Vcenter Unable to Authenticate Please Try Again

vSphere Plugin User Guide: Configuring Authentication

The Pure Storage Plugin for the vSphere Client (which will be shortened in this article to the vSphere Plugin) provides the ability for VMware users to have insight into and control of their Pure Storage FlashArray environment while directly logged into the vSphere Client. The Pure Storage plugin extends the vSphere Client interface to include environmental statistics and objects that underpin the VMware objects in use and to provision new resources as needed.

In order to use the plugin, it must be authenticated with the FlashArray(s) in use in the vSphere environment. It is only necessary to authenticate the FlashArrays you would like to have insight into and/or manage. Each FlashArray must be individually authenticated, though the same credentials can be used repeatedly if they are valid for more than one array.

Additionally, the vSphere Plugin can be authenticated with the Pure1 REST API. This is required for Pure1-related features in the plugin and can assist in mass registration of FlashArrays with the plugin. No provisioning workflows are blocked when Pure1 is not authenticated, though intelligent provisioning and other insights are disabled.

Network Requirements

To authenticate a Pure1 connection the following is required:

  • TCP Port 443 access to pure1.purestorage.com from vCenter
  • No network access is required from ESXi
  • Currently, if a proxy is required to route to an external network, Pure1 connectivity is not supported.

To authenticate a FlashArray connection the following is required:

  • TCP Port 443 access to the virtual IP address (this can be virtual IP address 0 or 1) of the target FlashArray from vCenter
  • No network access is required from ESXi

Authenticating a Pure1 Connection

Authentication of the plugin with Pure1 is recommended, but not required. Authenticating Pure1 with the vSphere plugin allows for further insights and provisioning help, as well as mass FlashArray authentication and, likely, more features in the future. For these reasons, authentication is recommended.

Authentication is significantly different from the standard "username and password"-based authentication, in order to provide a more secure authentication mechanism to a public REST API endpoint (Pure1). Instead of asking for a username or password, Pure1 asks for what is called a JWT (a JSON Web Token), which is authentication data that has been signed with an RSA private key (the RS256 algorithm, an RSA signature over a SHA-256 hash). The token body is only encoded, not encrypted. Pure1 has the public key, which allows the token's signature to be verified; the verified token is then used to create a session token.

There are a variety of ways to do this, and the list below is not exhaustive. The overall process is as follows:

  1. Create a public/private key pair
  2. Add the public key to Pure1
  3. Copy the application ID
  4. Generate a JWT with the application ID and your private key
  5. Paste the JWT into the vSphere Client

Create Certificate

PowerShell--Linux/MacOS

First ensure that you have at least the 1.2.0.0 release of the Pure1 PowerShell Module installed. Instructions to install PowerShell on Linux/MacOS here.

For PowerShell-based management, there is a PowerShell Gallery hosted module called PureStorage.Pure1. For more information (or to open bugs or feature requests) on the PowerShell Module, see here:

https://github.com/PureStorage-OpenConnect/PureStorage.Pure1

Create a new key pair and enter a password when prompted.

New-PureOneCertificate

Then retrieve the public key (enter the private key password):

Get-PureOnePublicKey

Now copy that key:

PowerShell--Windows

Public/private keys can come in the form of a certificate in Windows-based systems. The simplest way to create a key pair is through the creation of a self-signed local certificate. This can be achieved through the Pure1 PowerShell module available through the PowerShell Gallery.

To install the module, open PowerShell and install the module from the PowerShell gallery:

install-module PureStorage.Pure1

Next create a new certificate and return the public key:

New-PureOneCertificate | Get-PureOnePublicKey

Copy the entire key, including the dashes and BEGIN PUBLIC KEY and END PUBLIC KEY:

Add the Public Key to Pure1

Once you have a public key, it needs to be entered into the Pure1 web site to create an application ID. Log in to pure1.purestorage.com as an admin. If you do not see the Administration section on the left-hand side, you are not logged in as an administrative user. If you are not, find your Pure1 admin and have them generate the token. If you do not know your admin, reach out to Pure Storage support.

Click on API Registrations then Register Application:

Give the application a descriptive name and paste in the public key. This must start with -----BEGIN PUBLIC KEY----- and end with -----END PUBLIC KEY-----. You may specify either the admin role or read only. As of the 4.3.x release of the vSphere Plugin, there is no need for administrative API access.

Click Upload to finish the process. Find the application ID and copy it, or have the admin provide it to you. It will start with pure1:apikey:

Generating a JWT

Once you have an application ID you can create the JWT. A JWT can be generated in a myriad of ways; below are the methods using Python or PowerShell.

Generating a JWT with Python

The JWT can be generated with Python using the linked code snippet from GitHub:

pure1_token_factory.py

Upload this script to a host that has Python installed. You can optionally directly download the script via:

curl https://gist.githubusercontent.com/codyhosterman/697ebfd72c4f7f7276afc3b74e3b5e40/raw/fce3ec83467344dd4192e831cf53694e0bfc8f21/pure1_token_factory.py >> pure1_token_factory.py                  

Then install the requirements via pip. If pip is not installed, run:

sudo apt install python3-pip                  

Install the requirements (which are saved in a hosted requirements file):

pip3 install -r https://pure1-scripting.s3-us-west-1.amazonaws.com/requirements.txt

If you cannot download the requirements file, create it manually. Create a requirements.txt file with the following contents:

PyJWT
paramiko>=2.7.1
requests
cryptography
six

Then install the requirements:

pip3 install -r requirements.txt

Now pass the application ID and the private key (find your .pem file) to the script:

sudo python3 ./pure1_token_factory.py pure1:apikey:iRT5OwhslZVLWNGG private.pem                  

This will return the JWT. Copy the whole JWT.
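Before pasting a generated token into the vSphere Client, its header and claims can be checked locally. The following is an added example, not part of the original guide or of Pure Storage's script: it decodes the token without verifying the signature and flags a wrong algorithm, an issuer that is not a pure1:apikey: application ID, or an expired token. The iss and exp claim names and the sample token are assumptions constructed for illustration.

```python
import base64
import json
import time

APP_ID_PREFIX = "pure1:apikey:"  # application ID prefix stated on this page


def b64url_decode(segment):
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def inspect_pure1_jwt(token, now=None):
    """Decode a JWT WITHOUT verifying it; list problems visible without a key."""
    now = time.time() if now is None else now
    report = {"issuer": None, "seconds_left": None, "problems": []}
    parts = token.strip().split(".")
    if len(parts) != 3 or not all(parts):
        report["problems"].append("expected three non-empty dot-separated segments")
        return report
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        b64url_decode(parts[2])
    except ValueError:
        report["problems"].append("segments are not valid base64url/JSON")
        return report
    if not isinstance(header, dict) or not isinstance(claims, dict):
        report["problems"].append("header and payload must be JSON objects")
        return report
    if header.get("alg") != "RS256":
        report["problems"].append("alg is %r, expected RS256" % header.get("alg"))
    issuer = claims.get("iss")  # assumption: application ID is carried in "iss"
    report["issuer"] = issuer
    if not isinstance(issuer, str) or not issuer.startswith(APP_ID_PREFIX):
        report["problems"].append("iss is not a pure1:apikey: application ID")
    exp = claims.get("exp")  # assumption: expiry is a Unix timestamp in "exp"
    if not isinstance(exp, (int, float)):
        report["problems"].append("exp claim missing or not numeric")
    else:
        report["seconds_left"] = int(exp - now)
        if exp <= now:
            report["problems"].append("token expired")
    return report


def make_sample_token(claims, alg="RS256"):
    # Constructed sample: the third segment is filler bytes, not a real signature.
    header = {"alg": alg, "typ": "JWT"}
    body = [json.dumps(header).encode(), json.dumps(claims).encode(), b"\x00" * 256]
    return ".".join(b64url_encode(part) for part in body)


if __name__ == "__main__":
    sample = make_sample_token(
        {"iss": "pure1:apikey:EXAMPLEAPPID0000", "iat": 1700000000, "exp": 1700003600})
    print(inspect_pure1_jwt(sample, now=1700000000))
```

The decoded values are unauthenticated until Pure1 verifies the signature. The token itself is a credential, so run checks like this locally rather than pasting it into an online decoder.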

Generating a JWT with PowerShell

Linux/MacOS

Once you have your application ID, take your previously created private key and pass both into the New-PureOneJWT command. Enter the private key password in the operation or interactively (as shown below):

New-PureOneJwt -pureAppID pure1:apikey:aebVzb4k3Gq7oQE7                    

Windows

Once you have your application ID, pass it into the New-PureOneJWT command:

Adding a JWT to the vSphere Client

Log in to the vSphere Client, click on the top menu and choose Pure Storage.

Click on the Authenticate with Pure1 button in the top right corner:

Paste the JWT into the box that appears:

Click Authenticate. This will authenticate into Pure1. You will then be able to see Pure1 features in the plugin, like tag display and the load meter chart:

Editing a Pure1 Connection

There is no difference between creating a new Pure1 connection and editing one. If you would like to change the JWT being used, follow the same process. The only minor difference is that the Authenticate with Pure1 button will now say Connected with Pure1. Click on that to upload a new JWT.

Removing a Pure1 Connection

There is no method to remove a specific JWT in the vSphere Plugin today, though you can de-authorize the public key that pairs with the private key used to generate it.

Log in to Pure1.purestorage.com and click on API registration. Find the application you wish to de-authorize.

Navigate to the far right and click on the trashcan icon:

Confirm the deletion. This will de-authorize any integration using the correlated private key from authenticating (or any JWT that has been derived from it).

Authenticating a FlashArray Connection

One or more FlashArrays can be added to the vSphere Plugin.

Adding a FlashArray Manually

To add a single FlashArray, log in to the vSphere Client, click on the Menu drop-down and choose Pure Storage.

Click on the +Add button shown under the Pure Storage icon.

Choose Add a Single Array:

Enter in:

  • Array name. This does not have to be the actual FlashArray's domain name, but it is recommended. This name is not verified, but should be descriptive either way.
  • Array URL. In the form of an IP address or fully-qualified domain name representing a FlashArray virtual address. FQDN is always preferred.
  • Username. A username of either a local user or a directory attached user.
  • Password. The corresponding password of the selected user.

The virtual address can be verified from the array on Settings > Network > Subnets & Interfaces:

FQDN can be verified with nslookup or similar tools:

Adding One or More FlashArrays through Pure1

For environments with many FlashArrays, or environments where you may not know the addresses of all FlashArrays, an administrator can leverage the Pure1 connection to register a fleet of FlashArrays at once.

Go to the Pure Storage Plugin home screen and click Add.

Click on the Import Arrays from Pure1 tab. The plugin will reach out to Pure1 and retrieve all FlashArray and Cloud Block Store arrays registered in the target Pure1 system. The plugin will then:

  1. Pull all of the FlashArray or Cloud Block Store VIR0 (virtual IP 0) addresses and the array names from the Pure1 REST API
  2. Attempt a DNS lookup for the FQDN. If there is no address found the IP will be used for the URL; if one is found it will use the FQDN
  3. Test network connectivity to the discovered FQDNs or IPs. If an array is not available on the network it will not be filtered out, but will be marked as offline.
  4. Filter arrays out that are already authenticated in the plugin

You then have the option to individually add credentials for each array or, if they all share the same credentials, select the Use the same credentials for all arrays box. If that is selected you only have to enter the credentials for the first array.

If an array is marked with the following icon:

It means the array address is not reachable from vCenter.

Once you have added credentials, select the arrays that you would like to authenticate.

Note that if you choose the top "select all" box in the upper left of the table:

It will only select all of the arrays on that particular page. You must click the next arrow and repeat to authenticate all discovered arrays. This ensures that the user confirms and verifies all selected arrays before completion.

When you have selected all of the desired arrays, click Add in the lower right hand corner.

The plugin will attempt to authenticate all arrays and will report all of the arrays that succeeded and any that failed:

If there are arrays with errors, hover over the information tooltip (circle with an exclamation mark) for more information.

Click Done when finished.

Editing a FlashArray Connection

To edit a FlashArray connection, select the connection and click Edit.

From here, you can change the alias, the URL, the username, and/or the password. Enter your change(s) and click Submit. To make ANY change you do need to re-enter the username and password--this can be the existing credentials or new ones.

In the above example the array name (alias) was changed, and the existing credentials were re-used:

Removing a FlashArray Connection

To remove a FlashArray Connection, select the desired connection and click the Remove button:

Confirm the removal of the connection:

No existing storage will be affected, but the FlashArray represented by that connection can no longer be managed within the plugin unless it is re-authenticated.

Click Remove to complete the process.

User Accounts and Privileges

In order to authenticate either Pure1 or one or more FlashArrays to the vSphere Plugin, certain vCenter privileges are required. In order to authenticate to Pure1 or a FlashArray, specific privileges are required for the access accounts. These requirements are documented below.

Required vCenter Privileges

In order to add a FlashArray connection into the vSphere Plugin, the logged in user adding the connection must be assigned a role with the following privileges:

  • Global > 'Manage Custom Attributes'
  • Global > 'Set Custom Attribute'

Note these are only the privileges required for authenticating a FlashArray or Pure1 connection--this does not fulfill the requirements to use the plugin fully. Please refer to the individual feature documentation for required vCenter permissions.

Required Pure1 Privileges

When you authenticate with the Pure1 REST API it is not username/password-based, as described above. The JWT used to authenticate the plugin can be created from a private key that has an associated public key with either admin or read-only permissions. There are currently no features in the vSphere Plugin that require administrative access to the Pure1 REST API. This may change in the future as more active control is added into Pure1.

Required FlashArray Privileges

In order to enable the use of a FlashArray in the VMware environment, vSphere administrators must authenticate the vSphere Plugin with the desired FlashArray(s). Users can choose to create local FlashArray users or use LDAP-connected users. It is recommended to provision a specific account for plugin access to the FlashArray (sometimes referred to as a system account) that doesn't necessarily reflect a specific person, but either a group or a use (username: vSpherePlugin for instance).

For the procedure to create a new local account on the FlashArray, please refer to the FlashArray user guide for your respective version of Purity:

FlashArray User Guide

The vSphere Plugin supports a few permission levels for the registered user:

  • Array Admin--this will provide the logged in users with access to all of the advertised features in the plugin. This is a supported level, but not recommended. This elevated permission set is not needed by the plugin.
  • Storage Admin--this is the recommended level of permissions. Storage admin level of permissions provides users of the vSphere Plugin with all required permissions.
  • Read Only--if you want end-users to be able to view data about their storage environment (performance, data reduction, snapshots, capacity information, etc) you may provision a read only user account. This will block the ability to make any storage changes (change, add, remove, storage resource) with the plugin on the array(s) authenticated with this level of role.

Audit Trail

Currently, all logged in users of the vSphere Client will share the same permissions of a given FlashArray or Pure1--in other words--once you authenticate a FlashArray in the vSphere Plugin, all authenticated users in vSphere will share that authentication. All operations executed in the plugin against a FlashArray will appear as the same authenticated user account in the FlashArray audit trail.

As an example, if a FlashArray is added with the username of "vsphereplugin":

Then user cody@purecloud.com logs in:

And creates a VMFS snapshot:

We see in the audit trail on the FlashArray:

The user is vsphereplugin.

Then user janice@purecloud.com logs in:

And creates a VMFS snapshot:

We see in the audit trail on the FlashArray:

The user is also vsphereplugin. Since all users share the same authentication it is recommended to not authenticate with an account that is assigned to a certain person, but instead a group or application account.

Source: https://support.purestorage.com/Solutions/VMware_Platform_Guide/User_Guides_for_VMware_Solutions/Using_the_Pure_Storage_Plugin_for_the_vSphere_Client/vSphere_Plugin:_Configuring_FlashArray_Connections
