Linux
Setting Up an Offline Depot for VMware Cloud Foundation 9.x Using Apache on Ubuntu
October 15, 2025

Setting Up an Offline Depot for VMware Cloud Foundation 9.x Using Apache on Ubuntu

VMware Cloud Foundation 9 introduces a more comprehensive and flexible architecture, making it easier to design and deploy modern infrastructure stacks. One of the key improvements is the streamlined deployment of core components like vCenter, ESXi, NSX, and Aria Operations. Compared to previous versions—especially vSphere 8 and Aria Suite 8—VCF 9 simplifies lifecycle management and reduces manual steps. For example, VCF 9 decouples many Day 2 operations from SDDC Manager, allowing more flexibility in managing network pools, workload domains, and host commissioning. The integration of Aria Operations 9.0 also brings improved observability and fleet management, replacing the older Aria Suite Lifecycle appliance with a more unified experience.

I’m currently testing VCF 9 to explore the best deployment scenarios for customer environments. If your SDDC Manager has access to the online repository, there’s no need to set up an offline depot. But in air-gapped environments or labs without internet access, this guide will help you build a secure offline depot to keep your bundles in sync.

VMware recommends using Photon OS for the offline depot in production, but if you’re building a lab or a lightweight environment, this guide walks you through a simpler setup using Ubuntu and Apache with a self-signed certificate.

Prerequisites

First, download the required bundle files from the Broadcom VMware portal. This includes:

  • vCenter 9.x
  • VCF bundles (automation, operations, identity broker, etc.)
  • vcf-9.0.1.0-offline-depot-metadata.zip (mandatory)

Then deploy the SDDC Manager OVA in your vSphere environment. Make sure DNS and NTP are properly configured and that all relevant records resolve correctly.

Next, create a Linux VM to serve as your depot. I used Ubuntu 24.04 and attached a 100 GB disk, but depending on the number of bundles, you may need 500 GB to 1 TB or more. Copy all downloaded files into /var/www/html.

On the Depot Server (Ubuntu)

In this example, the depot server IP is 10.10.10.5.

Install Apache and tools

bash

sudo apt update
sudo apt install apache2 openssl apache2-utils unzip

Create a certificate config file

bash

nano ~/vcf-openssl.cnf

Paste the following:

ini

[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
x509_extensions = v3_req

[ dn ]
C = US
ST = CA
L = LA
O = TS
OU = IT
CN = depot.test.local
emailAddress = a@b.c

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = depot.test.local
IP.1 = 10.10.10.5

Replace the values with your organization’s details.

Generate the certificate

bash

openssl req -x509 -nodes -days 365 \
  -newkey rsa:2048 \
  -keyout /etc/apache2/ssl/vcf.key \
  -out /etc/apache2/ssl/vcf.crt \
  -config ~/vcf-openssl.cnf

Create a basic auth user

bash

htpasswd -c /etc/apache2/.htpasswd vcfadmin

Configure Apache

bash

sudo nano /etc/apache2/sites-available/default-ssl.conf

Paste the following:

apache

<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/vcf.crt
    SSLCertificateKeyFile /etc/apache2/ssl/vcf.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    RequestHeader unset Proxy early

    <Directory /var/www/html>
        Options Indexes FollowSymLinks
        AllowOverride None
        AuthType Basic
        AuthName "VCF Depot"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>

Enable modules and restart Apache

bash

sudo a2enmod ssl headers
sudo a2ensite default-ssl
sudo systemctl restart apache2

Extract the metadata ZIP

bash

cd /var/www/html
unzip -o vcf-9.0.1.0-offline-depot-metadata.zip

Make sure this file exists:

bash

ls /var/www/html/PROD/metadata/productVersionCatalog/v1/productVersionCatalog.json

On SDDC Manager (e.g., 10.10.10.31)

First connect to SDDC Manager via SSH:

Copy the certificate

You can use FileZilla or the command line:

bash

scp root@10.10.10.5:/etc/apache2/ssl/vcf.crt /tmp/vcf.crt

Import the certificate into the Java truststore

bash

sudo keytool -delete -alias vcfDepotCert \
  -keystore /usr/lib/jvm/openjdk-java17-headless.x86_64/lib/security/cacerts \
  -storepass changeit

sudo keytool -import -trustcacerts -alias vcfDepotCert \
  -file /tmp/vcf.crt \
  -keystore /usr/lib/jvm/openjdk-java17-headless.x86_64/lib/security/cacerts \
  -storepass changeit

Confirm the import

bash

sudo keytool -list -keystore /usr/lib/jvm/openjdk-java17-headless.x86_64/lib/security/cacerts \
  -storepass changeit | grep vcfDepotCert

Reboot SDDC Manager

bash

sudo reboot

Final Step: Configure in the UI

In the SDDC Manager UI, go to Repository Settings → Offline Depot and enter:

If everything is in place, the connection will succeed and bundles will be available for deploy and sync.

I’d love to hear your thoughts—feel free to reach out or share feedback if this guide helped you.

Post Views: 22
Fardad Milani
0
Tags :

Leave a Reply

Your email address will not be published. Required fields are marked *

vExpert Badge

Categories

Archives

Recent Comments