Skip to main content
Contact Us
Register
Pure Technical Services

vRealize Orchestrator 8 User Guide: Authentication

  1. Last updated
  2. Save as PDF

Currently viewing public documentation. Please login to access the full scope of documentation.

The Pure Storage Plugin for vRealize Orchestrator provides a few things:

  1. Default workflows for running common tasks
  2. Discrete actions for assembling common functions together to create workflows
  3. JavaScript libraries to create very customized workflows 
  4. REST API libraries to make specific REST calls that are not included in the JavaScript libraries
  5. Integrated authentication
  6. Integrated and synchronized inventory of Pure Storage environments

To perform most tasks in the plugin, authentication needs to be configured first. The Pure Storage Plugin supports authentication via the following targets:

  • Pure1
  • FlashArray (or Cloud Block Store--authentication is the same)
  • FlashBlade

If you have many FlashArrays, FlashBlades, or Cloud Block Store instances, they can be be registered in an automated fashion via a Pure1 connection. For details on that process refer to the section on Fleet Registration towards the bottom of this page.

Network Requirements 

To authenticate a Pure1 connection the following is required:

  • TCP Port 443 access to pure1.purestorage.com from vRealize Orchestrator

To authenticate a FlashArray or Cloud Block Store connection the following is required:

  • TCP Port 443 access to the virtual IP address (this can be virtual IP address 0 or 1) of the target FlashArray from vRealize Orchestrator

To authenticate a FlashBlade connection the following is required:

  • TCP Port 443 access to the virtual IP address (this can be virtual IP address 0 or 1) of the target FlashBladey from vRealize Orchestrator
  • If you plan to generate a FlashBlade API token directly from vRO you will need TCP port 22 opened as well.

Authenticating with Pure1

Adding a Pure1 Connection

The 4.0.0 release of the Pure Storage Plugin for vRealize Orchestrator is similar in function in most ways to the previous release--3.5.x. The most significant enhancement is that it is directly built for vRealize Orchestrator 8.x (it does not support vRO version 7.x and earlier). Like the 3.5 release, the 4.x release offers the ability to authenticate with the Pure1 REST API which provides additional information about your fleet of storage as well as metrics and metadata not available directly from the arrays themselves. Pure1 authentication is not required, but recommended to fully take advantage of the plugin.

Generating a Key Pair

The Pure1 REST API uses RSA256 private/public key-based authentication. In order to authenticate an application with Pure1, a public key must be configured within Pure1 that corresponds to the private key configured within that application. There are a variety of mechanisms to do this, but the Pure Storage Plugin for vRealize Orchestrator (from now on will be shortened to "vRO Plugin") provides the ability to do this. You do not have to use this procedure, but this is the simplest in context to vRO.

To authenticate to Pure1, navigate to the workflow named Generate RSA Key under Library > Pure Storage > Connection Management > Pure1:

clipboard_e88a16738340613518348306ecfd8d515.png

 

Click the workflow and and click Run in the workflow panel:

clipboard_ed3a0e75dc1f5318a3a03749358aaff82.png

The only option in the workflow is to choose if the workflow outputs the private key as a secure string or as a regular string. If you plan on copying the key and storing it externally, deselect the box (most common). If you have included this workflow in a larger one, it is recommended to keep this as Yes (default) so that vRO passes the private key in a secure fashion.

clipboard_e92cece3489cbdf6928e55eee7d0fcba4.png

Choose your option and click Run. Under the Logs tab of the workflow run, select the value of the public key, it is the log line with -----BEGIN PUBLIC KEY-----:

clipboard_e1451ccdc4d5f2520dbd81fcb65eb7e1e.png

 

And copy it.

clipboard_ecf8a9ec90d4d14dce1ddd846e0feb32e.png

Do the same thing with the private key (privateKeyOutput) and store the key for later.

