The aim of this article is to facilitate a smoother transition for VCF+ customers from the current keyless cloud-connected model to a key-based disconnected subscription model.

Prerequisites:

• Please ensure you have the required SDDC infrastructure license keys before unsubscribing VCF+, Before procuring the product (vCenter, ESXi, vSAN ,NSX WCP(If Applicable)) license keys don't execute the following steps to unsubscribe the VCF+ environment else it will impact the functionality of the product.
• If vCenter is disconnected, no gateway changes are required.
• If vCenter is not subscribed, no vCenter changes are needed.
• Please take a snapshot of the vCenter Servers and SDDC manager.
• If the vCenter Server is part of ELM, take an offline snapshot of all the vCenter Servers and SDDC Manager that are part of the setup.
• This script once executed will license the VC and ESXi hosts with evaluation licenses valid for 60 days. However. Users should apply their licenses as soon as possible because if the temp license has expired, all hosts will disconnect from vCenter.
  

Note:

• The Keys will be available on the Broadcom Support Portal portal under "My Entitlements".
• Customers running on vCF 4.5 (vSphere 7.x) will need to downgrade their new licenses received as they are issued as version 8.x.
  
  
  Steps:

1. Download the attached vcf_plus_unsubscribe_bundle.tar.gz file from the attachments section of the iKB.

2. Power off the cloud gateway VM deployed in the management vCenter to decommission the cloud gateway appliance.

3. SSH to the SDDC Manager as a root user.

4. Copy the zipped downloaded vcf_plus_unsubscribe_bundle.tar.gz file in /home/vcf path

•  Unzip the bundle (tar -xvzf vcf_plus_unsubscribe_bundle.tar.gz), after unzipping, the folder with the name vcf_plus_unsubscribe_bundle will be present in /home/vcf path

•  Provide the required user access permissions to unsubscribe_vcf_plus directory and its sub-directories and files

• chmod -R 740 vcf_plus_unsubscribe_bundle/
• chown -R vcf:vcf vcf_plus_unsubscribe_bundle/

5. Follow the below-mentioned steps to execute the script unsubscribe_vcf.py

•  cd /home/vcf/vcf_plus_unsubscribe_bundle
•  root@sddc-manager [ /home/vcf/vcf_plus_unsubscribe_bundle ]# python3 unsubscribe_vcf.py
•  First it will prompt for SDDC Manager SSO Username and then it will prompt for SSO credentials, 

Example: 
root@sddc-manager [ /home/vcf/vcf_plus_unsubscribe_bundle ]# python3 unsubscribe_vcf.py
Enter SSO Username: [email protected]
Enter SSO Password:
Script execution will begin if the provided SSO credentials are valid.

Sample Output of Script Execution:

6. After executing the script successfully, login to management vCenter UI and confirm workload and management vCenters are unsubscribed and evaluation license has been applied for ESXi, WCP (If applicable), vSAN, and vCenter.

7. Add supported license keys (ESXi, WCP (If Applicable), vSAN, and vCenter) as per the BOM versions supported by vCenter from UI. After adding license keys, do the re-licensing of the components (ESXi, WCP (If Applicable), vSAN, and VC), refer below-mentioned VC documentation links for the re-licensing procedure as per the BOM version.

Refer to vSphere 7.0 License and Subscription Management documentation

Refer to vSphere 8.0 License and Subscription Management documentation

8. Before removing the NSX manager OEM license key procure the NSX manager license key, after removing the OEM license key, the procured license should be applied or else this will impact the NSX Manager functionality. NSX License keys should be available on the customer connect portal, in case you are unable to find the license, please file a licensing SR.

Login to all deployed NSX managers UI and remove the OEM license Key, generally OEM license key is masked (e.g: 114TH-XXXXX-XXXXX-XXXXX-443QP) and apply the provided NSX license key in the NSX manager UI.

Procedure:

           1. With admin privileges, log in to NSX Manager.
           2. Select System > Licenses > Add License.
           3. Enter a license key.

9. Login to SDDC-Manager UI and navigate to the License Management page and add supported license keys (ESXi, WCP(If Applicable), vSAN, NSX, and VC) as per the BOM versions supported by SDDC-Manager and verify the consumption of license usage of components (ESXi, WCP (If Applicable)and vSAN) from License manager UI.

Refer to VCF Add License Key Procedure

10. Delete the cloud gateway VM.

Workaround for script execution if the VCF version is 5.1.0 or later:

From Postgres 14.x onwards FIPS configuration disallows md5 encryption, hence change the password encryption setting from md5 to trust in /data/pgdata/pg_hba.conf file in sddc-manager,

1. SSH to SDDC_Mamager and take a backup of file /data/pgdata/pg_hba.conf

2. Change the first 2 occurrences of md5 to trust in file pg_hba.conf

# IPv4 local connections:
host all all 127.0.0.1/32 trust
# IPv6 local connections:
host all all ::1/128 trust

Example:
root@sddc-manager [ /home/vcf/vcf_plus_unsubscribe_bundle ]# vi /data/pgdata/pg_hba.conf

• Refer to the below screenshot to change the highlighted lines from md5 to trust.

  After Change:

Restart the postgresql service

3. After successful execution of the script again revert the backup file taken in Step (1) of workaround section and restart the postgres service.

11. Script will only remove the subscription of the vCenter Server with the cloud portal. We will need to manually remove all the CloudGateway service accounts (with the prefix: CloudServicesGateway) from the vCenter Server.
•    Login to vCenter Server UI using administrator SSO credentials.
•    Navigate to Administration > Users and Groups > Select domain "local SSO".
•    Filter Users with CloudServicesGateway prefix and delete the user accounts.
 

Workaround:

In case of failure, follow the below steps,

1.  Power on the cloud gateway and validate that the VCs are in a connected state on the cloud portal.
2.  In case the VC goes down, power off the VCs and revert the snapshot of all the linked VCs, the SDDC manager power them back on and re-validate the connection.

To license vSAN Witness nodes, please follow the steps below:

With vSphere+, the witness nodes were recognized as ESXi hosts, and licenses were allocated to them accordingly. Therefore, after executing the script, the witness appliance is anticipated to have an evaluation license.

To resolve this issue, you will need to redeploy the witness node and re-add it to the vSAN cluster to ensure it receives the default embedded license.

Deploy Witness Node:

Deploy a new witness appliance by getting the desired Version via the following steps:

1.) Log into your Account: https://support.broadcom.com/contact-support.html
2.) On the left side select "My Downloads"
3.) Select "VMware Cloud Foundation" on the upper right corner (besides your Account Name)
4.) In the Product Selection, select "VMware vSAN"
5.) Select the desired Version
6.) Select the section "Drivers & Tools"
7.) Look for desired Version of "VMware vSAN Witness Appliance"
8.) Select the arrow on the right side to expand the entry
9.) Download the desired Version

Replace the witness node:

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vsan-planning.doc/GUID-2775B2FD-7733-4921-BA04-B951F78C6BF9.html