Skip to main content
Pure Technical Services

Web Guide: Configuring Multiple Non-Linked vCenters with the FlashArray VASA Provider

Currently viewing public documentation. Please login to access the full scope of documentation.

 

With the release of Purity 5.3, the FlashArray's VASA provider will support being registered with multiple non-linked vCenter Servers. This KB covers the process of importing both CA and OpenSSL Signed Certificates to the FlashArray using the purecert CLI command and registering these storage providers.

Overview

Prior to Purity 5.3.0, the FlashArray had a limitation of only being able to provide the VASA Providers to be registered against a single SSO.  Which meant that a FlashArray would only be able to have Storage Providers registered with a single vCenter Server, with one exception:  vCenter Servers that were in Enhanced Linked Mode could all register, as they shared the same SSO.

With the release of Purity 5.3.0, the FlashArray will now support the ability to import certificates to the VASA Providers on each controller.  This means that by importing a certificate for both VASA providers, the FlashArray will allow multiple non-linked vCenters to register against that certificate and VASA provider.  Beyond that, this also provides the ability for end-users to generate Certificate Signing Requests for each VASA Provider and get a CA Signed certificate to import.

One thing to keep in mind is that by importing certificates to the VASA providers, you will cause any existing storage providers that are registered to go out of sync and report as offline since the certificate has changed.  This will require the end-user to remove the old storage providers and re-register the storage providers once the new certificates are imported.  Each step of this process is covered below.

The FlashArray VASA version 1.1.0 is certified for Multi-vCenter Support.  This VASA version is only available in Purity 5.3.6 and higher.


Generating and Importing the Certificate

VMware will not support Self Signed Certifications in ESXi 6.7 and higher, for use with registering Storage Providers.  Use of Multi-vCenter Support will require the use of a Signed Certification being imported to VASA on the FlashArray.  So long as the the CA's Root Cert is added to the vCenter's list of Trusted Root certs, then the VASA Provider can be registered to that vCenter. 

There are two main ways to get a Signed Certification for VASA on the FlashArray.  The first is to use a CA (Certificate Authority) to sign a CSR generated from the FlashArray for VASA-CT0 and VASA-CT1.  The second method is to leverage OpenSSL to manually create a signed cert and private key pair.  Getting a CA to sign the CSR is the strongly recommended method.  OpenSSL method should really only be used in test environments.  

Enterprise CA Signed Certificate Process

The process of getting a CA-signed certificate imported for the VASA providers will be as follows:

  • Generate a CSR from the FlashArray CLI and copy down the request.
  • As the FlashArray does not allow setting Subject Alternate Names in generated CSRs, the CA will need to have the ability to set the SAN for the Certificate. 
    Make sure that the CA that is going to sign the certificates has that option.  
  • Provide the CSR's to the CA with the appropriate SAN entry.
  • Import the signed certificates to vasa-ct0 and vasa-ct1.

In the example below, a Microsoft Certificate Authority is used to sign the certificate through the Web service.  In order to set SAN entries, the option had to be enabled, as it is disabled by default.  Consult with your Security Team that manages the Certificate Authority and make sure that they know that a SAN entry for the IP address must be included.  See these two articles for more information:  Microsoft KB 1 and Microsoft KB 2.

As noted, by default the ability to set SAN entries in the Web Enrollment for the Microsoft CA is disabled.  While it can be enabled (you can search for articles about "EDITF_ATTRIBUTESUBJECTALTNAME2" to find the posts detailing how), Microsoft does not recommend doing so or leaving it enabled (see the second KB linked).  Currently, Pure Storage is working to add the ability to generate a CSR with SAN entries to the purecert command. Once that work is complete, then manually entering the SAN entry in the certificate request will not be required.

Creating a Certificate Signing Request (CSR) from the FlashArray

The first step is to create a CSR for vasa-ct0 and vasa-ct1 from the FlashArray CLI.  This can be done as any array admin user or as the local array admin user. The pureuser account is used in the example.

