Skip to main content
Pure1 Support Portal

System Tab

The System tab is used to view and manage the attributes of an array as a whole. The System tab includes the following views:

  • System Health

  • Configuration

  • Connected Arrays

  • Connections

  • Users

  • Plugins

  • Apps

Click the name of the view to drill down to the details.

Figure 53. System Tab

System Tab

System Health View

The System Health view, also know as the Array Health view, graphically displays the status of the array hardware components. This view is a schematic representation of the array with colored indicators of each component's status.

Figure 54. System Health View - FlashArray//m Series

The following figure is a schematic representation of a FlashArray//m20 array with several component pop-ups displayed.

System Health View - FlashArray//m Series

Figure 55. System Health View - FlashArray FA-400 Series

The following figure is a schematic representation of an FlashArray FA-420 two-shelf array with several component pop-ups displayed.

System Health View - FlashArray FA-400 Series

The colored squares within each hardware component represent the component status:

  • Green: Healthy and functioning properly at full capacity.

  • Yellow: At risk, outside of normal operating range, or unrecognized.

  • Red: Failed, installed but not functioning, or not installed (but required).

  • Black: Not installed. With FlashArray//m, used for NVRAM bays and storage bays that are allowed to be empty.

  • Gray: Disconnected. Also used for components that are temporarily offline while undergoing a firmware update.

Hover the mouse over a hardware component to display its status and details. For example, hover over the Temperature component to display the following details: name of the shelf or controller that is being monitored, physical location of the temperature sensors, and current temperature readings.

Hardware components that can be actively managed from the Purity GUI include buttons that allow you to perform certain functions, such as turning ID lights on and off, and changing shelf ID numbers. For example, hover over the Shelf component to display its health status and shelf ID number. Click the Turn On ID Light button to turn on the LED light on the physical shelf for easy identification. Click the Change ID button to change the ID number that appears on the physical shelf.

Configuration View

The Configuration view enables you to view and manage array attributes. Click the Configuration view to display the following sub-views:

  • Array

  • Networking

  • Support Connectivity

  • Alerts

  • SNMP

  • System Time

  • Directory Service

  • Banner

  • UI

  • Syslog Server

  • SSL Certificate

  • SMI-S

Array Sub-View

The Array sub-view displays array and controller attributes.

Figure 56. Array Sub-View

Array Sub-View

The Array Summary section displays the array attributes, including array name, Purity revision number, and total usable space on the array.

The array name appears in audit and alert messages. The array name also represents the sending account name for Purity email alert messages. Purity does not register array names with the DNS, so if you change the array name, you must re-register the name before the array can be addressed by name in browser address bars, ICMP ping commands, and so on.

The Controller Summary section displays a list of controllers that are connected to the array and their attributes. Controller attributes include the following: controller mode, FlashArray model, Purity version, and controller status.

Controller mode is set to "primary", "secondary", "not present", or "offline". (The mode "offline" does not apply to FA-300 and FA-400 systems.)

Controller mode "not present" represents a controller that is not installed. With FA-400 arrays, "not present" also represents a controller that is installed but is not running Purity currently.

Controller mode "offline" represents a controller that is installed but is not running Purity at the current time (for instance, a controller is that is not powered on or that is undergoing a firmware upgrade).

If a controller is in an overall healthy state, it displays the status as "ready". A controller that is in the process of starting Purity displays the status as "not ready". The status "updating" is shown for a controller that is updating its firmware (does not apply to FA-300 and FA-400 systems). The status "unknown" is shown when the status cannot be determined, for instance when the primary controller cannot communicate with the secondary controller.

If the array has never been connected to a second controller, only a single, primary, controller mode (CT0) is displayed. Once a second controller (CT1) has been connected, both controller modes are always displayed. CT1 is initially displayed in secondary mode.

The Rapid Data Locking section displays the status of the Rapid Data Locking (RDL) feature as enabled or disabled. The RDL feature is a FlashArray option that adds external security tokens to enhance the data security of an array.

The RDL feature requires both hardware and software configuration and can only be enabled by a Purity CLI command. For more information about the RDL feature, refer to the FlashArray Rapid Data Locking (RDL) Guide in the Pure Storage Knowledge Base at .

Configuring the array name

To configure the array name:

  1. Select System > Configuration > Array.

  2. In the Array Summary section, hover over the array name and click the pencil icon. The Edit Array Name dialog box appears.

  3. In the Name field, type the new array name.

  4. Click Save.

Networking Sub-View

The Networking sub-view displays the network connection attributes of the array, DNS server addresses, and proxy configuration details.

Figure 57. Networking Sub-View

Networking Sub-View

The Network Configuration section manages the Ethernet (physical), virtual, bond, VLAN, and app interfaces used to connect the array to a network.

The Network Configuration section displays a list of interfaces on the array, along with the following network connection attributes: interface status (enabled or disabled), interface IP address, netmask and gateway IP addresses, maximum transmission unit (MTU), and network service (iSCSI, management, or replication) that is attached to the interface. VLAN ID numbers are displayed for subnets that are configured with VLAN tagging.

A check mark in the Enabled column indicates that an interface or subnet is enabled. If a bond interface is disabled, all of its slave interfaces are also disabled. If a subnet is disabled, all of its interfaces, including ones that are individually enabled, are also disabled. If a subnet is enabled, only the enabled interfaces in the subnet are reachable; its disabled interfaces remain unreachable.

The DNS section manages the DNS domains that are configured for the array. Each DNS domain can include up to three static DNS server IP addresses. DHCP mode is not supported.

The Proxy section manages the proxy hostname for https log transmission. The format for the proxy host name is http(s)://hostname:port, where hostname is the name of the proxy host, and port is the TCP/IP port number used by the proxy host.

Apps

The Apps platform extends array functionality by integrating add-on, VM-based services into the Purity operating system. Each app within the platform provides one or more services.

Installing an app automatically creates app interfaces. One app interface is created for each virtual interface that exists. For more information about the Apps platform, refer to the section called “Apps View”.

Subnets

Interfaces with common attributes can be organized into subnetworks, or subnets, to enhance the efficiency of data (iSCSI), management, and replication traffic.

In Purity, subnets can include physical, virtual, bond, and VLAN interfaces. Physical, virtual, and bond interfaces can belong to the same subnet. VLAN interfaces can only belong to subnets with other VLAN interfaces.

If the subnet is assigned a valid IP address, once it is created, all of its enabled interfaces are immediately available for connection. The subnet inherits the services from all of its interfaces. Likewise, the interfaces contained in the subnet inherit the netmask, gateway, MTU, and VLAN ID (if applicable) attributes from the subnet.

Physical, virtual, and bond interfaces in a subnet share common address, netmask, and MTU attributes. The subnet can contain a mix of physical, virtual, and bond interfaces, and the interface services can be of any type, such as iSCSI, management, or replication services.

Adding physical, virtual, and bond interfaces to a subnet involves the following steps:

  1. Create a subnet.

  2. Add the physical, virtual, and bond interfaces to the subnet.

A VLAN interface is a dedicated virtual network interface that is designed to be used with an organization’s virtual local area network (VLAN). Through VLAN interfaces, Purity employs VLAN tags to ensure the data passing between the array and VLANs is securely isolated and routed properly.

VLAN Tagging

VLAN tagging allows customers to isolate traffic through multiple virtual local area networks (VLANs), ensuring data routes to and from the appropriate networks. The array performs the work of tagging and untagging the data that passes between the VLAN and array.

VLAN is only supported for the iSCSI service type, so before creating a VLAN interface, verify the iSCSI service is configured on the physical interface.

Creating and adding VLAN interfaces to a subnet involves the following steps:

  1. Create a subnet, assigning a VLAN ID to the subnet.

  2. Add one VLAN interface to the subnet for each corresponding physical network interface to be associated with the VLAN. All of the VLAN interfaces within the subnet must be in the same VLAN.

In Purity, VLAN interfaces have the naming structure CTx.ETHy.z, where x denotes the controller (0 or 1), y denotes the interface (0 or 1), and z denotes the VLAN ID number. For example, ct0.eth1.500.

Figure 58. Networking - Creating a Subnet with VLAN Interfaces

In the following example, subnet 192.168.1.0/24 is being created. The subnet will be named ESXHost01 and assigned VLAN ID 1001. Physical interfaces ct0.eth4 and ct0.eth5 will then be added as VLAN interfaces to the subnet.

Networking - Creating a Subnet with VLAN Interfaces

The new subnet details appear in the Network Configuration section.

Networking - Creating a Subnet with VLAN Interfaces

Changing the network interface attributes

You can change the IP address, netmask, gateway, and MTU attributes of physical, virtual, and bond interfaces. If the interface belongs to a subnet, you can only change the IP address. IPv4 and IPv6 addresses follow the addressing architecture set by the Internet Engineering Task Force.

