Monday, 16 March 2026

[VCF 9.0] How to Set Up an HTTPS VCF Offline Depot

I'm deploying a new Holodeck 9.0.2 for a personal lab, and the first task in setting up the environment is to download the following components (as listed on the official page):

  1. HoloRouter OVA
  2. VCF Binaries
  3. Offline Depot (For air-gapped or internet-restricted environments)
For the offline depot we'll download, deploy, and use the OVA linked under item 3 above, then configure the appliance's NGINX service with a new self-signed certificate so that it accepts HTTPS requests.

Some circumstances may require the offline method; in this post I'll explain exactly how to set it up. I've written a bash script that automates these settings (available at the bottom of the page). Let's see how:
  • Download the Offline Depot OVA.
  • Deploy the OVA "vcf-offline-depot-appliance-0.1.3.ova" (detailed steps on how to deploy an OVA are beyond the scope of this post).
    Start the appliance ...

  • Download the VCF Offline Depot metadata from the Broadcom Portal.
  • Once the appliance is up and running, copy the metadata file you just downloaded to the appliance's /tmp directory, using the "admin" user.
    In my case,
    scp ./Downloads/vcf-9.0.2.0-offline-depot-metadata.zip admin@192.168.1.96:/tmp
  • SSH into the appliance as the "admin" user ... then become "root" by typing
    sudo -i
  • Move the "vcf-9.0.2.0-offline-depot-metadata.zip" file into the current directory (root's home after sudo -i) ...
    mv /tmp/vcf-9.0.2.0-offline-depot-metadata.zip .
    Note: later on, if the metadata zip file is present in that directory when "configure-https-nginx.sh" is run, the script will unzip it to create the depot structure.

  • Create a new bash script "configure-https-nginx.sh". In my case ....
    vi configure-https-nginx.sh
  • Copy and paste the script at the bottom of the page into that file ...
  • Edit the settings/variables in the file to suit your environment (as shown in the screenshot below) ... in particular, customize SERVER_NAME (this variable is also used in the generated "nginx.conf") ...
  • ... and do the same for the values written into the certificate request file, adjusting the req_distinguished_name and alt_names sections as needed (script lines 42 to 59) ...
  • When you think you've made the changes to your liking, save the file and grant it execute permission.
  • Run the script ...
    ./configure-https-nginx.sh
  • Check that the service is reachable from a web browser over HTTPS (in my case https://192.168.1.96) ...
    ... inspect the certificate ...
    ... then browse to the depot URL, in my case https://192.168.1.96/PROD/, and log in with one of the two default users created by the script, "admin" or "admin-depot" (the default password for both is VMware123!)
  • Next, download all required VCF binaries.
  • After downloading the files, create the following directory structure and move the appliance files into their respective folders.

    Once this is completed, your local depot structure will be ready.
  • Your Offline Depot is ready to use


Below is the "configure-https-nginx.sh" bash script ...

#!/bin/bash
# configure-https-nginx.sh
# Create new Self-signed Certificate
# Enable Https on NGINX
# Create .htpassword access file
# Create the metadata structure
# Lorenzo Moglie
#
SERVER_NAME="vcf-depot.vcf.lab"
DIR_NGINX="/etc/nginx"
NGINX_CONF_ORIG="${DIR_NGINX}/nginx.conf.orig"
VCF_METADATA="vcf-9.0.2.0-offline-depot-metadata.zip"

# ----
# Back up the original nginx.conf file, if not already present
if [ -f "$NGINX_CONF_ORIG" ]; then
    echo "0. Backup file $NGINX_CONF_ORIG present."
else
    echo "0. Backup file $NGINX_CONF_ORIG created."
    cp ${DIR_NGINX}/nginx.conf ${NGINX_CONF_ORIG}
fi

# ----
# Create the folder and new certificates based on the provided cert-req.cfg file
DIR_SSL="${DIR_NGINX}/ssl"
if [ -d "$DIR_SSL" ]; then
    echo "1. Directory $DIR_SSL present."
else
    mkdir -p "$DIR_SSL"
    echo "1. Directory $DIR_SSL created."
fi

# Create the cert-req.cfg file
CONFIG_FILE="${DIR_SSL}/cert-req.cfg"
echo "2. Creating the $CONFIG_FILE configuration file..."
cat <<EOF > $CONFIG_FILE
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[req_distinguished_name]
C = IT
ST = Rome
L = Rome
O = LorenzoMoglie
OU = vcf.lab
CN = $SERVER_NAME

[req_ext]
subjectAltName = @alt_names

[alt_names]
IP.1 = 172.16.10.98
IP.2 = 10.1.10.251
IP.3 = 192.168.1.96
DNS.1 = $SERVER_NAME
DNS.2 = $SERVER_NAME
DNS.3 = $SERVER_NAME
EOF


echo "3. Generating the Private Key and CSR...."
openssl req -new -nodes -out ${DIR_SSL}/vcf-depot.csr -newkey rsa:2048 -keyout ${DIR_SSL}/vcf-depot.key -config $CONFIG_FILE
if [ $? -eq 0 ]; then
    echo "   [OK] CSR and Key generated successfully."
else
    echo "   [ERROR] CSR generation failed."
    exit 1
fi

echo "4. Generating a Self-Signed Certificate (valid for 10 years)..."
openssl x509 -req -days 3650 -in ${DIR_SSL}/vcf-depot.csr -signkey ${DIR_SSL}/vcf-depot.key -out ${DIR_SSL}/vcf-depot.crt -extensions req_ext -extfile $CONFIG_FILE
if [ $? -eq 0 ]; then
    echo "   [OK] vcf-depot.crt certificate successfully created."
else
    echo "   [ERROR] Certificate creation failed."
    exit 1
fi

echo "------------------------------------------------------"
echo "Certificate generation completed. Generated files in the current folder:"
ls -l ${DIR_SSL}/vcf-depot.*
echo "------------------------------------------------------"


# ----
# Create a new nginx.conf file
NGINX_CONF="${DIR_NGINX}/nginx.conf"
echo "5. Creating a new ${NGINX_CONF} file ... "
cat <<EOF > $NGINX_CONF
events {
    worker_connections  1024;
}

http {
  server {
    listen 80;
    server_name $SERVER_NAME;

    root /var/www;  

    # default
    location = / { return 200 "OK\n"; add_header Content-Type text/plain; }

    location /www/ {
        alias /var/www/;
        autoindex on;
    }
  }

  # --------------------------
  # HTTPS for VCF Offline Depot
  # --------------------------
  server {
    listen 443 ssl;
    server_name $SERVER_NAME;

    # Path
    root /var/www;

    # Bundle's path
    location /PROD/ {
            alias /var/www/build/PROD/;
            autoindex on;
            auth_basic "Restricted";
            auth_basic_user_file /etc/nginx/.htpasswd;
    }

    # Self-signed certificate
    ssl_certificate     /etc/nginx/ssl/vcf-depot.crt;
    ssl_certificate_key /etc/nginx/ssl/vcf-depot.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    access_log /var/log/nginx/vcf_repo_ssl_access.log;
    error_log  /var/log/nginx/vcf_repo_ssl_error.log;
  }
}
EOF

echo "6. Checking ${NGINX_CONF} configuration consistency...."
# nginx -t exits non-zero on any error; test the exit status directly
if ! nginx -t; then
    echo "   [ERROR] ${NGINX_CONF} not properly configured "
    exit 1
fi


HTP="${DIR_NGINX}/.htpasswd"
echo "7. Creating ${HTP} file .... with the following users:"
echo "   [Default user]: admin / VMware123! "
echo "   [Default user]: admin-depot / VMware123! "
# SHA-512 crypt hashes; replace them with your own (e.g. openssl passwd -6) before using the depot outside a lab
cat <<EOF > "$HTP"
admin-depot:\$6\$PlYrZXU7oL2SOF/d\$yrRCifrKhsSL8KB18SXnoQ.EgkRMhV5ocdkDXaeefXg1ZkTAYj3IVijfhc4Rvsz1/O7CSda8iOavaRB0tce9s.
admin:\$6\$n8HWw9EPBJus5PJw\$ncuE7HIQjGo4c1PDupxm5znRegK8N8CESesedQia3x5Ocypy8ISF5TNQLTZBdaNE1B5zemVvpTXmQZtp6KcP4.
EOF
chown nginx "$HTP"
chmod 640 "$HTP"   # the file holds password hashes: readable by nginx only, not by other local users

#Restart NGINX
echo "8. Restart NGINX service."
systemctl restart nginx.service

echo "9. Enabling IPTABLES to accept requests on port 443."
iptables -I INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables-save > /etc/systemd/scripts/ip4save
if [ $? -eq 0 ]; then
    echo "   [OK] IPTABLES configuration properly saved "
else    
    echo "   [FAIL] IPTABLES configuration not saved "
fi

echo "10. Creating the new PROD folder "
#echo "   [unzip the metadata file ${VCF_METADATA} under the folder --> /var/www/build/PROD]"
mkdir -p /var/www/build/PROD
chown nginx /var/www/build/PROD

echo "11. Metadata file ... "
if [ -f "$VCF_METADATA" ]; then
    echo "   [OK] unzipping metadata file ${VCF_METADATA} under the folder --> /var/www/build/PROD"
    unzip "${VCF_METADATA}" -d /var/www/build/
else
    echo "   [FAILED] Metadata file not present. Download and manually unzip the file under the folder --> /var/www/build/PROD"
fi
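As an added check (my own helpers, not part of the post's script), the functions below generate a key and certificate the same way the script does and then verify what a connecting client actually validates: that the IP you browse to is listed as a SAN, that the private key belongs to the certificate, and that the certificate is not about to expire. They assume the openssl CLI and the post's file names (vcf-depot.key / vcf-depot.crt); the CN and IP values used are constructed samples.

```shell
#!/bin/bash
# Added verification helpers (not part of the post's script). Assumes the openssl
# CLI is installed and the post's file names: vcf-depot.key / vcf-depot.crt.
set -u

# Generate key + self-signed cert the same way the post's script does (CSR from a
# request config, then x509 -req with -extensions req_ext so the SAN survives).
# $1 = output dir, $2 = CN/DNS name, $3 = IP the clients will connect to.
make_depot_cert() {
  local dir="$1" cn="$2" ip="$3" cfg="$1/cert-req.cfg"
  cat > "$cfg" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
CN = $cn
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = $cn
IP.1 = $ip
EOF
  openssl req -new -nodes -newkey rsa:2048 -keyout "$dir/vcf-depot.key" \
    -out "$dir/vcf-depot.csr" -config "$cfg" >/dev/null 2>&1 || return 1
  openssl x509 -req -days 3650 -in "$dir/vcf-depot.csr" -signkey "$dir/vcf-depot.key" \
    -out "$dir/vcf-depot.crt" -extensions req_ext -extfile "$cfg" >/dev/null 2>&1
}

# 0 if certificate $1 lists $2 as an IP SAN. Browsers and SDDC Manager validate
# the SAN, not the CN, so https://<ip>/PROD/ fails without it even if CN is right.
cert_has_ip_san() {
  openssl x509 -noout -text -in "$1" | grep -Eq "IP Address:$2(,|$)"
}

# 0 if private key $2 matches certificate $1 (compares the public key hashes;
# catches a stale .crt left over from an earlier run of the script).
cert_matches_key() {
  local c k
  c=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)
  k=$(openssl pkey -pubout -in "$2" 2>/dev/null | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if certificate $1 is still valid $2 days from now (-checkend takes seconds).
cert_valid_for_days() {
  openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null
}
```

On the appliance, source the file and run, for example, cert_has_ip_san /etc/nginx/ssl/vcf-depot.crt 192.168.1.96 before pointing SDDC Manager at the depot.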

That's it.
