Pure Technical Services

vSphere Plugin User Guide: Configuring Authentication

The Pure Storage Plugin for the vSphere Client (shortened in this article to the vSphere Plugin) gives VMware users insight into and control of their Pure Storage FlashArray environment while logged directly into the vSphere Client. The plugin extends the vSphere Client interface with environmental statistics and the storage objects that underpin the VMware objects in use, and lets users provision new resources as needed.

In order to use the plugin, it must be authenticated with the FlashArray(s) in use in the vSphere environment. Only the FlashArrays you want to have insight into and/or manage need to be authenticated. Each FlashArray must be authenticated individually, though the same credentials can be reused if they are valid for more than one array.

Additionally, the vSphere Plugin can be authenticated with the Pure1 REST API. This is required for the Pure1-related features in the plugin and assists with mass registration of FlashArrays. No provisioning workflows are blocked when Pure1 is not authenticated, though intelligent provisioning and other insights are disabled.

Network Requirements

These tables cover the network requirements of the remote and the local vSphere Client plugin.

Remote vSphere Client Plugin Network Requirements

Register the Remote Plugin Extensions with vCenter Server

Source                         Target          TCP Port      Network
Pure Storage VMware Appliance  vCenter Server  8443 and 443  vCenter Server Management Network

Authentication with Pure1 for Plugin Features

Source                         Target  TCP Port  Network
Pure Storage VMware Appliance  Pure1   443       api.pure1.purestorage.com (52.40.255.224/27)
  • Access to Pure1 is not required from ESXi hosts or the vCenter Server

Connection to Pure1 for Appliance updates and upgrades

Source                         Target  TCP Port  Network
Pure Storage VMware Appliance  Pure1   443       deb.cloud-support.purestorage.com
  • Access to Pure1 is not required from ESXi hosts or the vCenter Server

Authentication with target FlashArray/s

Source                         Target      TCP Port  Network
Pure Storage VMware Appliance  FlashArray  443       FlashArray Management Network (vir0/vir1)
  • No network access is required from ESXi or the vCenter Server to the target FlashArray

Local vSphere Client Plugin Network Requirements

Authentication with Pure1 for Plugin Features

Source          Target  TCP Port  Network
vCenter Server  Pure1   443       api.pure1.purestorage.com (52.40.255.224/27)
  • If a proxy is required to route to an external network, Pure1 connectivity is not supported with the Local Plugin (Plugin versions 4.5.2 and lower).

Authentication with target FlashArray/s

Source          Target      TCP Port  Network
vCenter Server  FlashArray  443       FlashArray Management Network (vir0/vir1)
  • No network access is required from ESXi

Authentication of the plugin with Pure1 is recommended but not required. Authenticating the vSphere Plugin with Pure1 allows for further insights and provisioning assistance, as well as mass FlashArray authentication and, likely, more features in the future. For these reasons, authentication is recommended.

Authenticating a Pure1 Connection - Plugin Managed Keys

Starting with vSphere plugin 5.3.1, authenticating with Pure1 through the plugin's managed keys is far simpler than user managed keys. If the environment doesn't require user managed keys, using plugin managed keys is the preferable route.

From the vCenter web UI, left-click the (1) hamburger menu, left-click (2) Pure Storage, then left-click (3) AUTHENTICATE WITH PURE1.
Select the (1) Plugin managed keys bullet, select and copy the entire (2) Public Key, and leave this screen open. This public key is used in Pure1 to generate the Application ID needed a little later.
Log in to the Pure1 web GUI at pure1.purestorage.com. From there, left-click (1) API Registration then left-click (2) + Register Application.

Populate a (1) Name for the application, paste the (2) Public Key from earlier and finally select a (3) Pure1 Role. You may specify either the admin role or read only. Note that the Public Key must start with -----BEGIN PUBLIC KEY----- and end with -----END PUBLIC KEY-----.
Select and copy the (1) Application ID to paste into the vCenter web GUI in the next step.

Switch back to the vCenter web GUI page and paste the (1) Application ID from the previous step and left-click (2) AUTHENTICATE.

Authenticating a Pure1 Connection - User Managed Keys

Authenticating with Pure1 through user managed keys is also possible.

Pure1 authentication differs significantly from standard username-and-password authentication, in order to provide a more secure mechanism for a public REST API endpoint (Pure1). Instead of asking for a username or password, Pure1 accepts either vSphere plugin managed keys or user managed keys.

When using plugin managed keys, the workflow is much simpler.

When using user managed keys, Pure1 asks for what is called a JWT (a JSON Web Token): a set of authentication claims that has been signed with an RSA private key using the RS256 algorithm. Pure1 holds the matching public key, which lets it verify the token's signature; a valid token is then exchanged for a session token.

There are a variety of ways to do this, and the list below is not exhaustive. The overall process is as follows:

  1. Create a public/private key pair
  2. Add the public key to Pure1
  3. Copy the application ID
  4. Generate a JWT with the application ID and your private key
  5. Paste the JWT into the vSphere Client

Create Certificate

PowerShell--Linux/MacOS

First ensure that you have at least the 1.2.0.0 release of the Pure1 PowerShell Module installed. Instructions to install PowerShell on Linux/MacOS here.

For PowerShell-based management, there is a PowerShell Gallery hosted module called PureStorage.Pure1. For more information (or to open bugs or feature requests) on the PowerShell Module, see here:

https://github.com/PureStorage-OpenConnect/PureStorage.Pure1

Create a new key pair and enter a password when prompted.

New-PureOneCertificate

Then retrieve the public key (enter the private key password):

Get-PureOnePublicKey

Now copy that key.
PowerShell--Windows

On Windows systems, public/private keys can come in the form of a certificate. The simplest way to create a key pair is to create a self-signed local certificate, which can be done with the Pure1 PowerShell module available from the PowerShell Gallery.

To install the module, open PowerShell and install the module from the PowerShell gallery:

Install-Module PureStorage.Pure1

Next create a new certificate and return the public key:

New-PureOneCertificate | Get-PureOnePublicKey

Copy the entire key, including the dashes and the BEGIN PUBLIC KEY and END PUBLIC KEY lines.
Add the Public Key to Pure1

Once you have a public key, it needs to be entered into the Pure1 web site to create an application ID. Log in to pure1.purestorage.com as an admin. If you do not see the Administration section on the left-hand side, you are not logged in as an administrative user. If you are not, find your Pure1 admin and have them generate the token. If you do not know your admin, reach out to Pure Storage support.
Click on API Registrations, then Register Application.
Give the application a descriptive name and paste in the public key. This must start with -----BEGIN PUBLIC KEY----- and end with -----END PUBLIC KEY-----. You may specify either the admin role or read only.
Click Upload to finish the process. Find the application ID and copy it, or have the admin provide it to you. It will start with pure1:apikey:

Generating a JWT

Once you have an application ID you can create the JWT. A JWT can be generated in many ways; below are methods using Python and PowerShell.

Generating a JWT with Python

The JWT can be generated with Python using the linked code snippet from GitHub:

pure1_token_factory.py

Upload this script to a host that has Python installed. You can optionally directly download the script via:

curl -o pure1_token_factory.py https://gist.githubusercontent.com/codyhosterman/697ebfd72c4f7f7276afc3b74e3b5e40/raw/fce3ec83467344dd4192e831cf53694e0bfc8f21/pure1_token_factory.py

Then install the requirements with pip. If pip is not installed, run:

sudo apt install python3-pip

Install the requirements (which are saved in a hosted requirements file):

pip3 install -r https://pure1-scripting.s3-us-west-1.amazonaws.com/requirements.txt

If you cannot download the hosted requirements file, create a requirements.txt file manually with the following contents:

PyJWT
paramiko>=2.7.1
requests
cryptography
six

Then install the requirements:

pip3 install -r requirements.txt

Now pass the private key (your .pem file) and the application ID to the script:

sudo python3 ./pure1_token_factory.py pure1:apikey:iRT5OwhslZVLWNGG private.pem

This will return the JWT. Copy the whole JWT.
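
The token that the process above (create a key pair, register the public key, obtain an Application ID, sign a JWT with the private key) and the pure1_token_factory.py script produce is an RS256-signed JWT. The following Python is an added example, not the token factory script or the PureStorage.Pure1 module: it builds such a token with the cryptography package that is already in the requirements list, then performs the checks the verifying side has to make before trusting it. The claim names iss (the Application ID), iat and exp, the Application ID string and the in-memory key pair are assumptions constructed for the demo; a real run would load your .pem private key with serialization.load_pem_private_key instead of generating one.

```python
"""Pure1-style RS256 JWT: build it the way the token factory does, then verify it
the way the relying party does. Added example, not the project's own code.
Assumptions (constructed for the demo): the claim set is 'iss' = Application ID,
'iat' and 'exp'; the Application ID and key pair below are placeholders.
Needs the 'cryptography' package, which is already in the page's requirements."""
import base64
import json
import time
from typing import Optional

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

PEM_BEGIN = "-----BEGIN PUBLIC KEY-----"
PEM_END = "-----END PUBLIC KEY-----"


def b64url(data: bytes) -> str:
    # JWS segments are base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_public_key_pem(pem: str) -> bool:
    """The check the Pure1 registration form implies: exact BEGIN/END markers,
    and the body must actually parse as an RSA SubjectPublicKeyInfo."""
    text = pem.strip()
    if not (text.startswith(PEM_BEGIN) and text.endswith(PEM_END)):
        return False
    try:
        key = serialization.load_pem_public_key(text.encode("ascii"))
    except ValueError:
        return False
    return isinstance(key, rsa.RSAPublicKey)


def make_jwt(app_id: str, private_key: rsa.RSAPrivateKey,
             lifetime_s: int = 3600, now: Optional[int] = None) -> str:
    """header.payload.signature; RS256 = RSASSA-PKCS1-v1_5 over SHA-256."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iss": app_id, "iat": now, "exp": now + lifetime_s}  # assumed claim set
    signing_input = ".".join(
        b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims))
    sig = private_key.sign(signing_input.encode("ascii"), padding.PKCS1v15(), hashes.SHA256())
    return signing_input + "." + b64url(sig)


def verify_jwt(token: str, public_key: rsa.RSAPublicKey,
               now: Optional[int] = None) -> Optional[dict]:
    """Relying-party side: pin the algorithm, check the signature, then expiry.
    Returns the claims, or None for anything that must be rejected."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "RS256":
            return None  # refuses 'none' and HMAC downgrades outright
        public_key.verify(b64url_decode(sig_b64), f"{header_b64}.{payload_b64}".encode("ascii"),
                          padding.PKCS1v15(), hashes.SHA256())
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, InvalidSignature):
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def readable_claims(token: str) -> dict:
    # The payload is signed, not encrypted: anyone holding the token can read it.
    return json.loads(b64url_decode(token.split(".")[1]))


def demo() -> dict:
    now = 1_700_000_000  # fixed clock so the run is repeatable
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    public_key = private_key.public_key()
    public_pem = public_key.public_bytes(serialization.Encoding.PEM,
                                         serialization.PublicFormat.SubjectPublicKeyInfo).decode("ascii")
    app_id = "pure1:apikey:EXAMPLEAPPID0000"  # constructed placeholder, not a real Application ID
    token = make_jwt(app_id, private_key, now=now)
    header_b64, payload_b64, sig_b64 = token.split(".")
    # Forgery: a different issuer spliced in under the original signature.
    other = json.dumps({"iss": "pure1:apikey:SOMEONEELSE00000", "iat": now, "exp": now + 3600},
                       separators=(",", ":")).encode()
    forged = ".".join([header_b64, b64url(other), sig_b64])
    # Downgrade: 'alg': 'none' with an empty signature segment.
    alg_none = b64url(b'{"alg":"none","typ":"JWT"}') + "." + payload_b64 + "."
    return {
        "app_id": app_id,
        "pem_ok": check_public_key_pem(public_pem),
        "readable": readable_claims(token),
        "claims": verify_jwt(token, public_key, now=now + 10),
        "expired": verify_jwt(token, public_key, now=now + 3600),
        "forged": verify_jwt(forged, public_key, now=now + 10),
        "alg_none": verify_jwt(alg_none, public_key, now=now + 10),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The readable_claims call is the reason the JWT has to be handled like a credential even though it cannot be forged: the payload is only base64url-encoded, so the Application ID and expiry are visible to anyone who holds the token. Short lifetimes and an algorithm pinned to RS256 on the verifying side are the two checks that matter most, and the forged and alg_none cases show both being rejected.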

Generating a JWT with PowerShell

Linux/MacOS

Once you have your application ID, pass it together with the previously created private key into the New-PureOneJwt command. Enter the private key password as part of the command or interactively when prompted (as shown below):

New-PureOneJwt -pureAppID pure1:apikey:aebVzb4k3Gq7oQE7

Windows

Once you have your application ID, pass it into the New-PureOneJwt command.
Adding a JWT to the vSphere Client

Log in to the vSphere Client, click on the top menu and choose Pure Storage.
Click on the Authenticate with Pure1 button in the top right corner.
Paste the JWT into the box that appears.
Click Authenticate. This authenticates the plugin with Pure1. You will then be able to see Pure1 features in the plugin, like tag display and the load meter chart.
Editing a Pure1 Connection

There is no difference between creating a new Pure1 connection and editing one. If you would like to change the JWT being used, follow the same process. The only minor difference is that the Authenticate with Pure1 button will now say Connected with Pure1. Click on that to upload a new JWT.


Removing a Pure1 Connection

There is no method to remove a specific Pure1 authentication in the vSphere Plugin today. Instead, the public key that pairs with the private key used to generate the JWT can be removed from Pure1.

Log in to pure1.purestorage.com and click on API Registration. Find the application you wish to deauthenticate.
Navigate to the far right and click on the trashcan icon.
Confirm the deletion. Deleting the registration prevents any integration that uses the correlated private key (or any JWT derived from it) from authenticating.
Authenticating a FlashArray Connection

One or more FlashArrays can be added to the vSphere Plugin.

Adding a FlashArray Manually

To add a single FlashArray, log in to the vSphere Client, click on the Menu drop-down and choose Pure Storage.
Click on the +Add button shown under the Pure Storage icon.

Choose Add a Single Array.
Enter:

  • Array name. This does not have to be the FlashArray's actual domain name, but that is recommended. The name is not verified, but it should be descriptive either way.
  • Array URL. An IP address or fully-qualified domain name representing a FlashArray virtual address. An FQDN is always preferred.
  • Username. The username of either a local user or a directory-attached user.
  • Password. The corresponding password of the selected user.

The virtual address can be verified on the array under Settings > Network > Subnets & Interfaces.
The FQDN can be verified with nslookup or similar tools.
Adding One or More FlashArrays through Pure1

For environments with many FlashArrays, or environments where you may not know the addresses of all FlashArrays, an administrator can use the Pure1 connection to register a fleet of FlashArrays at once.

Go to the Pure Storage Plugin home screen and click Add.

Click on the Import Arrays from Pure1 tab. The plugin contacts Pure1 and retrieves all FlashArray and Cloud Block Store arrays registered in the target Pure1 organization. The plugin then:

  1. Pulls the VIR0 (virtual IP 0) address and the array name of every FlashArray or Cloud Block Store array from the Pure1 REST API
  2. Attempts a DNS lookup for the FQDN. If a name is found, the FQDN is used for the URL; otherwise the IP address is used
  3. Tests network connectivity to the discovered FQDNs or IPs. An array that is not reachable on the network is not filtered out, but is marked as offline
  4. Filters out arrays that are already authenticated in the plugin
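
The four steps above, as an added example in Python that is not the plugin's own code. The DNS lookup and the TCP 443 probe are passed in as functions, so the demo runs offline against a constructed inventory, while dns_resolve and tcp_probe show what the live versions look like. Treating the array name as the FQDN candidate and matching already-registered arrays by name are assumptions, since the page does not say how the plugin does either.

```python
"""Plan a bulk import the way the "Import Arrays from Pure1" tab is described:
resolve an FQDN per array, fall back to the VIR0 address, probe reachability,
drop arrays already registered. Added example, not plugin code. DNS resolution
and the TCP probe are injected so the run is offline; the inventory is constructed."""
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Pure1Array:
    name: str   # array name as reported by the Pure1 REST API
    vir0: str   # virtual IP 0, the management VIP


@dataclass(frozen=True)
class ImportCandidate:
    name: str
    url: str      # FQDN when DNS knows the name, otherwise the VIR0 address
    online: bool  # False = kept in the list but marked offline, not filtered out


def dns_resolve(hostname: str) -> Optional[str]:
    """Live resolver for real use: forward lookup, None when the name does not resolve."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def tcp_probe(host: str, port: int = 443, timeout: float = 2.0) -> bool:
    """Live probe for real use: can TCP 443 be opened to the management address?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def plan_import(arrays: Iterable[Pure1Array], already_registered: Set[str],
                resolve: Callable[[str], Optional[str]],
                probe: Callable[[str, int], bool]) -> List[ImportCandidate]:
    plan: List[ImportCandidate] = []
    for array in arrays:
        if array.name in already_registered:   # step 4: already authenticated in the plugin
            continue
        # step 2 (assumption): the array name is tried as the FQDN; fall back to VIR0
        url = array.name if resolve(array.name) else array.vir0
        # step 3: unreachable arrays are kept and flagged, never silently dropped
        plan.append(ImportCandidate(array.name, url, probe(url, 443)))
    return plan


# --- constructed inventory and offline stand-ins for DNS and the network ---
SAMPLE_ARRAYS = [
    Pure1Array("fa-prod-01.lab.example", "10.0.10.5"),
    Pure1Array("fa-dr-02.lab.example", "10.0.20.5"),
    Pure1Array("cbs-aws-01", "172.16.5.20"),
    Pure1Array("fa-old-03.lab.example", "10.0.30.5"),
]
SAMPLE_REGISTERED = {"fa-old-03.lab.example"}
FAKE_DNS = {"fa-prod-01.lab.example": "10.0.10.5", "fa-dr-02.lab.example": "10.0.20.5"}
FAKE_REACHABLE = {"fa-prod-01.lab.example", "172.16.5.20"}


def demo_plan() -> List[ImportCandidate]:
    return plan_import(SAMPLE_ARRAYS, SAMPLE_REGISTERED,
                       resolve=FAKE_DNS.get,
                       probe=lambda host, port: host in FAKE_REACHABLE)


if __name__ == "__main__":
    for c in demo_plan():
        print(f"{c.name:24} {c.url:24} {'online' if c.online else 'OFFLINE'}")
```

In the constructed run, fa-dr-02 resolves but does not answer on 443, so it stays in the list as offline (the icon the next paragraphs describe), cbs-aws-01 has no DNS entry and falls back to its VIR0 address, and fa-old-03 is dropped because it is already registered.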

You then have the option to enter credentials individually for each array or, if they all share the same credentials, to select the Use the same credentials for all arrays box. If that is selected you only have to enter the credentials for the first array.

An array marked with the offline icon is one whose address is not reachable from vCenter.

Once you have added credentials, select the arrays that you would like to authenticate.

Note that the "select all" box in the upper left of the table selects only the arrays on the current page. You must click the next arrow and repeat the selection to authenticate all discovered arrays. This ensures that the user confirms and verifies all selected arrays before completion.

When you have selected all of the desired arrays, click Add in the lower right hand corner.

The plugin will attempt to authenticate all arrays and will report the arrays that succeeded and any that failed.
If there are arrays with errors, hover over the information tooltip (circle with an exclamation mark) for more information.

Click Done when finished.


Editing a FlashArray Connection

Sometimes updating an existing FlashArray connection is necessary. Follow these steps to update the connection.

To edit a FlashArray connection, select the connection and click Edit.

From here, you can alter the alias, the URL, the username, and/or the password. Enter your change(s) and click Submit. To make ANY change you do need to re-enter the username and password--this can be the existing credentials or new ones.

In the above case the array name (alias) was changed, and the existing credentials were re-used:

Removing a FlashArray Connection

Sometimes removing a FlashArray connection is necessary. Follow these steps to remove the connection.

To remove a FlashArray connection, select the desired connection and click the Remove button.
Confirm the removal of the connection.
No existing storage will be affected, but the FlashArray represented by that connection can no longer be managed within the plugin unless it is re-authenticated.

Click Remove to complete the process.


User Accounts and Privileges

Certain vCenter privileges are required in order to authenticate Pure1 or one or more FlashArrays with the vSphere Plugin, and the accounts used to authenticate to Pure1 or a FlashArray need specific privileges of their own. Both sets of requirements are documented below.

Required vCenter Privileges

In order to add a FlashArray connection into the vSphere Plugin, the logged in user adding the connection must be assigned a role with the following privileges:

  • Global > 'Manage Custom Attributes'
  • Global > 'Set Custom Attribute'

Note this is just the privileges required for authenticating a FlashArray or Pure1 connection--this does not fulfill the requirements to use the plugin fully. Please refer to the individual feature documentation for required vCenter permissions.

Required Pure1 Privileges

Authentication with the Pure1 REST API is not username/password-based, as described above. The JWT used to authenticate the plugin is created from a private key whose associated public key is registered in Pure1 with either admin or read-only permissions. There are currently no features in the vSphere Plugin that require administrative access to the Pure1 REST API. This may change in the future as more active control is added to Pure1.
Required FlashArray Privileges

In order to use a FlashArray in the VMware environment, vSphere administrators must authenticate the vSphere Plugin with the desired FlashArray(s). Users can choose to create local FlashArray users or use LDAP-connected users. It is recommended to provision a dedicated account for plugin access to the FlashArray (sometimes referred to as a system account) that does not represent a specific person but rather a group or a purpose (for example, a user named vSpherePlugin).

For the process to create a new local account on the FlashArray, please refer to the FlashArray user guide for your version of Purity:

FlashArray User Guide

The vSphere Plugin supports a few permission levels for the registered user:

  • Array Admin--this gives the logged-in users access to all of the advertised features in the plugin. This level is supported but not recommended, as the plugin does not need this elevated permission set.
  • Storage Admin--this is the recommended level of permissions. Storage Admin provides users of the vSphere Plugin with all required permissions.
  • Read Only--if you want end-users to be able to view information about their storage environment (performance, data reduction, snapshots, capacity, etc.) you may provision a read-only user account. This blocks any storage changes (adding, changing or removing storage resources) through the plugin on the array(s) authenticated with this role.

Audit Trail

Currently, all logged in users of the vSphere Client will share the same permissions of a given FlashArray or Pure1--in other words--once you authenticate a FlashArray in the vSphere Plugin, all authenticated users in vSphere will share that authentication. All operations executed in the plugin against a FlashArray will appear as the same authenticated user account in the FlashArray audit trail.

As an example, if a FlashArray is added with the username of "vsphereplugin":

Then user cody@purecloud.com logs in:

And creates a VMFS snapshot:

1) Clicks the Create Snapshot button; 2) names the snapshot newSnapcody.

We see in the audit trail on the FlashArray:

The user is vsphereplugin.

Then user janice@purecloud.com logs in:

And creates a VMFS snapshot:

1) Clicks the Create Snapshot button; 2) names the snapshot newSnapjanice.

We see in the audit trail on the FlashArray:

The user is also vsphereplugin. Since all users share the same authentication it is recommended to not authenticate with an account that is assigned to a certain person, but instead a group or application account.