Skip to main content
Pure Technical Services

vSphere Plugin User Guide: Configuring Authentication

The Pure Storage Plugin for the vSphere Client (which will be shortened in this article to the vSphere Plugin) provides the ability to VMware users to have insight into and control of their Pure Storage FlashArray environment while directly logged into the vSphere Client. The Pure Storage plugin extends the vSphere Client interface to include environmental statistics and objects that underpin the VMware objects in use and to provision new resources as needed.

In order to use the plugin, it must be authenticated with the FlashArray(s) in-use in the vSphere environment. It is only necessary to authenticate the FlashArrays you would like to have insight to and/or manage. Each FlashArray must be individually authenticated though the same credentials can be used repeatedly if they are valid for more than one array.

Additionally, the vSphere Plugin can be authenticated with the Pure1 REST API. This is required for Pure1-related features in the plugin and can help assist in mass-registration of FlashArrays with the plugin. No provisioning workflows are blocked when Pure1 is not authenticated, though intelligent provisioning and other insights are disabled.

Network Requirements

To authenticate a Pure1 connection the following is required:

  • TCP Port 443 access to pure1.purestorage.com from vCenter
  • No network access is required from ESXi
  • Currently if a proxy is required to route to an external network, Pure1 connectivity is not supported.

To authenticate a FlashArray connection the following is required:

  • TCP Port 443 access to the virtual IP address (this can be virtual IP address 0 or 1) of the target FlashArray from vCenter
  • No network access is required from ESXi

Authenticating a Pure1 Connection

Authentication of the plugin with Pure1 is recommended, but not required. Authenticating Pure1 with the vSphere plugin allow for further insights and provisioning assistance, as well as mass-FlashArray authentication and, likely, in the future more features. So for these reasons, authentication is recommended.

Authentication is a significantly different than the standard "username and password"-based authentication to provide a more secure authentication mechanism to a public REST API endpoint (Pure1). Instead of asking for a username or password, Pure1 asks for what is called a JWT (a JSON Web Token) which is a fancy term for authentication information that has been partially encrypted using a RSA 256 private key. Pure1 has the public key which allows for the token to be decrypted which is then used to create a session token.

There is a variety of ways to do this, and the list below is not exhaustive. The overall process is as follows:

  1. Create a public/private key pair
  2. Add the public key to Pure1
  3. Copy the application ID
  4. Generate a JWT with the application ID and your private key
  5. Paste the JWT into the vSphere Client

Create Public Private Key Pair

OpenSSL

OpenSSL is probably the most common option for generating a RSA-based public/private key pair and is supported on a variety of platforms and comes natively with most Linux distributions.

https://www.openssl.org/

The instructions are consistent across OSes (the example below uses the native install of OpenSSL on Ubuntu).

Create the key pair. You might need sudo and optionally (not required but recommended) a password to protect it.

openssl genrsa -aes256 -out private.pem 2048

clipboard_ee6b3bdde49f659c1d2b03b02e2e2336b.png

Next extract the public key:

clipboard_edeac104d963e845f0ca79457b285a1ab.png

Copy the entire contents of the public key, public.pem, for use in the next step. (Include the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- lines.)

cat public.pem

clipboard_e524f9db394f98dca3de058f9a05aad1a.png

 

Windows Certificate Store

Public/private keys can come in the form of certificate in Windows-based systems. The simplest way to create a key pair is through the creation of a self-signed local certificate. This can be achieved through the Pure1 PowerShell module available through the PowerShell Gallery.

To install the module, open PowerShell and install the module from the PowerShell gallery:

install-module PureStorage.Pure1

clipboard_e4fde74dd51c551708d645111259251da.png

Next create a new certificate:

$cert= New-PureOneCertificate

Then extract the public key:

$publicKey = $cert |Get-PureOnePublicKey

The public key can then be copied out of the window.

clipboard_eda901879d8210a31e8b7fafc94f09d72.png

Copy the entire key, including the dashes and BEGIN PUBLIC KEY and END PUBLIC KEY:

clipboard_e723fa33af97aa31c656c1365e256d2f2.png

Add the Public Key to Pure1

Once you have a public key, it needs to be entered into the Pure1 web site to create an application ID. Login to pure1.purestorage.com as an admin. If you do not see the Administration section on the left-hand side, you are not logged in as an administrative user. If you are not, find your Pure1 admin and have them generate the token. If you do not know your admin, reach out to Pure Storage support.

