Overview

A dedicated Virtual Machine that will host the "Offline Depot". Once the Virtual Machine is ready and configured, VCF instances should be configured to point to the "Offline Depot".

OBTU will provide:

Depot like directory structure
Bundle management mechanisms
Upgrade metadata management mechanism

Pre-installed:

Virtual machine with enough space
Web-server with SSL configured

Offline depot deploy and configure

Virtual machine configuration

Requirements:

OS: Linux or Windows (Linux CentOS will be used for the examples on this page)

HDD: Separate disks (at least 1TB) should be dedicated to the Offline depot.

SSL: SSL TLSv1.2 & TLSv1.3

Directory permissions: The user that will run the OBTU tool should have read/write privileges for the Offline Depot root directory. 

Web server

This section includes an illustrative example of configuring a basic web server which will be necessary to host the VCF upgrade artifacts.

NOTE: Please be aware that each customer is responsible for setting up the web server in accordance with their specific security requirements.

Install Apache Web Server - example

• Use yum to install the web server:

sudo yum install httpd

• If web server is already installed use yum to update:

sudo yum update httpd

By default, apache web server is running on port 443. If you want to change the port of the web server, we need to open a custom port first. For example, you will use port 8282.

iptables -I INPUT 1 -m state --state NEW -m tcp -p tcp --dport {ServerPort} -j ACCEPT

a) You can use the above command or can manually edit /etc/sysconfig/iptables and add the following line it it:

-A INPUT -p tcp -m state --state NEW -m tcp --dport {ServerPort} -j ACCEPT

b) Then you need to restart the iptables service:

systemctl restart iptables

c) Once you have opened the desired port, you need to configure the port in the web server config file located under /etc/httpd/conf.d/ssl.conf

Listen {ServerPort}

d) Once the above is completed, the server is ready to be started:

systemctl start httpd
systemctl enable httpd

Generate SSL certificate - example

vi openssl.cfg

The file above should contain:

[ req ]
default_bits           = 2048
distinguished_name     = req_distinguished_name
req_extensions         = req_ext
prompt                 = no
 
[ req_distinguished_name ]
countryName            = { Country name e.g. US }
stateOrProvinceName    = { State or province name e.g. California }
localityName           = { Locality name e.g. Palo Alto }
organizationName       = { organization name e.g. VMware }
commonName             = {VM IP address}
 
[ req_ext ]
subjectAltName = @alt_names
 
[alt_names]
IP.1   = {VM IP address}
DNS.1  = vcfdns.goat.org

{VM IP address} : Replace with the VM IP address. Certificate should rely on the offline depot hostname.

openssl genpkey -out pkey.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048
 
openssl req -new -key pkey.key -out req.csr -config openssl.cfg
 
openssl x509 -req -in req.csr -signkey pkey.key -out cert.crt -extfile openssl.cfg -extensions req_ext
 
mv cert.crt /etc/pki/tls/certs
 
mv pkey.key /etc/pki/tls/private

Apply the generate certificate in /etc/httpd/conf.d/ssl.conf

#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/cert.crt
 
#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/pkey.key

Then reload httpd - systemctl reload httpd

Configure Basic Auth - Mandatory step

As an additional step, you can configure auth on our web server, so the credentials provided by the VCF will be validated. In the example below, Basic Auth is used as authentication.

a) Mandatory step: Create/Modify the /etc/httpd/conf.d/auth_basic.conf file and add the below content in it:

<Directory /var/www/PROD2/evo/vmw>
    # Basic Auth (VCF 4.x and 5.0)
    AuthType Basic
    AuthName "Basic Authentication"
    AuthUserFile /etc/httpd/conf/.htpasswd
    require valid-user
</Directory>
 
<Directory "/var/www/PROD2/evo/vmw/Compatibility/VxrailCompatibilityData.json">
    # VxRail VVS Cookie Validation (VCF 5.0)
    <If "%{HTTP:Cookie} == 'ngssosession=ngsso-token' ">
        Require all granted
    </If>
</Directory>
 