  1. SSH into the FlashArray as an Array Admin user.
    $ ssh pureuser@10.21.88.116
    
    pureuser@10.21.88.116's password:
    
    Welcome pureuser. This is Purity Version 5.3.0 on FlashArray sn1-405-c12-21
    http://www.purestorage.com/
    pureuser@sn1-405-c12-21>
    
    Once logged into the FlashArray, CLI the FA Certificates can be viewed or checked using the purecert command.
    pureuser@sn1-405-c12-21> purecert list
    Name        Status    Key Size  Issued To     Issued By  Valid From               Valid To                 Country  State/Province  Locality       Organization    Organizational Unit  Email  Common Name
    management  imported  4096      10.21.88.116  CA         2019-06-05 17:49:10 PDT  2021-06-04 17:49:10 PDT  US       California      Mountain View  Pure Solutions  Solutions            -      10.21.88.116
    vasa-ct0    imported  4096      10.21.88.117  CA         2019-06-05 17:41:47 PDT  2021-06-04 17:41:47 PDT  US       California      Mountain View  Pure Solutions  Solutions            -      10.21.88.117
    vasa-ct1    imported  4096      10.21.88.118  CA         2019-06-05 17:43:22 PDT  2021-06-04 17:43:22 PDT  US       California      Mountain View  Pure Solutions  Solutions            -      10.21.88.118
    
  2. Generate a CSR for vasa-ct0 and copy down the CSR in notepad and/or pasted it into a new .csr file.
    pureuser@sn1-405-c12-21> purecert construct --certificate-signing-request --common-name 10.21.88.117 --country US --state California --locality 'Mountain View' --organization 'Pure Storage' --organizational-unit 'Solutions Engineering' vasa-ct0
    -----BEGIN CERTIFICATE REQUEST-----
    MIIC0DCCAbgCAQAwgYoxFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxCzAJBgNVBAYT
    AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMR4wHAYDVQQLDBVTb2x1dGlvbnMgRW5n
    aW5lZXJpbmcxFTATBgNVBAMMDDEwLjIxLjg4LjExNzEXMBUGA1UECgwOUHVyZSBT
    b2x1dGlvbnMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDXfefnc1t
    QsSGKLhZpPS4oUU9Y7m/NH+MZ1GzuujA7pTbQvcnXKXcTUgAg6CEtcxslwfx2v/r
    hwIA9Sp0/WzCMOGS2l1CloKaIjSVgmXma8BEpAxsNI9NIZ/qtfkP75N9Ai5yeSJb
    40m8/4q5yRNbs4DdGjSXDu4p5kGfeLL0IZiUngQZZUdgVEkKmaWdkG4mjMsmx+ND
    HclN0b+7gWaphOM4j3RUVBvk3H5qYYkRgGgnprCMucewG/RZqwDjQCTdYjYboqbw
    GPJj2/Lu6c4uiOOtNHdlRp0GMjioMnw3J8GQ2thsWhpS8Aq6e30c3Z1Hyk8En3Y2
    8S1OA/MIMsQvAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEARUxJUl4bqwQvIcNj
    pmswd0VtgkmpKYzcQRXGSH1/T3fiIOkY3DAynY+nO4n/qi8AqHIjmoRHhg2VW23i
    zAiwdqaEvqMcbMhUZF69Ouziz7pswaXP4W5U5ZJ3nqERHoWAtcxvOgKi6ww0u6OL
    bBE0sWPZy/AaQVep39y7kXCIBfZJzlHBb4oIy9opfd9TqcqnIgkYCddSbxUKNL0/
    0FPTuzii2Q7WTHphlTeJdd+rluWSc06GaB4F8+x9OXfn/cGXzX+XdK8tIZdtdV/y
    AlEXepRtiX6JQsnji0DkJKBnY0i3dkwdkhdX5EM1cWQqWbHB9Bj6gHcbA55vgMRH
    CFbZgA==
    -----END CERTIFICATE REQUEST-----
    
  3. Repeat for vasa-ct1.
    pureuser@sn1-405-c12-21> purecert construct --certificate-signing-request --common-name 10.21.88.118 --country US --state California --locality 'Mountain View' --organization 'Pure Storage' --organizational-unit 'Solutions Engineering' vasa-ct1
    -----BEGIN CERTIFICATE REQUEST-----
    MIICzjCCAbYCAQAwgYgxFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxCzAJBgNVBAYT
    AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMR4wHAYDVQQLDBVTb2x1dGlvbnMgRW5n
    aW5lZXJpbmcxFTATBgNVBAMMDDEwLjIxLjg4LjExODEVMBMGA1UECgwMUHVyZSBT
    dG9yYWdlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6LwIcLg68qmn
    jnMKBUanqrUAzCmySBME2qyMY86ZY+OAs3g6EwmLVE5DuQlXBTfonVgUGPCXm8k/
    30rWwvQUgOXKk161VWCGGixI7rPQrXKeBNpCeaLvQSIqySdnUtv1BU1MTkQuN4Xr
    76oMX4NWRtfRj/aUPZB+5vqBAAZTT7IVtx1WHEy13x0G4WUU3Mq3M33lXljEjDLc
    JjCFTZB6pI0Fc5nVBe9MpAVTNTDs8Vs14VC7cBlIekFVIBnw/AitZeJ6lZUSKbDc
    fasPiAS57jlwX8/dlTSqveAcndh3BZtIPOlEOAvr4G7/vYhhnnOVIs9P1V6RBAgU
    0JaNQ+RXjQIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAEs1s36poZ1hb1LvFg2J
    6QTkdliQcasXu28Mcrut4us0QSQ4EzahGEYu33AhQYLhSarZtOhvMgFkYjvQMkPK
    bg2mnr04/F35PzO4r0fehQLRcAFj25R/5djohlQg7w/9CJqPy81CwpCDNvoBwX0o
    pO8vp9yXpTwpCau7BAm5VO9WgNQgEP9XZAnVpEFfnXz7VLUn6OeDdjIwCsMXVu65
    qX83sjYGa6wTRbpI7jFxG8wM/D8FJxbhuySFH9nxt4BAAkp8wYOxBn32Mp/2CKbu
    Y0HQLbwrmRMcYt76EMYSjm1pjQohEr14rrDvd8PqifUxpuq5kgjhr2Or6FhBYTgJ
    ANQ=
    -----END CERTIFICATE REQUEST-----
    