To change the attributes of a physical, virtual, or bond interface:

  1. Select System > Configuration > Networking.

  2. In the Network Configuration section, click the menu icon next the interface name. Select Edit. The Edit Network Interface dialog box appears.

  3. Complete the following fields:

    • Address: IP address to be associated with the specified Ethernet interface.

      • For IPv4, enter the address in CIDR notation ddd.ddd.ddd.ddd/dd. For example, 10.20.20.210/24. Alternatively, specify the address ddd.ddd.ddd.ddd, and then specify the netmask in the Netmask field.

      • For IPv6, enter the address and prefix length in the form xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx. For example, 2620:125:9014:3224:14:227:196:0/64. Consecutive fields of zeros can be shortened by replacing the zeros with a double colon (::). Alternatively, specify the address xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx, and then specify the prefix length in the Netmask field.

    • Netmask: Range of IP addresses that make up a group of IP addresses on the same network.

      • For IPv4, if the address entered is not in CIDR notation, enter the subnet mask in the form ddd.ddd.ddd.ddd. For example, 255.255.255.0.

      • For IPv6, if the address entered did not include a prefix length, specify the prefix length. For example, 64.

    • Gateway: IP address of the gateway through which the specified interface is to communicate with the network.

      • For IPv4, specify the gateway IP address in the form ddd.ddd.ddd.ddd.

      • For IPv6, specify the gateway IP address in the form xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx. Consecutive fields of zeros can be shortened by replacing the zeros with a double colon (::).

    • MTU: Maximum transmission unit (MTU) for the interface in bytes. If not specified, the MTU value defaults to 1500. If you are changing the MTU of a physical interface that is associated with a VLAN, verify the MTU of the physical interface is greater than or equal to (>=) the MTU of the VLAN interface. Note that the VLAN interface inherits the MTU value from its subnet.

    • MAC: Unique media access control (MAC) address assigned to the network interface. This field cannot be modified.

  4. Click Create. Purity restarts the GUI and signs you in using the self-signed certificate.

Enabling and disabling the network interface

To enable or disable a physical, virtual, or bond interface:

  1. Select System > Configuration > Networking.

  2. In the Network Configuration section, click the menu icon next the interface name.

  3. Select Enable or Disable. If you enabled the interface, a check mark appears in the Enabled column.

  4. Click Save.

  5. Verify that the banner message appears in the Purity GUI login pane and via SSH after login.

Creating a subnet

Creating the subnet involves setting the subnet attributes, and then adding the interfaces to the subnet.

A subnet can contain physical, virtual, and bond interfaces (for non-VLAN tagging purposes) or VLAN interfaces (for VLAN tagging purposes).

  1. If you are creating a VLAN interface, verify that the iSCSI service is configured on each of the corresponding physical interfaces. If the iSCSI service is not configured, contact Pure Storage Support.

  2. Click the menu icon and select Create Subnet. The Create Subnet dialog box appears.

  3. Complete the following fields:

    • Name: Name of the subnet.

    • Enabled: Indicates if the subnet is enabled (selected) or disabled (unselected).

    • Prefix: IP address of the subnet prefix and prefix length (defaults to 24).

      • For IPv4, specify the prefix in the form ddd.ddd.ddd.ddd/dd.

      • For IPv6, specify the prefix in the form xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx. Consecutive fields of zeros can be shortened by replacing the zeros with a double colon (::).

    • MTU: Maximum transmission unit (MTU) of the subnet. If not specified, the MTU value defaults to 1500. Interfaces inherit their MTU values from the subnet. Note that the MTU of a VLAN interface cannot exceed the MTU of the corresponding physical interface.

    • Gateway: IP address of the gateway through which the specified interface is to communicate with the network.

      • For IPv4, specify the gateway IP address in the form ddd.ddd.ddd.ddd.

      • For IPv6, specify the gateway IP address in the form xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx. Consecutive fields of zeros can be shortened by replacing the zeros with a double colon (::).

    • VLAN: For VLAN tagging, specify the VLAN ID, between 1 and 4094, to which the subnet is associated. If you specify the VLAN ID number, Purity filters out all available physical interfaces to only those set to iSCSI services. The physical interface name with the appended VLAN ID number becomes the VLAN interface name.

      If the interface is not part of a VLAN, leave this field blank.

  4. In the Available section, click the interfaces you want to add to the subnet.

    For interfaces that are not part of a VLAN, select the physical interfaces you want to include in the subnet.

    For VLAN tagging, select the virtual interfaces you want include in the subnet. All of the VLAN interface names in the subnet must be appended with the same VLAN ID.

    The selected interfaces appear in the Members section.

  5. Click Confirm. The new subnet, along with its interfaces, appears in the list of network configurations. If the subnet and its interfaces are enabled, they are immediately available for connection.

Adding an interface to a subnet

A subnet can contain physical, virtual, or bond interfaces (for non-VLAN tagging purposes) or VLAN interfaces (for VLAN tagging purposes).

To add an interface to an existing subnet:

  1. Select System > Configuration > Networking.

  2. Click the menu icon for the subnet to which you want to add the interfaces and select Edit. The Edit Subnet dialog box appears.

  3. In the Available section, click the interfaces you want to add to the subnet. For VLAN interfaces, you can only add interfaces that are set to iSCSI service.

    The selected interfaces appear in the Members section.

  4. Click Confirm. The interfaces appear in the subnet. If the subnet and added interfaces are enabled, they are immediately available for connection.

Removing an interface from a subnet

Removing an interface disconnects all current connections through the subnet for the specified interface. All other interfaces in the subnet are unaffected.

To remove an interface from a subnet:

  1. Select System > Configuration > Networking.

  2. Click the menu icon for the subnet from which you want to remove the interface and select Edit. The Edit Subnet dialog box appears.

  3. In the Members section, click the interfaces you want to remove from the subnet.

  4. Click Confirm. The Configure Interfaces dialog box appears notifying you that removing the interface disconnects all current connections through the subnet for the specified interface. All other interfaces in the subnet are unaffected.

  5. Click Confirm again to acknowledge the removal.

Deleting a subnet

Deleting a subnet automatically removes all of the interfaces for the subnet and deletes the subnet. Any current connections through the subnet are disconnected.

To delete a subnet:

  1. Select System > Configuration > Networking.

  2. Click the menu icon for the subnet you want to delete and select Delete. The Delete Subnet dialog box appears.

  3. Click Confirm. The Delete Subnet dialog box appears notifying you that all interfaces in the subnet will be removed and the subnet will be deleted. When Purity removes the interfaces, any current connections through the subnet will be disconnected.

Configuring the domain name system (DNS) server IP addresses

To configure the DNS server IP addresses:

  1. Select System > Configuration > Networking.

  2. In the DNS section, hover over the domain name and click the pencil icon. The Edit DNS dialog box appears.

  3. Complete the following fields:

    • Domain: Specify the domain suffix to be appended by the array when doing DNS lookups.

    • DNS#: Specify up to three DNS server IP addresses for Purity to use to resolve hostnames to IP addresses. Enter one IP address in each DNS # field.

  4. Click Save.

Configuring the proxy host

To configure the proxy host for HTTPS communication for phone home and log transmission:

  1. Select System > Configuration > Networking.

  2. In the Proxy section, hover over the proxy name and click the pencil icon. The Edit Proxy dialog box appears.

  3. In the Proxy field, enter the proxy host, including hostname and port number in the following format, where hostname is the name of the proxy host and port is the TCP/IP port number used by the proxy host: https://<hostname>:<port>

  4. Click Save.

Support Connectivity Sub-View

Figure 59. Support Connectivity Sub-View

Support Connectivity Sub-View

The Support Connectivity sub-view allows you to view and manage the Purity remote assist, phone home, and log features.

The Remote Assist section displays the remote assist status as "Connected" or "Disconnected". By default, remote assist is disconnected. A connected remote assist status means that a remote assist session has been opened, allowing Pure Storage Support to connect to the array. Disconnect the remote assist session to close the session.

The Phone Home section manages the phone home facility. The phone home facility provides a secure direct link between the array and the Pure Storage Technical Support web site. The link is used to transmit log contents and alert messages to the Pure Storage Support team so that when diagnosis or remedial action is required, complete recent history about array performance and significant events is available.

By default, the phone home facility is enabled. If the phone home facility is enabled to send information automatically, Purity transmits log and alert information directly to Pure Storage Support via a secure network connection. Log contents are transmitted hourly and stored at the support web site, enabling detection of array performance and error rate trends. Alerts are reported immediately when they occur so that timely action can be taken.

Phone home logs can also be sent to Pure Storage Technical support on demand, with options including Today's Logs, Yesterday's Logs, or All Log History.

View the phone home log transmission status and cancel phone home log transmissions through the Purity CLI (purearray command).

The Support Logs section allows you to download the Purity log contents of the specified controller to the current administrative workstation. Purity continuously logs a variety of array activities, including performance summaries, hardware and operating status reports, and administrative actions.

Opening and closing a remote assist session

Opening and closing a remote assist session does not affect the current administrative session.

To open or close a remote assist session:

  1. Select System > Configuration > Support Connectivity.

  2. In the Remote Assist section, click Connect to open a remote assist session. The port ID details appear. Provide the port ID to the Pure Storage Support team so they can connect to the array and perform diagnostic functions.

  3. After the Pure Storage Support team has performed all of the necessary diagnostic functions, click Disconnect to end the remote assist session.

Enabling and disabling the phone home facility

Enable the phone home facility to automatically transmit log files on an hourly basis to Pure Storage Support via the phone home channel.

Note: If a proxy host is required by https, configure the proxy host via System > Configuration > Networking.

To enable or disable the phone home facility:

  1. Select System > Configuration > Support Connectivity.

  2. In the Phone Home section, click Enable to enable the phone home facility. Click Disable to disable the phone home facility.

Manually send the phone home logs to Pure Storage Support

Note: If a proxy host is required by https, configure the proxy host via System > Configuration > Networking.

To manually send array log files to Pure Storage Support via the phone home channel:

  1. Select System > Configuration > Support Connectivity.

  2. In the Phone Home section, select one of the following options in the Manual Phone Home drop-down list:

    • Today's Logs: Sends log information from the current day (in the array’s time zone)

    • Yesterday's Logs: Sends log information from the previous day (in the array’s time zone)

    • All Log History: Sends log information from the previous day (in the array’s time zone)

  3. Click Send Now to send the log files to Pure Storage Support.

Downloading the phone home logs

To download the phone home logs:

  1. Select System > Configuration > Support Connectivity.

  2. In the Support Logs section, specify the date range of the log files you want to download.

  3. Click Download from CT# to download the log files from the respective array.

Alerts Sub-View

The Alerts sub-view is used to manage the list of addresses to which Purity delivers alert notifications, and the attributes of alert message delivery.

Figure 60. Alerts Sub-View

Alerts Sub-View

The Alert Recipients section displays a list of email addresses that are designated to receive Purity alert messages. Up to 20 alert recipients can be designated. The list includes the built-in flasharray-alerts@purestorage.com address, which cannot be deleted.

The Relay Host section displays the hostname or IP address of an SMTP relay host, if one is configured for the array. If you specify a relay host, Purity routes the email messages via the relay (mail forwarding) address rather than sending them directly to the alert recipient addresses.

In the Sender Domain section, the sender domain determines how Purity logs are parsed and treated by Pure Storage Support and Escalations. By default, the sender domain is set to the domain name please-configure.me.

It is crucial that you set the sender domain to the correct domain name. If the array is not a Pure Storage test array, set the sender domain to the actual customer domain name. For example, mycompany.com.

The email address that Purity uses to send alert messages includes the sender domain name and is comprised of the following components:

<Array_Name>-<Controller_Name>@<Sender_Domain_Name>.com

For example, purearray-ct0@mycompany.com.

The array name is configured in the System > Array sub-view. The controller name cannot be changed.

Adding an alert recipient

You can designate up to 19 alert recipients.

To add an alert recipient:

  1. Select System > Configuration > Alerts.

  2. In the Alert Recipients section, click the menu icon and select Add Alert Recipient. The Create Alert User dialog box appears.

  3. In the email field, enter the email address of the alert recipient.

  4. Click Save.

Enabling and disabling email alerts

You cannot disable built-in alert recipient flasharray-alerts@purestorage.com.

To enable or disable email alerts:

  1. Select System > Configuration > Alerts.

  2. In the Alert Recipients section, click the menu icon for the email address of the alert recipient you want to disable.

  3. Select Enable to send alert messages to the alert recipient. Select Disable to not send alert messages to the alert recipient.

Deleting email alert recipients

You cannot delete built-in alert recipient flasharray-alerts@purestorage.com.

To delete an email alert recipient:

  1. Select System > Configuration > Alerts.

  2. In the Alert Recipients section, click the menu icon for the email address of the alert recipient you want to delete.

  3. Select Delete to delete the email address from the Alert Recipient list.

Specifying a SMTP relay host

To specify a relay host:

  1. Select System > Configuration > Alerts.

  2. In the Relay Host section, hover over the relay host name and click the pencil icon. The Edit Relay Host dialog box appears.

  3. In the Relay Host field, enter fully-qualified domain name or IP address of the SMTP relay host. If specifying an IP address, enter the IPv4 or IPv6 address.

    For IPv4, specify the IP address in the form ddd.ddd.ddd.ddd, where ddd is a number ranging from 0 to 255 representing a group of 8 bits. If a port number is also specified, append it to the end of the address in the format ddd.ddd.ddd.ddd:PORT, where PORT represents the port number.

    For IPv6, specify the IP address in the form xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx, where xxxx is a hexadecimal number representing a group of 16 bits. Consecutive fields of zeros can be shortened by replacing the zeros with a double colon (::). If a port number is also specified, enclose the entire address in square brackets ([]) and append the port number to the end of the address. For example, [xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx]:PORT, where PORT represents the port number.

  4. Click Save.

Specifying a non-standard SMTP relay host

To set up a non-standard SMTP relay host:

  1. Select System > Configuration > Alerts.

  2. In the Relay Host section, hover over the relay host name and click the pencil icon. The Edit Relay Host dialog box appears.

  3. In the Relay Host field, enter fake.relay.purestorage.com:26. If not specified, the port number defaults to 25.

  4. Click Save.

  5. To test the non-standard SMTP relay host, run the Purity CLI command purealert test example@purestorage.com and verify that the output matches the following:

    $ purealert test example@purestorage.com
    Name                     Accepted  Error
    example@purestorage.com  True      -
                    

Changing the sender domain

To change the sender domain:

  1. Select System > Configuration > Alerts.

  2. In the Sender Domain section, hover over the domain name and click the pencil icon. The Edit Sender Domain dialog box appears.

  3. In the Sender Domain field, enter the company domain name. Purity uses the sender domain name to determine how Purity logs are handled. The domain name is also appended to alert email messages.

    The default domain name is please-configure.me. If this is not a Pure Storage test array, set the sender domain to the actual customer domain name. For example, mycompany.com.

    Important Note: The sender domain determines how Purity logs are parsed and treated by Pure Storage Support and Escalations, so it is crucial that you set the sender domain to the correct domain name.

  4. Click Save.

SNMP Sub-View

The SNMP sub-view displays the list of SNMP managers with which the array communicates. The SNMP sub-view is also used to configure SNMP managers and download the array’s MIB file to the administrative workstation.

Purity supports SNMP versions v2c and v3. SNMPv3 supports secure user authorization and message transmission.

Figure 61. SNMP Sub-View

SNMP Sub-View

FlashArrays can integrate with SNMP-based data center management frameworks in two ways: via a built-in SNMP agent or through the use of SNMP traps.

The SNMP Agent section displays the built-in localhost SNMP agent that responds to SNMP information retrieval requests made by SNMP managers in the same SNMP community as the FlashArray. The localhost agent cannot be deleted or renamed.

You can download the array's management information base (MIB) file to the administrative workstation.

The SNMP Trap Managers section displays a list of SNMP managers that are designated to receive SNMP trap messages from Purity. For each alert it generates, Purity sends a SNMP trap message to the designated SNMP manager systems.

You can configure the array to send alert messages to an SNMP manager.

If you specify SNMPv3, also specify the authorization protocol and privacy protocol options. If the manager encrypts SNMP messages, also enter the manager's privacy passphrase.

Downloading the management information base (MIB) file

To download the management information base (MIB) file:

  1. Select System > Configuration > SNMP.

  2. Click the menu icon and select Download MIB to download the MIB file to your local machine. The default filename is PURESTORAGE-MIB.

Specifying the SNMP community string (applies to SNMPv2c only)

Specifying the community string adds the array to the SNMP community. You must specify the SNMP community string if Purity support the SNMPv2c protocol.

To specify the SNMP community string:

  1. Select System > Configuration > SNMP.

  2. In the Community field, enter the manager community ID under which Purity is to communicate with the managers.

  3. Click Save.

Adding a SNMP trap manager

To add a SNMP trap manager:

  1. Select System > Configuration > SNMP.

  2. Click the menu icon and select Add SNMP Trap Manager. The Add SNMP Trap Manager dialog box appears.

  3. Complete the following fields:

    • Name: Name of the SNMP trap manager.

    • Host: DNS hostname or IP address of a computer that hosts an SNMP manager to which Purity is to send trap messages when it generates alerts. If specifying an IP address, enter the IPv4 or IPv6 address.

      For IPv4, specify the IP address in the form ddd.ddd.ddd.ddd, where ddd is a number ranging from 0 to 255 representing a group of 8 bits. If a port number is also specified, append it to the end of the address in the format ddd.ddd.ddd.ddd:PORT, where PORT represents the port number.

