variable defined in the line above?
$requests = Invoke-WebRequest @params
if($request.StatusCode -eq 200) {
$accessToken = ($requests.Content | ConvertFrom-Json).accessToken
}
Yes, good catch. Just fixed
Hi William,
Will the vcf-offline-depot-metadata.zip be available for VCF 9.1?
curious, how are you using the metadata zip since this is automatically downloaded for you as part of using the VCF Download Tool (VCFDT)?
I created an offline depot during one of the VCF9 deployments and had to make use of the offline-metadata.zip file to put the installation files in specific folders. I did not used the VCF download tool.
Just curious, why not use VCFDT since it does all of this for you?
Thank you, I will use the VCFDT.
What's the use case for not using basic auth?
Not every organization has a need to authenticate once behind their corporate firewall to apply patch or install package. Just think about Windows or Linux, you can just apply update … this can certainly help with development or PoC, it’s totally customer choice
Just a heads up:
If you are using HTTPS, you will need to generate a cert. The VCF 9.1 installer must trust the certificate, so you'll import that cert chain into the VCF Installer appliance and proceed with the initial install or upgrade.
Once 9.1 is deployed, the installer will try to import the same certificate and software depot configuration into the newly deployed software depot service within the fleet. This part will FAIL if you do not include a proper SANs field including the FQDN and IP address in the SANs field!!!
I've noticed it's very similar to this KB article regarding Operations for Networks: https://knowledge.broadcom.com/external/article?articleId=424807
You'll see this error surface with errors syncing the LCM software depot after the initial deployment when you go to deploy add-on components.
I noticed the python script on this page (at the time i'm writing this) didn't have the IP address listed in the SANs field. I started that route and the performance of the python https service was causing errors so I personally switched to apache, but again my apache cert was generated by claude's quick scripting help and it didn't generate an IP address in the SANs field.
Also... you may find yourself troubleshooting this cert after the original deployment completes and you go to deploy logs or network or whatever, and you'll edit the offline software depot and it'll ask you to trust the cert. So you'll trust it, it'll validate, and then next time you try again and it'll ask you to trust the cert again, over and over. this is an indication that the cert validation is also not checking for the missing SANs field.
Regenerate a cert with an IP address and FQDN in the SANs field for your offline depot, then go import the cert in fleet management software depot, and you'll be off to the races.