clipboard_ef9a283818015c5be419250a5d505b157.png

Click on API Registrations the Register Application:

clipboard_ec8c6dff00924a7e62ed48df4d3ba92dc.png

Give the application a descriptive name and paste in the public key. This must start with -----BEGIN PUBLIC KEY----- and end with  -----END PUBLIC KEY-----. You may specify either the admin role or read only. As of the 4.3.x release of the vSphere Plugin, there is no need for administrative API access.

clipboard_ed6840e6a7610e61f8ac6cfcd336332a3.png

Click Upload to finish the process. Find the application ID and copy it, or have the admin provide it to you. It will start with pure1:apikey:

clipboard_ee37823a6fe84961b547dfd8017380cdd.png

 

Generating a JWT

Once you have an application ID you can create the JWT. A JWT can be generated in a myriad of ways below are the methods using Python or PowerShell

Generating a JWT with Python

The JWT can be generated with Python using the linked code snipped from GitHub:

pure1_token_factory.py

Upload this script to a host that has Python installed. You can optionally directly download the script via:

curl https://gist.githubusercontent.com/codyhosterman/697ebfd72c4f7f7276afc3b74e3b5e40/raw/fce3ec83467344dd4192e831cf53694e0bfc8f21/pure1_token_factory.py >> pure1_token_factory.py

Then install the requirements via pip, if pip is not installed, run:

sudo apt install python3-pip

Install the requirements (which are saved in a hosted requirements file):

pip3 install -r https://pure1-scripting.s3-us-west-1.amazonaws.com/requirements.txt

If you cannot download the requirements file, create it manually:

Then place the requirement.txt file with following contents:

PyJWT 
paramiko>=2.7.1 
requests 
cryptography 
six 

Then install the requirements:

pip3 install -r requirements.txt

Now pass in the private key (find your .pem file) to the script and application ID:

sudo python3 ./pure1_token_factory.py pure1:apikey:iRT5OwhslZVLWNGG private.pem

This will return the JWT. Copy the whole JWT.

clipboard_ee6e0941b4b3a07bd48f6c594b79cbe87.png

 

 

Generating a JWT with PowerShell

Once you have your application ID, take your previously created certificate and pass it into the New-PureOneJWT command. Retrieve your certificate via the following command:

$cert = Get-ChildItem -Path cert:\CurrentUser\My | Where-Object {$_.Subject -eq "CN=PureOneCert"}

If you have done this multiple times this will return more than one certificate, so you then need to specify the cert with $cert[0] or $cert[1] etc to identify the certificate that matches the application ID. If you have stored the certificate in a different path besides cert:\CurrentUser\My (personal certs) change the certificate path location.

Pass the cert into the New-PureOneJWT command:

The default JWT (created through the cmd below) allows the JWT to work for up to a year. You can change the expiration by passing in a specific expiration date into the New-PureOneJWT cmdlet with the parameter -expiration. 

$jwt = $cert |New-PureOneJwt -pureAppID pure1:apikey:aebVzb4k3Gq7oQE7

clipboard_ed88cad5130f083c23059a6f2506efc91.png

The JWT will be stored in $jwt. Copy the contents:

clipboard_ea6330f4b27151e111076daac13d47d4a.png

Adding a JWT to the vSphere Client

Login to the vSphere Client, click on the top menu and choose Pure Storage.

clipboard_e98e50b2e2ff759defcf2d21b900546e7.png

Click on the Authenticate with Pure1 button in the top right corner:

clipboard_ef37d8408180a75bef40513cf215d4f0e.png

Paste in the JWT into the box that appears:

clipboard_e3b99125fff81fedd026e1d482a13ec3f.png

Click Authenticate. This will authenticate into Pure1. You will then be able to see Pure1 features in the plugin, like tag display and the load meter chart:

clipboard_eca310ad57db4cf9b17c16ac933bf4c5d.png

 

Editing a Pure1 Connection

There is no difference to creating a new Pure1 connection and editing one. If you would like to change the JWT being used, follow the same process. The only minor difference is that the Authenticate with Pure1 button will now say Connected with Pure1. Click on that to upload a new JWT.

Removing a Pure1 Connection

There is no method to remove a specific JWT in the vSphere Plugin today. Though you can de-authenticate the public key that pairs with the private key used to generate it.

