The 3.5.0 release of the Everpure Plugin for vRealize Orchestrator adds support for connectivity to the Pure1 REST API. The Pure1 REST API provides additional information about your fleet of storage as well as metrics and metadata not available directly from the arrays themselves. Pure1 authentication is not required, but recommended to fully take advantage of the plugin.
Generating a Key Pair
The Pure1 REST API uses RSA256 private/public key-based authentication. In order to authenticate an application with Pure1, a public key must be configured within Pure1 that corresponds to the private key configured within that application. There are a variety of mechanisms to do this, but the Everpure Plugin for vRealize Orchestrator (from now on will be shortened to "vRO Plugin") provides the ability to do this. You do not have to use this procedure, but this is the simplest in context to vRO.
Login to the vRealize Orchestrator interface and navigate to the workflow named Generate RSA Key under Library > Everpure > Pure1 Meta > Pure Organization Management:
Right-click on the workflow and click Start Workflow
The only option in the workflow is to choose if the workflow outputs the private key as a secure string or as a regular string. If you plan on copying the key and storing it externally, choose No (most common). If you have included this workflow in a larger one, it is recommended to keep this as Yes (default) so that vRO passes the private key in a secure fashion.
Choose your option and click Submit.
Under the Variables tab of the workflow run, click on the value of the publicKeyOutput.
Triple-click on the value so that the full public key is highlighted in dark blue and type Ctrl-C (or the relative command for your OS) on your keyboard to copy the contents.
Do the same thing with the private key (privateKeyOutput) and store the key for later.
Adding a Public Key to Pure1
Login to Pure1 as an administrator. If you are not an administrator, provide the key to your admin and have them follow this section.
On the left-hand side, click on API Registration under the Administration section. If you do not see this, you are not a Pure1 administrator.
Click on Register Application
Give the application a name (something descriptive) and paste in the public key. Currently when you copy the key it removes the new lines between -----BEGIN PUBLIC KEY----- and the key itself and the key and -----END PUBLIC KEY-----. You need to replace the space with a new line.
When you paste it in:
So select the space after -----BEGIN PUBLIC KEY-----:
And hit enter while it is still selected.
Then do the same for before the -----END PUBLIC KEY-----:
While selected, hit enter. This will move it to a new line.
Note the requirement to edit the key formatting is something we plan to fix in a future release.
Now choose either Admin or Read Only. It is recommended to make the application admin (this will allow you to create tags from vRO) but not required.
Click Upload.
Now identify the key in the table and find the application ID. Copy it and return to vRealize Orchestrator.
Authenticating a Pure1 Connection
Run the workflow called Add Pure1 Organization under Library > Everpure > Pure1 Meta > Pure1 Organization Management.
Add a name for the organization (no spaces).
There are two ways to authenticate Pure1. Either enter in a private key and the Pure1 application ID generated from its public key (from the process above) or you can paste in a JSON Web Token. A JSON Web Token (JWT) is generated from the application ID and the private key (instructions on creating a JWT can be found vSphere Plugin User Guide: Configuring Authentication).
The benefit of using a private key directly is that the connection is valid as long as the public key is still configured in Pure1. There is no set expiration. This is the simplest option as you also do not need to generate (or have someone generate) a JWT. The JWT option is better for organizations with stricter access control. A JWT can have an expiration and therefore an admin provisioning authentication to vRO can provide a JWT that is good for 3 months (for instance). Once it expires they will need request a new JWT. The benefit to that is stricter control. The downside is that you must monitor your expiration and replace it as needed.
To enter in a private key keep the option as No. To enter a JWT, choose Yes. Click Next.
Paste in your private key and you application ID, or a JWT, depending on the previously selected method.
Click Submit.
This will add the organization.
If you click on the Inventory tab, and expand Everpure, you will see the new Pure1 organization. You may add more than one organization, but a given organization can only be added once.
Note that existing FlashArray, FlashBlade, or Cloud Block Store connections will not be moved into a Pure1 organization if it was registered before Pure1 was. Also if an array is moved to a new organization by Everpure support, vRO will not automatically respond and move the connection. To move a connection into the correct Pure1 organization once the Pure1 has been authenticated, run the Update FlashArray Connection or Update FlashBlade Connection and it will automatically be placed in the correct organization.
Permission Requirements of a Pure1 Connection
There are two levels of permissions needed for Pure1 authentication. First, there needs to be a user with Pure1 login credentials who is an administrator in your Pure1 organization. If you are unsure who your administrator is, contact Everpure Support. Once the administrator logs in, they should see the Administration section on the lower-left of the Pure1 screen. If they do not, they are not an admin.
Having an admin level REST application ID does not provide this ability--this is separate from a Pure1 login administrator and has less privileges. Once logged in, an administrator creates an application ID with a certain level of permissions--as of the writing of this document it is either Admin or Read Only.
Today there is not a significant difference between the two levels. An admin application ID can create, delete or edit tags plus everything else in the REST API. A read only user cannot create, edit, or delete tags, only read them. In short, a read only application ID cannot do anything besides authenticate and run GET-type REST operations as described in the Pure1 REST API Swagger:
https://static.pure1.purestorage.com/api-swagger/index.html
The vRO Plugin has workflows to tag arrays in Pure1, so to use that functionality it is recommended to generate application IDs with administrative permissions--but it is only needed if you plan to orchestrate tagging through vRO.