Adding a Public Key to Pure1

Login to Pure1 as an administrator. If you are not an administrator, provide the key to your admin and have them follow this section.

https://pure1.purestorage.com

On the left-hand side, click on API Registration under the Administration section. If you do not see this, you are not a Pure1 administrator.

clipboard_e1b5f807a902dbc9b3b38250c2234b7b4.png

Click on Register Application

clipboard_e30237aa20c52e031a3ca2f58319fde97.png

Give the application a name (something descriptive) and paste in the public key.

Now choose either Admin or Read Only. It is recommended to make the application admin (this will allow you to create tags from vRO) but not required. 

clipboard_e463788a0dc672a0679d028c35fb7cb40.png

Click Upload.

Now identify the key in the table and find the application ID (API key). Copy it and return to vRealize Orchestrator.

clipboard_e2fdaddb1d888a63b162298ee8c4055fc.png

Authenticating a Pure1 Connection

Find and select the workflow called Add Pure1 Organization under Library > Pure Storage > Connection Management Pure1.

clipboard_e0ff037ce63b5ccfda84679c177ba20d4.png

Click Run.

clipboard_ec0760309dafc40bf87c166c350398c76.png

Add a name for the organization (no spaces).

clipboard_e2562d7f85b7d6efb162034e44db9e897.png

There are two ways to authenticate Pure1. Either enter in a private key and the Pure1 application ID generated from its public key (from the process above) or you can paste in a JSON Web Token. A JSON Web Token (JWT) is generated from the application ID and the private key (instructions on creating a JWT can be found here).

The benefit of using a private key directly is that the connection is valid as long as the public key is still configured in Pure1. There is no set expiration. This is the simplest option as you also do not need to generate (or have someone generate) a JWT. The JWT option is better for organizations with stricter access control. A JWT can have an expiration and therefore an admin provisioning authentication to vRO can provide a JWT that is good for 3 months (for example). Once it expires they will need request a new JWT. The benefit to that is stricter control. The downside is that you must monitor your expiration and replace it as needed.

To enter in a private key keep the option deselected. To enter a JWT, select the box. vRealize Orchestrator also requires the Pure1 certificate be added. Either select the "accept certificate box" or wait and the workflow will ask you to verify the certificate interactively.

clipboard_ea808b883eae2dc256fdbc1af6c3c250d.png

Click the App ID Based tab.

clipboard_ede3bba91fe893061c5537a8e646ca1ba.png

Paste in your private key and you application ID, or a JWT, depending on the previously selected method.

clipboard_e243c3094f895db252318ede067a5ac22.png

Click Run.

Once complete:

clipboard_ef8bbab59d0a577ca44e2b099086f97f0.png

This will add the Pure1 organization to the inventory:

clipboard_ed3f15bd74740a1247e0c82926d13989d.png

You may add more than one organization, but a given organization can only be added once.

Note that existing FlashArray, FlashBlade, or Cloud Block Store connections will not be moved into a Pure1 organization if it was registered before its corresponding Pure1 organization was. Also if an array is moved to a new organization by Pure Storage support, vRO will not automatically respond and move the connection. To move a connection into the correct Pure1 organization once the Pure1 has been authenticated, run the Update FlashArray Connection or Update FlashBlade Connection and it will automatically be placed in the correct organization.

Permission Requirements of a Pure1 Connection

There are two levels of permissions needed for Pure1 authentication. First, there needs to be a user with Pure1 login credentials who is an administrator in your Pure1 organization. If you are unsure who your administrator is, contact Pure Storage Support. Once the administrator logs in, they should see the Administration section on the lower-left of the Pure1 screen. If they do not, they are not an admin.

clipboard_e3d1cf896c91358cf77e338090b4a484b.png

Having an admin level REST application ID does not provide this ability--this is separate from a Pure1 login administrator and has less privileges. Once logged in, an administrator creates an application ID with a certain level of permissions--as of the writing of this document it is either Admin or Read Only.