# This Alias is needed only for VCF 5.1.0.0. Used for getting last updated time of HCL file.
Alias /products/v1/bundles/lastupdatedtime /var/www/PROD2/vsan/hcl/lastupdatedtime.json
<Directory /var/www/PROD2/vsan/hcl>
    <If "%{HTTP:X-vmw-esp-clientid} == 'offline-depot-hcl-vcf' ">
        Require all granted
    </If>
</Directory>
 
# This Alias is needed only for VCF 5.1.0.0. Used for getting the HCL file.
Alias /products/v1/bundles/all /var/www/PROD2/vsan/hcl/all.json
<Directory /var/www/PROD2/vsan/hcl>
    <If "%{HTTP:X-vmw-esp-clientid} == 'offline-depot-hcl-vcf' ">
        Require all granted
    </If>
</Directory>

b) Create username used to authenticate to the web server (after the command execution you will be prompted to enter password for the provided username):

htpasswd -c /etc/httpd/conf/.htpasswd testUser

c) Restart the web server:

systemctl restart httpd

OBTU

a) Download the latest OBTU version from the customer connect platform. Every command can be scheduled and executed without interactions. 

Following additional OBTU cli parameters will be added for supporting the offline depot:

• --setUpOfflineDepot (mandatory) - Sets up an offline depot for VSRN. If an optional downloadPartnerBundle argument is provided than VXRAIL bundles are also downloaded;

• --offlineDepotRootDir (mandatory) - Contains a mandatory argument that defines the root directory that will be used to host the offline depot;

• --offlineDepotUrl (mandatory) - Contains a mandatory argument that defines the URL that will be used for the web server;

• --depotUser (mandatory) - Contains a mandatory argument that defines the user that will be used to connect to VMware depot;

• --depotUserPasswordFile (mandatory) - contains a mandatory argument that provides a file path containing the password for VMware depot users;

• --sourceVersion (optional)(default value: 4.1.0.0) - contains a mandatory argument that defines the source version for the bundles that will be downloaded;

• --ceip (optional) - Allows a users to enrol in CEIP;

• --ariaBundles (optional) - Allows users to download Aria bundles;

• --asyncPatches (optional) - Allows users to download async patch bundles. If an optional downloadPartnerBundle argument is provided, then VXRAIL async patch bundles will be downloaded (for now this is not supported);

• --partnerDepotUser (optional) - Contains a mandatory argument that defines the user that will be used to connect to Dell depot;

• --partnerDepotUserPasswordFile (optional) - Contains a mandatory argument that provides a file path containing the password for Dell depot users;

Examples of the CLI commands:

• To download the VSRN bundles use: 

  ./lcm-bundle-transfer-util --setUpOfflineDepot --offlineDepotRootDir '/apache/www' --offlineDepotUrl http://10.0.0.250:8282 --depotUser user --depotUserPasswordFile /some/directory/password.file --sv 4.5.1.0

• To download the VSRN bundles with VCF Aria bundles (VRA, VROPS, VRLI, VRSLCM and WSA) and enrol to CEIP use: 

  ./lcm-bundle-transfer-util --setUpOfflineDepot --offlineDepotRootDir '/apache/www' --offlineDepotUrl http://10.0.0.250:8282 --ceip --ariaBundles --depotUser user --depotUserPasswordFile /some/directory/password.file --sv 4.5.1.0

• To download the VSRN and VXRAIL bundles use: 

  ./lcm-bundle-transfer-util --setUpOfflineDepot downloadPartnerBundle --offlineDepotRootDir '/apache/www' --offlineDepotUrl http://10.0.0.250:8282 --depotUser user --depotUserPasswordFile /some/directory/password.file --sv 4.5.0.0 --partnerDepotUser partner-user --partnerDepotUserPasswordFile /some/directory/partner-depot-password.file

• To download the VSRN bundles and async patch bundles use: 

  NOTE: VxRail async patch bundles are currently not supported and customer needs to follow standard VxRail AP process.