      For IPv6, specify the IP address in the form xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx, where xxxx is a hexadecimal number representing a group of 16 bits. Consecutive fields of zeros can be shortened by replacing the zeros with a double colon (::). If a port number is also specified, enclose the entire address in square brackets ([]) and append the port number to the end of the address. For example, [xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx]:PORT, where PORT represents the port number.

    • SNMP Version: Version of the SNMP protocol to be used by Purity in communications with the specified managers. Valid values are v2c (default) and v3.

    • Community: SNMPv2c only. SNMP manager community ID under which Purity is to communicate with the specified managers.

    • User: User ID recognized by the specified SNMP managers that Purity is to use in communications with them.

    • Auth Protocol: SNMPv3 only. Hash algorithm used to validate the authentication passphrase. Valid values are MD5, SHA, or None.

    • Auth Passphrase: SNMPv3 only. Passphrase used by Purity to authenticate the array with the specified managers. Required if the Auth Protocol option is set to MD5 or SHA.

    • Privacy Protocol: SNMPv3 only. Encryption protocol for SNMP messages. Valid values are AES, DES, or None.

    • Privacy Passphrase: SNMPv3 only. Passphrase used to encrypt SNMP messages. The passphrase must be between 8 and 63 non-spaced ASCII characters.

  4. Click Save.

Configuring the SNMP trap manager

To configure the SNMP trap manager:

  1. Select System > Configuration > SNMP.

  2. In the SNMP Trap Managers section, click the menu icon for the the SNMP trap manager name and select Edit. The Edit SNMP Manager dialog box appears.

  3. Modify the following fields:

    • Name: Name of the SNMP trap manager.

    • Host: DNS hostname or IP address of a computer that hosts an SNMP manager to which Purity is to send trap messages when it generates alerts.

    • SNMP Version: Version of the SNMP protocol to be used by Purity in communications with the specified managers. Valid values are v2c (default) and v3.

    • Community: SNMPv2c only. SNMP manager community ID under which Purity is to communicate with the specified managers.

    • User: User ID recognized by the specified SNMP managers that Purity is to use in communications with them.

    • Auth Protocol: SNMPv3 only. Hash algorithm used to validate the authentication passphrase. Valid values are MD5, SHA, or None.

    • Auth Passphrase: SNMPv3 only. Passphrase used by Purity to authenticate the array with the specified managers. Required if the Auth Protocol option is set to MD5 or SHA.

    • Privacy Protocol: SNMPv3 only. Encryption protocol for SNMP messages. Valid values are AES, DES, or None.

    • Privacy Passphrase: SNMPv3 only. Passphrase used to encrypt SNMP messages. The passphrase must be between 8 and 63 non-spaced ASCII characters.

  4. Click Save.

Deleting a SNMP trap manager

To delete a SNMP trap manager:

  1. Select System > Configuration > SNMP.

  2. In the SNMP Trap Managers section, click the menu icon for the SNMP trap manager name and select Delete.

Sending a test SNMP trap to a manager

To send a test SNMP trap to a manager:

  1. Select System > Configuration > SNMP.

  2. In the SNMP Trap Managers section, click the menu icon for the SNMP trap manager name and select Send Test Trap.

System Time Sub-View

The System Time sub-view, also known as the Array Time sub-view, displays the array’s current time, and the IP address or fully qualified hostname of a Network Time Protocol (NTP) server with which array time is synchronized (if one is configured).

Pure Storage technicians set the array time zone during installation. By default, the array time is synchronized to an NTP server operated by Pure Storage. To designate an alternate NTP server, enter the NTP Server IP address or hostname and click the check mark to confirm the change.

Figure 62. System Time Sub-View

System Time Sub-View

Designating an alternate NTP server

To designate an alternate NTP server:

  1. Select System > Configuration > System Time.

  2. In the NTP Server field, enter the hostname or IP address of the NTP server used by the array to maintain reference time. You can add up to four NTP servers. Enter multiple NTP server names in comma-separated format.

    If specifying an IP address, for IPv4, specify the IP address in the form ddd.ddd.ddd.ddd, where ddd is a number ranging from 0 to 255 representing a group of 8 bits. For IPv6, specify the IP address in the form xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx, where xxxx is a hexadecimal number representing a group of 16 bits. When specifying an IPv6 address, consecutive fields of zeros can be shortened by replacing the zeros with a double colon (::).

  3. Click the check mark to confirm the change.

Directory Service Sub-View

The Directory Service sub-view manages the integration of FlashArrays with an existing directory service. When the Directory Service sub-view is configured and enabled, the FlashArray leverages a directory service to perform user account and permission level searches.

Figure 63. Directory Service Sub-View

Directory Service Sub-View

The FlashArray is delivered with a single local user, named pureuser, with array-wide (Array Admin) permissions.

To support multiple FlashArray users, integrate the array with a directory service, such as Microsoft Active Directory or OpenLDAP.

Role-based access control is achieved by configuring groups in the directory that correspond to the following permission groups (roles) on the array:

  • Read Only Group. Read Only users have read-only privileges to run commands that convey the state of the array. Read Only users cannot alter the state of the array.

  • Storage Admin Group. Storage Admin users have all the privileges of Read Only users, plus the ability to run commands related to storage operations, such as administering volumes, hosts, and host groups. Storage Admin users cannot perform operations that deal with global and system configurations.

  • Array Admin Group. Array Admin users have all the privileges of Storage Admin users, plus the ability to perform array-wide changes. In other words, Array Admin users can perform all FlashArray operations.

When a user connects to the FlashArray with a username other than pureuser, the array confirms the user's identity from the directory service. The response from the directory service includes the user's group, which Purity maps to a role on the array, granting access accordingly.

For security purposes, a user belonging to more than one FlashArray group will inherit the permissions of the most restrictive group. For example, a user who belongs to both the Storage Admin and Read Only groups will inherit the privileges of the more restrictive Read Only group.

For directory service-enabled accounts, user passwords to the FlashArray are managed through the directory service while public keys are configured through Purity.

After you configure the directory service settings, test the configuration to:

  • Verify the Uniform Resource Identifiers (URIs) can be resolved and that the FlashArray can bind and query the tree using the bind user credentials.

  • Verify the FlashArray can find all the configured groups to ensure the common names (CNs) and group base are correctly configured. For each configured group, the FlashArray binds and queries the directory service to find the configured group. If Check Peer is enabled, the initial bind and query test is repeated while enforcing server authenticity using the CA certificate.

Figure 64. Directory Service Test Results

The following LDAP Test Results pop-up window displays a directory service connection that has not been configured successfully, as indicated by the red-colored square associated with the Storage Admin Group CN=puretypo group, which the LDAP test cannot find.

Directory Service Test Results

When you configure the FlashArray to integrate with a directory service, consider the following:

  • If the directory service contains multiple groups, each group must have a common name (CN).

  • All uniform resource identifiers (URIs) must be in the same, single domain.

Configuring the directory service settings

To configure the directory service settings:

  1. Select System > Configuration > Directory Service.

  2. Configure the Directory Service fields:

    Enabled:

    Select the check box to leverage the directory service to perform user account and permission level searches.

    URI:

    Enter the comma-separated list of up to 30 URIs of the directory servers.

    Each URI must include the scheme ldap:// or ldaps:// (for LDAP over SSL), a hostname, and a domain name or IP address. For example, ldap://ad.company.com configures the directory service with the hostname "ad" in the domain "company.com" while specifying the unencrypted LDAP protocol.

    If specifying a domain name, it should be resolvable by the configured DNS servers.

    If specifying an IP address, for IPv4, specify the IP address in the form ddd.ddd.ddd.ddd, where ddd is a number ranging from 0 to 255 representing a group of 8 bits.

    For IPv6, specify the IP address in the form [xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx], where xxxx is a hexadecimal number representing a group of 16 bits. Enclose the entire address in square brackets ([]). Consecutive fields of zeros can be shortened by replacing the zeros with a double colon (::).

    If the scheme of the URIs is ldaps://, SSL is enabled. SSL is either enabled or disabled globally, so the scheme of all supplied URIs must be the same. They must also all have the same domain.

    If base DN is not configured and a URI is provided, the base DN will automatically default to the domain components of the URIs.

    Optionally specify a port. Append the port number after the end of the entire address. Default ports are 389 for ldap, and 636 for ldaps. Non-standard ports can be specified in the URI if they are in use.

    Base DN:

    Enter the base distinguished name (DN) of the directory service. The Base DN is built from the domain and should consist only of domain components (DCs). For example, for ldap://ad.storage.company.com, the Base DN would be: “DC=storage,DC=company,DC=com”

    Bind User:

    Username used to bind to and query the directory.

    For Active Directory, enter the username - often referred to as the user login name - of the account that is used to perform directory lookups. The username cannot contain the characters " [ ] : ; | = + * ? < > / \, and cannot exceed 20 characters in length.

    For OpenLDAP, enter the full DN of the user. For example, "CN=John,OU=Users,DC=example,DC=com".

    Bind Password:

    Enter the password for the bind user account.