Now that the CSRs are generated and saved, the next step is getting a self-signed certificate or signed certificate.

Signing the CSR

The process of getting the Certificate Authority to sign the CSR will depend on what type of Certificate Authority your environment has.  Consult your security team or the team managing the certificates for the process to submit the certificate requests.  In the example below the CSR is signed by a Microsoft CA.

  1. Navigating to the CA websrv, the CSR and SAN are provided.
    Request a new certificate
    multi-vcenter-kb-05.png
    Then submit an advanced certificate request
    multi-vcenter-kb-06.png
    In the request the CSR is provided along with the SAN for the IP address of the controller
    multi-vcenter-kb-07.png
    Download the base 64 certificate once the certificate is generated
    multi-vcenter-kb-08.png
  2. Repeat the same steps for vasa-ct1.
  3. Once both certificates are issued, open both of them up in a text editor, such as notepad/notepad++, and copy down the certificates.

    multi-vcenter-kb-09.png

Both vasa-ct0 and vasa-ct1's certificates can now be imported as they are signed and saved.

Importing the Signed Certificate

Much like the self-signed certificate process, this must be done from the FlashArray CLI.  The difference is that the private key does not need to be provided.

  1. Use purecert to import the signed certificate, just as it was done with the self-signed method outlined previously in the KB.

    An Important Reminder.  Once the certificate is imported this will cause any existing storage providers that are registered with the VASA provider to go offline.  Due to the new certificate being imported and causing an authentication failure with the existing storage providers.

  2. Here is an example of that process. Please note that when you are setting the certificate and key attributes (using purecert setattr) or creating a certificate on the array (purecert create), you will need to press enter once after pasting the text for the certificate and key but before pressing control+D:
    ## vasa-ct0 ##
    pureuser@sn1-405-c12-21> purecert setattr --certificate vasa-ct0
    Please enter certificate followed by ^D:
    