  ./lcm-bundle-transfer-util --setUpOfflineDepot --offlineDepotRootDir '/apache/www' --offlineDepotUrl http://10.0.0.250:8282 --asyncPatches --depotUser user --depotUserPasswordFile /some/directory/password.file --sv 4.5.1.0

• To clean up bundles below, the given source version can be used: 

  ./lcm-bundle-transfer-util --cleanUpOfflineDepot --sv 4.5.2.0 --offlineDepotRootDir '/apache/www'./lcm-bundle-transfer-util --cleanUpOfflineDepot --sv 4.5.2.0 --offlineDepotRootDir '/apache/www'

• To clean up bundles below the given source version along with AsyncPatch bundles can be used: 

  ./lcm-bundle-transfer-util --cleanUpOfflineDepot --sv 5.0.0.0 --offlineDepotRootDir '/apache/www' --asyncPatches

Connect SDDC Manager to offline depot

VCF instance 5.1.1 and above

• Upload generated SSL certificate

Navigate to Developer center and upload the generated trusted certificate using the v1/sddc-manager/trusted-certifcates

Example body:
 

{
    "certificate": "-----BEGIN CERTIFICATE-----\nMIIDazCCAlOgAwIBAgIJALBdtFYXfBGSMA0GCSqGSIb3DQEBCwUAMF8xCzAJBgNV\nBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQHDAlQTGFvIEFsdG8x\nDzANBgNVBAoMBlZNd2FyZTEWMBQGA1UEAwwNMTAuMjA2LjIxMC45OTAeFw0yMzA4\nMjIxMjU5NDNaFw0yMzA5MjExMjU5NDNaMF8xCzAJBgNVBAYTAlVTMRMwEQYDVQQI\nDApDYWxpZm9ybmlhMRIwEAYDVQQHDAlQTGFvIEFsdG8xDzANBgNVBAoMBlZNd2Fy\nZTEWMBQGA1UEAwwNMTAuMjA2LjIxMC45OTCCASIwDQYJKoZIhvcNAQEBBQADggEP\nADCCAQoCggEBAO4vbbDwpv1AvcvF3/5E8bv3F+irjeHdxjErZcbJs7rxxAPYIGNU\nvoFBEf4UganlImnU0/+su/Pf5+O8KOpO7m1Mwc5px3e/qPq/vZFGv/M8bKLrukze\nLWVbit7O0M3lVj4qxRAtlIwWKxw6ixnoTTYF+IBE7Z8yTzQ+NrOq6uDwjZgfc6ty\nQCSeDqi2ojd2CJk2NTUYRlT5eZRvzteeJRgULdT5AtP4KdZYNHqrN14YwcgbnGu8\nVteiJhnp8VUIFJXSvzAuW7uXcTmIIdJj44GzRTNo+ftWFgVUbx9GObTJr1+6mm6m\nBNIWx5REVYxhnUYK3nBBsGzEIpIKLTFdRocCAwEAAaMqMCgwJgYDVR0RBB8wHYcE\nCgAA+ocECs7SY4IPdmNmZG5zLmdvYXQub3JnMA0GCSqGSIb3DQEBCwUAA4IBAQA1\nwhz1HCbc/+zBSX9qjpGmd//jJF9tjkgtHAKLeYIjtc5iCJnyMh3FsA0zyKYq0cYZ\ndaWYgregoaBbheitNqEdvs2IE+Km1w110noNjYWIDieRveYzJfN7Skx1rqoBfc0E\n8O6PTJ6DfeObZITPC2mMuOcnojzm6VEqVBPuo3oQ0vk2UU1BTuceSCrCXkPgK++r\nD9PCjPhsOVKZ0nh9EKWjOz5AaE1q++BCOPHN9QhxS0vRrb943x1DmrqrNcGprAUx\npOXkKC5ilCjCxUhT0CNbXhLipyHGW9+Ve0lwHcZ0eaSDvl+gX/V9S/9N51rYqXyz\nORedTmOJ5u7A7vPswAf4\n-----END CERTIFICATE-----",
    "certificateUsageType": "TRUSTED_FOR_OUTBOUND"
}

Configure offline depot

1. Navigate to "Lifecycle Management"→ Depot Settings.

2. Set up an Offline Depot.

3. Enter offline depot hostname, port, username and password.

VCF instance 5.1.0 and below

1. Upload the SSL certificate to the SDDC Manager

2. In the OBTU package can be found a script that must be executed in order to change the depot mode from online to offline.

python depot_config.py --depotMode offline --depotUrl {offline_depot_url}

3. Navigate to "Online Depot" and authenticate with the offline depot credentials.