clipboard_ee5f25c6e0f48b3566a60a91376f2aa3d.png

Today there is not a significant difference between the two levels. An admin application ID can create, delete or edit tags plus everything else in the REST API. A read only user cannot create, edit, or delete tags, only read them. In short, a read only application ID cannot do anything besides authenticate and run GET-type REST operations as described in the Pure1 REST API Swagger:

https://static.pure1.purestorage.com/api-swagger/index.html

The vRO Plugin has workflows to tag arrays in Pure1, so to use that functionality it is recommended to generate application IDs with administrative permissions--but it is only needed if you plan to orchestrate tagging through vRO.

Updating a Pure1 Connection

To update a Pure1 Connection navigate to the workflow inventory within vRO, and under Library > Pure Storage > Connection Management Pure1 find and run the Update Pure1 Organization workflow.

clipboard_ee586b1b31cdd61f951bb88515314e926.png

Select it and click Run.

clipboard_edcb1de397859a6ab145616d9770ac272.png

Choose the Pure1 organization you would like to change.

clipboard_edf67e279cae36eb3e68e75eb13e69f31.png

From here, enter in the changes you would like to make (rename, changing private key/application ID, update JWT, or switch from one authentication option to the other).

clipboard_e4b17829b4c2ba37bc329751f52132890.png

Click Run.

Removing a Pure1 Connection

To remove an authenticated Pure1 organization, there is a workflow called Remove Pure1 Organization under Library Pure Storage > Connection Management > Pure1 

clipboard_ee146de98d669e6ec1d35edd8a0d6378b.png

From here, choose the workflow and click Run.

clipboard_e3c82ffbe997ccbea30942bdd6629ea64.png

Click in the entry box to selecte the Pure1 organization to be removed

clipboard_ef6d47b53cb6fec21035345485ac09086.png

Then click Run.

clipboard_e1e9ee57c90adf7830b11aa4e6242addc.png

If the workflow finds any remaining FlashArray, Cloud Block Store, or FlashBlade connections it will ask for additional input after the workflow has began. Click Answer.

clipboard_e4f77107a1f9b3b97f35d40d1f4451614.png

This will ask if you want all identified connections to also be removed. The default is No (deselected). If you choose No the connections will be moved to the Uncategorized organization. If you choose Yes (selected) they will be removed entirely.

clipboard_eedc6dfcbefc1daf5f6b9cd9fc6e13c02.png

Click Answer.

Automated Fleet Authentication via Pure1

If you have more than one array, the vRO plugin offers an automated way to authenticate all of your arrays. Once you have authenticated a Pure1 organization, there is a workflow called Register FlashArrays from Pure1 under Library > Pure Storage > Connection Management > Pure1 

clipboard_e91c70f344e6a86dde02dd54eda6aedbc.png

Select the workflow named Register Arrays from Pure1 and click Run.

clipboard_eb04a5be766ef30a1f6162ac8ac95be91.png

 

There are a few required inputs:

clipboard_ec8bded103f40ded798bc07d53a8ef664.png

Pure1 Connection. Specify the Pure1 organization from which you would like to register the arrays. Click in the empty box and choose the correct organization and click Select. Use same credentials? If one set of credentials is valid for all targets, you can specify them here. If not, choose No and it will not require credentials. They can be added one at a time during the workflow Resolve IPs? Pure1 (currently) does not offer the FQDN of arrays, only the IP. The vRO workflow will attempt to do a DNS lookup of the IPs and use the identified FQDN. If the lookup fails, it will use the IP. If you would like it to skip arrays that it cannot resolve, choose No.
clipboard_e73411f2710ec4c791022a8f2ae9844dd.png clipboard_e6e6c43f1c1d68f4a134ad73351a7a169.png clipboard_e031b49327ffbddf04080267d5619f925.png

There is another option that asks if you want to import certificates automatically. Select this to do so, or leave it deselected to confirm each certificate one-by-one interactively.

