VCF - How to use the Broadcom Download Token

Introduction

Broadcom is currently changing the access to their public repo. This affects many products. Affected are vCenter, ESXi Updates, vSAN File Services and of course VCF. The changes are far-reaching. The repo URL has changed and also the way it can be accessed. With the username and password of the Broadcom account, access will no longer work from April 23, 2025. Time to take a look at the whole thing.

What is changing in detail?

First of all, the URL, this will be dl.broadcom.com for all the components mentioned above. this means that depot.vmware.com, hostupdate.vmware.com and app-updates.vmware.com will disappear and can therefore also be removed from your proxies if you use proxy and whitelistening. The second change concerns authentication. Access will no longer be possible with your username and password. A download token must be created via the support portal. If you have multiple Site IDs, you must issue the token for the SiteID where you also have your contracts for the products you want to update. After customizing the products, the user name and password are ignored.

As of today, there are unfortunately no patches that already support the new repo.

Customize SDDC Manager - the manual way

To change the whole thing now, a specific file must be adapted. Like many things, you can change the application-prod.properties in the SDDC manager. This can be found in the following path:

/opt/vmware/vcf/lcm/lcm-app/conf/application-prod.properties

To customize the file you have to log in to the SDDC Manager via VCF user using ssh and then get root rights using su.

The settings can be found under LCM DEPOT PROPERTIES. The following marked lines must be adjusted:

################### LCM DEPOT PROPERTIES ########################
lcm.depot.adapter.host=depot.vmware.com <---change me
lcm.depot.adapter.port=443
lcm.depot.adapter.remote.rootDir=/PROD2 <---change me
lcm.depot.adapter.remote.repoDir=/evo/vmw <---change me
lcm.depot.adapter.local.baseDir=/nfs/vmware/vcf/nfs-mount/bundle/depot/local
lcm.depot.adapter.enableBundleSignatureValidation=true
lcm.depot.adapter.certificateCheckEnabled=true
lcm.depot.adapter.remote.index.filename=index.v3
lcm.depot.adapter.softwareCompatibilitySetsFile=softwareCompatibilitySets.json
lcm.depot.adapter.partnerBundleMetadata.updated.filename=vxrailPartnerBundleMetadata.json
lcm.depot.credential.file.path=/opt/vmware/vcf/etc/depot.cred
lcm.depot.bundleElement.patchFile.checksumValidation=true
lcm.depot.adapter.lcmManifestFile=lcmManifest.json
lcm.depot.adapter.remote.lcmManifestDir=/evo/vmw/lcm/manifest <---change me
lcm.depot.adapter.remote.lcmProductVersionCatalogDir=/COMP/SDDC_MANAGER_VCF/lcm/productVersionCatalog <---add me

The following values must be set:

lcm.depot.adapter.host=dl.broadcom.com
lcm.depot.adapter.remote.rootDir=/<downloadToken>/PROD
lcm.depot.adapter.remote.repoDir=/COMP/SDDC_MANAGER_VCF
lcm.depot.adapter.remote.lcmManifestDir=/COMP/SDDC_MANAGER_VCF/lcm/manifest
lcm.depot.adapter.remote.lcmProductVersionCatalogDir=/COMP/SDDC_MANAGER_VCF/lcm/productVersionCatalog

After we have changed all the values, we only need to restart the lcm service.

systemctl restart lcm

Validation SDDC Manager

The easiest way to test it is of course to download a bundle. However, if there is no bundle available for download at the moment because everything has already been loaded, you can also check the debug log of the lcm. Since the SDDC searches cyclically for new bundles, calls to the new repo should be in the log. The log can be found under /var/log/vmware/vcf/lcm/lcm-debug.log

Getting file size for /COMP/SDDC_MANAGER_VCF/manifests/bundle-14555.manifest.sig from URL https://dl.broadcom.com:443/<token>/PROD/COMP/SDDC_MANAGER_VCF/manifests/bundle-14555.manifest.sig

Update vCenter

The vCenter is very easy to setup. To do this, you must log in to vCenter Server Management (via port 5480) and log in with root. Under Update and then Settings you can enter a custom repo URL. Username and Password can be left empty as they are not needed.

The following URL must be entered:

https://dl.broadcom.com/<downloadToken>/PROD/COMP/VCENTER/vmw/8d167796-34d5-4899-be0a-6daade4005a3/8.0.3.00400

KB Article

Here is a summary KB article that links to all other KB articles for the other products. For some products, there is currently no scripted method. Broadcom KB

Conclusion

The manual way is relatively simple and quick if you do not want to execute the Powershell script from Broadcom for certain reasons. I have tested both variants and the Powershell script has the advantage that entries are validated. However, the execution policy must be changed to unrestricted for the Powershell script from Broadcom and there are customers who do not allow this. The manual method may then be preferable.