    Group Base:

    Enter the organizational unit (OU) to the configured groups in the directory tree. The Group Base consists of OUs that, when combined with the base DN attribute and the configured group CNs, complete the full Distinguished Name of each groups. The group base should specify "OU=" for each OU and multiple OUs should be separated by commas. The order of OUs should get larger in scope from left to right. In the following example, SANManagers contains the sub-organizational unit PureGroups: "OU=PureGroups,OU=SANManagers".

    Array Admin Group:

    Common Name (CN) of the directory service group containing administrators with full privileges to manage the FlashArray. Array Admin Group administrators have the same privileges as pureuser. The name should be the Common Name of the group without the "CN=" specifier. If the configured groups are not in the same OU, also specify the OU. For example, "pureadmins,OU=PureStorage", where pureadmins is the common name of the directory service group.

    Storage Admin Group:

    Common Name (CN) of the configured directory service group containing administrators with storage related privileges on the FlashArray. The name should be the Common Name of the group without the "CN=" specifier. If the configured groups are not in the same OU, also specify the OU. For example, "pureusers,OU=PureStorage", where pureusers is the common name of the directory service group.

    Read Only Group:

    Common Name (CN) of the configured directory service group containing users with read-only privileges on the FlashArray. The name should be the Common Name of the group without the "CN=" specifier. If the configured groups are not in the same OU, also specify the OU. For example, "purereadonly,OU=PureStorage", where purereadonly is the common name of the directory service group.

    Check Peer:

    Select the check box to validate the authenticity of the directory servers using the CA Certificate. If you enable Check Peer, you must provide a CA Certificate.

    CA Certificate:

    Enter the certificate of the issuing certificate authority. Only one certificate can be configured at a time, so the same certificate authority should be the issuer of all directory server certificates.

    The certificate must be PEM formatted (Base64 encoded) and include the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines. The certificate cannot exceed 3000 characters in total length.

  3. Click Save.

  4. Click Test to test the configuration settings. The LDAP Test Results pop-up window appears. Green squares represent successful checks. Red squares represent failed checks.

  5. Correct any failed checks and test the configuration settings until the LDAP test passes.

Banner Sub-View

The Banner sub-view enables you to create a common "message of the day" (MOTD) that is sent to all Purity users. The banner message is displayed in the login pane of the Purity GUI and via SSH after users log in.

Figure 65. Banner Sub-View

Banner Sub-View

Creating a banner message

To create a banner message for all Purity users to see:

  1. Select System > Configuration > Banner.

  2. Click Edit.

  3. Type the banner message. The message can be up to 2000 characters long and accepts ASCII characters.

  4. Click Save.

  5. Verify that the banner message appears in the Purity GUI login pane and via SSH after login.

UI Sub-View

The UI sub-view allows you to configure UI settings, such as idle timeout. The Idle Timeout feature displays the length of time, measured in minutes, that Purity is idle before the user is logged out of the Purity GUI or SSH session.

The default idle time is 30 minutes.

Figure 66. UI Sub-View

UI Sub-View

Setting the idle timeout value

To set the idle timeout value:

  1. Select System > Configuration > UI.

  2. In the Idle Timeout field, enter the amount of time in minutes that a Purity session can be idle before the user is logged out. The idle time can be any length between 5 and 180 minutes.

  3. Click the check mark to confirm the change.

  4. Log off Purity. The idle timeout setting takes effect when you log back in to Purity.

Disabling the idle timeout setting

To disable the idle timeout setting:

  1. Select System > Configuration > UI.

  2. In the Idle Timeout field, enter 0.

  3. Click the check mark to confirm the change.

  4. Log off Purity. The idle timeout setting is disabled the next time you log back in to Purity.

Syslog Server Sub-View

The Syslog Server feature enables you to configure Purity to forward syslog messages to remote servers.

Figure 67. Syslog Server Sub-View

Syslog Server Sub-View

The Purity syslog logging facility generates messages of major events within the FlashArray and forwards the messages to remote servers. Purity generates syslog messages for three types of events:

  • Alerts (purity.alert)

  • Audit Trails (purity.audit)

  • Tests (purity.test)

Alerts

Purity generates alerts when there is a change to the array or to one of the Purity hardware or software components. There are three alert severity levels:

  • INFO: Informational messages that are generated due to a change in state. INFO messages can be used for reporting and analysis purposes. No action is required.

  • WARNING: Important messages that warn of an impending error if action is not taken.

  • CRITICAL: Urgent messages that require immediate attention.

Syslog alerts are broken down into the following format:

<Event Timestamp> <Array IP Address> purity.alert <Alert Severity> <Alert Details>

In the following example, Purity generated a WARNING alert because space consumption on the array exceeded 90%:

Figure 68. Syslog Server - Alerts

Syslog Server - Alerts


Alerts are also sent via the phone home facility to the Pure Storage Support team. If configured, alerts can also be sent to designated email recipients and SNMP trap managers.

You can also view alerts through the Purity GUI (Messages > Alerts) and Purity CLI (puremessage list command).

Audit Trails

An audit trail represents a chronological history of the Purity GUI, CLI, or REST API operations that a user has performed to modify the configuration of the array. Each message within an audit trail includes the name of the Purity user who performed the operation and the Purity operation that was performed.

Syslog audit trail messages are broken down into the following format:

<Event Timestamp> <Array IP Address> <purity.audit> <Purity Username> <Purity Command> <Audit Trail Message Details>

In the following example, “pureuser” performed various Purity GUI, CLI, or REST API operations:

Figure 69. Syslog Server - Audit Trails

Syslog Server - Audit Trails


You can also view audit messages through the Purity GUI (Messages > Audit Trail) and Purity CLI (puremessage list --audit command).

Tests

Test messages represent a history of all tests generated by users to verify that the array can send messages to email recipients. The message does not indicate whether or not the test message successfully reached the recipients.

Syslog test messages are broken down into the following format:

<Event Timestamp> <Array IP Address> <purity.test> <Purity Username> <Test Message Details>

In the following example, “pureuser” performed a test to determine if the array could send messages to email addresses:

Figure 70. Syslog Server - Tests

Syslog Server - Tests


Setting the syslog server output location

To set the syslog server output location:

  1. Select System > Configuration > Syslog Server. The Syslog Server pane appears.

  2. In the Syslog Server field, enter the URI of the remote syslog server. For example, tcp://MyHost.com.

    Specify the URI in the format PROTOCOL://HOSTNAME:PORT.

    PROTOCOL is "tcp", "tls", or "udp".

    HOSTNAME is the syslog server hostname or IP address. If specifying an IP address, for IPv4, specify the IP address in the form ddd.ddd.ddd.ddd, where ddd is a number ranging from 0 to 255 representing a group of 8 bits.

    For IPv6, specify the IP address in the form [xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx], where xxxx is a hexadecimal number representing a group of 16 bits. Enclose the entire address in square brackets ([]). Consecutive fields of zeros can be shortened by replacing the zeros with a double colon (::).

    PORT is the port at which the server is listening. Append the port number after the end of the entire address. If the port is not specified, it defaults to 514.

  3. Click the check mark to save the setting.

  4. Optionally, click Test to test the setting. If the test is successful, a test message appears in the syslog server output.

SSL Certificate Sub-View

Purity creates a self-signed certificate and private key when you start the system for the first time. The SSL Certificate sub-view allows you to view and change certificate attributes, create a new self-signed certificate, construct certificate signing requests, import certificates and private keys, and export certificates.

Figure 71. SSL Certificate Sub-View

SSL Certificate Sub-View

Self-Signed Certificate

Creating a self-signed certificate replaces the current certificate. When you create a self-signed certificate, include any attribute changes, specify the validity period of the new certificate, and optionally generate a new private key.

Figure 72. SSL Certificate - Create Self-Signed Certificate

SSL Certificate - Create Self-Signed Certificate

When you create the self-signed certificate, you can generate a private key and specify a different key size. If you do not generate a private key, the new certificate uses the existing key.

You can change the validity period of the new self-signed certificate. By default, self-signed certificates are valid for 3650 days.

CA-Signed Certificate

Certificate authorities (CA) are third party entities outside the organization that issue certificates.

To obtain a CA certificate, you must first construct a certificate signing request (CSR) on the array.

Figure 73. SSL Certificate - Construct Certificate Signing Request

SSL Certificate - Construct Certificate Signing Request

The CSR represents a block of encrypted data specific to your organization. You can change the certificate attributes when you construct the CSR; otherwise, Purity will reuse the attributes of the current certificate (self-signed or imported) to construct the new one. Note that the certificate attribute changes will only be visible after you import the signed certificate from the CA.

Send the CSR to a certificate authority for signing. The certificate authority returns the SSL certificate for you to import. Verify that the signed certificate is PEM formatted (Base64 encoded), includes the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines, and does not exceed 3000 characters in total length. When you import the certificate, also import the intermediate certificate if it is not bundled with the CA certificate.