When ready click Run.

clipboard_eed7638bfbd16785d053abbb2c8d08761.png

If you have chosen to specify credentials one at a time, or the credentials are wrong, it will prompt for credentials for arrays that the credentials are not valid for. You will see the workflow is waiting for input by the person icon next to the workflow run:

clipboard_e5737e65d0da377d0c4d5705dd037d8c1.png

Click Answer to enter the correct credentials.

 

Enter the credentials and click Submit.

clipboard_ee3c9565c3100445e901df73d3b33b45c.png

You can choose to skip an array by selecting the box to skip it and register it later.

clipboard_ee49aaf905b13a1dba95d6bc7a4539cf1.png

Once done, all of the arrays in that organization will be authenticated and added to the Pure1 organization in the vRO inventory.

clipboard_ec152f2dec8e66c486051fe58eefb353c.png

There are a few points to make about this workflow:

  1. This is only supported for FlashArray and Cloud Block Store. FlashBlades will be skipped. Inclusion of FlashBlades will come in a future release.
  2. Arrays that cannot be reached on the network will be skipped.
  3. Arrays that are already registered will be skipped.
  4. There is no option to choose a REST version--it will automatically choose the latest available 1.x release of REST on that target (REST 2.x is not yet supported).

 

 

 

 

Authenticating with a FlashArray or Cloud Block Store

Adding a FlashArray Connection

If you do not have access to Pure1, or you want to customize the FlashArray connections as added, you can manually authenticate each FlashArray or Cloud Block Store storage platform. To do so, navigate to the Import FlashArray certificate from URL workflow under Library > Pure Storage > FlashArray Connection Management.

clipboard_ea87e2188b038f7e8df6a16f69f39d3fc.png

Select the workflow and choose Run:

clipboard_e924dd0b8c61c68e58f521997c627697e.png

Enter in the FQDN of the FlashArray/Cloud Block Store management address and  choose whether or not to accept an untrusted certificate. Click Run.

clipboard_ef243684ed8c0516b893eedd53ab59081.png

Now click on the workflow Add FlashArray Connection

clipboard_e7c22c54c2aeba3ce87ec055475b326d7.png

and choose Run:

clipboard_e2012a39aee5ffa8fd3e71554d565bf10.png

Enter in the following pieces of information:

  • Name. This is a friendly name and can be anything.
  • IP/FQDN. Enter in whatever you entered when adding the certificate.
  • REST API version. If you have added the certificate, the workflow will pull all available REST API versions and will choose the latest available on on that array. If this list does not show up (make sure autopopulate is set to yes), it means either the certificate was not loaded, or the IP/FQDN was entered incorrectly. Click on the box to choose a REST version. 
  • Credentials. Enter in a user name and password.

clipboard_ea49f51907f04eb422c60c40dc2646f45.png

 

The vRO Plugin does not yet support REST API version 2.x on the FlashArray so those versions are filtered out. Support for that will be in a future release.

clipboard_e95d460e4c4a11d7019e78d198c8f7e6c.png

Click Run to add the connection.

clipboard_e270839b7ff7ccf5dbbf9b274ad127b65.png

Once added it will appear in the vRO inventory. Navigate to the inventory pane, then click on Pure Storage. A FlashArray/Cloud Block Store will be added to the Pure1 organization owning it if the Pure1 organization is authenticated in vRO. If it is not, it will be added to the default group called Uncategorized. Both FlashArrays and Cloud Block Storage connections will appear under the FlashArray Connection folder.

clipboard_e99cf4f2ec7a3bb2f6ae29f04e498e06a.png

 

Permission Requirements of a FlashArray Connection

A FlashArray or Cloud Block Store supports a variety of permission levels:

clipboard_ec42c4891571881aa11eb2c1278d051e3.png

While vRO does not require a certain level, the higher level credentials you provide, the more you can do with the plugin. If you plan on orchestrating array configuration or pod creation/management, you will need array admin permissions. If you plan to only configure and provision storage, storage admin will suffice.