    -----BEGIN CERTIFICATE-----
    MIIGmTCCBIGgAwIBAgITWgAAADlTEezzts+dsAAAAAAAOTANBgkqhkiG9w0BAQsF
    ADBVMRMwEQYKCZImiZPyLGQBGRYDY29tMRswGQYKCZImiZPyLGQBGRYLcHVyZXN0
    b3JhZ2UxFDASBgoJkiaJk/IsZAEZFgRhbGV4MQswCQYDVQQDEwJDQTAeFw0xOTA5
    MDQxNDIwNDBaFw0yMTA5MDMxNDIwNDBaMIGKMQswCQYDVQQGEwJVUzETMBEGA1UE
    CBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEXMBUGA1UEChMO
    UHVyZSBTb2x1dGlvbnMxHjAcBgNVBAsTFVNvbHV0aW9ucyBFbmdpbmVlcmluZzEV
    MBMGA1UEAxMMMTAuMjEuODguMTE3MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
    CgKCAQEAw133n53NbULEhii4WaT0uKFFPWO5vzR/jGdRs7rowO6U20L3J1yl3E1I
    AIOghLXMbJcH8dr/64cCAPUqdP1swjDhktpdQpaCmiI0lYJl5mvARKQMbDSPTSGf
    6rX5D++TfQIucnkiW+NJvP+KuckTW7OA3Ro0lw7uKeZBn3iy9CGYlJ4EGWVHYFRJ
    CpmlnZBuJozLJsfjQx3JTdG/u4FmqYTjOI90VFQb5Nx+amGJEYBoJ6awjLnHsBv0
    WasA40Ak3WI2G6Km8BjyY9vy7unOLojjrTR3ZUadBjI4qDJ8NyfBkNrYbFoaUvAK
    unt9HN2dR8pPBJ92NvEtTgPzCDLELwIDAQABo4ICKjCCAiYwHQYDVR0OBBYEFGTu
    WzCRkojxS9V6+5RtPUJhvrV8MB8GA1UdIwQYMBaAFNmnOKgXQprmuaGuPpQqgEa4
    WABoMIHHBgNVHR8Egb8wgbwwgbmggbaggbOGgbBsZGFwOi8vL0NOPUNBLENOPUNB
    LENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxD
    Tj1Db25maWd1cmF0aW9uLERDPWFsZXgsREM9cHVyZXN0b3JhZ2UsREM9Y29tP2Nl
    cnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0
    cmlidXRpb25Qb2ludDCBwAYIKwYBBQUHAQEEgbMwgbAwga0GCCsGAQUFBzAChoGg
    bGRhcDovLy9DTj1DQSxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMs
    Q049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1hbGV4LERDPXB1cmVzdG9y
    YWdlLERDPWNvbT9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlm
    aWNhdGlvbkF1dGhvcml0eTAhBgkrBgEEAYI3FAIEFB4SAFcAZQBiAFMAZQByAHYA
    ZQByMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHREE
    CDAGhwQKFVh1MA0GCSqGSIb3DQEBCwUAA4ICAQBgt3hywrL1tZcdluVOC8HXmQIC
    kOUF8q45t2LIDsCGZHvzhf4UHI2ussZTqZh3fW37sZmLvI1ueL9HHGPmgcvGuM4Y
    mbG6cwY58Wgz/2UZbI3g3QgZ8s7O61kGTBh42K5uk36sxe6Mo4eAYpldM8WsAD9I
    V4qPRCeJQWGqTFU+l3vUwyrpQrO2XgsH9bF53mmupimzBlL0F9BMwYKgEPa6FyOq
    qLKwS6cVW+RK6j9KLMHfAFYmDkm/Fp79f63o1xBJ4oR2tTuyOU2dTg25hLg8sVXs
    0UdCKd9trNv4soTKmj8ddsXw7poyBC22Nk42XCsMM6R7+9IC1ARa3b+RwLiVC/nH
    LoGqcSYevypVfUBgkYUjVGESS84HYYRomSmTriad5bDFGQJfWFYd+We4ysqgG6VG
    FZD8Zvn0E4pIAVgTYyE44cH41/j5moYghTovRTpHIdNTvIFVkbZA2jYQbV09640A
    D3o6CfiUAlRPoKqHjkR7S15rA2LX+2F8HAkPXH9s2tA7vc1H57aqxHrz3Kh+z+Ra
    T/Q1WjrUT2umfC5Pjbu1j0TjKJs1SdvyaG8Geoc3w2gSALhMefvr+tfJ6jtjj3Iw
    FCI1bs14/Jv8Bo5U5pe9Ayay2JD/IjLM2seztoRBKUoPRZJZXYWr0oxP8z67htLP
    nqc/GczJkyi12qoKAw==
    -----END CERTIFICATE-----
    
    Name      Status    Key Size  Issued To     Issued By  Valid From               Valid To                 Country  State/Province  Locality       Organization    Organizational Unit    Email  Common Name
    vasa-ct0  imported  2048      10.21.88.117  CA         2019-09-04 07:20:40 PDT  2021-09-03 07:28:44 PDT  US       California      Mountain View  Pure Storage  Solutions Engineering  -      10.21.88.117
    
    ## vasa-ct1 ##
    pureuser@sn1-405-c12-21> purecert setattr --certificate vasa-ct1
    Please enter certificate followed by ^D:
    
    -----BEGIN CERTIFICATE-----
    MIIGlzCCBH+gAwIBAgITWgAAADqWwSQe/KWTqQAAAAAAOjANBgkqhkiG9w0BAQsF
    ADBVMRMwEQYKCZImiZPyLGQBGRYDY29tMRswGQYKCZImiZPyLGQBGRYLcHVyZXN0
    b3JhZ2UxFDASBgoJkiaJk/IsZAEZFgRhbGV4MQswCQYDVQQDEwJDQTAeFw0xOTA5
    MDQxNDIxNDhaFw0yMTA5MDMxNDIxNDhaMIGIMQswCQYDVQQGEwJVUzETMBEGA1UE
    CBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEVMBMGA1UEChMM
    UHVyZSBTdG9yYWdlMR4wHAYDVQQLExVTb2x1dGlvbnMgRW5naW5lZXJpbmcxFTAT
    BgNVBAMTDDEwLjIxLjg4LjExODCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
    ggEBAOi8CHC4OvKpp45zCgVGp6q1AMwpskgTBNqsjGPOmWPjgLN4OhMJi1ROQ7kJ
    VwU36J1YFBjwl5vJP99K1sL0FIDlypNetVVghhosSO6z0K1yngTaQnmi70EiKskn
    Z1Lb9QVNTE5ELjeF6++qDF+DVkbX0Y/2lD2Qfub6gQAGU0+yFbcdVhxMtd8dBuFl
    FNzKtzN95V5YxIwy3CYwhU2QeqSNBXOZ1QXvTKQFUzUw7PFbNeFQu3AZSHpBVSAZ
    8PwIrWXiepWVEimw3H2rD4gEue45cF/P3ZU0qr3gHJ3YdwWbSDzpRDgL6+Bu/72I
    YZ5zlSLPT9VekQQIFNCWjUPkV40CAwEAAaOCAiowggImMB0GA1UdDgQWBBQGfkY3
    dC+CAuDDQ31sEJItjr3EfTAfBgNVHSMEGDAWgBTZpzioF0Ka5rmhrj6UKoBGuFgA
    aDCBxwYDVR0fBIG/MIG8MIG5oIG2oIGzhoGwbGRhcDovLy9DTj1DQSxDTj1DQSxD
    Tj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049
    Q29uZmlndXJhdGlvbixEQz1hbGV4LERDPXB1cmVzdG9yYWdlLERDPWNvbT9jZXJ0
    aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJp
    YnV0aW9uUG9pbnQwgcAGCCsGAQUFBwEBBIGzMIGwMIGtBggrBgEFBQcwAoaBoGxk
    YXA6Ly8vQ049Q0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENO
    PVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9YWxleCxEQz1wdXJlc3RvcmFn
    ZSxEQz1jb20/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmlj
    YXRpb25BdXRob3JpdHkwIQYJKwYBBAGCNxQCBBQeEgBXAGUAYgBTAGUAcgB2AGUA
    cjAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw
    BocEChVYdjANBgkqhkiG9w0BAQsFAAOCAgEAMJuhBKUqZ3lILRYPgHk0XuhvMkpl
    8PXbBTNj5lrJIOctNPnDMnB7EYCy3l4qismNtLHQzgmtaytw9+JU9GJBGJxGnTu5
    IAeUrn6Ln2o0ykpidB09fqtVm5EjWuxM97j0TSf/tT0Dyug7TZbUf/JB/3Eqangd
    1lAKy1nI/0fSwc/GBZYHyZYg28h5OjzqECZTrsXchvHbH5Ow/gE0E6havtlEF5l+
    cAFmqdzAP2SXGcRlAYkOb299vop6+32NmHOJREkkocdDjxOAIHD9dO/3HtqZvRQW
    heQY4nJylSkmhlS6/1Y54yCKOQml3MOmdnA40iI2Gk5eMKyOIddjbRwUtw/6IX+U
    5VgFaNi4e6G4MpCuGqjyAwYqkTExTV4JzY0L5kseM4LdV8kejMdcnirXMvaM/wwa
    0Z9lnzIDuJt3ib20HlsrM3v6m2OVzSFp29SohhvdyzkRSjvHUQ2oJXIrHAL3zvO6
    Moy3i3ATTXT8Lc+YUn8v6Ewlj9nRUkA57F5GEe80cAsA1/vZBpPK3AZ1YQCb6BZ4
    pDZ+bCwx60w17Oy9nS7uRSpOmVaXR6l/H7hjE9fYlNVgpT1AOGiG/pdy7eaRx4Ui
    Lxl4CydnKcnLwXI+jzvXI5NMgWcGTpNVE5iE0ms9JnFKQ+KZmT/aT1xiZdBefMxQ
    qGAzmViaWxwO9+8=
    -----END CERTIFICATE-----
    
    Name      Status    Key Size  Issued To     Issued By  Valid From               Valid To                 Country  State/Province  Locality       Organization  Organizational Unit    Email  Common Name
    vasa-ct1  imported  2048      10.21.88.118  CA         2019-09-04 07:21:48 PDT  2021-09-03 07:21:48 PDT  US       California      Mountain View  Pure Storage  Solutions Engineering  -      10.21.88.118
    
