28 Jan How to Survive a Brutal VCF 9 DoD Deployment: Offline Depot UMDS Setup
In my previous post, The Depot Part 2, we ran a certificate script. That script allowed a trusted handshake with the Broadcom Depot. We successfully downloaded the binaries and metadata needed for deployment.
This post skips ahead a little bit to after you have VCF deployed and you’re ready to complete setup of Lifecycle Management in your environment. We will follow a similar process to set up UMDS, which is why I’ve put it here as opposed to placing it at the end. The UMDS service allows you to download ESXi binaries and patches. You can find the official Broadcom documentation here. However, that guide contains several gaps.
This walkthrough helps you fill those missing details. We will ensure your secure environment handles ESX updates without a hitch.
Expanding the Offline Depot: UMDS Setup
Installing UMDS
Depending on your version of Photon OS, you may need to install Perl before you’ll be able to run the install script for UMDS. Run this command to install Perl:
tdnf install perl --assumeyes
Once Perl is installed, change directories to your /vcf-download-tool/bin directory.
cd /root/vcf-download-tool/bin
Now we can run the command to install UMDS.
./vcf-download-tool umds install
Correcting the UMDS Depot URLs
Broadcom recently changed many VMware download paths. Because of this, the default URLs in the UMDS configuration are now wrong. You must update these links to ensure the tool works.
The correct URLs must also include your unique Download Token. You will need to have that ready before you begin.
This Broadcom KB explains how to edit the .xml file in detail. I will not repeat those steps here. However, this remains a vital task. If you skip this, UMDS will fail during the download process.
Unfortunately, the official documentation does not mention this step. It also fails to link to the relevant KB. Most users only discover this problem after the initial download attempt fails.
Creating the UMDS Directory
With UMDS installed and the Depot URLs updated we can now create the UMDS directory with this command.
mkdir -p /var/www/html/umds-patch-store
Configure the UMDS Patch Store
The next thing we need to do is configure the patch store. This command tells the tool exactly how to handle your ESX downloads. It starts by pulling your saved token directly from the .txt file we created. Next, it defines the /var/www/html/umds-patch-store directory as the destination for all your files. Finally, the “enable host” flag tells the tool we want it to download ESX patches.
./vcf-download-tool umds run -S \
--add-entitlement-token $(cat /root/vcf-download-tool/bin/token.txt) \
--patch-store /var/www/html/umds-patch-store \
--enable-host
Now we need to target ONLY the version/s of ESX we need for our environment. In our case it’s ESX 9.x. First we need to run this command to clear the enable all setting.
/root/vcf-download-tool/bin/vcf-download-tool umds run -S --disable-host
Now we need to target only the version we need. You can edit this as needed for your environment.
/root/vcf-download-tool/bin/vcf-download-tool umds run -S \
-e embeddedEsx-9.0.1-INTL
Fix Java TrustStore for UMDS
This script is similar in function to the one we ran in the last post that allowed us to get out to the Broadcom Depot. That script targeted a specific Java TrustStore, whereas this script targets the system CA bundle.
#!/bin/bash
# 1. Download the full certificate chain
echo "Downloading certificates from Broadcom/VMware..."
openssl s_client -showcerts -connect packages.vmware.com:443 </dev/null 2>/dev/null | \
    sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > /tmp/fullchain.pem
# 2. Define the target file
TARGET_BUNDLE="/etc/pki/tls/certs/ca-bundle.crt"
# 3. Create a backup of the original file
if [ -f "$TARGET_BUNDLE" ]; then
    echo "Backing up existing bundle to $TARGET_BUNDLE.bak..."
    cp "$TARGET_BUNDLE" "$TARGET_BUNDLE.bak"
else
    echo "Error: Target bundle not found at $TARGET_BUNDLE"
    exit 1
fi
# 4. Append the new certs to the bundle
if [ -s /tmp/fullchain.pem ]; then
    echo "Injecting certificates into the OS bundle..."
    cat /tmp/fullchain.pem >> "$TARGET_BUNDLE"
    echo "DONE. Certificates added successfully."
else
    echo "Error: Failed to capture certificates. Check your outbound connection."
    exit 1
fi
Downloading ESX Patches
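A note on the trust-store script from the previous section: it appends whatever chain the endpoint presents, and appends it again on every run. The added example below (not the author's script) appends only certificates whose SHA-256 fingerprint is listed in a pin file obtained out of band, and skips any already in the bundle. The function names, the pin-file format and the sample data are assumptions made for this example.

```bash
# Added example; function names and the pin-file format are assumptions.
# Print the SHA-256 fingerprint (lowercase hex) of each certificate in a PEM
# file, one per line. The PEM body is base64 of the DER bytes being hashed.
pem_fingerprints() {
    awk '/-----BEGIN CERTIFICATE-----/ {body = ""; inside = 1; next}
         /-----END CERTIFICATE-----/   {print body; inside = 0; next}
         inside                        {body = body $0}' "$1" |
    while IFS= read -r b64; do
        printf '%s' "$b64" | base64 -d | sha256sum | cut -d' ' -f1
    done
}

# Append to BUNDLE the certificates in CHAIN that are listed in PINS (one hex
# fingerprint per line) and not already in BUNDLE. Returns 1, leaving BUNDLE
# untouched, if CHAIN holds any certificate that is not pinned.
append_pinned() {
    local chain="$1" bundle="$2" pins="$3" fp have n=0
    for fp in $(pem_fingerprints "$chain"); do
        grep -qxF "$fp" "$pins" || { echo "not pinned: $fp" >&2; return 1; }
    done
    have=$(pem_fingerprints "$bundle")
    for fp in $(pem_fingerprints "$chain"); do
        n=$((n + 1))
        if printf '%s\n' "$have" | grep -qxF "$fp"; then continue; fi
        # Copy the n-th PEM block of CHAIN verbatim.
        awk -v want="$n" '/-----BEGIN CERTIFICATE-----/ {i++}
                          i == want {print}
                          /-----END CERTIFICATE-----/ && i == want {exit}' \
            "$chain" >> "$bundle"
        have=$(printf '%s\n%s' "$have" "$fp")
    done
}

# Constructed sample input: base64 of placeholder bytes stands in for real DER.
mkpem() {
    printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' \
        "$(printf '%s' "$1" | base64)"
}
demo() {
    local d; d=$(mktemp -d)
    mkpem existing-root > "$d/bundle"
    { mkpem proxy-root; mkpem existing-root; } > "$d/chain"
    pem_fingerprints "$d/chain" > "$d/pins"    # stands in for out-of-band pins
    append_pinned "$d/chain" "$d/bundle" "$d/pins"
    append_pinned "$d/chain" "$d/bundle" "$d/pins"    # rerun adds nothing
    pem_fingerprints "$d/bundle" | wc -l
    rm -rf "$d"
}
demo
```

On a real chain, `pem_fingerprints /tmp/fullchain.pem` prints the values to compare against the fingerprints your PKI team supplies before anything is written to the bundle.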
Now that we have a clean trusted handshake we can run the command to download ESX patches and updates.
/root/vcf-download-tool/bin/vcf-download-tool umds run -D
As with the VCF downloads, after the download finishes we need to change ownership and permissions on the newly downloaded files.
chown -R apache:apache /var/www/html
find /var/www/html -type d -exec chmod 755 {} +
find /var/www/html -type f -exec chmod 644 {} +
At this point, if you have your Offline Depot attached to vCenter, when you navigate to Lifecycle Manager and click the Software Depot tab you will see the ESX versions and Vendor Addons you just downloaded.

As I mentioned earlier, this step skips ahead to the period after VCF deployment. I chose to include this now because the process closely mirrors the steps we took to set up the Offline Depot for the initial binaries and metadata. In our next post, we will return to our previous stopping point where we had the data downloaded into the Installer Appliance. After we entered the Workbook data and started the validation, we hit a snag with the NFS Datastore. I will walk you through how we handled that validation failure in the next post.
Join the Conversation
Have you struggled with the “missing links” in the official UMDS documentation? These certificate and URL hurdles can turn a quick task into a multi-day troubleshooting session.
I would love to hear if this walkthrough helped you clear those hurdles. Have you found other undocumented gaps in the VCF 9.x or UMDS workflow? Share your experience in the comments below or connect with me on LinkedIn. Let’s make these deployments easier for the next admin!
Continue the Journey
This post is part of a series dedicated to navigating the complexities of VMware Cloud Foundation 9.