Login to Pure1.purestorage.com and click on API registration. Find the application you wish to de-authenticate. 

clipboard_e242af1b4af1351515b3625922c464b07.png

Navigate to the far right and click on the trashcan icon:

clipboard_e1816187eff93d0348e16fa5618d76fa0.png

Confirm the deletion. This will de-authenticate any integration using the correlated private key from authenticating (or any JWT that has been derived from it).

clipboard_e10407f3a9de564dbb91c3bd61f633c6f.png

Authenticating a FlashArray Connection

One or more FlashArrays can be added to the vSphere Plugin.

Adding a FlashArray Manually

To add a single FlashArray, login to the vSphere Client and click on the Menu drop-down and choose Pure Storage.

clipboard_ed786352f108ec40c9f36c5fec08def78.png

Click on the +Add button shown under the Pure Storage icon.

clipboard_ef0071cd2399fe166fefa7242461ae62e.png

Choose Add a Single Array:

clipboard_e5a0cee3578e36b9b558375dd86d6aaaa.png

Enter in:

  • Array name. This does not have to be the actual FlashArray's domain name, but it is recommended. This name is not verified--but should be descriptive either way.
  • Array URL. In the form of an IP address or fully-qualified domain name representing a FlashArray virtual address. FQDN is always preferred.
  • Username. A username of either a local user or a directory attached user.
  • Password. The corresponding password of selected user.

clipboard_ed3d40e3eaf2e8bd0856aa3d7f1e319d2.png

The virtual address can be verified from the array on Settings > Network > Subnets & Interfaces:

clipboard_e6eef0325e4b565dc0ceada35da8292db.png

FQDN can be verified with nslookup or similar tools:

clipboard_ebdf84a1db6911ac71a92702c744d44f4.png

Adding One or More FlashArrays through Pure1

For environments with many FlashArrays, or environments where you may not know the addresses of all FlashArray, an administrator can leverage the Pure1 Connection to register a fleet of FlashArrays at once.

Go to the Pure Storage Plugin home screen and click Add.

clipboard_e84f3cc31bab57ba321f65bc0bb8361ef.png

Click on the Import Arrays from Pure1 tab. The plugin will reach out to Pure1 and retrieve all FlashArray and Cloud Block Store arrays registered in the target Pure1 organization. The plugin will then:

  1. Pull all of the FlashArray or Cloud Block Storage VIR0 (virtual IP 0) addresses and the array names from the Pure1 REST API
  2. Attempt a DNS lookup for the FQDN. If there is no address found the IP will be used for the URL, if one is found it will use the FQDN
  3. Test network connectivity to the discovered FQDNs or IPs. If an array is not available on the network it will not be filtered out, but will be marked as offline.
  4. Filter arrays out that are already authenticated in the plugin

clipboard_e23b21150ed73647e329579dd28a83256.png

You then have the option to individually add credentials for each array or if they all share the same credentials, select the Use the same credentials for all arrays box. If that is selected you only have to enter in the credentials for the first array.

If you an array is marked with the following icon:

clipboard_e4bdb8ef384a9bc47c9663e456d572c7a.png

It means the array address is not reachable from vCenter.

Once you have added credentials, select the arrays that you would like to authenticate.

Note that if you choose the top "select all" box in the upper left of the table:

clipboard_e5db5633e3b6fc1bfc00a0696c77b5aca.png

It will only select all of the arrays on that particular page. You must click the next arrow and repeat to authenticate all discovered arrays. This ensures that the user confirms and verifies all selected arrays before completion.

clipboard_e9e504c70223675620660f0e5ae1a0f6a.png

When you have selected all of the desired arrays, click Add in the lower right hand corner.

clipboard_e18298a5e6bba3f678978edbff66c7193.png

The plugin will attempt to authenticate all arrays and will report all of the arrays that succeeded and any that failed:

clipboard_e36ddd8bb791ba31e66d468fc4050051e.png

If there are arrays with errors, hover over the information tooltip (circle with an exclamation mark) for more information.

clipboard_eec4e81b062023605e87762c3c9c67961.png

Click Done with finished.

Editing a FlashArray Connection

To edit a FlashArray connection, select the connection and click Edit.

clipboard_e5b6140a1af551fefdd2eb2a4881de46c.png

From here, you can alter the alias, the URL, the username, and/or the password. Enter your change(s) and click Submit. To make ANY change you do need to re-enter the username and password--this can be the existing credentials or new ones.

clipboard_ee2d2ff4a53a1b8efdb8f3c5eca55d11d.png

In the above case the array name (alias) was changed, and the existing credentials were re-used:

clipboard_e1f714e3783bb4af132e8f0a1de460c71.png

Removing a FlashArray Connection

To remove a FlashArray Connection, select the desired connection and click the Remove button:

clipboard_e6591d8b6a11b0bc3384fbbcea77618f6.png

Confirm the removal of the connection:

clipboard_e80404a1205c0a44723845bdc2bcab1d2.png

No existing storage will be affected, but the FlashArray represented by that connection can no longer be managed within the plugin unless it is re-authenticated.

