vSphere Plugin: Authenticating a Pure1 Connection - User Managed Keys

User Guides for VMware Solutions

Audience
Public
Content Type
User Guides
Source Type
Documentation

It is recommended to use the plugin managed keys instead of the user managed keys.

Authenticating a Pure1 Connection - User Managed Keys

Authentication is a significantly different than the standard "username and password" based authentication to provide a more secure authentication mechanism to a public REST API endpoint (Pure1). Instead of asking for a username or password, Pure1 can use either vSphere plugin managed keys (recommended) or user managed keys (below).

When using user managed keys, Pure1 asks for what is called a JWT (a JSON Web Token) which is a term for authentication information that has been partially encrypted using a RSA 256 private key. Pure1 has the public key which allows the token to be decrypted; the token is then used to create a session token.

There are a variety of ways to do this, and the list below is not exhaustive. The overall process is as follows:

  1. Create a public/private key pair

  2. Add the public key to Pure1

  3. Copy the application ID

  4. Generate a JWT with the application ID and the private key

  5. Paste the JWT into the vSphere Client

Create Certificate

PowerShell--Linux/macOS

First ensure that at least the 1.2.0.0 release of the Pure1 PowerShell Module is installed. Instructions to install PowerShell on Linux/macOS here.

For PowerShell-based management, there is a PowerShell Gallery hosted module called PureStorage.Pure1. For more information (or to open bugs or feature requests) on the PowerShell Module, see here:

https://github.com/PureStorage-OpenConnect/PureStorage.Pure1

PS /Users/nelam> get-module PureStorage.Pure1 -ListAvailable

    Directory: /Users/nelam/.local/share/powershell/Modules

ModuleType Version    PreRelease Name                                PSEdition ExportedCommands
---------- -------    ---------- ----                                --------- ----------------
Script     1.4.4.2               PureStorage.Pure1                   Core,Desk {New-PureOneConnection, Get-PureOneArray, New-PureOneOperation, Get-PureOneArrayTag…}
Script     1.4.4.1               PureStorage.Pure1                   Core,Desk {New-PureOneConnection, Get-PureOneArray, New-PureOneOperation, Get-PureOneArrayTag…}

Create a new key pair and enter a password when prompted.


New-PureOneCertificate
PS /Users/nelam> new-pureonecertificate
Please enter a password to be used for the private key: *********

Name                           Value
----                           -----
PrivateKey                     /Users/nelam/PureOnePrivate.pem
PublicKey                      /Users/nelam/PureOnePublic.pem

Then retrieve the public key (enter the private key password):


Get-PureOnePublicKey
PS /Users/nelam> get-pureonePublicKey
Please enter your RSA private key password: *********
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv1MC+nW1FOy4tMMO51Cj
Sf20gBO1UeLFj89uoF+KXMlaxzZ7FgVCXqdUfzOgHk96R0CLuavE92qvEQG3a88p
EzSGhUIlh6CxzaFTHv04vuneXRW4jOiZtzFrRcl52b1GCUNz24Q3E6IHTyZqnp8I
W9pJlafg1t+fH71/dsdlezJiTHVdcHuiNifQDELzprBSgSTtb+bI0Zq28VS8FEZb
7WWuggOJmR8Tp21GMWex8p/EiDuxo1cRYGKrxFh/aiB25PmK2SFmxnGWs9I478fz
NraHadE959Y3AdEFgCdhxZ1yIvcSINbYXsxshuaHXfFuoK6JWZOVR0CCybBOHESR
cwIDAQAB
-----END PUBLIC KEY-----

Copy the key for use in Pure1 later. All of the characters are required, starting with -----BEGIN PUBLIC KEY----- and ending with -----END PUBLIC KEY-----

PowerShell--Windows

Public/private keys can come in the form of certificate in Windows-based systems. The simplest way to create a key pair is through the creation of a self-signed local certificate. This can be achieved through the Pure1 PowerShell module available through the PowerShell Gallery.

To install the module, open PowerShell and install the module from the PowerShell gallery:


install-module PureStorage.Pure1

Next create a new certificate and return the public key:


New-PureOneCertificate | Get-PureOnePublicKey

Copy the entire key, including the dashes and BEGIN PUBLIC KEY and END PUBLIC KEY:

Add the Public Key to Pure1

Once the public key is created, it needs to be entered into the Pure1 web site to create an application ID. Login to pure1.purestorage.com as an admin. If the Administration section on the left-hand side is not visible, the account logged into Pure1 is not an administrative user. If the section isn't visible, find the Pure1 admin for the organization and have them generate the token. If the know Pure1 organization admin isn't known, reach out to Everpure support.

Click on API Registrations the Register Application:

Give the application a descriptive name and paste in the public key from earlier. This must start with -----BEGIN PUBLIC KEY----- and end with -----END PUBLIC KEY-----. The admin role or read only role may be selected.

Click Upload to finish the process. Find the application ID and copy it, or have the admin provide it. It will start with pure1:apikey:

Generating a JWT

Once the application ID is created, create the JWT. A JWT can be generated in a myriad of ways below are the methods using Python or PowerShell.

Generating a JWT with Python

The JWT can be generated with Python using the linked code snipped from GitHub:

pure1_token_factory.py

Upload this script to a host that has Python installed. Optionally, directly download the script via:


curl https://gist.githubusercontent.com/codyhosterman/697ebfd72c4f7f7276afc3b74e3b5e40/raw/fce3ec83467344dd4192e831cf53694e0bfc8f21/pure1_token_factory.py >> pure1_token_factory.py

Then install the requirements via pip, if pip is not installed, run:


sudo apt install python3-pip

Install the requirements (which are saved in a hosted requirements file):


pip3 install -r https://pure1-scripting.s3-us-west-1.amazonaws.com/requirements.txt

If the requirements file cannot be downloaded, create it manually, then place the requirement.txt file with following contents:


PyJWT 
paramiko>=2.7.1 
requests 
cryptography 
six 

Then install the requirements:

pip3 install -r requirements.txt

Now pass in the private key (find the .pem file) to the script and application ID:


sudo python3 ./pure1_token_factory.py pure1:apikey:iRT5OwhslZVLWNGG private.pem

This will return the JWT. Copy the whole JWT.

Generating a JWT with PowerShell

Linux/macOS

Once the application ID is created, take the previously created private key and pass both into the New-PureOneJWT command. Enter the private key password in the operation or interactively (as shown below):


New-PureOneJwt -pureAppID pure1:apikey:[Pure1APIKey] 

Windows

Once the application ID is created, pass it into the New-PureOneJWT command:

Adding a JWT to the vSphere Client

Login to the vSphere Client, click on the top menu and choose Everpure.

Click on the Authenticate with Pure1 button in the top right corner:

Paste in the JWT into the box that appears:

Click Authenticate. This will authenticate into Pure1. Then the Pure1 features in the plugin will be visible, like tag display and the load meter chart: