Skip to main content
Pure Technical Services

How To: Change the IP Address of a FlashArray Controller when using vVols on the FlashArray

Currently viewing public documentation. Please login to access the full scope of documentation.

KP_Ext_Announcement.png
One of the more overlooked aspects to using vVols with Pure Storage and the FlashArray is the VASA Certificates.  That could be viewed as a good thing though.  Since you aren't needing to spend much time managing the Certificates on the FlashArray then the automation behind the certificate creating and management is working correctly.  However, a crucial component to the the VASA Certificate is the FlashArray Controller IP.  This KB will cover what to do if the IP is changed and vVols is in use.

There are one or two processes that will need to be followed depending on which Purity Version the FlashArray is on.  Starting with Purity 5.3.0, management of the VASA certificates was moved to using the purecert command either with the API or CLI.  Prior to Purity 5.3.0, any changes to the VASA certificated need to involve Pure Support and a support case needs to be opened.  This KB will cover the process for both procedures.

Purity //FA 5.3.0 or Higher

With Purity //FA 5.3.0 and higher, the management of the VASA certificate is done with purecert in the CLI or API.  What does this mean?  It means that the end user does not require support or a support case to reset, update, or import certificate to the VASA Provider.  Now let's cover what to do in the event that the FlashArray controller's IP is changed.

First you need to know what kind of certificate you have on the FlashArray.  Is it the default certificate, is it the default VMCA Certificate, is it an imported self-signed certificate or is it an imported signed certificated?  In the event that you are using a imported self-signed certificated or imported signed certificate, you will need to generate a new certificate and import it again. 

Process if the VASA Certificate is an Imported Cert

Please follow this KB for the process of creating a self-signed or signed certificate and importing it

Here is a brief summary of the steps to follow:

  • Remove the current storage provider in the vCenter(s) for the controller you will be changing the IP
  • Change the IP Address for the controller
  • Follow the KB linked above to generate a new certificate
  • Import the updated certificate
  • Re-register the storage provider for that controller in the vCenter(s)

In some cases the vCenter's certificate service may not refresh the changes in storage provider certificates.  While vCenter is able to register the storage providers and they show active and online, ESXi hosts are unable to successfully establish connections to the VASA providers.  In these cases the ESXi hosts need to have their CA/CRL information refreshed to them.  Please see this KB Section for information on how to address this.

Process if the VASA Certificate is a VMCA Certificate

In the event that the default VMCA Certificate is in use, follow this KB for the process of resetting the certificate with the updated IP.

Here is a brief summary of the steps to follow:

  • Remove the current storage provider in the vCenter(s) for the Controller you will be changing the IP
  • Change the IP Address for the Controller
  • Follow the KB linked above to reset and create a new VASA certificate
  • Re-register the storage provider for that Controller in the vCenter(s)
  • Sometimes you may need to wait 15 minutes after resetting the certificate before registering the storage provider

In some cases the vCenter's certificate service may not refresh the changes in storage provider certificates.  While vCenter is able to register the storage providers and they show active and online, ESXi hosts are unable to successfully establish connections to the VASA providers.  In these cases the ESXi hosts need to have their CA/CRL information refreshed to them.  Please see this KB Section for information on how to address this.

Purity //FA 5.0 to 5.2

In the event that the FlashArray is running Purity/FA 5.0.x, 5.1.x or 5.2.x, then the storage providers will need to be removed and re-registered.  

If the re-register is failing, then you may need to open up a support case to have support reset the certificates on the VASA service for each controller.

Once the certificate is reset by Pure Support, then re-register the storage providers with the new IP addresses. 

Conclusions and Related Articles

Overall, updating the Management IP address on your FlashArray has been a simple process.  The tricky part has been the impact to the VASA Certificates until the release of Purity 5.3.  In general, re-registering the storage providers after changing the IP address should if the FlashArray is not on Purity 5.3 should work.  However, there have been cases where Pure Support was needed in order to manually reset the certificates for the end user.  This KB will help both the end user and Pure Support when changing the management IP addresses on the FlashArray when vVols is being used on that FlashArray.

See the KB that covers managing the FlashArray's VASA certificates with purecert for more information.