Reference Guide

Secure communication between PowerStore appliances within a cluster
During cluster creation, the primary node of the cluster master appliance creates a certificate authority (CA) certificate, also
known as the cluster CA. The master appliance passes the cluster CA certificate to the appliances joining the cluster.
Each PowerStore appliance in a cluster generates its own unique IPsec certificate which is signed by the cluster CA certificate.
The sensitive data that PowerStore appliances transmit over their cluster network is protected by IPsec and TLS so that the
security and integrity of the data are preserved.
Secure communication for replication and data import
PowerStore's certificate and credential infrastructure allows the exchange of server and client certificates, and user credentials.
This process includes:
- Retrieving and validating server certificate during TLS handshake
- Adding the trusted CA certificate from the remote system to the credential store
- Adding the trusted server/client certificate to the credential store
- Assisting in establishing secure connections once the trust is established
PowerStore supports the following certificate management functionality:
- For replication, a certificate exchange between two PowerStore clusters to establish trusted management communication.
  To facilitate replication between PowerStore clusters, bi-directional trust must be established between the clusters to allow
  for mutual TLS authentication when issuing replication REST control requests.
- For data import, a certificate and credentials exchange with persistence, to establish a secure connection between a Dell
  EMC storage system (a VNX, Unity, Storage Center (SC), or a Peer Storage (PS) system) and a PowerStore cluster.
vSphere Storage API for Storage Awareness support
vSphere Storage API for Storage Awareness (VASA) is a VMware-defined, vendor-neutral API for storage awareness. A VASA
Provider comprises multiple components working in cooperation to service incoming VASA API requests. The VASA API
gateway, which receives all incoming VASA APIs, is deployed on the primary appliance (the one that owns the floating
management IP) in a PowerStore cluster. ESXi hosts and vCenter Server connect to the VASA Provider and obtain information
about available storage topology, capabilities, and status. Subsequently, the vCenter Server provides this information to vSphere
clients. VASA is used by VMware clients rather than PowerStore Manager clients.
The vSphere user must configure the VASA Provider instance as the provider of VASA information for the cluster. In the event
that the lead appliance goes down, the related process will restart on the appliance that becomes the next primary, along with
the VASA Provider. The IP address fails over automatically. Internally, the protocol will see a fault when obtaining configuration
change events from the newly active VASA Provider, but this will cause an automatic resynchronization of the VASA objects
without user intervention.
The PowerStore provides VASA 3.0 interfaces for vSphere 6.5 and 6.7.
VASA 3.0 supports Virtual Volumes (vVols). VASA 3.0 supports interfaces to query storage abstractions such as vVols and
Storage Containers. This information helps storage policy based management (SPBM) make decisions about virtual drive
placement and compliance. VASA 3.0 also supports interfaces to provision and manage the lifecycle of vVols used to back up
virtual drives. These interfaces are directly invoked by ESXi hosts.
For more information related to VASA, vSphere, and vVols, refer to the VMware documentation and the PowerStore Manager
online help.
Authentication related to VASA
To initiate a connection from vCenter to the PowerStore Manager VASA Provider, use the vSphere client to enter the following
information:
- URL of the VASA Provider, using the following format for VASA 3.0: https://<Management IP address>:8443/version.xml.
- Username of a PowerStore Manager user (the role must be either VM Administrator or administrator).
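
A pre-registration check for the URL format above, as an added example that is not part of the Dell guide: it lists deviations from the documented format and computes the SHA-256 fingerprint of the certificate the endpoint presents, for comparison with a value obtained out of band. The function names, the rule that only an IP literal is accepted, and the sample address 192.0.2.10 are assumptions of this example.

```python
import hashlib
import ipaddress
import ssl
from urllib.parse import urlsplit

VASA_PORT = 8443            # from the URL format on this page
VASA_PATH = "/version.xml"  # from the URL format on this page


def vasa_url_problems(url):
    """List deviations from https://<Management IP address>:8443/version.xml."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if parts.username or parts.password:
        problems.append("do not embed credentials in the URL")
    try:
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        port = None
    if port != VASA_PORT:
        problems.append(f"port must be {VASA_PORT}")
    if parts.path != VASA_PATH or parts.query or parts.fragment:
        problems.append(f"path must be exactly {VASA_PATH}")
    try:
        # Assumption: only an IP literal is accepted, as in the documented format.
        ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        problems.append("host must be the management IP address")
    return problems


def sha256_fingerprint(pem_cert):
    """Colon-separated SHA-256 fingerprint of a PEM-encoded certificate."""
    digest = hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_cert)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_provider_fingerprint(url):
    """Fetch the certificate the provider presents, without trusting it yet,
    so its fingerprint can be compared with one obtained out of band."""
    problems = vasa_url_problems(url)
    if problems:
        raise ValueError("; ".join(problems))
    parts = urlsplit(url)
    return sha256_fingerprint(ssl.get_server_certificate((parts.hostname, parts.port)))


if __name__ == "__main__":
    # 192.0.2.10 is a constructed documentation address (RFC 5737).
    print(vasa_url_problems("http://192.0.2.10:443/version.xml"))
```

`fetch_provider_fingerprint` needs network access to the management IP; the other two functions run offline.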