Figure 74. SSL Certificate - Import CA Certificate

SSL Certificate - Import CA Certificate


If the certificate is signed with the CSR that was constructed on the current array and you did not change the private key, you do not need to import the key. However, if the CSR was not constructed on the current array or if the private key has changed since you constructed the CSR, you must import the private key. If the private key is encrypted, also specify the passphrase.

Certificate Administration

The attributes of a self-signed certificate can only be changed by creating a new certificate. Certificate attributes include organization-specific information, such as country, state, locality, organization, organizational unit, common name, and email address.

The export feature allows you to view and export the certificate and intermediate certificates for backup purposes.

Creating or Changing the Attributes of a Self-Signed Certificate

Note: When you change the certificate attributes, Purity replaces the existing certificate with the new certificate and its specified attributes.

  1. Select System > Configuration > SSL Certificate

  2. Click the menu icon and select Create Self-Signed Certificate. The Create Self-Signed Certificate pop-up window appears.

  3. Complete or modify the following fields:

    • Generate new key: Select the check box to generate a new private key with the self-signed certificate. If you do not generate a new key, the certificate uses the existing key.

    • Key Size: If you generate a new private key, specify the key size. The default key size is 2048 bits. A key size smaller than 2048 is considered insecure.

    • Country: Enter the two-letter ISO code for the country where your organization is located.

    • State: Enter the full name of the state or province where your organization is located.

    • Locality: Enter the full name of the city where your organization is located.

    • Organization: Enter the full and exact legal name of your organization. The organization name should not be abbreviated and should include suffixes such as Inc, Corp, or LLC.

    • Organizational Unit: Enter the department within your organization that is managing the certificate.

    • Common Name: Enter the fully qualified domain name (FQDN) of the current array. For example, the common name for https://purearray.example.com is purearray.example.com, or *.example.com for a wildcard certificate. The common name can also be the management IP address of the array or the short name of the current array. Common names cannot have more than 64 characters.

    • Email: Enter the email address used to contact your organization.

    • Days: Specify the number of valid days for the self-signed certificate being generated. If not specified, the self-signed certificate expires after 3650 days.

  4. Click Create. Purity restarts the GUI and signs you in using the self-signed certificate.

Constructing a Certificate Signing Request to Obtain a CA Certificate

Note: When you change the certificate attributes, Purity replaces the existing certificate with the new certificate and its specified attributes.

  1. Select System > Configuration > SSL Certificate

  2. Click the menu icon and select Construct Certificate Signing Request. The Construct Certificate Signing Request pop-up window appears.

  3. Complete or modify the following fields:

    • Country: Enter the two-letter ISO code for the country where your organization is located.

    • State: Enter the full name of the state or province where your organization is located.

    • Locality: Enter the full name of the city where your organization is located.

    • Organization: Enter the full and exact legal name of your organization. The organization name should not be abbreviated and should include suffixes such as Inc, Corp, or LLC.

    • Organizational Unit: Enter the department within your organization that is managing the certificate.

    • Common Name: Enter the fully qualified domain name (FQDN) of the current array. For example, the common name for https://purearray.example.com is purearray.example.com, or *.example.com for a wildcard certificate. The common name can also be the management IP address of the array or the short name of the current array. Common names cannot have more than 64 characters.

    • Email: Enter the email address used to contact your organization.

  4. Click Create to construct the CSR. The CSR pop-up window appears, displaying the CSR as a block of encrypted data.

  5. Click Download to download the CSR, which you can send to a certificate authority (CA) for signing.

Importing a CA Certificate

After you receive the signed certificate from the CA, you are ready to import it to replace the existing certificate.

  1. Verify that the signed certificate is PEM formatted (Base64 encoded), includes the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines, and does not exceed 3000 characters in length.

  2. Select System > Configuration > SSL Certificate.

  3. Click the menu icon and select Import Certificate. The Import pop-up window appears.

  4. Complete or modify the following fields:

    • Certificate - Click Choose File and select the signed certificate you received from the CA.

    • Intermediate Certificate - If you also received an intermediate certificate from the CA, click Choose File and select the intermediate certificate.

    • Key - If the CSR was not constructed on the current array or the private key has changed since you constructed the CSR, click Choose File and select the private key.

    • Passphrase - If the private key is encrypted with a passphrase, enter the passphrase.

  5. Click Import.

Viewing and Exporting Certificate Details

  1. Select System > Configuration > SSL Certificate

  2. Click the menu icon and select Export Certificate or Export Intermediate Certificate. The Export pop-up window appears.

  3. Click Download to view the certificate details.

  4. Click Download again to export the file.

SMI-S Sub-View

The SMI-S sub-view manages the Pure Storage Storage Management Initiative Specification (SMI-S) provider.

Enable the SMI-S provider to administer the array through an SMI-S client. The SMI-S provider is optional and must be enabled before its first use.

For more information about the SMI-S provider, refer to the Pure Storage SMI-S Provider Guide in the Pure Storage Knowledge Base at .

Connected Arrays View

A connection must be established between two arrays in order for data transfer to occur. For example, arrays must be connected to replicate data from one array to another. When two arrays are connected, the array where data is being transferred from is called the local (source) array, and the array where data is being transferred to is called the remote (target) array.

Arrays are connected using a connection key, which is supplied from one array and entered into the other array. After two arrays are connected, the target array must allow the connection from the source array to accept the data being transferred.

The Connected Arrays view displays a list of remote FlashArrays that are connected to the current array and the attributes associated with each connection. The Connected Arrays view also allows you to create array connections and edit network bandwidth throttling.

Figure 75. Connected Arrays View

Connected Arrays View

The colored squares in the Connected column represent the connectivity status between the current array and each remote array.

  • Green: Current array is connected to the remote array.

  • Gray: Current array cannot establish a connection to the remote array due to network connection or firewall issues.

Network Bandwidth Throttling

The Network bandwidth throttling feature regulates when and how much data should be transferred between the arrays. Once two arrays are connected, optionally configure network bandwidth throttling to set maximum threshold values for outbound traffic.

In the Connected Arrays view, a check mark in the Throttled column indicates that network bandwidth throttling has been configured.

Two different network bandwidth limits can be set:

  • Set a default maximum network bandwidth threshold for outbound traffic.

and/or

  • Set a range (window) of time in which the maximum network bandwidth threshold is in effect.

If both thresholds are set, the “window” limit overrides the “default” limit.

The limit represents an average data rate, so actual data transfer rates can fluctuate slightly above the configured limit.

To completely stop the data transfer process, either by default or during a window of time, set the threshold to "0". During this time, all in-progress and scheduled data transfer processes are aborted.

In the following example, the current array has been configured to throttle whenever the rate of data being transferred to array vm-rep exceeds 4 GB/s, except between 10:00am and 3:00pm, when throttling will occur whenever the data transfer rate exceeds 2 GB/s.

Figure 76. Connected Arrays - Network Bandwidth Throttling

Connected Arrays - Network Bandwidth Throttling

Connecting Two Arrays

Connecting two arrays involves: 1) getting the connection key from the remote array, and 2) creating the connection from the current array to the remote array.

Getting a Connection Key from the Remote Array

The connection key is used to establish a connection between two arrays. Use the connection key from one array to create the connection on the other array.

To get the connection key:

  1. Log in to the array.

  2. Select System > Connected Arrays.

  3. Click the menu icon and select Get Connection Key. The Connection Key pop-up window appears.

  4. Copy the connection key string.

Connecting to a Remote Array

After you obtain the connection key from the remote array, log in to your array to create the connection.

To connect your array to a remote array:

  1. Log in to the array.

  2. Select System > Connected Arrays.

  3. Click the menu icon and select Connect Array. The Connect pop-up window appears.

  4. Set the following connection details:

    • In the Management Address field, enter the virtual (vir0) IP address or FQDN of the remote (target) array.

    • In the Replication Address field, enter the IP address or FQDN of the replication bond (replbond) interface on the remote array.

    • Leave the default Type as Replication.

    • In the Connection Key field, enter the connection key of the remote array.

  5. Click Connect.

Disconnecting Two Arrays

Disconnecting two arrays suspends any in-progress data transfer processes. The process resumes when the arrays are reconnected.

If two arrays are connected for replication purposes, disconnecting the arrays does not delete data from the replication target array. However, after the two arrays have been disconnected, removing a target array from a protection group immediately deletes all of the data on the target array that was sent from its source array. As a result, replicating data again from the source array to the target array would cause another baseline transfer.

To disconnect two arrays:

  1. Log in to the array from where the initial connection was established.

  2. Select System > Connected Arrays.

  3. Click the menu icon for the remote array name and select Disconnect.

  4. Copy the connection key string.

Configuring Network Bandwidth Throttling

Once two arrays are connected, optionally configure network bandwidth throttling to set maximum threshold values for outbound traffic.