    ## purecert list output ##
    pureuser@sn1-405-c12-21> purecert list
    Name        Status    Key Size  Issued To     Issued By  Valid From               Valid To                 Country  State/Province  Locality       Organization    Organizational Unit    Email  Common Name
    management  imported  2048      10.21.88.116  CA         2019-08-02 08:44:43 PDT  2021-08-01 08:44:43 PDT  US       California      Mountain View  Pure Solutions  Solutions              -      10.21.88.116
    vasa-ct0    imported  2048      10.21.88.117  CA         2019-09-04 07:20:40 PDT  2021-09-03 07:28:44 PDT  US       California      Mountain View  Pure Storage    Solutions Engineering  -      10.21.88.117
    vasa-ct1    imported  2048      10.21.88.118  CA         2019-09-04 07:21:48 PDT  2021-09-03 07:21:48 PDT  US       California      Mountain View  Pure Storage    Solutions Engineering  -      10.21.88.118
    
    

Now there are signed certificates imported for both CT0 and CT1.

OpenSSL Signed Certificate

Creating the Signed Certificate

Here are the steps for creating a signed certificate with OpenSSL:

  1. I would recommend to first create a directory for the certificates.  For example:
    ## Create a Directory for the Certificates ##
    mkdir ~/VASA-Certs
    
    ## Create a directory for each FlashArray controller ##
    mkdir ~/VASA-Certs/sn1-405-c12-21-ct0
    mkdir ~/VASA-Certs/sn1-405-c12-21-ct1
    
  2. Next, create a v3.ext file for vasa-ct0 and vasa-ct1.  The important part here is to make sure the correct Subject Alternate Name (SAN) in the v3.ext file 
    ## Using vim (or any text editor) create a v3.ext file with the following ##
    [req]
    default_bits = 2048
    prompt = no
    default_md = sha256
    [v3_ca]
    subjectAltName = IP:<IP address of controller>
    
    ## So for example ##
    vim ~/VASA-Certs/sn1-405-c12-21-ct0/v3.ext
    
    [req]
    default_bits = 2048
    prompt = no
    default_md = sha256
    [v3_ca]
    subjectAltName = IP:10.21.88.117
    
    vim ~/VASA-Certs/sn1-405-c12-21-ct1/v3.ext
    
    [req]
    default_bits = 2048
    prompt = no
    default_md = sha256
    [v3_ca]
    subjectAltName = IP:10.21.88.118
    
  3. A root certificate will need to be created with OpenSSL
    openssl genrsa -passout pass:test -des3 -out rootCA.key 4096
    openssl req -x509 -new -passin pass:test -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt -subj "/C=US/O=Pure Storage/OU=Solutions Engineering/CN=Pure Storage"
    
  4. After the Root Cert is created, generate a private key and generate the CSR for VASA-CT0 and VASA-CT1.  Make sure that the Common Name of the CSR matches the IP address from the subject alternate name.
    ##Creating Private Keys##
    openssl genrsa -out ~/VASA-Certs/sn1-405-c12-21-ct0/server.key 2048
    openssl genrsa -out ~/VASA-Certs/sn1-405-c12-21-ct1/server.key 2048
    
    ##Creating CSRs##
    openssl req -new -key ~/VASA-Certs/sn1-405-c12-21-ct0/server.key -out ~/VASA-Certs/sn1-405-c12-21-ct0/server.csr
    openssl req -new -key ~/VASA-Certs/sn1-405-c12-21-ct1/server.key -out ~/VASA-Certs/sn1-405-c12-21-ct1/server.csr
    
    Make sure that the O and OU for the CSR is not Pure Storage for both entries.  The email address and password can both be skipped as well by pressing enter.
  5. Create the signed certificates by signing the CSR with the Root Cert that was created
    cd ~/VASA-Certs/sn1-405-c12-21-ct0/
    openssl x509 -req -passin pass:test -in server.csr -CA ../rootCA.crt -CAkey ../rootCA.key -CAcreateserial -out server.crt -extfile v3.ext -extensions v3_ca -days 729
    
    cd ~/VASA-Certs/sn1-405-c12-21-ct1/
    openssl x509 -req -passin pass:test -in server.csr -CA ../rootCA.crt -CAkey ../rootCA.key -CAcreateserial -out server.crt -extfile v3.ext -extensions v3_ca -days 729
    
  6. Either copy the RootCA that was created to vCenter (with scp, etc) or create a .pem file the cert.  This will be needed to make sure that the trusted root cert is in vCenter in a following step.

