Pure Technical Services

Web Guide: Configuring Multiple Non-Linked vCenters with the FlashArray VASA Provider


With the release of Purity 5.3, the FlashArray's VASA provider will support being registered with multiple non-linked vCenter Servers. This KB covers the process of importing both CA and OpenSSL Signed Certificates to the FlashArray using the purecert CLI command and registering these storage providers.

Overview

Prior to Purity 5.3.0, the FlashArray could only have its VASA Providers registered against a single SSO domain.  This meant that a FlashArray could only have Storage Providers registered with a single vCenter Server, with one exception: vCenter Servers in Enhanced Linked Mode could all register, as they shared the same SSO.

With the release of Purity 5.3.0, the FlashArray will now support the ability to import certificates to the VASA Providers on each controller.  This means that by importing a certificate for both VASA providers, the FlashArray will allow multiple non-linked vCenters to register against that certificate and VASA provider.  Beyond that, this also provides the ability for end-users to generate Certificate Signing Requests for each VASA Provider and get a CA Signed certificate imported.

Please note that by importing certificates to the VASA providers, you will cause any existing storage providers that are registered to go out of sync and report as offline since the certificate has changed.  This will require the end-user to remove the old storage providers and re-register the storage providers once the new certificates are imported.  Each step of this process is covered below.

The FlashArray VASA version 1.1.0 is the first certified VASA version for Multi-vCenter Support.  This VASA version is only available in Purity 5.3.6 and higher.

All VASA versions above 1.1.0 also support Multi-vCenter configurations.


Generating and Importing the Certificate

VMware does not support self-signed certificates for registering Storage Providers in ESXi 6.7 and higher.  Multi-vCenter Support therefore requires a signed certificate to be imported to VASA on the FlashArray.  As long as the CA's root certificate is added to the vCenter's list of trusted root certificates, the VASA Provider can be registered to that vCenter.

There are two main ways to get a signed certificate for VASA on the FlashArray.  The first is to use a CA (Certificate Authority) to sign a CSR generated from the FlashArray for VASA-CT0 and VASA-CT1.  The second is to use OpenSSL to manually create a signed cert and private key pair.  Getting a CA to sign the CSR is the strongly recommended method; the OpenSSL method should only be used in test environments.


Enterprise CA Signed Certificate Process

The process of getting a CA-signed certificate imported for the VASA providers will be as follows:

  • Generate a CSR from the FlashArray CLI and copy down the request.
  • As the FlashArray does not allow setting Subject Alternative Names in generated CSRs, the CA will need to have the ability to set the SAN for the certificate.
    Make sure that the CA that is going to sign the certificates has that option.
  • Provide the CSRs to the CA with the appropriate SAN entry.
  • Import the signed certificates to vasa-ct0 and vasa-ct1.

In the example below, a Microsoft Certificate Authority is used to sign the certificate through the Web service.  In order to set SAN entries, the option had to be enabled, as it is disabled by default.  Consult with your Security Team that manages the Certificate Authority and make sure that they know that a SAN entry for the IP address must be included.  See these two articles for more information:  Microsoft KB 1 and Microsoft KB 2.

As noted, by default the ability to set SAN entries in the Web Enrollment for the Microsoft CA is disabled.  While it can be enabled (you can search for articles about "EDITF_ATTRIBUTESUBJECTALTNAME2" to find the posts detailing how), Microsoft does not recommend doing so or leaving it enabled (see the second KB linked).  Currently, Pure Storage is working to add the ability to generate a CSR with SAN entries to the purecert command. Once that work is complete, then manually entering the SAN entry in the certificate request will not be required.

Creating a Certificate Signing Request (CSR) from the FlashArray

The first step is to create a CSR for vasa-ct0 and vasa-ct1 from the FlashArray CLI.  This can be done as any array admin user or as the local array admin user. The pureuser account is used in the example.

  1. SSH into the FlashArray as an Array Admin user.
    $ ssh pureuser@10.21.88.116
    
    pureuser@10.21.88.116's password:
    
    Welcome pureuser. This is Purity Version 5.3.0 on FlashArray sn1-405-c12-21
    http://www.purestorage.com/
    pureuser@sn1-405-c12-21>
    
    Once logged into the FlashArray CLI, the array's certificates can be viewed or checked using the purecert command.
    pureuser@sn1-405-c12-21> purecert list
    Name        Status    Key Size  Issued To     Issued By  Valid From               Valid To                 Country  State/Province  Locality       Organization    Organizational Unit  Email  Common Name
    management  imported  4096      10.21.88.116  CA         2019-06-05 17:49:10 PDT  2021-06-04 17:49:10 PDT  US       California      Mountain View  Pure Solutions  Solutions            -      10.21.88.116
    vasa-ct0    imported  4096      10.21.88.117  CA         2019-06-05 17:41:47 PDT  2021-06-04 17:41:47 PDT  US       California      Mountain View  Pure Solutions  Solutions            -      10.21.88.117
    vasa-ct1    imported  4096      10.21.88.118  CA         2019-06-05 17:43:22 PDT  2021-06-04 17:43:22 PDT  US       California      Mountain View  Pure Solutions  Solutions            -      10.21.88.118
    
  2. Generate a CSR for vasa-ct0 and copy down the CSR in notepad and/or paste it into a new .csr file.
    pureuser@sn1-405-c12-21> purecert construct --certificate-signing-request --common-name 10.21.88.117 --country US --state California --locality 'Mountain View' --organization 'Pure Storage' --organizational-unit 'Solutions Engineering' vasa-ct0
    -----BEGIN CERTIFICATE REQUEST-----
    -----END CERTIFICATE REQUEST-----
    
  3. Repeat for vasa-ct1.
    pureuser@sn1-405-c12-21> purecert construct --certificate-signing-request --common-name 10.21.88.118 --country US --state California --locality 'Mountain View' --organization 'Pure Storage' --organizational-unit 'Solutions Engineering' vasa-ct1
    -----BEGIN CERTIFICATE REQUEST-----
    -----END CERTIFICATE REQUEST-----
    

Now that the CSRs are generated and saved, the next step is getting a signed certificate, either from a CA or self-signed with OpenSSL.

Signing the CSR

The process of getting the Certificate Authority to sign the CSR will depend on what type of Certificate Authority your environment has.  Consult your security team or the team managing the certificates for the process to submit the certificate requests.  In the example below the CSR is signed by a Microsoft CA.

  1. Navigate to the CA web enrollment site and provide the CSR and SAN.
    Request a new certificate, then submit an advanced certificate request.
    In the request, provide the CSR along with the SAN for the IP address of the controller.
    Download the Base-64 encoded certificate once the certificate is generated.
  2. Repeat the same steps for vasa-ct1.
  3. Once both certificates are issued, open both of them in a text editor, such as Notepad/Notepad++, and copy down the certificates.

Both vasa-ct0 and vasa-ct1's certificates can now be imported as they are signed and saved.

Importing the Signed Certificate

Much like the self-signed certificate process, this must be done from the FlashArray CLI.  The difference is that the private key does not need to be provided.

  1. Use purecert to import the signed certificate, just as it was done with the self-signed method outlined previously in the KB.

    An important reminder: once the certificate is imported, any existing storage providers that are registered with the VASA provider will go offline, because the new certificate causes an authentication failure with the existing storage providers.

  2. Here is an example of that process. Please note that when you are setting the certificate and key attributes (using purecert setattr) or creating a certificate on the array (purecert create), you will need to press enter once after pasting the text for the certificate and key but before pressing control+D:
    ## vasa-ct0 ##
    pureuser@sn1-405-c12-21> purecert setattr --certificate vasa-ct0
    Please enter certificate followed by ^D:
    
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    
    Name      Status    Key Size  Issued To     Issued By  Valid From               Valid To                 Country  State/Province  Locality       Organization    Organizational Unit    Email  Common Name
    vasa-ct0  imported  2048      10.21.88.117  CA         2019-09-04 07:20:40 PDT  2021-09-03 07:28:44 PDT  US       California      Mountain View  Pure Storage  Solutions Engineering  -      10.21.88.117
    
    ## vasa-ct1 ##
    pureuser@sn1-405-c12-21> purecert setattr --certificate vasa-ct1
    Please enter certificate followed by ^D:
    
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    
    Name      Status    Key Size  Issued To     Issued By  Valid From               Valid To                 Country  State/Province  Locality       Organization  Organizational Unit    Email  Common Name
    vasa-ct1  imported  2048      10.21.88.118  CA         2019-09-04 07:21:48 PDT  2021-09-03 07:21:48 PDT  US       California      Mountain View  Pure Storage  Solutions Engineering  -      10.21.88.118
    
    ## purecert list output ##
    pureuser@sn1-405-c12-21> purecert list
    Name        Status    Key Size  Issued To     Issued By  Valid From               Valid To                 Country  State/Province  Locality       Organization    Organizational Unit    Email  Common Name
    management  imported  2048      10.21.88.116  CA         2019-08-02 08:44:43 PDT  2021-08-01 08:44:43 PDT  US       California      Mountain View  Pure Solutions  Solutions              -      10.21.88.116
    vasa-ct0    imported  2048      10.21.88.117  CA         2019-09-04 07:20:40 PDT  2021-09-03 07:28:44 PDT  US       California      Mountain View  Pure Storage    Solutions Engineering  -      10.21.88.117
    vasa-ct1    imported  2048      10.21.88.118  CA         2019-09-04 07:21:48 PDT  2021-09-03 07:21:48 PDT  US       California      Mountain View  Pure Storage    Solutions Engineering  -      10.21.88.118
    
    

Now there are signed certificates imported for both CT0 and CT1.

When trying to import by pasting in the certificates, the array may respond with "Error: Certificate requires a private key".

If both the certificate and its private key are available, try importing them together:

purecert setattr --certificate --key vasa-ct0
purecert setattr --certificate --key vasa-ct1

OpenSSL Signed Certificate

An alternative to using a CA to sign a CSR is to use OpenSSL to sign the certificate request.  

Creating the Signed Certificate

The OpenSSL creation steps should never be performed on a FlashArray and should only be taken on an OpenSSL deployment in your environment.

 

Here are the steps for creating a signed certificate with OpenSSL.

  1. It is a good idea to first create a directory for the certificates.  For example:
    ## Create a Directory for the Certificates ##
    mkdir ~/VASA-Certs
    
    ## Create a directory for each FlashArray controller ##
    mkdir ~/VASA-Certs/sn1-405-c12-21-ct0
    mkdir ~/VASA-Certs/sn1-405-c12-21-ct1
    
  2. Next, create a v3.ext file for vasa-ct0 and vasa-ct1.  The important part here is to make sure the correct Subject Alternative Name (SAN) is set in the v3.ext file.
    ## Using vim (or any text editor) create a v3.ext file with the following ##
    [req]
    default_bits = 2048
    prompt = no
    default_md = sha256
    [v3_ca]
    subjectAltName = IP:<IP address of controller>
    
    ## So for example ##
    vim ~/VASA-Certs/sn1-405-c12-21-ct0/v3.ext
    
    [req]
    default_bits = 2048
    prompt = no
    default_md = sha256
    [v3_ca]
    subjectAltName = IP:10.21.88.117
    
    vim ~/VASA-Certs/sn1-405-c12-21-ct1/v3.ext
    
    [req]
    default_bits = 2048
    prompt = no
    default_md = sha256
    [v3_ca]
    subjectAltName = IP:10.21.88.118
    
  3. A root certificate will need to be created with OpenSSL.
    openssl genrsa -passout pass:test -des3 -out rootCA.key 4096
    openssl req -x509 -new -passin pass:test -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt -subj "/C=US/O=Pure Storage/OU=Solutions Engineering/CN=Pure Storage"
    
  4. After the Root Cert is created, generate a private key and generate the CSR for VASA-CT0 and VASA-CT1.  Make sure that the Common Name of the CSR matches the IP address from the subject alternate name.
    ##Creating Private Keys##
    openssl genrsa -out ~/VASA-Certs/sn1-405-c12-21-ct0/server.key 2048
    openssl genrsa -out ~/VASA-Certs/sn1-405-c12-21-ct1/server.key 2048
    
    ##Creating CSRs##
    openssl req -new -key ~/VASA-Certs/sn1-405-c12-21-ct0/server.key -out ~/VASA-Certs/sn1-405-c12-21-ct0/server.csr
    openssl req -new -key ~/VASA-Certs/sn1-405-c12-21-ct1/server.key -out ~/VASA-Certs/sn1-405-c12-21-ct1/server.csr
    
    Make sure that the O and OU for the CSR are not both set to Pure Storage.  The email address and password can both be skipped by pressing enter.
  5. Create the signed certificates by signing the CSR with the Root Cert that was created.
    cd ~/VASA-Certs/sn1-405-c12-21-ct0/
    openssl x509 -req -passin pass:test -in server.csr -CA ../rootCA.crt -CAkey ../rootCA.key -CAcreateserial -out server.crt -extfile v3.ext -extensions v3_ca -days 729
    
    cd ~/VASA-Certs/sn1-405-c12-21-ct1/
    openssl x509 -req -passin pass:test -in server.csr -CA ../rootCA.crt -CAkey ../rootCA.key -CAcreateserial -out server.crt -extfile v3.ext -extensions v3_ca -days 729
    
  6. Either copy the rootCA.crt that was created to vCenter (with scp, etc.) or create a .pem file containing the cert.  This will be needed to make sure that the trusted root cert is in vCenter in the following step.
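The OpenSSL procedure above as one non-interactive script, followed by the checks worth running before importing anything to the array: the certificate's CN, its SAN IP, and the chain back to rootCA.crt. This is an added example and not part of the KB; it assumes openssl on an admin workstation (never the FlashArray), the KB's controller IP 10.21.88.117 and directory names, and the throwaway passphrase "test" from step 3.

```shell
#!/bin/sh
# Added example, not part of the Pure KB: the OpenSSL steps run
# non-interactively, then the pre-import checks (CN, SAN IP, chain).
# Run on an admin workstation with openssl, never on the FlashArray.
# Assumed values: the KB's controller IP 10.21.88.117 and directory names;
# "test" is the throwaway root key passphrase the KB uses.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
ROOT_PASS="pass:test"

# Step 2 of the KB: v3.ext carrying the SAN for one controller.
write_v3_ext() {              # $1 = controller IP, $2 = output path
  cat > "$2" <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
[v3_ca]
subjectAltName = IP:$1
EOF
}

# Step 3: a throwaway root CA (2048-bit here to keep the demo quick).
make_root_ca() {              # $1 = directory for rootCA.key / rootCA.crt
  openssl genrsa -passout "$ROOT_PASS" -des3 -out "$1/rootCA.key" 2048 2>/dev/null
  openssl req -x509 -new -passin "$ROOT_PASS" -key "$1/rootCA.key" -sha256 \
    -days 1024 -out "$1/rootCA.crt" \
    -subj "/C=US/O=Pure Storage/OU=Solutions Engineering/CN=Pure Storage" 2>/dev/null
}

# Steps 4-5: private key, CSR with CN = controller IP (given via -subj instead
# of the interactive prompts), and the cert signed by the root with the SAN
# from v3.ext. An optional 4th argument sets a different SAN IP so the
# mismatch failure mode can be demonstrated.
make_controller_cert() {      # $1 = root dir, $2 = controller dir, $3 = CN IP, [$4 = SAN IP]
  mkdir -p "$2"
  write_v3_ext "${4:-$3}" "$2/v3.ext"
  openssl genrsa -out "$2/server.key" 2048 2>/dev/null
  openssl req -new -key "$2/server.key" -out "$2/server.csr" \
    -subj "/C=US/ST=California/L=Mountain View/O=Pure Solutions/OU=Solutions/CN=$3" 2>/dev/null
  openssl x509 -req -passin "$ROOT_PASS" -in "$2/server.csr" \
    -CA "$1/rootCA.crt" -CAkey "$1/rootCA.key" -CAcreateserial \
    -out "$2/server.crt" -extfile "$2/v3.ext" -extensions v3_ca -days 729 2>/dev/null
}

# Pre-import checks: the SAN must carry an IP equal to the CN (the KB's main
# gotcha) and the cert must chain to rootCA.crt, which is what vCenter verifies
# once that root is in its trusted store. Prints the CN on success.
check_controller_cert() {     # $1 = root dir, $2 = controller dir
  cn=$(openssl x509 -in "$2/server.crt" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  san=$(openssl x509 -in "$2/server.crt" -noout -text \
       | grep -A1 'Subject Alternative Name' \
       | sed -n 's/.*IP Address:\([0-9.]*\).*/\1/p')
  if [ -z "$san" ] || [ "$san" != "$cn" ]; then
    echo "SAN IP '$san' does not match CN '$cn'" >&2
    return 1
  fi
  openssl verify -CAfile "$1/rootCA.crt" "$2/server.crt" >/dev/null 2>&1 || {
    echo "server.crt does not chain to rootCA.crt" >&2
    return 1
  }
  echo "$cn"
}

# Walk through vasa-ct0 end to end; prints 10.21.88.117 when everything checks out.
run_demo() {
  make_root_ca "$WORKDIR"
  make_controller_cert "$WORKDIR" "$WORKDIR/sn1-405-c12-21-ct0" 10.21.88.117
  check_controller_cert "$WORKDIR" "$WORKDIR/sn1-405-c12-21-ct0"
}

run_demo
```

The files left in WORKDIR (server.key, server.crt, rootCA.crt) are the ones the import and vCenter trust steps below consume.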

Importing the OpenSSL signed Certificate on the FlashArray

  1. Copy down the private key and certificate for both vasa-ct0 and vasa-ct1.
    cat ~/VASA-Certs/sn1-405-c12-21-ct0/server.key
    
    cat ~/VASA-Certs/sn1-405-c12-21-ct0/server.crt
    
  2. Import the key and certificate for vasa-ct0.
    Once the certificate is imported, it will cause any existing storage providers that are registered with the VASA provider to go offline due to the new certificate being imported. This will cause an authentication failure with the existing storage providers.
    purecert setattr --certificate --key vasa-ct0
    
  3. Import the key and certificate for vasa-ct1.
    purecert setattr --certificate --key vasa-ct1
    
  4. Check the certificates with purecert list.
    purecert list
    

Now that both certificates are imported, you will want to make sure the CA Root Cert that was created has been imported to the vCenter's trusted root certs, and then register the storage providers.

Checking that the CA Root Cert is trusted on the vCenter Server

Be sure to check that the CA Root certificate is trusted on each vCenter Server that the VASA providers will be getting registered with.

While you can use either the vCenter UI or vCenter CLI to check the trusted root certs for the Root CA's cert, the CLI is going to offer more consistent results. 
In the event that it's not there, you can use the vCenter CLI or vCenter UI to import the trusted root cert.  

Here is an example of using the vCenter CLI to import a Root Cert to the Trusted Root Store:

## The root cert can either be SCP'd to the vCenter Server or you can just create a .pem file with the root cert ##

root@prod-vcsa [ ~ ]# vim /root/custom-root-cert.pem
root@prod-vcsa [ ~ ]# cat /root/custom-root-cert.pem
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

root@prod-vcsa [ ~ ]#

## Then use the dir-cli tool to publish this root cert ##

root@prod-vcsa [ ~ ]# /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /root/custom-root-cert.pem
Enter password for administrator@sso.alex.purestorage.com:
Certificate pubished successfully
root@prod-vcsa [ ~ ]#

## The VMCA service should be started as well to ensure that the most consistent results are found ##

At this time Pure does not recommend using the vCenter Server GUI to import and manage the certificates in the trusted root store.  The main reason is that the GUI is still inconsistent in making sure that the certificate is imported correctly.  Additionally, the vmca service is not restarted when importing via the GUI, which can lead to delays in getting the certs pushed to the ESXi hosts in that vCenter.  Instead, Pure recommends managing these certificates via the vCenter Server CLI.

Process to Refresh ESXi Hosts CA/CRL via vCenter

If the Root CA cert is being imported for the first time, you will want to make sure that the vCenter Trusted Root certs are getting published to the ESXi hosts in the vCenter. This can be done manually for each host, however, PowerCLI and PowerShell can also do this. 

Leverage the following workflow:


## Connect to the vCenter Server ##
Connect-VIServer -server vcenter-server
  
  
## Get the ESXi hosts and set it to a variable ##
$hosts = get-vmhost
  
  
## Start the Service Instance ##
$si = Get-View ServiceInstance
  
  
## Start the certificate Manager view ##
$certMgr = Get-View -Id $si.Content.CertificateManager
  
  
## Using the Cert Manager, refresh the ESXi hosts Certs ##
## This pushes all certificates in the TRUSTED_ROOTS store in the vCenter Server VECS store to the host. ##
$certMgr.CertMgrRefreshCACertificatesAndCRLs($Hosts.ExtensionData.MoRef)
  
  
## Now in vCenter the vvol datastore should be accessible for each of those hosts.  No need to do the ssl_reset and restart on VVold ##

Here is an example of this workflow:

PS C:\> Connect-VIServer -Server dev-vcsa

Name                           Port  User                          
----                           ----  ----                          
dev-vcsa                       443   ALEX\Carver                   

PS C:\> Get-Cluster -Name "Dev Cluster"

Name                           HAEnabled  HAFailover DrsEnabled DrsAutomationLevel  
                                          Level                                     
----                           ---------  ---------- ---------- ------------------  
Dev Cluster                    True       1          True       FullyAutomated      

PS C:\> $ESXi_Cluster = Get-Cluster -Name "Dev Cluster"

PS C:\> $ESXi_Cluster | Get-VMHost

Name                 ConnectionState PowerState NumCpu CpuUsageMhz CpuTotalMhz   MemoryUsageGB   MemoryTotalGB Version
----                 --------------- ---------- ------ ----------- -----------   -------------   ------------- -------
esxi-7.alex.pures... Connected       PoweredOn      16         151       38304          14.586         255.897   6.7.0
esxi-6.alex.pures... Connected       PoweredOn      20         141       43880          16.166         255.892   6.7.0
esxi-4.alex.pures... Connected       PoweredOn      20          94       43880           8.945         255.892   6.7.0

PS C:\> $hosts = $ESXi_Cluster | Get-VMHost

PS C:\> $hosts

Name                 ConnectionState PowerState NumCpu CpuUsageMhz CpuTotalMhz   MemoryUsageGB   MemoryTotalGB Version
----                 --------------- ---------- ------ ----------- -----------   -------------   ------------- -------
esxi-7.alex.pures... Connected       PoweredOn      16         151       38304          14.586         255.897   6.7.0
esxi-6.alex.pures... Connected       PoweredOn      20         141       43880          16.166         255.892   6.7.0
esxi-4.alex.pures... Connected       PoweredOn      20          94       43880           8.945         255.892   6.7.0

PS C:\> $si = Get-View ServiceInstance

PS C:\> $certMgr = Get-View -Id $si.Content.CertificateManager

PS C:\> $certMgr.CertMgrRefreshCACertificatesAndCRLs($Hosts.ExtensionData.MoRef)

PS C:\>
 

Once this is all completed, you can register the storage providers.


Registering Storage Providers

With either the OpenSSL or CA signed certificate, be sure to double-check that the CA Root Certificate is already added to the vCenter's trusted root certs.  If not, this will need to be done prior to registering the storage providers.  Be sure that the trusted root cert has propagated to each of the ESXi hosts as well; the previous section provides a method that ensures each ESXi host has the trusted root certs.

  1. Check if the FlashArray's VASA providers are already registered for the given vCenter. Should they be, remove the offline storage providers.
  2. Use the Pure Storage vSphere Plugin to register the storage providers by following this section of the vVol Implementation Guide if you have the plugin installed; if you are unable to use the vSphere Plugin, please follow this section instead

Repeat for as many vCenter Servers as needed.


Closing Thoughts

Overall the process is fairly straightforward.  However, when creating either a self-signed or signed certificate, you must make sure the SAN entry for the IP Address matches the Common Name (this would be the IP address for either ETH0 or ETH1).  There is some additional testing being done for both IPv6 and FQDNs being used as the common name and SAN, however, at this time we still recommend using IPv4 for the Common Name and SAN attribute.  Keep in mind that any request to the VASA Provider will fail between the time that the certificates are imported and when the storage providers are re-registered.  This is expected as the storage providers would be marked as offline since the certificates changed.  Take this into account when planning to import a signed certificate.

If you have any questions, concerns, or feedback on the process either leave feedback on the KB or open a support case.