FlashArray Deprecation of TLS 1.0 Support and the vSphere Web Client Plugin

In the recent release of the Purity Operating Environment on the FlashArray we deprecated TLS 1.0 support due to the ever growing list of vulnerabilities in it. Communication will be restricted to TLS 1.1 and later. Unfortunately, this affects some plugins/integrations. This is not an exhaustive list, but related to the ones VMware customers probably touch the most. If something is not listed ping the relevant support organization for more information.

The following plugins are NOT affected and will continue to work with Purity 4.7:

  • vRealize Operations Management Pack
  • vRealize Orchestrator Workflow Package
  • vRealize Log Insight Content Pack

The following are affected and will need to be upgraded to a specific version to work with Purity 4.7:

  • Site Recovery Manager Storage Replication Adapter (this needs to be version 1.5, which will be out soon)
  • vSphere Web Client Plugin (this needs to be version 2.0.10+)
  • VSS Provider (this needs to be version 1.0.2)
  • PowerShell SDK (this needs to be version 1.5)

SRM, VSS and PowerShell upgrades are pretty simple. The Web Client plugin upgrade process is normally pretty simple too, but this TLS stuff throws a bit of a wrench into the gears. To review, this is what happens during the installation:

  1. You login to the FlashArray and then enter the IP or FQDN of the vCenter and then click installinstallplugingui
  2. This process does not really “install” the plugin, instead it just registers the plugin information as an extension in vCenter (info on that here). You can see the extension info registered in the vCenter, which includes some basic information (version, vendor etc.) and a URL to actually download the plugin files.extensioninfo
  3.  At the next login to the vSphere Web Client, vCenter will download the zip from that URL and unzip to the correct location, allowing the plugin to load for you. At login the version will be checked each time, so if you upgraded it will download the new version and update the files.

So the problem here is not registering the extension the problem is two-fold:

  1. Version 2.0.9 of the plugin used TLS 1.0 in general to communicate to the FlashArray so if you upgrade Purity to 4.7 it will stop working until you upgrade to 2.0.10 or later.
  2. When vCenter tries to download the new zip file for 2.0.10 or later, it will try to communicate with the FlashArray over TLS 1.0, which the FlashArray will block. So the final install step will fail and the plugin will not appear in the Web Client home inventory.

If you look at the virgo log of the Web Client server you will see an error like below:

[2016-04-18 23:59:11.743] [INFO ] vc-service-pool-10 70000087 100003 200001 com.vmware.vise.vim.extension.VcExtensionManager Downloading plugin package from https://10.21.8.17/download/purestorage-vsphere-plugi
n.zip?version=2.0.10 (no proxy defined)
[2016-04-18 23:59:11.763] [ERROR] vc-service-pool-10 70000087 100003 200001 com.vmware.vise.vim.extension.VcExtensionManager Package com.purestorage.plugin.vsphere was not installed!
Error downloading https://10.21.8.17/download/purestorage-vsphere-plugin.zip?version=2.0.10. Make sure that the URL is reachable then logout/login to force another download. java.net.SocketException: Connection reset

This means your vCenter connection was blocked by the FlashArray. So from here you have a couple of options:

  1. Upgrade the vCenter Java JRE to 1.8 which supports TLS
  2. Manually install the plugin
  3. Use a temporary location to host the plugin zip file to use TLS 1.0.
  4. Upgrade to 2.0.10 prior to upgrading to Purity 4.7
  5. Upgrade vCenter to 6.0 U2 (more on this later)

Option 1, I am generally avoiding because I am not sure what in your environment might have Java dependencies, so I would only do that under direction from VMware support. Option 3 is something we can provide you with, but I am not a huge fan of it either. Option 4 is probably the simplest option which doesn’t really need further explanation. Option 5 I will talk about at the end of this post. So option 2…

Manual Installation

***DO NOT PERFORM THIS METHOD WITH PLUGIN 2.5.0 or later. Please contact for support for alternative.***

One option to getting the plugin installed without too much hassle is to manually install it. You still need to run the installation process from the FlashArray GUI to register the plugin first. This doesn’t change. This is the part that registers the plugin as an extension and needs to be done.

NOTE: This example uses the 2.0.10 version of the plugin, but the same rules apply for newer versions.

What you do need to do now is to place the plugin files manually on the vCenter. The first step is to get the zip file for the 2.0.10 plugin, this is going to be stored on your FlashArray.

Using a compatible browser enter in the zip file URL which will be something like:

https://10.21.8.17/download/purestorage-vsphere-plugin.zip?version=2.0.10

The IP will be different for you, or use the FQDN of your FlashArray. The rest of the URL will be the same. This will prompt you to download the zip file.

downloadplugin

Once you have this unzip it to a folder, call it:

 com.purestorage.plugin.vsphere-2.0.10

If the plugin is a newer version than 2.0.10 replace it with that version like

com.purestorage.plugin.vsphere-2.0.11

Now copy this to your vCenter (SCP if you are using the Linux Appliance or copy/paste or whatever for Windows).