To configure network bandwidth throttling:

  1. Log in to the array in which you want to set threshold values for outbound traffic.

  2. Select System > Connected Arrays.

  3. In the Connected Arrays view, verify that the array is connected to the remote array to which network bandwidth throttling applies.

  4. Click the menu icon for the remote array name and select Edit Bandwidth Throttling. The Edit Bandwidth Throttling dialog box appears.

  5. Configure the following options:

    • To specify a default bandwidth limit, select the Set default network bandwidth limit… check box and specify a bandwidth limit for the amount of data transferred to the remote array per second. The bandwidth limit must be between 1 MB/s and 4 GB/s. To completely stop the data transfer process, set the limit to 0.

    and/or

    • To specify a window of time during which network bandwidth throttling takes effect, select the Between… check box, select the start and end times, and specify a bandwidth limit for the amount of data transferred to the remote array during the time range. The bandwidth limit must be between 1 MB/s and 4 GB/s. To completely stop the data transfer process during the specified window of time, set the limit to 0.

    If you set both limits, the “window” limit overrides the “default” limit.

  6. Click Save. Bandwidth limit changes take effect immediately. The check mark in the Throttled column of the Connected Arrays view indicates that network bandwidth limits have been set.

Connections View

The Connections view displays connectivity details between the Purity hosts and the array ports.

The Host Connections sub-view displays a list of hosts, the connectivity status of each host, and the number of initiator ports associated with each host.

Figure 77. Host Connections Sub-View

Host Connections Sub-View

The Paths column displays the connectivity status between the host and controllers in a highly available environment, where the colored value indicates one of the following connection health statuses:

  • Green: Fully redundant and highly available. No issues detected.

  • Yellow: Not fully redundant. Issues detected that may impact high availability.

  • Red: Single controller connectivity only.

  • Gray: No connectivity.

Possible connection statuses include:

Redundant

All paths between the host and each of the controllers in a highly available array are connected.

Uneven

The number of paths between the host and each controller is uneven. This may impact high availability. Make sure that there are the same number of paths from the host to each controller.

Unused Port

The host has unused initiators. This may impact high availability. Make sure that all of the initiators have at least one path to the array.

Single Controller

The host has paths to only one of the controllers. No paths exist to the other controller. This impacts high availability. Make sure that there are redundant paths from the host to both controllers.

Single Controller - Failover

The host has paths to one controller, but one or more of those paths has failed over.

None

The host is not connected to any of the controllers.

Select the check boxes along the top of the Host Connections list to filter the hosts by connection status.

The Target Ports sub-view displays the connection mappings between each array port and initiator port. Each array port includes the following connectivity details: associated Fibre Channel Worldwide Name (WWN) or iSCSI Qualified Name (IQN) address, failover status, and communication speed. A check mark in the Failover column indicates that the port has failed over to the corresponding port pair on the primary controller.

Figure 78. Target Ports Sub-View

Target Ports Sub-View

Users View

The Users view displays a list of Purity user accounts and their attributes.

Purity is released with one pureuser administrative account, which is installed with the FlashArray. All other Purity users are enabled and managed through a directory service.

The pureuser account is password-protected (default password is "pureuser") and can alternatively be accessed using a public-private key pair. All other user passwords are managed in the directory service.

The pureuser account cannot be renamed or deleted.

Figure 79. Users View (defaults to Me Sub-View)

Users View (defaults to Me Sub-View)

Me Sub-View

The Me sub-view displays the name of the user that is currently logged into Purity. If a public key has been created for the user, it appears masked in the Public Key column. Likewise, if an API token has been created for the user, it appears masked in the API Token column.

Click the menu icon for the username to change the user password and manage the public key and API token.

The pureuser password can be changed through Purity. All other Purity user passwords are managed in the directory service.

All users can manage their own public keys and API tokens, but only array administrators can manage the public keys associated with other users. Array administrators cannot view the API tokens associated with other users.

Changing the login password

To change the Purity login password:

  1. Select System > Users > Me.

  2. Click the menu icon for the username.

  3. Select Set Password.

  4. In the Current Password field, type your current password.

  5. In the New Password field, type the new password. The password must be between one and 32 characters in length, and can include any character that can be entered from a US keyboard.

  6. In the Confirm New Password field, type the new password again.

  7. Click Save. The next time you log in to Purity, you must enter the new password.

Local Users Sub-View

The Local Users sub-view displays a list of all users that were created in Purity, along with the public keys or API tokens created for them. The public keys and API tokens appear in masked format.

Click the menu icon for the username to change the user password and manage the public key and API token.

The current Purity release supports the single local pureuser administrative account. All other Purity users are enabled through a directory service and do not appear in the Local Users sub-view.

Changing the login password

To change the pureuser login password:

  1. Select System > Users > Local Users.

  2. Click the menu icon for the pureuser username.

  3. Select Set Password.

  4. In the Current Password field, type your current password.

  5. In the New Password field, type the new password. The password must be between one and 32 characters in length, and can include any character that can be entered from a US keyboard.

  6. In the Confirm New Password field, type the new password again.

  7. Click Save. The next time you log in to Purity, you must enter the new password.

Public Keys Sub-View

The Public Keys sub-view displays a list of all users with public keys.

All users can manage their own public keys, but only array administrators can manage the public keys associated with other users.

Figure 80. Public Keys Sub-View

Public Keys Sub-View


Adding the public key

To add the public key:

  1. Select System > Users > Public Keys.

  2. Click + Key in the upper-right corner of the Public Keys pane. The Set Public Key pop-up window appears.

  3. In the Name field, enter the name of the Purity user.

  4. In the Public Key field, enter the public key.

  5. Click Save.

  6. Verify that username and public key, which appear as four asterisk-masked characters, are displayed in the Public Keys pane.

Updating the public key

To update the public key:

  1. Select System > Users > Public Keys.

  2. Click the menu icon for the username.

  3. Select Update Public Key. The Set Public Key pop-up window appears.

  4. In the Public Key field, add the new public key.

  5. Click Save. The updated public key appears as four asterisk-masked characters in the Public Key column.

Deleting the public key

To delete the public key:

  1. Select System > Users > Public Keys.

  2. Click the menu icon for the username.

  3. Select Remove Public Key.

  4. Verify that the user does not appear in the Public Keys pane.

API Tokens Sub-View

The API Tokens sub-view displays a list of all users with API tokens and the dates in which the API tokens were created.

Figure 81. API Tokens Sub-View

API Tokens Sub-View

API Tokens

API tokens are used to securely create REST API sessions. After creating an API token, users can create REST API sessions and start sending requests. REST API service sessions are completely separate from Purity GUI sessions, so REST requests cannot be accessed through the Purity GUI. For more information about the Pure Storage REST API, refer to the REST API Guide.

An API token is unique to the Purity user for whom it was created.

All users can manage and expose their own API token, but not the API tokens associated with other users. Once created, an API token is valid until it is deleted or recreated.

API token management does not affect Purity usernames and passwords. For example, deleting an API token does not invalidate the Purity username or password that was used to create the token. Likewise, changing the Purity username or password does not affect the API token.

Creating the API token

To create the API token:

  1. Select System > Users > API Tokens.

  2. Click + Token in the upper-right corner of the API Tokens pane. The Create API Token pop-up window appears.

  3. In the Name field, enter the name of the Purity user.

  4. Click Create.

    The API token appears in the API Token pane.

Recreating the API token

To recreate the API token:

  1. Select System > Users > API Tokens.

  2. Click the menu icon for the username.

  3. Select Recreate API Token.

  4. The new API token appears in the API Token pane.

Deleting the API token

To delete the API token:

  1. Select System > Users > API Tokens.

  2. Click the menu icon for the username.

  3. Select Remove API Token.

  4. Verify that the user does not appear in the API Tokens pane.

Exposing the API token

To unmask the API token so that it is exposed:

  1. Select System > Users > API Tokens.

  2. Click the menu icon for the username.

  3. Select Show API Token. The unmasked API token appears in the API Token pane.

Plugins View

The Plugins view contains a list of plugins on the array that you can install on the target host.

Figure 82. Plugins View

Plugins View

The Plugins sub-view displays the details for the selected plugin, including the available plugin version.

After you connect to the target host, you can view, install, update, or uninstall the plugin. To upgrade the plugin version from the installed version to the available version, perform an update.

Verifying the installed plugin version

To verify the plugin version that is installed on the target host:

  1. Select System > Plugins.

  2. In the Host Name field, enter the name of the target host on which to install the plugin.

  3. In the Administrator User field, enter the name of the user who will be logging in to the target host. The administrator user must be able to write to the target host.

  4. In the Administrator Password field, enter the password for the administrator who will be logging in to the target host.

  5. Click Connect. The Available Version field displays the plugin version that is on the array. The Installed Version displays the plugin version that is currently installed on the target host. If the plugin is not installed on the target host, the Installed Version field displays a dash mark.

Installing the plugin

To install the plugin that is on the array to the target host:

  1. Select System > Plugins.

  2. In the Host Name field, enter the name of the target host on which to install the plugin.

  3. In the Administrator User field, enter the name of the user who will be logging in to the target host. The administrator user must be able to write to the target host.

