I’ve been working with the Pure1 REST API for about a year now and have really enjoyed what it brings. I’ve integrated it into a few things: PowerShell, vRO, and the vSphere Plugin. One of the “tricky” things about it though is the authentication. Instead of a username and password it requires an RSA public/private key pair: you keep the private key, Pure1 only ever receives the public key, and you prove you hold the private key by signing a JSON web token with it (the RS256 algorithm, RSA with SHA-256). This is inherently more secure than a shared password, since the secret never leaves your machine, but of course it requires a bit more know-how when it comes to pair generation.

I simplified a fair amount of it in PowerShell, but didn’t quite get to the finish line. The generation of the key pair could be done, but it came in the form of a PFX, which combines the public key and the private key into one file. Unfortunately, Pure1 requires them to be separated, as all it needs is the public key, not your private key. While this is “better”, it does leave Windows users at a bit of a disadvantage: there is no built-in mechanism to produce the separated public key without installing OpenSSL. The process could not be done entirely in PowerShell. Or so I thought…

I blogged about creating the right type of certificate here. But you still need to extract the public key, which by default is not in the right format. This is where OpenSSL came in: it can convert the key into PEM (good explanation of it here), which requires the DER bytes of the public key to be Base64-encoded, not raw bytes, not hex, and certainly not decimal.

The requirement to install OpenSSL wasn’t a big deal I suppose, as it was a one-time kind of thing, but it was annoying. When we released support for Pure1 authentication in the vSphere Plugin recently it came up again (in my mind at least). How can we simplify this? First off, let’s review the steps to authenticate for Pure1:

Generate an RSA public/private key pair.

Add the public key to Pure1.

Pure1 gives you an application ID.

With that application ID, generate a JSON web token (JWT) that is signed with your private key. Note that the token is signed, not encrypted: anyone who gets hold of it can read its contents, but only your private key can produce a valid signature. You can specify in that token how long it is valid for, in other words for how long it can be used to create a session with Pure1.

Send the JWT to Pure1.

Pure1 sends you back a session token. That token is valid for 10 hours (or until you remove the public key from Pure1, whichever comes first).
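The steps above, as an added PowerShell example that is not the PureStorage.Pure1 module’s own code: it generates the key pair, produces the PEM public key and signs the JWT using only .NET classes, which is one way to do the conversion without OpenSSL. It assumes an in-memory key pair rather than the certificate store the module uses, a made-up application ID, and the claim names iss, iat and exp, which come from Pure1’s REST documentation rather than from this post. It runs in Windows PowerShell 5.1 (.NET Framework 4.6 or later) and in PowerShell 7 on Windows.

```powershell
# Added example, not the PureStorage.Pure1 module's code. Assumptions: in-memory key pair
# (the module uses the certificate store), placeholder app ID, claims iss/iat/exp per Pure1 docs.

# --- DER helpers: Pure1 wants the public key as a PEM SubjectPublicKeyInfo -------------
function Encode-DerLength([int]$Length) {
    # Short form below 128, otherwise 0x80|n followed by n big-endian length bytes.
    if ($Length -lt 0x80) { return [byte[]]@([byte]$Length) }
    $lenBytes = New-Object 'System.Collections.Generic.List[byte]'
    $n = $Length
    while ($n -gt 0) { $lenBytes.Insert(0, [byte]($n -band 0xFF)); $n = $n -shr 8 }
    return [byte[]](@([byte](0x80 -bor $lenBytes.Count)) + $lenBytes.ToArray())
}

function New-DerElement([byte]$Tag, [byte[]]$Content) {
    return [byte[]](@($Tag) + @(Encode-DerLength $Content.Length) + $Content)
}

function New-DerInteger([byte[]]$Magnitude) {
    # DER INTEGER is two's complement: drop redundant leading zeros, then prepend 0x00 when
    # the top bit is set so the (always positive) modulus is not read as a negative number.
    $start = 0
    while ($start -lt $Magnitude.Length - 1 -and $Magnitude[$start] -eq 0) { $start++ }
    $body = [byte[]]($Magnitude[$start..($Magnitude.Length - 1)])
    if (($body[0] -band 0x80) -ne 0) { $body = [byte[]](@([byte]0) + $body) }
    return New-DerElement 0x02 $body
}

function Export-RsaPublicKeyPem([System.Security.Cryptography.RSA]$Rsa) {
    $p = $Rsa.ExportParameters($false)    # $false: public parameters only, never the private key
    $rsaEncryptionOid = [byte[]](0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01)
    $algorithmId  = New-DerElement 0x30 ([byte[]]($rsaEncryptionOid + [byte[]](0x05, 0x00)))
    $rsaPublicKey = New-DerElement 0x30 ([byte[]]((New-DerInteger $p.Modulus) + (New-DerInteger $p.Exponent)))
    $bitString    = New-DerElement 0x03 ([byte[]](@([byte]0) + $rsaPublicKey))   # leading 0 = no unused bits
    $spki         = New-DerElement 0x30 ([byte[]]($algorithmId + $bitString))
    $b64 = [Convert]::ToBase64String($spki)
    $lines = for ($i = 0; $i -lt $b64.Length; $i += 64) { $b64.Substring($i, [Math]::Min(64, $b64.Length - $i)) }
    return "-----BEGIN PUBLIC KEY-----`n" + ($lines -join "`n") + "`n-----END PUBLIC KEY-----"
}

# --- JWT: base64url(header).base64url(claims).base64url(RS256 signature) ---------------
function ConvertTo-Base64Url([byte[]]$Bytes) {
    return [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64Url([string]$Text) {
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    return [Convert]::FromBase64String($s)
}

function New-Rs256Jwt([System.Security.Cryptography.RSA]$Rsa, [string]$PureAppId, [datetime]$Expiration) {
    $utf8 = [System.Text.Encoding]::UTF8
    $header = ConvertTo-Base64Url ($utf8.GetBytes('{"alg":"RS256","typ":"JWT"}'))
    $claims = [ordered]@{
        iss = $PureAppId                                               # the pure1:apikey:... ID
        iat = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
        exp = ([DateTimeOffset]$Expiration.ToUniversalTime()).ToUnixTimeSeconds()
    }
    $payload = ConvertTo-Base64Url ($utf8.GetBytes(($claims | ConvertTo-Json -Compress)))
    $signingInput = $header + '.' + $payload
    # RS256 is RSASSA-PKCS1-v1_5 over SHA-256. The token is signed, not encrypted.
    $signature = $Rsa.SignData($utf8.GetBytes($signingInput),
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    return $signingInput + '.' + (ConvertTo-Base64Url $signature)
}

# --- What Pure1 does with the uploaded key: check the signature with the public half ---
function Test-Rs256Jwt([string]$Jwt, [System.Security.Cryptography.RSAParameters]$PublicOnly) {
    $parts = $Jwt.Split('.')
    if ($parts.Count -ne 3) { return $false }
    $verifier = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $verifier.ImportParameters($PublicOnly)    # Modulus and Exponent only
    $data = [System.Text.Encoding]::UTF8.GetBytes($parts[0] + '.' + $parts[1])
    $signature = [byte[]](ConvertFrom-Base64Url $parts[2])
    return $verifier.VerifyData($data, $signature,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
}

# --- Walkthrough ------------------------------------------------------------------------
$rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
$publicOnly = $rsa.ExportParameters($false)
Export-RsaPublicKeyPem $rsa                  # this is what gets pasted into Pure1 > API Registration

$appId = 'pure1:apikey:EXAMPLEAPPID0000'     # placeholder; Pure1 issues the real one after the upload
$jwt = New-Rs256Jwt -Rsa $rsa -PureAppId $appId -Expiration (Get-Date).AddDays(30)
$jwt
Test-Rs256Jwt -Jwt $jwt -PublicOnly $publicOnly

# Swap in different claims but keep the original signature: the public key rejects it.
$forgedClaims = ConvertTo-Base64Url ([System.Text.Encoding]::UTF8.GetBytes('{"iss":"pure1:apikey:SOMEONEELSE","exp":4102444800}'))
$forged = $jwt.Split('.')[0] + '.' + $forgedClaims + '.' + $jwt.Split('.')[2]
Test-Rs256Jwt -Jwt $forged -PublicOnly $publicOnly
```

The first Test-Rs256Jwt call succeeds and the forged one fails, which is the whole point of the design: Pure1 holds nothing that could be used to mint a token, only what it needs to check one. If you swap the in-memory key for a certificate from the store, pass its private key object to New-Rs256Jwt and the same public-parameter export to Export-RsaPublicKeyPem.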

Our vSphere Plugin asks you for a JWT. So you generate a JWT and configure it in the vSphere Plugin:

So how do I get to that?! Well I just made it A LOT easier. I have updated my Pure1 PowerShell module with a few new cmdlets.

New-PureOneCertificate

Get-PureOnePublicKey

New-PureOneJwt

Authenticating Pure1 with the vSphere Plugin

Let us start with the vSphere Plugin. How do I get that infernal JWT? Good question Cody.

Step one is to install the module. So either run:

install-module PureStorage.Pure1

Or if it is already installed:

update-module PureStorage.Pure1

NOTE: If you already have the Cody.PureStorage.Pure1 module installed uninstall it first and then install this one. While the Cody.PureStorage.Pure1 version has this feature, I am deprecating it. Also if you are using the PureStorage.FlashArray.VMware module, make sure you update it first too, as older versions have a dependency on the Cody.PureStorage.Pure1 module.

Now let’s create a new certificate.

$cert = New-PureOneCertificate

Btw, if you are using Windows 2012 R2, make sure you are at least on the 1.0.0.1 version of the module.

By default I create it in the current user store (which incidentally makes it not run into this problem anymore). Though there is a parameter to override that with a certificate store of your choosing.

Great. Now I need to add the public key from this certificate to Pure1. So run:

Get-PureOnePublicKey -certificate $cert

Now copy the result of that, including the BEGIN and END lines with the dashes. Highlight it and press Enter.

I will write a blog post on how I did this without installing OpenSSL soon.

Now go to Pure1.purestorage.com and click on API Registration:

If you do not see this, that means you are not a Pure1 admin. Find your admin. Or become one. Click on Register Application.

Now paste that public key into that.

Give it a name and choose a role. Currently this is admin or read only.

The only significant difference that I am aware of is that a read only user cannot create tags. Beyond that everything else is currently read only. But this is 12/03/2019. This may and WILL change in the future, admin will likely be able to do more things in the future.

Click Upload.

You will not need to do this again, unless you want to create a separate key for something else, or you lose or delete the private key/certificate. Deleting the public key here is also how you revoke access if the private key is ever exposed: every JWT signed with that key stops working immediately.

You will see it listed now. Copy the application ID.

It will be in the form of pure1:apikey:………….

Back to PowerShell. Run:

New-PureOneJwt -certificate $cert -pureAppID pure1:apikey:rUMmI6I7LEneeAfR

Don’t worry, this public key has been deleted by the time of publishing. You can’t use it :). Nice try though.

So how long does this JWT authorize the plugin to talk to Pure1 for? Not forever. One of the internal fields of the JWT is an expiration date (the exp claim). This JWT can be used to create new Pure1 REST sessions until that point in time, or until you remove the public key from Pure1, which kills the use of any JWTs for that key entirely.

The default behavior of the New-PureOneJwt cmdlet is to create a JWT that is valid for 30 days, though you may want longer than that. The cmdlet has a parameter called expiration that allows you to specify a custom expiration date; it takes the DateTime data type. Keep in mind that the JWT is a bearer credential: anyone holding it can create Pure1 sessions until it expires, so the longer you make it, the more it matters that the plugin’s copy stays protected, and the only way to cut it off early is to delete the public key in Pure1.

So if you want it to last a year, specify a date one year in the future, which would be (Get-Date).AddYears(1). If you want 60 days: (Get-Date).AddDays(60)

New-PureOneJwt -certificate $cert -pureAppID pure1:apikey:rUMmI6I7LEneeAfR -expiration((Get-Date).AddDays(60))
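Before pasting a token into the plugin it is worth checking what is actually inside it, in particular which application ID it is for and when it stops working. The following is an added PowerShell example, not a cmdlet from the PureStorage.Pure1 module: it decodes the claims of a JWT and reports the remaining validity. It only reads the payload; it does not verify the signature (that needs the public key) and it cannot tell you whether the public key has since been deleted from Pure1, which revokes the token regardless of exp. The sample token is constructed here with a placeholder signature, so it is good for reading claims only.

```powershell
# Added example, not part of the PureStorage.Pure1 module. Decodes JWT claims only; it does
# not check the signature and cannot see whether the public key was removed from Pure1.
function Get-JwtClaims([string]$Jwt) {
    $parts = $Jwt.Trim().Split('.')
    if ($parts.Count -ne 3) { throw 'Not a JWT: expected header.payload.signature' }
    # JWT parts are base64url without padding: restore the standard alphabet and the '=' padding.
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $claims = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
    if (-not $claims.exp) { throw 'JWT has no exp claim; Pure1 requires one' }

    $now = [DateTimeOffset]::UtcNow
    $exp = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp)
    $issuedAt = $null
    if ($claims.iat) { $issuedAt = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.iat).LocalDateTime }
    $timeLeft = [timespan]::Zero
    if ($exp -gt $now) { $timeLeft = $exp.Subtract($now) }    # clamp at zero once expired

    [pscustomobject]@{
        Issuer    = $claims.iss          # should be the pure1:apikey:... ID you registered
        IssuedAt  = $issuedAt
        ExpiresAt = $exp.LocalDateTime
        TimeLeft  = $timeLeft
        Expired   = ($exp -le $now)
    }
}

# Constructed sample token (claims are real-looking, the signature part is a placeholder).
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$sampleJwt = (ConvertTo-Base64Url '{"alg":"RS256","typ":"JWT"}') + '.' +
             (ConvertTo-Base64Url '{"iss":"pure1:apikey:EXAMPLE","iat":1575331200,"exp":1580515200}') + '.' +
             'placeholder-signature'
Get-JwtClaims $sampleJwt

# With the module loaded, the same check on a real token would be:
# Get-JwtClaims (New-PureOneJwt -certificate $cert -pureAppID 'pure1:apikey:rUMmI6I7LEneeAfR' -expiration (Get-Date).AddDays(60))
```

The sample token’s exp is 1 February 2020, so it comes back as Expired with a TimeLeft of zero; a freshly generated 60-day token shows roughly 60 days. If Issuer is not the application ID you registered, the plugin will be authenticating as someone else’s application, and if TimeLeft is shorter than you expected, regenerate before pasting rather than after the plugin starts failing.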

Copy that full response and go to the Pure Storage vSphere Plugin home screen and click on Authenticate with Pure1.

Paste the JWT into there

Click Authenticate.

You’re done!

If this fails, check out this post:

Authenticating PowerShell with Pure1

What if I want to authenticate the Pure1 PowerShell module with Pure1? Well, this is even easier than the above.

Now let’s create a new certificate.

$cert = New-PureOneCertificate

By default I create it in the current user store (which incidentally makes it not run into this problem anymore). Though there is a parameter to override that with a certificate store of your choosing.

Great. Now I need to add the public key from this certificate to Pure1. So run:

Get-PureOnePublicKey -certificate $cert

Now copy the result of that, including the BEGIN and END lines with the dashes. Highlight it and press Enter.

Now go to Pure1.purestorage.com and click on API Registration:

If you do not see this, that means you are not a Pure1 admin. Find your admin. Or become one. Click on Register Application.

Now paste that public key into that.

Give it a name and choose a role. Currently this is admin or read only.

The only significant difference that I am aware of is that a read only user cannot create tags. Beyond that everything else is currently read only. But this is 12/03/2019. This may and WILL change in the future, admin will likely be able to do more things in the future.

Click Upload.

You will not need to do this again, unless you want to create a separate key for something else, or you lose or delete the private key/certificate.

You will see it listed now. Copy the application ID.

It will be in the form of pure1:apikey:………….

Back to PowerShell. Run:

New-PureOneRestConnection -certificate $cert -pureAppID pure1:apikey:rUMmI6I7LEneeAfR

The session is authenticated and you can now run commands against Pure1.

For example: Get-PureOneArray