Purity //FA 5.0 to 5.2

How-Tos for VMware Solutions

Audience
Public
Source Type
Documentation

In the event that the FlashArray is running Purity/FA 5.0.x, 5.1.x or 5.2.x, then the storage providers will need to be removed and re-registered.

If the re-register is failing, then you may need to open up a support case to have support reset the certificates on the VASA service for each controller.

Once the certificate is reset by Pure Support, then re-register the storage providers with the new IP addresses.

Support, please run the following from the both controllers in the event that the customer is unable to re-register the storage providers after changing the IP address of the controller.

Essentially, the customer is going to be in a state that the certificates currently loaded for vasa-ct0 and vasa-ct1 will have the old IP addresses in them. For the most part, the customer should be able to just remove the old storage providers and re-register them again with the updated IP addresses. However, in the event that they are unable to register the storage providers, then support can reset the certificates and restart the vasa service.

Please note that on 5.3.0+ these actions are not necessary. Do not run these steps on a 5.3.0+ array.

Here are the commands that will need to be followed to reset the certificate in Purity 5.1.6+ and 5.2.0+


openssl genrsa -out /cache/ssl/vasa.key 2048
openssl req -new -key /cache/ssl/vasa.key -out /cache/ssl/vasa.csr -subj "/C=US/O=Pure Storage/OU=Pure Storage/CN=Pure Storage"
openssl x509 -req -days 7300 -in /cache/ssl/vasa.csr -signkey /cache/ssl/vasa.key -out /cache/ssl/vasa.crt
rm /cache/ssl/vasa.csr
service vasa restart
service nginx reload

Once the Certificate is reset, have the customer register the storage providers.

There could be a chance that if the array is on 5.1.6 or 5.1.7 and the customer is using intermediate certificates. If that is the case, make sure you follow the steps to update the vasa nginx; look at Correcting the Problem.

If the customer is running Purity 5.1.0-5.1.5 or Purity 5.0, the process for resetting the certificates is a bit easier. You'll remove the keystore and truststore and then restart vasa. This will need to be done for both controllers.


## Check the KeyStore and Truststore and see if the old IP is there ##

keytool -list -v -keystore /cache/ui/keystore
keytool -list -v -keystore /cache/ui/truststore

## Then run the following to clear them and restart VASA, this will reset the Certificate ##

rm /cache/ui/keystore /cache/ui/truststore && service vasa restart

## Check the Current Keystore and Truststore ##
## Password for both stores is purestorage ##

root@fs64-16-ct1:~# keytool -list -v -keystore /cache/ui/keystore
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: jetty
Creation date: Jun 27, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Pure Storage, OU=Pure Storage, O=Pure Storage, C=US
Issuer: OU=VMware Engineering, O=3m-vvol-vc-cert.dev.purestorage.com, ST=California, C=US, DC=local, DC=vsphere, CN=CA
Serial number: ff4ed0d401b85282
Valid from: Mon Jun 26 12:51:30 PDT 2017 until: Wed Jun 27 12:51:30 PDT 2018
Certificate fingerprints:
MD5:  14:E9:2C:66:F8:74:95:8B:D6:61:FD:36:AC:AC:96:90
SHA1: 9B:02:FC:BD:0B:D2:DF:08:C4:A5:B0:AA:51:EC:58:96:DD:78:8E:23
SHA256: E1:54:21:A3:6C:1A:9D:FE:9C:A8:D5:19:32:61:8B:31:52:E7:9A:59:C2:06:85:FD:81:E9:0A:47:39:49:32:A9
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 80 A3 05 66 4C 5C 84 33   45 A7 99 5F 52 78 10 49  ...fL\.3E.._Rx.I
0010: 79 F9 FC 94                                        y...
]
]
#2: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  IPAddress: 10.14.64.161
]
*******************************************
*******************************************

root@fs64-16-ct1:~# keytool -list -v -keystore /cache/ui/truststore
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: vmca_0
Creation date: Jul 12, 2017
Entry type: trustedCertEntry
Owner: OU=VMware Engineering, O=3m-vvol-vc-cert.dev.purestorage.com, ST=California, C=US, DC=local, DC=vsphere, CN=CA
Issuer: OU=VMware Engineering, O=3m-vvol-vc-cert.dev.purestorage.com, ST=California, C=US, DC=local, DC=vsphere, CN=CA
Serial number: da703ac078fc7cf6
Valid from: Sat Dec 17 15:22:09 PST 2016 until: Tue Dec 15 15:22:09 PST 2026
Certificate fingerprints:
MD5:  38:F8:04:1B:A3:03:3D:52:1D:AE:FE:B8:5C:EC:CD:1D
SHA1: FE:F4:CD:E3:2B:FE:F6:8A:DD:D8:D5:8F:9E:E0:5F:C3:56:13:97:33
SHA256: AF:C8:E4:50:5D:B1:8E:D1:68:FF:45:F9:2D:F4:4E:85:6A:C8:FB:E1:F0:4F:5A:86:F6:7C:50:81:08:73:7E:BE
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]
#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]
#3: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  RFC822Name: email@acme.com
  IPAddress: 127.0.0.1
]
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 80 A3 05 66 4C 5C 84 33   45 A7 99 5F 52 78 10 49  ...fL\.3E.._Rx.I
0010: 79 F9 FC 94                                        y...
]
]
*******************************************
*******************************************

## Remove the stores and restart vasa ##

root@fs64-16-ct1:~# rm /cache/ui/keystore /cache/ui/truststore && service vasa restart

## Check the new stores ##

root@fs64-16-ct1:~# keytool -list -v -keystore /cache/ui/keystore
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: jetty
Creation date: Feb 2, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Pure Storage, O=Pure Storage, OU=Pure Storage, C=US
Issuer: CN=Pure Storage, O=Pure Storage, OU=Pure Storage, C=US
Serial number: 4f2b166c
Valid from: Thu Feb 02 15:04:12 PST 2012 until: Wed Jan 28 15:04:12 PST 2032
Certificate fingerprints:
MD5:  0D:E8:64:78:C5:66:5E:64:8C:4D:D8:AB:EC:78:20:FE
SHA1: D8:8F:22:67:B8:9C:30:31:69:66:F4:23:E9:69:94:A4:B2:38:79:21
SHA256: E2:3E:10:E5:A7:92:68:F0:63:0C:D2:81:ED:34:2F:97:B6:9E:08:7F:82:F6:E1:53:43:01:27:67:ED:2F:D9:DD
Signature algorithm name: SHA1withRSA
Version: 3

*******************************************
*******************************************

root@fs64-16-ct1:~# keytool -list -v -keystore /cache/ui/truststore
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 0 entries

Support: do not run these commands on a FlashArray that is running Purity 5.3.0 or higher. It is very important to run neither the openssl method or keystore method on a Purity 5.3 array.