Configuring TLS mutual authentication between FlashArray and CryptoHub

9min

Before enabling RDL on the FlashArray, the array and the  must establish a mutual trust relationship by validating their respective digitally signed certificates.
Notes about certificates:
Certificates used on the FlashArray must be PEM formatted (Base64-encoded).
Intermediary certificates are not supported for use with KMIP.
Using the Purity internal management certificate for KMIP configuration is not supported.
Perform the following tasks to configure TLS mutual authentication:
1 | Create a FlashArray certificate and construct a CSR
Use the FlashArray Command Line Interface (CLI) to perform the following tasks to create a Certificate Signing Request (CSR):
a | Generate a FlashArray certificate
1
Use the following purecert create CLI command to create a self-signed certificate:
Shell
pureuser@purefa-ct0:# purecert create cert_1 --self-signed --common-name purefa
pureuser@purefa-ct0:# purecert create cert_1 --self-signed --common-name purefa
﻿
2
Display the certificate by using the following purecert list command: (Copy the displayed certificate for use in a later step.)
Shell
pureuser@purefa-ct0:# purecert list cert_1 --certificate
pureuser@purefa-ct0:# purecert list cert_1 --certificate
﻿
b | Construct a CSR
1
Use the following purecert construct command to construct a CSR:
Shell
pureuser@purefa-ct0:# purecert construct cert_1 --certificate-signing-request
pureuser@purefa-ct0:# purecert construct cert_1 --certificate-signing-request
﻿
2
Copy the CSR that is displayed in the terminal and paste it into a file editor. Save the file with either the .pem or .csr extension. Then, move the file via SFTP or other means to the external storage device configured on the .
c | Sign the FlashArray CSR with a CA created on the ﻿
Refer to the  User Guide for guidance on creating a certificate authority and issuing a certificate from the FlashArray CSR.
2 | Configure certificates in the FlashArray CLI
Copy the contents of the FlashArray and the CA certificates to your clipboard for use in the following configuration tasks:
a | Define the KMIP Server and import the KMIP Server's CA certificate
The purekmip create command allows for the creating of a KMIP Server and provides a way for importing the CA certificate for the KMIP server. After executing the command, you are prompted to paste in the KMIP server's CA certificate. Be sure to copy the entire certificate including "-----BEGIN" and "----END" lines.
In the uri field, the IP or hostname of the  and the KMIP port number must be specified.
Shell
pureuser@purefa-ct0:# purekmip create kmip_srvr –-uri 10.0.5.127:5696 --certificate
cert_1 --ca-certificate

Please enter CA certificate followed by Enter and then Ctrl-D:
-----BEGIN CERTIFICATE-----
MIIDEjCCAfoCCQD5SRlGfudwrzANBgkqhkiG9w0BAQsFADBLMRswGQYDVQQLDBJQ
---pasted lines omitted---
8mMBeuA8IYYihHIqd6nj03k0aESMtA==
-----END CERTIFICATE-----
pureuser@purefa-ct0:# purekmip create kmip_srvr –-uri 10.0.5.127:5696 --certificate
cert_1 --ca-certificate

Please enter CA certificate followed by Enter and then Ctrl-D:
-----BEGIN CERTIFICATE-----
MIIDEjCCAfoCCQD5SRlGfudwrzANBgkqhkiG9w0BAQsFADBLMRswGQYDVQQLDBJQ
---pasted lines omitted---
8mMBeuA8IYYihHIqd6nj03k0aESMtA==
-----END CERTIFICATE-----
﻿
If the command is successful, there will be output showing the name and URI of the KMIP Server, the name of the FlashArray certificate associated with it, and a boolean value of True or False for whether the CA certificate is configured.
b | Import the signed FlashArray certificate
The purecert setattr command will be used to import the signed FlashArray certificate. After executing the command, you are prompted to paste in the signed FlashArray certificate. Be sure to copy the entire certificate including "-----BEGIN" and "----END" lines.
Shell
pureuser@purefa-ct0:# purecert setattr --certificate cert_1

Please enter certificate followed by Enter and then Ctrl-D:
-----BEGIN CERTIFICATE-----
MIIDPDCCAiSgAwIBAgIIANgThwAAAIcwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UE
---pasted lines omitted---
sQPNMlbDt1C7DN4yP0PK7g==
-----END CERTIFICATE-----
pureuser@purefa-ct0:# purecert setattr --certificate cert_1

Please enter certificate followed by Enter and then Ctrl-D:
-----BEGIN CERTIFICATE-----
MIIDPDCCAiSgAwIBAgIIANgThwAAAIcwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UE
---pasted lines omitted---
sQPNMlbDt1C7DN4yP0PK7g==
-----END CERTIFICATE-----
﻿
If the command succeeds, the output lists the certificate name, and the Status field shows Imported.
c | Test connection and authentication from the FlashArray to the ﻿
The following purekmip test command verifies that the configured credentials successfully contact and authenticate to the KMIP port on the .
Shell
pureuser@purefa-ct0:# purekmip test kmip_srvr
pureuser@purefa-ct0:# purekmip test kmip_srvr
﻿
If the command succeeds, the output lists the name of the KMIP server, and the Status field displays OK.
Be sure to run the purekmip test command to test the server-array communication path before enabling RDL.
﻿

Updated 11 Dec 2024

Did this page help you?

Deploy the service

Enable RDL on the FlashArray

Configuring TLS mutual authentication between FlashArray and CryptoHub

1 | Create a FlashArray certificate and construct a CSR

a | Generate a FlashArray certificate

b | Construct a CSR

c | Sign the FlashArray CSR with a CA created on the ﻿

2 | Configure certificates in the FlashArray CLI

a | Define the KMIP Server and import the KMIP Server's CA certificate

b | Import the signed FlashArray certificate

c | Test connection and authentication from the FlashArray to the ﻿

c | Sign the FlashArray CSR with a CA created on the

c | Test connection and authentication from the FlashArray to the