It is recommended, however, to create a local service account (or through LDAP/active directory) to authenticate the plugin.

Updating a FlashArray Connection

 To update a connection, navigate to the Update FlashArray Connection workflow under Library Pure Storage > FlashArray Connection Management.

clipboard_e4f8dfb8f66080076e29758196e61ef67.png

Select Update FlashArray Connection and click Run.

clipboard_e791f93f22e964d16bbe6c5bbf4fe6511.png

Click the empty connection box to open the inventory navigator to choose the connection to be updated.

clipboard_ea6626b0a24d07461f9d69694fa1ed73d.png

Check the box for the corresponding connection and click the Select button.

clipboard_e1425c340bcc6dbae0717507a30b34b54.png

Click the Update FlashArray Connection Properties tab.

Update the credentials, name, FQDN, REST version as needed. No matter what, you must re-enter valid credentials to complete any change.

clipboard_e16642b876dc7a246ff14b63c70417dac.png

Click Run to execute the change.

Running an update connection on a connection will also ensure the array is in the right Pure1 organization. So if it is currently in the Uncategorized organization because its owning organization was not yet registered in vRO, but is subsequently, when the update connection workflow is run, the connection will be moved to the right organization.

 

Removing a FlashArray Connection

To remove a FlashArray or Cloud Block Store connection one at a time, go to the workflow inventory, and select the workflow called Remove FlashArray Connection under Library > Pure Storage > Connection Management > FlashArray

To remove all FlashArray or Cloud Block Store connections within a specific Pure1 connection, you can remove the Pure1 connection and opt to also remove all children connections.

clipboard_e19be012aa5768d5803bf26767bf7d3f2.png

Choose the workflow and click Run.

clipboard_ef714aaea260322d4e4d4151e2b7301a6.png

Click in the connection box to open the object navigator and choose the connection you want to remove.

clipboard_e5bbcb9860613fa570dde5fd8bda3bd77.png

Confirm the array and click Run to remove it.

clipboard_ec8cffc27d21c2533f8e9dd8d968d78d4.png

This completes the process to remove the connection.

Authenticating with a FlashBlade

Adding a FlashBlade Connection

Authentication with a FlashBlade uses an API token which can be generated or pulled via a user name and password. The API token cannot be retrieved through the API--only through SSH to the FlashBlade. The vRO Plugin has the ability to do this, but it means that port 22 TCP to the FlashBlade must be open from the vRO appliance in addition to port 443 TCP for the REST connection.

Retrieve a FlashBlade API Token

If you do not have a FlashBlade API token, but you do have a username and password to the FlashBlade, you can either login to the FlashBlade via SSH directly and retrieve it, or you can use the vRO Plugin to do so. To generate (or retrieve) an API token, run the workflow called Create FlashBlade Token under Library > Pure Storage > Connection Management > FlashBlade.

clipboard_e518533a535c0d070d8df3175a11c211b.png

Click it and choose Run:

clipboard_e69de3e6b19d0bf7077138df09315d60e.png

Enter in the FlashBlade IP or FQDN and valid credentials.

clipboard_e6c8b15dcc5fb24ea3eda7eef449210a6.png

Click Submit. This will either retrieve the token for that user or create a new one and return it. You can go into the logs and copy the token from the log line showing the token:

clipboard_ec00c25f56c931118e6f2e5518eb7d4ef.png

Copy it. If you want to programmatically pass it to another workflow, it is stored in the variable apiToken as a secure string:

clipboard_e97d938c73e593c901317fb88662466b9.png

Import the FlashBlade Certificate

Before adding a FlashBlade, you must import its certificate. To do so, navigate to the workflow Import FlashBlade certificate from URL under Library Pure Storage > Connection Management FlashBlade.

clipboard_e6e32c75c0719c1b7d44a4fa81b4dee9e.png

Select the workflow and choose Run:

clipboard_e6c487655e13e8d86534713dc6772f539.png

Enter in the FQDN of the FlashBlade management address and choose whether or not to accept an untrusted certificate.

clipboard_e8d32e9c0bc37a2893f658227147800dc.png

Click Run.

