Should the FlashArray be on Purity 5.3.0 or higher the steps to reset the certificate do not apply. Rather an Array Admin user can manually reset the VASA certificate or import a new certificate to the FlashArray. The process of removing and re-registering the Storage Providers will still be required. The workflow would be as follows.
- Remove the Storage Providers with expired certificates in vCenter
- Please refer to the KB about managing VASA certificates with purecert Web Guide: Managing the VASA Certificates with purecert via the CLI.
- If the certificate was signed by a CA, then the end user will need to generate a new CSR, get a newly signed certificate and import the newly signed certificate.
- If the certificate was the default vSphere certificate, then the end user will need to delete the existing vasa-ct0 and vasa-ct1 certificates, then create new default self signed certificates.
- Re-register the storage providers in vCenter.
This process isn't as easy or simple as renewing a cert that is about to expire. In this case you can't renew the cert; instead you have to remove the storage providers and then re-register the storage providers. However, as part of this process Everpure Support will need to manually clear the expired cert and restart the vasa provider. Otherwise the re-registration of the storage providers will fail. This process is something that Pure is working to improve moving forward.
The impact of having the storage providers cert expire will be impactful to any further vVol related operations that have to communicate with the VASA provider on the array. Such is powering on VMs, vMotioning VMs, deploying new VMs, etc. However, any currently running VMs will continue to run without impact. The process of removing the expired storage provider, clearing the expired cert and then restarting the VASA service will not be impactful to the currently running vVol VMs.
Here are the steps to follow in order to Renew a Storage Provider that has had it's certificate expire.
- Log into the vCenter that the Storage Providers are registered.
- Navigate to the hosts, vms or datastores tab and select the vCenter object.
- Select the configure tab and then the storage providers option. Locate the Storage providers that have the expired certificate.
- Here you can see if you try to renew the Certificate it will fail:
Certificate is expired, unable to renew
- You will need to remove both Storage Providers
Remove Both Expired Storage Providers
- If you have the storage providers registered with another vCenter that is in Enhanced Linked mode, be sure to remove them from all the vCenters that are registered with them.
- If the FlashArray is running Purity 5.3.0 or higher, Resetting the VASA Certificates with purecert.
- If the FlashArray is not running Purity 5.3.0 or higher then once both storage providers are removed from all vCenter Servers you will want to work with Pure Support. You will need to enable remote assist and reference this KB in your support case. There will be steps for Pure Support to follow.
Do not manually reset certificates if the FlashArray is running Purity 5.3.0 or higher in the same method as outlined in this KB for Purity 5.0, 5.1 or 5.2. All management of the VASA certificates must be done by the customer with purecert via the CLI on Purity 5.3.0 and higher.
Steps to Clear Keystore Cache and restart VASA Service
In order for the TSE to proceed, they will need the customer to open up Remote Assist to the Array. After that, confirm that this is the array that they need you to remove the expired Certificate.
Essentially all you will need to do is remove the keystore and truststore cache and restart the vasa service for both controllers.
Please refer to the How to check and clear Array Key Store for more information about this process, but here is what you will essentially do after the customer contacts you.
For Purity Versions 5.0.x and 5.1.0 - 5.1.5
These are the steps for Purity running below 5.1.6. If the array is running 5.1.6 or higher, the process is different
- Use Remote Assist to Connect with the Array (unless it's a dark site, then you'll need to do this over a zoom session)
- Get the output of the keystore, the password is "purestorage".
keytool -list -v -keystore /cache/ui/keystoreroot@fs64-16-ct1:~# keytool -list -v -keystore /cache/ui/keystore Enter keystore password: Keystore type: JKS Keystore provider: SUN Your keystore contains 1 entry Alias name: jetty Creation date: Jun 27, 2017 Entry type: PrivateKeyEntry Certificate chain length: 1 Certificate[1]: Owner: CN=Pure Storage, OU=Pure Storage, O=Pure Storage, C=US Issuer: OU=VMware Engineering, O=3m-vvol-vc-cert.dev.purestorage.com, ST=California, C=US, DC=local, DC=vsphere, CN=CA Serial number: ff4ed0d401b85282 Valid from: Mon Jun 26 12:51:30 PDT 2017 until: Wed Jun 27 12:51:30 PDT 2018 Certificate fingerprints: MD5: 14:E9:2C:66:F8:74:95:8B:D6:61:FD:36:AC:AC:96:90 SHA1: 9B:02:FC:BD:0B:D2:DF:08:C4:A5:B0:AA:51:EC:58:96:DD:78:8E:23 SHA256: E1:54:21:A3:6C:1A:9D:FE:9C:A8:D5:19:32:61:8B:31:52:E7:9A:59:C2:06:85:FD:81:E9:0A:47:39:49:32:A9 Signature algorithm name: SHA256withRSA Version: 3 Extensions: #1: ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [ KeyIdentifier [ 0000: 80 A3 05 66 4C 5C 84 33 45 A7 99 5F 52 78 10 49 ...fL\.3E.._Rx.I 0010: 79 F9 FC 94 y... ] ] #2: ObjectId: 2.5.29.17 Criticality=false SubjectAlternativeName [ IPAddress: 10.14.64.161 ] ******************************************* ******************************************* - Remove the keystore and truststore cache and restart the vasa service
rm /cache/ui/keystore /cache/ui/truststore && service vasa restart - Check the keystore and verify it's cleared
keytool -list -v -keystore /cache/ui/keystoreroot@fs64-16-ct1:~# keytool -list -v -keystore /cache/ui/keystore Enter keystore password: Keystore type: JKS Keystore provider: SUN Your keystore contains 1 entry Alias name: jetty Creation date: Feb 2, 2012 Entry type: PrivateKeyEntry Certificate chain length: 1 Certificate[1]: Owner: CN=Pure Storage, O=Pure Storage, OU=Pure Storage, C=US Issuer: CN=Pure Storage, O=Pure Storage, OU=Pure Storage, C=US Serial number: 4f2b166c Valid from: Thu Feb 02 15:04:12 PST 2012 until: Wed Jan 28 15:04:12 PST 2032 Certificate fingerprints: MD5: 0D:E8:64:78:C5:66:5E:64:8C:4D:D8:AB:EC:78:20:FE SHA1: D8:8F:22:67:B8:9C:30:31:69:66:F4:23:E9:69:94:A4:B2:38:79:21 SHA256: E2:3E:10:E5:A7:92:68:F0:63:0C:D2:81:ED:34:2F:97:B6:9E:08:7F:82:F6:E1:53:43:01:27:67:ED:2F:D9:DD Signature algorithm name: SHA1withRSA Version: 3 ******************************************* ******************************************* -
Repeat the same steps above for the peer controller
-
Update the customer that the expired certs have been cleared from the array cache and the VASA service has been restarted.
For Purity Versions 5.1.6+ and 5.2+
If the array is running Purity 5.1.6 or higher here is the process that should be followed for steps 2 through 4 above: