Obtaining HCX Activation Licenses for VCPP

Similar to most of us, I tend to follow official documentation to get things done, however sometimes documentation fails miserably and this we end up banging our head to the vWall %).

My last HCX engagement was with a service provider (VCD backed) around the mid of 2020 and the activation of both the cloud and enterprise instances required NSX-DC Enterprise Plus license keys. The process was simple, if the service provider didn’t have the keys, then the service provider would order the keys and once the request is fulfilled the keys would show in MyVMware and we’d be done with it.

Fast forward, today I started another deployment for a service provider (something which I design previously, but the deployment was delayed due to supportability with VCD) and I played it smart last week where I ordered the keys from the VMware Commerce Portal (VCP) [after double checking the documentation and confirming that things are still as is] and made sure the keys were there upfront.

Today after deploying the HCX appliance in the cloud side, next..next…copy…paste!! NARFFF!!! SQUEEK!! EYES TWITCHING!! It didn’t work %). I went back and quadruple checked, licensing requirements, internet connectivity, and still the installation didn’t accept the key *sniff*.

I reached out to my buddy Eiad Al-Aqqad whom pointed me to a valuable piece of information that made me get around this issue successfully! Thank you brother!! Thank you!

So it turns out now that the activation of HCX licenses has a new shiny process and I created a flow (for Cloud Providers) for it before getting into the details:

[1][Establish Session]
POST https://connect.hcx.vmware.com/msp/api/sessions

- Headers: Content-Type -> application/json
- Body: 
{
 "username": "<My VMware account that was used in the whitelisting process>",
 "password": "<My VMware account password but in base64 format, lots of converters online to encode it and paste here>"
 }
- Now the output of this will get you the authorization token and it can be found in the response headers under the name of "x-hm-authorization", this needs to be copied as it is needed in the next API calls.

[2] [List Accounts]
GET https://connect.hcx.vmware.com/msp/api/accounts

- Headers: x-hm-authorization -> the previously retrieved token.
- The output here will list the account(s) that are whitelisted and available, copy the accountId as it is needed in the next API call.

[3] [Listing Offers]
GET https://connect.hcx.vmware.com/msp/api/accounts/<accountId>/offers

- Headers: x-hm-authorization -> the previously retrieved token.
- The output here will list the available offers which will be tied to a created subscription.
- Take note of the offer name as it is needed in the next API call.

[4][Create a Subscription]
POST https://connect.hcx.vmware.com/msp/api/subscriptions

- Headers: x-hm-authorization -> the previously retrieved token.
- Headers: Content-Type -> application/json
- Body:
{
 "accountId": "<The accountId from step 2>",
 "endCustomer": "<The end customer name who's this subscription is created for>",
 "offer": "<From the offer listing in step 3>"
 }
- The output will generate a subscriptionName, copy it as it will be needed in the next API call.

[5][Generate Activation Key(s)]
POST https://connect.hcx.vmware.com/msp/api/subscriptions/<subscriptionName>?action=generateActivationKeys

- Headers: x-hm-authorization -> the previously retrieved token.
- Headers: Content-Type -> application/json
- Body:
{
 "activationKeyCount": "<number of keys needed>",
 "systemType": "hcx-cloud" / "hcx-enterprise"
 }
- For the number of keys, for example you'll need at least 1 for each cloud site and for enterprise this should be bound to the end customer subscription for consistency.
- The output of this API call will provide you with the list of keys that can be used during the appliance initial configuration.

[6][List Activation Key(s)]
POST https://connect.hcx.vmware.com/msp/api/subscriptions/<subscriptionName>?action=getActivationKeys

- Headers: x-hm-authorization -> the previously retrieved token.
- Headers: Content-Type -> application/json
- Body -> N/A keep it empty.
- This will provide you with the list of available keys in that specific subscription and also will provide you with the key's status if its AVAILABLE (no used), CONSUMED (activated), DEACTIVATED (removed from an appliance) or DELETED (existed before and was deleted and can no longer be used).

This might be a known process to some, or it may not be known, or it might be something that can be found within the Service Provider partner portal, this was new to me end-to-end :).