Importing the OpenSSL signed Certificate

  1. Copy down the private key and certificate for both vasa-ct0 and vasa-ct1.
    cat ~/VASA-Certs/sn1-405-c12-21-ct0/server.key
    
    cat ~/VASA-Certs/sn1-405-c12-21-ct0/server.crt
    
  2. Import the key and certificate for vasa-ct0.
    An Important Reminder.  Once the certificate is imported this will cause any existing storage providers that are registered with the VASA provider to go offline.  Due to the new certificate being imported and causing an authentication failure with the existing storage providers.
    purecert setattr --certificate --key vasa-ct0
    
  3. Import the key and certificate for vasa-ct1.
    purecert setattr --certificate --key vasa-ct1
    
  4. Check the certificates with purecert list.
    purecert list
    

Now that both certificates are imported you will want to make sure the CA Root Cert that was created has been imported to the vCenters trusted root certs and then register the storage providers.

Checking that the CA Root Cert is trusted on the vCenter Server

Be sure to check that the CA Root certificate is trusted on each vCenter Server that the VASA providers will be getting registered with.

Either from the vCenter UI or vCenter CLI, check the trusted root certs for the Root CA's cert. In the event that it's not there, you can use the vCenter CLI or vCenter UI to import the trusted root cert.  

Here is an example of using the vCenter CLI to import a Root Cert:

## The root cert can either be SCP'd to the vCenter Server or you can just create a .pem file with the root cert ##

root@prod-vcsa [ ~ ]# vim /root/custom-root-cert.pem
root@prod-vcsa [ ~ ]# cat /root/custom-root-cert.pem
-----BEGIN CERTIFICATE-----
MIIDpDCCAoygAwIBAgIQfmGy6GutxYJCdMy6lXxqZjANBgkqhkiG9w0BAQsFADBE
MRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxFjAUBgoJkiaJk/IsZAEZFgZjc2d2ZGkx
EzARBgNVBAMTCkNBLUZBQ0xPVUQwHhcNMTkwNjE0MTk1MTI3WhcNMjkwNjE0MjAw
MTI3WjBEMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxFjAUBgoJkiaJk/IsZAEZFgZj
c2d2ZGkxEzARBgNVBAMTCkNBLUZBQ0xPVUQwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQC518foxRwdfN39fX0zXy0ELkEjh//8iS5U8zgvYknA0Ip9aCYw
zB4Vgn/zXFAHvXb6AzljL6jcUFlLUNwWCBkiNBCNoAv5P6fNVhedsCF+q2RdNLkD
jW9w8Xs71nMf3HpasF2m7PNvtT/BRC8r9sVijV+8D5pcrMpM57FkIgUizTQB4HCi
KEzG/wrwU8YPOxB2EBgyhhjWa+HqdBao16hK5wtKMCgBZCfVMTr7lvT73qU/qcDZ
GdyvddslqS598dd6fO94R7A8TrlcVHe14PjOSmn2GgGHwwDvVyhoZmDjpNFV5CAI
yuo1ISCO5TebNpDnbXd2+Bge9gLn1X3DE+CVAgMBAAGjgZEwgY4wEwYJKwYBBAGC
NxQCBAYeBABDAEEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYD
VR0OBBYEFLUWvEe1Vs8+Zh9TWAVfYriidnTsMBIGCSsGAQQBgjcVAQQFAgMBAAEw
IwYJKwYBBAGCNxUCBBYEFH3NWbj+o48SD2H9JZcXRYegpf/bMA0GCSqGSIb3DQEB
CwUAA4IBAQCVooEUPOTGaXSFWiNc6ZMkp5oM6he80EsHCUPy4o7sS3uHzZ/DptnG
iwlnvzBwyNW0HqpZwjeLRYvNU5pkwRtxxtNeLoNUaUJ1kiEe6hEqOOIEca6htUuv
X0unZv5k8+Z1O1kBrvYFldkAG7VXZFZ08FIw/TKAW9aXeLa7+parv6zl03/XgstC
QcFfOwLT1Ebm+xPwgP3CCwcEUpH6GAM9jPSd23/iAy6mFFN3i0ToOi1GNtb0X7UM
HRkCpatFEMt+dLvd73dO/n7bUVSi7AhznlOaxmnimOU4KEVSIAgif8hGzDcip1tl
0ftrgaug1yLEKq+sJKSpCljIPd1dQOa3
-----END CERTIFICATE-----

root@prod-vcsa [ ~ ]#

## Then use the dir-cli tool to publish this root cert ##


root@prod-vcsa [ ~ ]# /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /root/custom-root-cert.pem
Enter password for administrator@sso.alex.purestorage.com:
Certificate pubished successfully
root@prod-vcsa [ ~ ]#

If the Root CA cert is being imported, you will want to make sure that the vCenter Trusted Root certs are getting published to the ESXi hosts in the vCenter. This can be done manually for each host, however, PowerCLI and PowerShell can also do this. 

Leverage the following workflow:


## Connect to the vCenter Server ##
Connect-VIServer -server vcenter-server
  
  
## Get the ESXi hosts and set it to a variable ##
$hosts = get-vmhost
  
  
## Start the Service Instance ##
$si = Get-View ServiceInstance
  
  
## Start the certificate Manager view ##
$certMgr = Get-View -Id $si.Content.CertificateManager
  
  
## Using the Cert Manager, refresh the ESXi hosts Certs ##
## This pushes all certificates in the TRUSTED_ROOTS store in the vCenter Server VECS store to the host. ##
$certMgr.CertMgrRefreshCACertificatesAndCRLs($Hosts.ExtensionData.MoRef)
  
  
## Now in vCenter the vvol datastore should be accessible for each of those hosts.  No need to do the ssl_reset and restart on VVold ##

Here is an example of this workflow:

PS C:\> Connect-VIServer -Server dev-vcsa

Name                           Port  User                          
----                           ----  ----                          
dev-vcsa                       443   ALEX\Carver                   

PS C:\> Get-Cluster -Name "Dev Cluster"

Name                           HAEnabled  HAFailover DrsEnabled DrsAutomationLevel  
                                          Level                                     
----                           ---------  ---------- ---------- ------------------  
Dev Cluster                    True       1          True       FullyAutomated      

PS C:\> $ESXi_Cluster = Get-Cluster -Name "Dev Cluster"

PS C:\> $ESXi_Cluster | Get-VMHost

Name                 ConnectionState PowerState NumCpu CpuUsageMhz CpuTotalMhz   MemoryUsageGB   MemoryTotalGB Version
----                 --------------- ---------- ------ ----------- -----------   -------------   ------------- -------
esxi-7.alex.pures... Connected       PoweredOn      16         151       38304          14.586         255.897   6.7.0
esxi-6.alex.pures... Connected       PoweredOn      20         141       43880          16.166         255.892   6.7.0
esxi-4.alex.pures... Connected       PoweredOn      20          94       43880           8.945         255.892   6.7.0

PS C:\> $hosts = $ESXi_Cluster | Get-VMHost

PS C:\> $hosts

Name                 ConnectionState PowerState NumCpu CpuUsageMhz CpuTotalMhz   MemoryUsageGB   MemoryTotalGB Version
----                 --------------- ---------- ------ ----------- -----------   -------------   ------------- -------
esxi-7.alex.pures... Connected       PoweredOn      16         151       38304          14.586         255.897   6.7.0
esxi-6.alex.pures... Connected       PoweredOn      20         141       43880          16.166         255.892   6.7.0
esxi-4.alex.pures... Connected       PoweredOn      20          94       43880           8.945         255.892   6.7.0

PS C:\> $si = Get-View ServiceInstance

PS C:\> $certMgr = Get-View -Id $si.Content.CertificateManager

PS C:\> $certMgr.CertMgrRefreshCACertificatesAndCRLs($Hosts.ExtensionData.MoRef)

PS C:\>
 

Once this is all completed, you can register the storage providers.


Registering Storage Providers

With the OpenSSL or CA signed certificate, be sure double check that the CA Root Certificate is already added to the vCenters trusted root certs.  If not, this will need to be done prior to registering the storage providers.  Be sure that the trusted root cert has propagated to each of the ESXi hosts as well.  A method is provided in the previous section that will ensure that each ESXi host has the trusted root certs propagated to the ESXi hosts. 

  1. Check if the FlashArray's VASA providers are already registered for the given vCenter. Should they be, remove the offline storage providers.
    multi-vcenter-kb-01.png
  2. Use the Pure Storage vSphere Plugin to register the storage providers.
    multi-vcenter-kb-02.png
    multi-vcenter-kb-03.png
  3. Navigate back to the vCenter storage providers page and check that the providers are online and healthy.
    multi-vcenter-kb-10.png

Repeat for as many vCenter Servers as needed.


Closing Thoughts

Overall the process is fairly straightforward.  However, when creating either a self-signed or signed certificate, you must make sure the SAN entry for the IP Address matches the Common Name (this would be the IP address for either ETH0 or ETH1).  There is some additional testing being done for both IPv6 and FQDNs being used as the common name and SAN, however, at this time we still recommend using IPv4 for the Common Name and SAN attribute.  Keep in mind that any request to the VASA Provider will fail between the time that the certificates are imported and when the storage providers are re-registered.  This is expected as the storage providers would be marked as offline since the certificates changed.  Take this into account when planning to import a signed certificate.

If you have any questions, concerns or feedback on the process either leave feedback on the KB or open a support case.