  4. In the Administrator Password field, enter the password for the administrator who will be logging in to the target host.

  5. Click Connect.

  6. Verify that the Installed Version field contains a dash mark. The dash mark indicates that the plugin is not installed. If the plugin is already installed, cancel the installation and update the plugin.

  7. Click Install to install the plugin.

  8. After the installation is complete, verify that the available plugin version matches the installed version.

Updating the plugin

To update the plugin on the target host to the version that is on the array:

  1. Select System > Plugins.

  2. In the Host Name field, enter the name of the target host on which to install the plugin.

  3. In the Administrator User field, enter the name of the user who will be logging in to the target host. The administrator user must be able to write to the target host.

  4. In the Administrator Password field, enter the password for the administrator who will be logging in to the target host.

  5. Click Connect.

  6. Verify that the available and installed versions do not match.

  7. Click Update to overwrite the plugin version on the target host with the version on the array.

  8. After the update is complete, verify that the available plugin version matches the installed version.

Uninstalling the plugin

To uninstall the plugin that is on the target host:

  1. Select System > Plugins.

  2. In the Host Name field, enter the name of the target host on which to install the plugin.

  3. In the Administrator User field, enter the name of the user who will be logging in to the target host. The administrator user must be able to write to the target host.

  4. In the Administrator Password field, enter the password for the administrator who will be logging in to the target host.

  5. Click Connect.

  6. Verify that the available and installed versions do not match.

  7. Click Update to overwrite the plugin version on the target host with the version on the array.

  8. After the update is complete, verify that the available plugin version matches the installed version.

Apps View

The Apps platform extends array functionality by integrating add-on, VM-based services into the Purity operating system. Each app within the platform provides one or more services.

Figure 83. Apps View

In the following example, an app named linux has been installed on the array. The linux app represents an Ubuntu Linux distribution with Docker pre-installed, giving pureuser the ability to run Docker-based containers on the array.

Apps View

The Apps view displays a list of apps that are installed on the array, along with the following attributes for each app:

  • Name: App name. The app name is pre-assigned and cannot be changed.

  • Version: App version that is currently installed on the array.

  • Status: App status. A green-colored square means that the app is running. A red-colored square means that the app is not running. If the app status is red, contact Pure Storage Support.

  • Description: Description of the app.

Note that if an app migrates between controllers, it briefly stops and restarts.

Apps require CPU, memory, network, and storage resources. For this reason, no apps are installed by default. The Apps installation process is managed by Pure Storage Support and is typically performed during a Purity installation or upgrade.

App Volumes

Each app has a boot volume and a data volume. These volumes are known as app volumes.

Select Storage > Volumes to see a list of volumes, including app volumes.

App volume names begin with a distinctive @ symbol. The naming convention for app volumes is @APP_boot for the boot volume and @APP_data for the data volume, where APP denotes the app name.

The following example displays, among other volumes, the boot and data volumes for the linux app.

apps-volumes.png

App volumes are connected to their associated app host. For example, the linux boot and data volumes are connected to the linux app host. From the list of volumes, click an app volume to see its associated app host.

The boot volume represents a copy of the boot drive of the app. Do not modify or save data to the boot volume. When an app is upgraded, the boot volume is overwritten, completely destroying its contents including any other data that is saved to it. The data volume is used by the app to store data.

The following example shows that the drives were correctly mounted inside the linux app.

pureuser@linux:~$ df
Filesystem       1K-blocks    Used   Available Use%  Mounted on
udev               8198768       0     8198768   0%  /dev
tmpfs              1643272    8756     1634516   1%  /run
/dev/sda1         15348720 1721392    12824616  12%  /
/dev/sdb       17177782208   33608 17177748600   1%  /data

Disk device /dev/sdb, which corresponds to the app data volume, is mounted on /data, meaning the data will be saved to the data volume (and not the boot volume), and disk device /dev/sda1, which corresponds to the app boot volume, is mounted on /.

App Hosts

Each app has a dedicated host, known as an app host. The app host is connected to the associated boot and data volumes. The app host is also used to connect FlashArray volumes to the app.

Unlike regular FlashArray hosts, app hosts cannot be deleted, renamed, or modified in any way. Furthermore, app hosts cannot be added to host groups or protection groups.

App host names begin with a distinctive @ symbol. The naming convention for app hosts is @APP, where APP denotes the app name. The following example displays one app host named @linux and its associated boot and data volumes.

apps-host.png

Connecting FlashArray Volumes to an App

FlashArray volumes are connected to apps via the app host. The volumes are connected to the app hosts in the same way that they are connected to regular FlashArray hosts.

In the following example, five FlashArray volumes, each with its own unique LUN, are connected to the @linux app host.

apps-host-volumes.png

A FlashArray volume can only be connected to one app host at a time. Furthermore, the FlashArray volume cannot be connected to other hosts or host groups while it is connected to an app host.

After a FlashArray volume has been connected to an app host, rescan the SCSI bus to ensure the newly-connected volumes are visible from inside the app.

The following example displays the five FlashArray volumes (and their target LUNs) as SCSI devices from inside the linux app, ready to be mounted.

pureuser@linux:~$ cat /proc/scsi/scsi
Attached devices:
Host: scsi2 Channel: 00 Id: 01 Lun: 03
  Vendor: PURE     Model: FlashArray       Rev: 9999
  Type:   Direct-Access                    ANSI  SCSI revision: 06
Host: scsi2 Channel: 00 Id: 01 Lun: 04
  Vendor: PURE     Model: FlashArray       Rev: 9999
  Type:   Direct-Access                    ANSI  SCSI revision: 06
Host: scsi2 Channel: 00 Id: 01 Lun: 05
  Vendor: PURE     Model: FlashArray       Rev: 9999
  Type:   Direct-Access                    ANSI  SCSI revision: 06
Host: scsi2 Channel: 00 Id: 01 Lun: 06
  Vendor: PURE     Model: FlashArray       Rev: 9999
  Type:   Direct-Access                    ANSI  SCSI revision: 06
Host: scsi2 Channel: 00 Id: 01 Lun: 07
  Vendor: PURE     Model: FlashArray       Rev: 9999
  Type:   Direct-Access                    ANSI  SCSI revision: 06
    

App Interfaces

For each app that is installed by Pure Storage Support, one app management interface is created per array management interface. An app data interface may also be created for high-speed data transfers.

The naming convention for app interfaces is APP.datay for the app data interface, and APP.mgmty for the app management interface, where APP denotes the app name, and y denotes the interface.

In the following example, for the linux app, two app management interfaces, one named linux.mgmt0 and another named linux.mgmt1, have been created to correspond to each of the array management interfaces. An app data interface named linux.data0 has also been created.

apps-interfaces.png

Configure an app interface to give pureuser the ability to log into the app or transfer data through through a separate interface. Configuring an app interface involves assigning an IP address to the interface and then enabling the interface.

Optionally set the gateway. Note that only one of the app interfaces of a particular app can have a gateway set.

Before you configure an app interface, make sure the corresponding external interface is physically connected.

Configure one or more of the following app interfaces:

  • App Management Interface

    Configure the app management interface to give pureuser the ability to log into the app with the same Purity login credentials. If a public key has been created for the user, it can be used to log into the app. Purity password changes are automatically applied to the app.

    To configure the app management interface, assign an IP address to one of the app management interfaces, and then enable the interface.

  • App Data Interface

    Configure the app data interface to use a separate interface for high-speed data transfers.

    To configure the app data interface, assign an IP address to the app data interface, and then enable the interface.

In the following example, app management interface linux.mgmt0 has been enabled and IP address 10.8.102.96 has been assigned to the interface, giving pureuser the ability to log directly into the linux app with the same Purity login credentials.

apps-interfaces-configured.png

App Installation

The app installation process is managed by Pure Storage Support and is typically performed during a Purity installation or upgrade. To install apps, contact a member of the Pure Storage account team or email Pure Storage Support.

Establishing connections between FlashArray volumes and apps

FlashArray volumes are connected to apps via the app host. To connect a FlashArray volume to an app:

  1. Select the Storage tab.

  2. In the Hosts section of the navigation pane, click the app host associated with the app to which you want to connect the volumes.

  3. Click the menu icon and select Connect Volumes. The Connect Volumes to Host dialog box appears.

    The volumes in the Existing Volumes column represent the volumes that are eligible to be connected to the app host, and thereby, the app.

  4. Click an existing volume in the left column to add it to the Selected Volumes column. If the volume does not exist, click Create New Volume to create a new volume and connect it to the app host.

  5. Click Confirm.

  6. Rescan the SCSI bus to ensure that all newly-added FlashArray volumes are visible from inside the app.

    After the SCSI bus rescan, the FlashArray volumes (and their target LUNs) are visible as SCSI devices from inside the app, ready to be mounted.