Understanding the FlashArray Replication Connection Key

A question came up today at work that I answered, and I thought it might be a good topic for a quick blog post:

How do you change your connection key for FlashArray replication?

The question misunderstands what the connection key actually is, so let me explain.

When you connect one FlashArray to another, you need three pieces of information:

  1. The FQDN or IP for the management address of the remote array
  2. The FQDN or IP for the replication address of the remote array
  3. A connection key

[Screenshot: entering the connection key]

My connection key looks like this:

5d735633-7445-c08d-10b1-deb5ed237f8a

Entering the connection key during the initial connection provides a way to make sure the remote array authorizes the connection for replication.

What if you want to change this connection key? There doesn’t seem to be a place to do it where the “get connection key” and “connect array” options are.

[Screenshot: the “get connection key” and “connect array” options]

Well, look back at that connection key. Does it look familiar? If you use our REST API, you might recognize it: it is a REST API token, the same one used as part of our REST authentication. Those REST API tokens are assigned on a user-by-user basis. So if you always log in as the same user, the connection key will always be the same, unless you change your REST API token, which you can do (see a few images down for where that can be done).

Logged in as “pureuser”:

[Screenshots: the connection key and the API token for “pureuser”]

Notice they are both the same:

5d735633-7445-c08d-10b1-deb5ed237f8a

5d735633-7445-c08d-10b1-deb5ed237f8a

So if you change it by choosing “recreate API token”, the connection key also changes:

[Screenshot: the new connection key after recreating the API token]

If I log in as a different user, one from my Active Directory named arrayadmin, I have a different connection key (because I am a different user, I have a different API token and therefore a different key).

[Screenshot: the connection key for arrayadmin]

If you change the API token that you used to create the FlashArray replication connection, the connection will not be severed; it only uses the token for the initial connection.

So, why not use “get API token” all of the time instead of “get connection key” at all? Well, if you are an array admin, that would work. But that is the highest security level; if you are anything lower, you cannot connect replication, because that requires an administrative change to the FlashArray. If you do not have the proper security level, the “get connection key” option will be grayed out:

[Screenshot: “get connection key” grayed out]

This prevents people from mistakenly thinking they can connect an array, which is why we kind of make it look like it is a different key. If you cannot get the connection key, it indicates that you do not have permissions. If you try to use the API token of an account with a lower security level, you will get an error:

[Screenshot: the failed connection error]