Authenticate a FlashBlade

To authenticate a FlashBlade, run the workflow called Add FlashBlade Connection under Library Pure Storage > Connection Management FlashBlade.

clipboard_e85c04c8249293d7bb25bac88c99d4f5c.png

Select the workflow and choose Run:

clipboard_e1f93fb97ee16157397f82ffce3a49bfb.png

Enter in the following pieces of information:

  • Name. This is a friendly name and can be anything.
  • IP/FQDN. Enter in whatever you entered when adding the certificate.
  • REST API version. If you have added the certificate, the workflow will pull all available REST API versions and will choose the latest available on on that array. If this list does not show up (make sure autopopulate is set to yes), it means either the certificate was not loaded, or the IP/FQDN was entered incorrectly.
  • API token. Enter in an API token.

clipboard_e39d2dc52a2a3e9872d81a5cf29c79e87.png

Add the API token:

clipboard_e53ecfc3843f99e85272ac92cd18575ad.png

Click Run to add the connection.

If a Pure1 organization that owns that FlashBlade is registered, it will be added to it automatically. If not, it will be added the the Uncategorized organization:

clipboard_e826401b3fe734d29ee0d1b2230c3a135.png

To move the FlashBlade into a correct organization at a later time once that Pure1 organization has been added, run the Update FlashBlade Connection workflow and it will be automatically placed in the right organization.

 

Permission Requirements of a FlashBlade Connection

A FlashBlade supports a variety of permission levels:

clipboard_e343de99a01f9c344659c4a17b99f5430.png

While vRO does not require a certain level, the higher level credentials you provide, the more you can do with the plugin. If you plan on orchestrating array configuration, you will need array admin permissions. If you plan to only configure and provision storage, storage admin will suffice.

Updating a FlashBlade Connection

To update a FlashBlade connection, run the workflow called Update FlashBlade Connection under Library Pure Storage > Connection Management FlashBlade.

clipboard_e503182a35723cf5e91006a355df6c64a.png

Select the workflow and choose Run:

clipboard_e85c4f2f6f46527cee276b8bf38cbb903.png

In the FlashBlade Connection input, click in empty box to open the inventory navigator to select the FlashBlade.

clipboard_e224ae4a8325c184c61c380c5be07b60c.png

Find the FlashBlade connection and check the corresponding box to select it. Click Select. Now, update the FQDN, REST version, API token, or name. You do not need to re-enter the API token to change the name.

clipboard_ef6c7f998da307a2335027585d0ee7a9d.png

Click Submit to make the change.

Running an update connection on a connection will also ensure the array is in the right Pure1 organization. So if it is currently in the Uncategorized organization because its owning organization was not yet registered in vRO, but is subsequently, when the update connection workflow is run, the connection will be moved to the right organization.

Removing a FlashBlade Connection

To remove a FlashBlade connection, run the workflow called Remove FlashBlade Connection under Library Pure Storage > Connection Management FlashBlade.

clipboard_e8a5ec39af0ca869a86db7886c176fa7d.png

Select the workflow and choose Run:

To remove all FlashBlade connections within a specific Pure1 connection, you can remove the Pure1 connection and opt to also remove all children connections.

In the FlashBlade Connection input, click in empty box to open the inventory navigator to select the FlashBlade.

clipboard_e224ae4a8325c184c61c380c5be07b60c.png

Click Select. Then click Run to remove the connection.

clipboard_ed95972ef731df14df58c6512964af32a.png

This completes the process to remove the connection.