Authenticated Download Configuration Update Script
search cancel

Authenticated Download Configuration Update Script

book

Article ID: 389276

calendar_today

Updated On:

Products

VMware vCenter Server VMware vSphere ESXi VMware SDDC Manager VMware Cloud Foundation

Issue/Introduction

Affected products are no longer able to download from internet facing VMware public repositories. This article describes the process to update affected products with provided script.

Environment

  • VMware vCenter Server 7.x
  • VMware vCenter Server 8.x
  • VMware vSphere ESXi 7.x
  • VMware vSphere ESXi 8.x
  • SDDC Manager 4.5.x
  • SDDC Manager 5.x
  • VVF 9.x

Cause

Public facing repository URLs and authentication mechanisms are changing. Download URLs are no longer common but unique for each customer therefore will require to be re-configured.

Resolution

The following outlines the affected components and resolution support by provided script. Unsupported if unspecified, manual steps may be available.

Depot Component Script Version(s)
VCF Depot SDDC Manager Yes 4.5.x, 5.x
Offline Bundle Transfer Utility (OBTU) No -
Async Patch Tool (AP Tool) No -
vApp Update (vCenter) vCenter Server Yes 7.x, 8.x, 9.x
Host Update (ESX) vSphere Lifecycle Manager (vLCM) and
VMware Update Manager (VUM)		 Yes 7.x, 8.x, 9.x
Update Manager Download Service (UMDS) No -
Auto Deploy / Image Builder No -
vSAN File Services vSAN No -

Disclaimer: Only Standalone Tools mentioned in the above table are not supported by the script.

Table of Contents

Pre-requisites

  1. PowerShell 7.2 or later (MacOS/Linux/Windows) - https://learn.microsoft.com/en-us/powershell/
  2. PowerCLI v13.3 or later - https://developer.broadcom.com/powercli
  3. Network connectivity to vCenter and/or SDDC Manager where the PowerShell script will be executed from.
  4. Outbound internet connectivity to dl.broadcom.com from vCenter and SDDC Manager (if applicable). 

Input Information Required

  1. Support entitlement token - Click for instructions to obtain
  2. VCF Deployment
    1. SDDC Manager FQDN
    2. SDDC Manager SSO username & password
    3. SDDC Manager root password
  3. Non-VCF deployed vCenter(s)
    1. vCenter(s) FQDN(s)
    2. vCenter SSO username & password

Before executing the script

  1. Ensure that there is backup and/or snapshot of SDDC Manager and vCenter Servers.
  2. If the SDDC Manager endpoint or vCenter is running default certificates or there is no SSL trust established with the system executing the script, consider disabling certificates checks.

    Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false

  3. Enable multi-vCenter connection

    Set-PowerCLIConfiguration -DefaultVIServerMode Multiple

Script execution

There are 2 ways to execute the script, interactive (menu based) and non-interactive mode. 

  Interactive (menu driven) Non-interactive
Endpoint Input(s) Manual input(s)  Input file - JSON
Credential(s) Manual input(s) - obfuscated

Input file - JSON (optional)

*Obfuscated interactive input if credentials are not provided in JSON.
SDDC Manager (and associated managed vCenters) 1 endpoint maximum 1 endpoint maximum
vCenter - Non-SDDC Manager managed 1 or more endpoint(s) 1 or more endpoint(s)

 

Interactive mode

  1. Start the script in interactive menu mode

    Menu interface
    ./VMwareDepotChange.ps1

  2. Follow along interactive menu based options as instructed

    VMware Depot Update Menu.

     1. Choose deployment type and connect.
     2. Enter your download token.
     3. Check depot configurations.
     4. Update depot configurations.
     5. (Optional) Dry run (validate token).
     6. (Optional) Disconnect from endpoints.
     7. (Optional) Show Version.
     8. (Optional) (Advanced) Toggle SkipVcenter Updates Flag for VCF Environments.
     Q. Press Q to Quit

     (1-9 or Q):

    Note: Only choose option 8 for VCF environments for which vCenter cannot be allowed access to the Internet. Choosing this option will prevent the use of vLCM images unless an vCenter offline depot is configured. Please refer Installing, Setting Up, and Using Update Manager Download Service for more information on vCenter offline depot using UMDS.


Non-interactive mode

  1. Prepare JSON input file(s) for the intended target endpoint for connection. One JSON file for each endpoint type.
    • Note 1: Only the endpoint FQDN is required. Username and/or password values are not required and will be prompted in-line if not provided as an added security option to avoid storing credentials in plaintext.
    • Note 2: Only 1 SDDC Manager endpoint is supported. The associated SDDC Manager managed vCenter endpoint(s) do not need to be specified as the script will retrieve it from the SDDC Manager inventory. For additional SDDC Manager endpoints, create a separate JSON file.
    • Note 3: For non-VCF managed vCenter endpoints, 1 or more vCenter endpoints may be specified for connection.

      Sample JSON for VCF endpoint with password:


      [
        {
          "SddcManagerFqdn" : "<sddc_fqdn>",
          "SddcManagerUserName" : "[email protected]",
          "SddcManagerPassword" : "<password>",
          "SddcManagerRootPassword" : "<password>"
        }
      ]

      Sample JSON for VCF endpoint without credentials:

      [
        {
          "SddcManagerFqdn" : "<sddc_fqdn>"
        }
      ]

      Sample JSON for vCenter endpoint(s) with credentials:

      [
        {
          "VcenterFqdn" : "<vcenter_1_fqdn>",
          "VcenterUsername" : "[email protected]",
          "VcenterPassword" : "<password>"
        },
        {
          "VcenterFqdn" : "<vcenter_2_fqdn>",
          "VcenterUsername" : "[email protected]",
          "VcenterPassword" : "<password>"
        }
      ]

      Sample JSON for vCenter endpoint(s) without credentials:
      [
        {
          "VcenterFqdn" : "<vcenter_1_fqdn>"
        },
        {
          "VcenterFqdn" : "<vcenter_2_fqdn>"
        }
      ]

  2. Connect to endpoint

    VCF: ./VMwareDepotChange.ps1 -Connect -Endpoint Vcf -JsonInput <path to JSON file>

    vCenter: ./VMwareDepotChange.ps1 -Connect -Endpoint vCenter -JsonInput <path to JSON file>

  3. Execute one of the following actions

    Check Depot
    ./VMwareDepotChange.ps1 -Check

    Update Depot
    ./VMwareDepotChange.ps1 -Update -DownloadToken <32 character token>

  4. Other optional actions

    DryRun
    ./VMwareDepotChange.ps1 -DryRun -DownloadToken <32 character token>

    SkipVcenter
    ./VMwareDepotChange.ps1 -SkipVcenter <Enable|Disable>

    Version
    ./VMwareDepotChange.ps1 -Version

    Help
    ./VMwareDepotChange.ps1 -Help

    Note: Only use SkipVcenter switch for VCF environments for which vCenter cannot be allowed access to the Internet. Choosing this option will prevent the use of vLCM images unless an vCenter offline depot is configured. Please refer Installing, Setting Up, and Using Update Manager Download Service for more information on vCenter offline depot using UMDS.

  5. Disconnect from all currently connected endpoints

    Disconnect
    ./VMwareDepotChange.ps1 -Disconnect

Troubleshooting

  • Where can you locate the logs generated by the script?
    • <script path>\logs
  • You are getting erroneous errors that do not make sense.
    • Close the PowerShell session and re-run the script in a fresh new session.
  • The SSL connection could not be established, see inner exception.
    • See pre-requisites. Ensure you have set the PowerCLI to ignore invalid certificates or have established SSL trust.
      Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false
  • How do you troubleshoot "vCenter... timed out when attempting to configure depot..."?
    • Check that vCenter may access dl.broadcom.net through your firewall, either directly or through a proxy.
    • One way to verify that vCenter can connect to dl.broadcom.com is to SSH into the vCenter appliance, and run curl https://dl.broadcom.com
    • To configure proxy on vCenter Server, refer KB How to configure Proxy Settings for vCenter Server.
  • You need more help troubleshooting issues running this script
    • File a support request with support and include the following information
      • Issue summary
      • Steps to reproduce
      • Script logs from <script path>\logs
      • Intended endpoint target version (SDDC Manager and/or vCenter)
      • vCenter / VCF SOS Bundle (if you suspect it is a product issue)

FAQ

  • What would happen if the connection is interrupted or unreachable during the update process?
    • The script will fail and ignore only the unreachable endpoint but proceed with the rest. You may safely re-run the script against the same list of endpoints once the connectivity is restored. Updates will only be performed if a change is required.
  • If you have more than one SDDC Manager (VCF Instance) to update, what do you need to do?
    • Disconnect and repeat the update process against the subsequent SDDC Manager(s).
  • Do you have to enter details of all vCenter(s) managed by an SDDC Manager instance?
    • No, you only need to enter details of the managing SDDC Manager. The script will update all vCenter(s) managed by the specified SDDC Manager.
  • Will this change persist through upgrades?
    • No. There are additional properties added that do not persist through upgrades for SDDC Manager versions less than 9.0. Please re-run the script to reconfigure post upgrade / patch.
  • If your download token has changed / expired, what do you need to do?
    • You will need to re-run this script to reconfigure with the new token.
  • If you made a mistake in the input(s), what can you do?
    • You can revert to the out of the box default settings or simply just run the update again to override with the correct inputs.
  • Do you need to run this script to update if you do not need to download updates directly from the internet? I.E. Air-gapped environment
    • No you do not. Continue applying updates and patches in an offline manner.
  • Your organization does not allow unsigned PowerShell scripts to be run, do you provide scripts written in another language?
    • No. You may inspect the plaintext script to port to another language or consider manual reconfiguration steps.

Additional Information

SHA256 Checksum of attachment:

VMwareDepotChange-1.0.0.0.53.zip - 83aee7399e594579d55b7f19aa2c7021a5ba837cb611147d64cdfd7ad81413e3 

Change log:

  • 1.0.0.0.53 - Fixed issue with VCF.PowerCLI 9 support & VCF 9 detection
  • 1.0.0.0.52 - Support for VCF.PowerCLI 9 & added -SkipVcenter Feature
  • 1.0.0.0.51 - Bugfix for error "Cannot validate argument on parameter 'NewDepotFqdn'"
  • 1.0.0.0.50
    • Added "-DryRun" option to check download token validity and depot reachability from script execution system.
    • Added helpful error message for when script execution system does not trust SDDC manager's SSL certificate.
    • Bug fix for authentication against isolated domains and SDDCm versions prior to 5.2.
    • Bug fix for listing custom depots using check command.
    • Removed "-Restore" option.
  • 1.0.0.0.49 - Added fixes for minor errors (e.g. message type prefaced with dash for INFO).
  • 1.0.0.0.48 - Support automation of proxy server validation configuration (KB392212).

Attachments

VMwareDepotChange-1.0.0.0.53.zip get_app
Powered by Wolken Software