Vcenter Unable to Authenticate Please Try Again

vSphere Plugin User Guide: Configuring Authentication

The Pure Storage Plugin for the vSphere Client (which will be shortened in this article to the vSphere Plugin) gives VMware users insight into and control of their Pure Storage FlashArray environment while directly logged into the vSphere Client. The Pure Storage plugin extends the vSphere Client interface to include environmental statistics and objects that underpin the VMware objects in use and to provision new resources as needed.

In order to use the plugin, it must be authenticated with the FlashArray(s) in use in the vSphere environment. It is only necessary to authenticate the FlashArrays you would like to have insight into and/or manage. Each FlashArray must be individually authenticated, though the same credentials can be used repeatedly if they are valid for more than one array.

Additionally, the vSphere Plugin can be authenticated with the Pure1 REST API. This is required for Pure1-related features in the plugin and can help in mass-registration of FlashArrays with the plugin. No provisioning workflows are blocked when Pure1 is not authenticated, though intelligent provisioning and other insights are disabled.

Network Requirements

To authenticate a Pure1 connection the following is required:

  • TCP Port 443 access to pure1.purestorage.com from vCenter
  • No network access is required from ESXi
  • Currently if a proxy is required to route to an external network, Pure1 connectivity is not supported.

To authenticate a FlashArray connection the following is required:

  • TCP Port 443 access to the virtual IP address (this can be virtual IP address 0 or 1) of the target FlashArray from vCenter
  • No network access is required from ESXi

Authenticating a Pure1 Connection

Authentication of the plugin with Pure1 is recommended, but not required. Authenticating Pure1 with the vSphere plugin allows for further insights and provisioning assistance, as well as mass-FlashArray authentication and, likely, in the future more features. So for these reasons, authentication is recommended.

Authentication is significantly different from the standard "username and password"-based authentication, to provide a more secure authentication mechanism to a public REST API endpoint (Pure1). Instead of asking for a username or password, Pure1 asks for what is called a JWT (a JSON Web Token), which is a fancy term for authentication information that has been partially encrypted using an RSA 256 private key. Pure1 has the public key, which allows for the token to be decrypted, which is then used to create a session token.

There are a variety of ways to do this, and the list below is not exhaustive. The overall process is as follows:

  1. Create a public/private key pair
  2. Add the public key to Pure1
  3. Copy the application ID
  4. Generate a JWT with the application ID and your private key
  5. Paste the JWT into the vSphere Client

Create Certificate

PowerShell--Linux/MacOS

First ensure that you have at least the 1.2.0.0 release of the Pure1 PowerShell Module installed. Instructions to install PowerShell on Linux/MacOS here.

For PowerShell-based management, there is a PowerShell Gallery hosted module called PureStorage.Pure1. For more information (or to open bugs or feature requests) on the PowerShell Module, see here:

https://github.com/PureStorage-OpenConnect/PureStorage.Pure1

Create a new key pair and enter a password when prompted.

New-PureOneCertificate                  

Then retrieve the public key (enter the private key password):

Get-PureOnePublicKey                  

Now copy that key:

PowerShell--Windows

Public/private keys can come in the form of a certificate in Windows-based systems. The simplest way to create a key pair is through the creation of a self-signed local certificate. This can be achieved through the Pure1 PowerShell module available through the PowerShell Gallery.

To install the module, open up PowerShell and install the module from the PowerShell gallery:

install-module PureStorage.Pure1

Next create a new certificate and return the public key:

New-PureOneCertificate | Get-PureOnePublicKey

Copy the entire key, including the dashes and BEGIN PUBLIC KEY and END PUBLIC KEY:

Add the Public Key to Pure1

Once you have a public key, it needs to be entered into the Pure1 web site to create an application ID. Log in to pure1.purestorage.com as an admin. If you do not see the Administration section on the left-hand side, you are not logged in as an administrative user. If you are not, find your Pure1 admin and have them generate the token. If you do not know your admin, reach out to Pure Storage support.

Click on API Registrations then Register Application:

Give the application a descriptive name and paste in the public key. This must start with -----BEGIN PUBLIC KEY----- and end with -----END PUBLIC KEY-----. You may specify either the admin role or read only. As of the 4.3.x release of the vSphere Plugin, there is no need for administrative API access.

Click Upload to finish the process. Note the application ID and copy it, or have the admin provide it to you. It will start with pure1:apikey:

Generating a JWT

Once you have an application ID you can create the JWT. A JWT can be generated in a myriad of ways; below are the methods using Python or PowerShell.

Generating a JWT with Python

The JWT can be generated with Python using the linked code snippet from GitHub:

pure1_token_factory.py

Upload this script to a host that has Python installed. You can optionally directly download the script via:

curl https://gist.githubusercontent.com/codyhosterman/697ebfd72c4f7f7276afc3b74e3b5e40/raw/fce3ec83467344dd4192e831cf53694e0bfc8f21/pure1_token_factory.py >> pure1_token_factory.py

Then install the requirements via pip. If pip is not installed, run:

sudo apt install python3-pip                  

Install the requirements (which are saved in a hosted requirements file):

pip3 install -r https://pure1-scripting.s3-us-west-1.amazonaws.com/requirements.txt

If you cannot download the requirements file, create it manually.

Create the requirements.txt file with the following contents:

PyJWT
paramiko>=2.7.1
requests
cryptography
six

Then install the requirements:

pip3 install -r requirements.txt

Now pass in the private key (find your .pem file) to the script and application ID:

sudo python3 ./pure1_token_factory.py pure1:apikey:iRT5OwhslZVLWNGG private.pem                  

This will return the JWT. Copy the whole JWT.

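A JWT's header and payload are base64url-encoded JSON that can be read without any key, so a token can be inspected before it is pasted into the vSphere Client. The following is an added example, not part of the original guide or of pure1_token_factory.py; it assumes the token declares RS256 and carries the application ID in the iss claim and an expiry in exp, and its sample tokens are constructed with a placeholder ID.

```python
import base64
import json
import time

APP_ID_PREFIX = "pure1:apikey:"  # prefix the page gives for every application ID


def _segment(obj):
    """base64url-encode a dict as a JWT segment (used only to build samples)."""
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _decode(segment):
    """Decode one base64url JWT segment, restoring the stripped padding."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def check_pure1_jwt(token, now=None):
    """Return the problems found in a token; an empty list means none found.

    Only the header and payload are inspected. The signature is NOT verified
    here; that happens on the Pure1 side with the registered public key.
    """
    now = time.time() if now is None else now
    parts = token.strip().split(".")
    if len(parts) != 3 or not all(parts):
        return ["not a compact JWT (expected header.payload.signature)"]
    try:
        header, claims = _decode(parts[0]), _decode(parts[1])
    except ValueError:
        return ["header or payload is not base64url-encoded JSON"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["header or payload is not a JSON object"]
    problems = []
    if header.get("alg") != "RS256":  # assumption: "RSA 256" on the page is RS256
        problems.append("alg is %r, expected RS256" % header.get("alg"))
    if not str(claims.get("iss", "")).startswith(APP_ID_PREFIX):  # assumed claim
        problems.append("iss does not carry a pure1:apikey: application ID")
    exp = claims.get("exp")  # assumed claim: expiry as Unix seconds
    if not isinstance(exp, (int, float)):
        problems.append("no numeric exp claim")
    elif exp <= now:
        problems.append("token expired %d seconds ago" % (now - exp))
    return problems


# Constructed samples: placeholder application ID, dummy signature segment.
NOW = 1_700_000_000
GOOD = ".".join([_segment({"alg": "RS256", "typ": "JWT"}),
                 _segment({"iss": APP_ID_PREFIX + "EXAMPLEID", "iat": NOW, "exp": NOW + 3600}),
                 "c2ln"])
STALE = ".".join([_segment({"alg": "HS256", "typ": "JWT"}),
                  _segment({"iss": "EXAMPLEID", "iat": NOW - 7200, "exp": NOW - 3600}),
                  "c2ln"])

if __name__ == "__main__":
    print(check_pure1_jwt(GOOD, now=NOW))
    print(check_pure1_jwt(STALE, now=NOW))
```

Because the payload is readable by anyone who holds the token, treat a generated JWT as a credential and avoid leaving it in shell history or tickets.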

Generating a JWT with PowerShell

Linux/MacOS

Once you have your application ID, take your previously created private key and pass both into the New-PureOneJWT command. Enter the private key password in the operation or interactively (as shown below):

New-PureOneJwt -pureAppID pure1:apikey:aebVzb4k3Gq7oQE7                    

Windows

Once you have your application ID, pass it into the New-PureOneJWT command:

Adding a JWT to the vSphere Client

Log in to the vSphere Client, click on the top menu and choose Pure Storage.

Click on the Authenticate with Pure1 button in the top right corner:

Paste the JWT into the box that appears:

Click Authenticate. This will authenticate into Pure1. You will then be able to see Pure1 features in the plugin, like tag display and the load meter chart:

Editing a Pure1 Connection

There is no difference between creating a new Pure1 connection and editing one. If you would like to change the JWT being used, follow the same process. The only small difference is that the Authenticate with Pure1 button will now say Connected with Pure1. Click on that to upload a new JWT.

Removing a Pure1 Connection

There is no method to remove a specific JWT in the vSphere Plugin today, though you can de-authenticate the public key that pairs with the private key used to generate it.

Log in to pure1.purestorage.com and click on API registration. Find the application you wish to de-authenticate.

Navigate to the far right and click on the trashcan icon:

Confirm the deletion. This will de-authenticate any integration using the correlated private key from authenticating (or any JWT that has been derived from it).

Authenticating a FlashArray Connection

One or more FlashArrays can be added to the vSphere Plugin.

Adding a FlashArray Manually

To add a single FlashArray, log in to the vSphere Client, click on the Menu drop-down and choose Pure Storage.

Click on the +Add button shown under the Pure Storage icon.

Choose Add a Single Array:

Enter in:

  • Array name. This does not have to be the actual FlashArray's domain name, but it is recommended. This name is not verified--but should be descriptive either way.
  • Array URL. In the form of an IP address or fully-qualified domain name representing a FlashArray virtual address. FQDN is always preferred.
  • Username. A username of either a local user or a directory attached user.
  • Password. The corresponding password of selected user.

The virtual address can be verified from the array on Settings > Network > Subnets & Interfaces:

FQDN can be verified with nslookup or similar tools:

Adding One or More FlashArrays through Pure1

For environments with many FlashArrays, or environments where you may not know the addresses of all FlashArrays, an administrator can leverage the Pure1 connection to register a fleet of FlashArrays at once.

Go to the Pure Storage Plugin home screen and click Add.

Click on the Import Arrays from Pure1 tab. The plugin will reach out to Pure1 and retrieve all FlashArray and Cloud Block Store arrays registered in the target Pure1 organization. The plugin will then:

  1. Pull all of the FlashArray or Cloud Block Store VIR0 (virtual IP 0) addresses and the array names from the Pure1 REST API
  2. Attempt a DNS lookup for the FQDN. If there is no address found the IP will be used for the URL; if one is found it will use the FQDN
  3. Test network connectivity to the discovered FQDNs or IPs. If an array is not available on the network it will not be filtered out, but will be marked as offline.
  4. Filter arrays out that are already authenticated in the plugin

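Steps 2 to 4 of the list above can be reproduced as a pre-flight check from a host with the same network view as vCenter, to see in advance which arrays would show as offline. This is an added example, not the plugin's own code; the record keys name, fqdn and vip, the sample inventory and the plan_import function are assumptions made for illustration.

```python
import socket


def resolve(fqdn):
    """Return an IP address for fqdn, or None when DNS has no answer."""
    try:
        return socket.gethostbyname(fqdn)
    except OSError:
        return None


def tcp_443_open(host, timeout=3.0):
    """True when a TCP connection to host:443 completes within the timeout."""
    try:
        with socket.create_connection((host, 443), timeout=timeout):
            return True
    except OSError:
        return False


def plan_import(inventory, registered_urls, resolver=resolve, probe=tcp_443_open):
    """Apply steps 2-4 of the list above to an inventory pulled in step 1.

    inventory: dicts with the hypothetical keys "name", "fqdn" and "vip".
    registered_urls: URLs of arrays already authenticated in the plugin.
    """
    registered = {url.lower() for url in registered_urls}
    plan = []
    for array in inventory:
        # Step 2: prefer the FQDN when it resolves, otherwise use the IP.
        fqdn = array.get("fqdn")
        url = fqdn if fqdn and resolver(fqdn) else array["vip"]
        # Step 4, done before the probe: same result, fewer connections.
        if url.lower() in registered:
            continue
        # Step 3: unreachable arrays stay in the plan, marked offline.
        plan.append({"name": array["name"], "url": url, "online": probe(url)})
    return plan


# Constructed inventory: .example names and documentation-range addresses.
SAMPLE = [
    {"name": "fa-prod-01", "fqdn": "fa-prod-01.corp.example", "vip": "192.0.2.10"},
    {"name": "fa-dr-01", "fqdn": "fa-dr-01.corp.example", "vip": "192.0.2.20"},
    {"name": "fa-lab-01", "fqdn": "fa-lab-01.corp.example", "vip": "192.0.2.30"},
]

if __name__ == "__main__":
    for row in plan_import(SAMPLE, registered_urls=["fa-prod-01.corp.example"]):
        print(row)
```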

You then have the option to individually add credentials for each array or, if they all share the same credentials, select the Use the same credentials for all arrays box. If that is selected you only have to enter the credentials for the first array.

If an array is marked with the following icon:

It means the array address is not reachable from vCenter.

Once you have added credentials, select the arrays that you would like to authenticate.

Note that if you choose the top "select all" box in the upper left of the table:

It will only select all of the arrays on that particular page. You must click the next arrow and repeat to authenticate all discovered arrays. This ensures that the user confirms and verifies all selected arrays before completion.

When you have selected all of the desired arrays, click Add in the lower right hand corner.

The plugin will attempt to authenticate all arrays and will report all of the arrays that succeeded and any that failed:

If there are arrays with errors, hover over the information tooltip (circle with an exclamation mark) for more information.

Click Done when finished.

Editing a FlashArray Connection

To edit a FlashArray connection, select the connection and click Edit.

From here, you can change the alias, the URL, the username, and/or the password. Enter your change(s) and click Submit. To make ANY change you do need to re-enter the username and password--this can be the existing credentials or new ones.

In the above case the array name (alias) was changed, and the existing credentials were re-used:

Removing a FlashArray Connection

To remove a FlashArray Connection, select the desired connection and click the Remove button:

Confirm the removal of the connection:

No existing storage will be affected, but the FlashArray represented by that connection can no longer be managed within the plugin unless it is re-authenticated.

Click Remove to complete the process.

User Accounts and Privileges

In order to authenticate either Pure1 or one or more FlashArrays to the vSphere Plugin, certain vCenter privileges are required. In order to authenticate to Pure1 or a FlashArray, specific privileges are required for the access accounts. These requirements are documented below.

Required vCenter Privileges

In order to add a FlashArray connection into the vSphere Plugin, the logged in user adding the connection must be assigned a role with the following privileges:

  • Global > 'Manage Custom Attributes'
  • Global > 'Set Custom Attribute'

Note these are only the privileges required for authenticating a FlashArray or Pure1 connection--this does not fulfill the requirements to use the plugin fully. Please refer to the individual feature documentation for required vCenter permissions.

Required Pure1 Privileges

When you authenticate with the Pure1 REST API it is not username/password-based, as described above. The JWT used to authenticate the plugin can be created from a private key that has an associated public key with either admin or read-only permissions. There are currently no features in the vSphere Plugin that require administrative access to the Pure1 REST API. This may change in the future as more active control is added into Pure1.

Required FlashArray Privileges

In order to enable the use of a FlashArray in the VMware environment, vSphere administrators must authenticate the vSphere Plugin with the desired FlashArray(s). Users can choose to create local FlashArray users or use LDAP-connected users. It is recommended to provision a specific account for plugin access to the FlashArray (sometimes referred to as a system account) that doesn't necessarily reflect a specific person, but either a group or a use (username: vSpherePlugin for example).

For the process to create a new local account on the FlashArray, please refer to the FlashArray user guide for your respective version of Purity:

FlashArray User Guide

The vSphere Plugin supports a few permission levels for the registered user:

  • Array Admin--this will provide the logged in users with access to all of the advertised features in the plugin. This is a supported level, but not recommended. This elevated permission set is not needed by the plugin.
  • Storage Admin--this is the recommended level of permissions. Storage admin level of permissions provides users of the vSphere Plugin with all required permissions.
  • Read Only--if you want end-users to be able to view information about their storage environment (performance, data reduction, snapshots, capacity information, etc.) you may provision a read only user account. This will block the ability to make any storage changes (change, add, remove storage resources) with the plugin on the array(s) authenticated with this level of role.

Audit Trail

Currently, all logged in users of the vSphere Client will share the same permissions of a given FlashArray or Pure1--in other words--once you authenticate a FlashArray in the vSphere Plugin, all authenticated users in vSphere will share that authentication. All operations executed in the plugin against a FlashArray will appear as the same authenticated user account in the FlashArray audit trail.

As an example, if a FlashArray is added with the username of "vsphereplugin":

Then user cody@purecloud.com logs in:

And creates a VMFS snapshot:

We see in the audit trail on the FlashArray:

The user is vsphereplugin.

Then user janice@purecloud.com logs in:

And creates a VMFS snapshot:

We see in the audit trail on the FlashArray:

The user is also vsphereplugin. Since all users share the same authentication it is recommended to not authenticate with an account that is assigned to a certain person, but instead a group or application account.

Source: https://support.purestorage.com/Solutions/VMware_Platform_Guide/User_Guides_for_VMware_Solutions/Using_the_Pure_Storage_Plugin_for_the_vSphere_Client/vSphere_Plugin%3A_Configuring_FlashArray_Connections