Linux-Based vCenter Virtual Appliance

In vSphere 5.5.x put the folder in the following location:

/var/lib/vmware/vsphere-client/vc-packages/vsphere-client-serenity

In vSphere 6.0.x the location is a bit different:

/etc/vmware/vsphere-client/vc-packages/vsphere-client-serenity/

Note that this directory may not exist so you might need to create it, in a vCenter with no plugins often the vc-packages and vsphere-client-serenity folders need to be created.

createfolder

Then copy the “com.purestorage.plugin.vsphere-2.0.10” folder you unzipped to that folder. I usually use WinSCP to do this for the vApp. If you run into this error trying that:

Host is not communicating for more than 15 seconds. If the problem repeats, try turning off 'Optimize connection buffer size'

Check this KB on how to fix that. Or this workaround which I think I prefer.

copyplugin

Then you are done! Log back into the vSphere Web Client and the Pure icon should appear. You need to restart the Web Client service at this point, it never seems to show up after manual installation without a restart. You don’t need to restart vCenter–just the Web Client service.

installed

Windows-based vCenter

A Windows install of vCenter is a bit different than the Linux flavor of vCenter when it comes to installing plugins. Note your drive letter might be different than what I have below.

In vSphere 5.5.x put the folder in the following location:

C:\Program Files\VMware\Infrastructure\vSphereWebClient\plugin-packages\purestorage\

In vSphere 6.0.x the location is a bit different:

C:\Program Files\VMware\vCenter Server\WebClient\plugin-packages\purestorage\

To install the plugin you need to create the purestorage directory.

Do not copy the whole directory including the top level folder called com.purestorage.plugin.vsphere-2.0.10, instead just copy the contents of the directory com.purestorage.plugin.vsphere-2.0.10.

So only copy the following folders/directories from inside of com.purestorage.plugin.vsphere-2.0.10 into the purestorage directory you created on your vCenter, 5 files and a folder (with 6 .jar files and 1 .war file inside of it):

files

Once they are copied, restart the vSphere Web Client service (takes a few minutes) and then you are good to go.

diurectory

Manual Upgrade (either platform)

So if this is not a fresh install of the plugin (which for most probably isn’t) you need to upgrade likely. A manual upgrade is pretty much the same process as a manual install with an extra step (deleting the old files). Log into your FlashArray with the newer plugin version and run the standard upgrade process.

upgrade

Now copy the new files to the appropriate location and directory format as the above relevant section indicates with the newer version number and delete the old files.

Only delete the files for the Pure Storage plugin, so you don’t affect other plugins!

deleteold

Restart the vSphere Web Client service and you are upgraded!

vCenter 6.0 Update 2

No manual installation required! Yay!

Versions of vCenter earlier than 6.0 U2 do not support TLS 1.1 or 1.2 for communication in this manner by default (they added support for a lot of functions with TLS 1.1+ though in 6.0 U1b), which is why the above manual installation is necessary. That being said, in vCenter 6.0 U2 this is changed. It now allows TLS 1.1/1.2 usage with Java-based apps by default, so the normal installation process works great like before, so the manual intervention is not necessary. Interestingly, the release notes of vCenter U1b mention TLS support as changing but that versions still exhibits the failed behavior that older versions do. So I suspect it is the combination of the JRE update in 6.0 U2 and the TLS change that corrects this, as mentioned in the vCenter 6.0 U2 Release Notes

But…

After installation of the plugin, you will see it still does not show up in the vSphere Web Client 🙁

No matter if you install it through the automated process or through manual processes. It simply does not load upon login. You will see errors like below in the vSphere Web Client virgo logs:

[2016-04-19T05:05:18.750Z] [ERROR] fs-watcher org.eclipse.virgo.medic.eventlog.default DE0002E Installation of bundle 'com.purestorage' version '2.0.10' failed. org.eclipse.virgo.kernel.osgi.framework.UnableToSatisfyBundleDependenciesException: Unable to satisfy dependencies of bundle 'com.purestorage' at version '2.0.10': Cannot resolve: com.purestorage

Along with the TLS version support enhancement in vCenter came some changed Java packages that break the plugin version 2.0.10 and earlier. With the latest vSphere 6.0 update 2, VMware added a new library which broke the plugin. The plugin uses guava version 18 while they are using guava version 15. We modified our plugin code to use the older version (15) of guava for it to work

So you need version 2.0.11 for vCenter 6.0 U2 and later, there is no workaround (that I know of) to get earlier versions of the plugin to work, you must get version 2.0.11 of the Pure Storage Web Client Plugin. Currently, this can be obtained from support (just ask, they will get it to you quickly). We will bundle it in Purity in upcoming release.

6 Replies to “FlashArray Deprecation of TLS 1.0 Support and the vSphere Web Client Plugin”

  1. Hi,
    I’m in following Situation now. In the pure Administration it says available plugin 2.0.10, installed plugin 2.0.10. We are running vCenter appliance 6.0 U2. What to do to install pure plugin 2.0.11? I already uninstalled Version 2.0.10, installed it again, then copied Version 2.0.11 to the appliance. after restarting the web Client i dont see a plugin installed. on the appliance are the files for Version 2.0.10 and 2.0.11. What did I wrong?

    1. Did support load the 2.0.11 plugin onto your array? This needs to be done so you can register the new version as an extension. Once that is done the normal installation will work like always without any manual work since you are on 6.0 U2

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.