Click Remove to complete the process.

User Accounts and Privileges

In order to authenticate either Pure1 or one or more FlashArrays to the vSphere Plugin certain vCenter privileges are required. In order to authenticate to Pure1 or a FlashArray specific privileges are required for the access accounts. These requirements are documented below.

Required vCenter Privileges

In order to add a FlashArray connection into the vSphere Plugin, the logged in user adding the connection must be assigned a role with the following privileges:

  • Global > 'Manage Custom Attributes'
  • Global > 'Set Custom Attribute'

clipboard_e61f68bacdb41e4658563b5afb1069213.png

Note this is just the privileges required for authenticating a FlashArray or Pure1 connection--this does not fulfill the requirements to use the plugin fully. Please refer to the individual feature documentation for required vCenter permissions.

Required Pure1 Privileges

When you authenticate with the Pure1 REST API it is not username/password-based, as described above. The JWT used to authenticate the plugin can be created from a private key that has an associated public key with either admin or read-only permissions. There are currently no features in the vSphere Plugin that requires administrative access to the Pure1 REST API. This may change in the future as more active control is added into Pure1.

clipboard_e2e4d5133095e23ec69f90540675c435c.png

Required FlashArray Privileges

In order to enable the use of a FlashArray in the VMware environment, vSphere administrators must authenticate the vSphere Plugin with the desired FlashArray(s). Users can choose to create local FlashArray users or use LDAP-connected users. It is recommended to provision a specific account for plugin access to the FlashArray (sometimes referred to as a system account) that doesn't necessarily reflect a specific person, but either a group or a use (username: vSpherePlugin for instance).

For the process to create a new local account on the FlashArray, please refer the the FlashArray user guide for your respective version of Purity:

FlashArray User Guide

The vSphere Plugin supports a few permission levels for the registered user:

  • Array Admin--this will provide the logged in users with access to all of the advertised features in the plugin. This is a supported level, but not recommended. This elevated permission set is not needed by the plugin.
  • Storage Admin--this is the recommend level of permissions. Storage admin level of permissions provides users of the vSphere Plugin with all required permissions.
  • Read Only--if you want end-users to be able to view information about their storage environment (performance, data reduction, snapshots, capacity information, etc) you may provision a read only user account. This will block the ability to make any storage changes (change, add, remove, storage resources) with the plugin on the array(s) authenticated with this level of role.

clipboard_e6cea23373214088e0c6995548a4d7f85.png

Audit Trail

Currently, all logged in users of the vSphere Client will share the same permissions of a given FlashArray or Pure1--in other words--once you authenticate a FlashArray in the vSphere Plugin, all authenticated users in vSphere will share that authentication. All operations executed in the plugin against a FlashArray will appear as the same authenticated user account in the FlashArray audit trail.

As an example, if a FlashArray is added with the username of "vsphereplugin":

clipboard_e05d4fe905a34b9f73829375a3badcf3f.png

Then user cody@purecloud.com logs in:

clipboard_eff96ec9699d674dcd9d47504f4d36272.png

And creates a VMFS snapshot:

1) Clicks Create Snapshot button 2) Calls the snapshot newSnapcody
clipboard_e9a8e9b6af2b965ba3e881ea3b1b9afbb.png clipboard_eb90b325cf2af66ce111e8b08b79e755e.png

We see in the audit trail on the FlashArray:

clipboard_e73cbe30650a887e19d0c5829115a437c.png

The user is vsphereplugin.

Then user janice@purecloud.com logs in:

clipboard_e4ed0e3179db305f4a1c43818b243080c.png

And creates a VMFS snapshot:

1) Clicks Create Snapshot button 2) Calls the snapshot newSnapjanice
clipboard_e931f4428bcaa99f5720906c910580ad1.png clipboard_e0fa8563f5eb657eedae6a833d3c07d4f.png

We see in the audit trail on the FlashArray:

clipboard_efba450908bdaf9718077a57bdb48ccab.png

The user is also vsphereplugin. Since all users share the same authentication it is recommended to not authenticate with an account that is assigned to a certain person, but instead a group or application account.

Video Demo: