By default, clients can connect to the S3 service via HTTP or HTTPS. Settings are available to disable/renable each type of connection:
Clients using the S3 protocol can connect with the cluster over HTTPS connection. The HTTPS connection uses SSL encryption. The algorithms used to encrypt the connection use FIPS 140-2 validated libraries.
In order to enable S3 clients to connect to the S3 service over HTTPS, an SSL certificate must be installed for the S3 service. The S3 server presents the installed certificate to clients during the SSL handshake that takes place to establish the HTTPS connection.
There is a pre-installed self-signed certificate. You may wish to install an authority-signed SSL certificate in it's place.
The certificate must be in the PEM file format. It can be a Certificate Authority (CA) authorized root certificate or chain or you can use a self signed certificate if you choose not to obtain a CA certificate.
Obtain the SSL server certificate in PEM format, consisting of two files: a certificate file and a key file.
In the VAST Web UI, open the Settings page from the left navigation menu and then select the SSL Certificate for S3 tab.
Paste the certificate file content in the Server Certificate field and the key file content into the Private Key field.
Your certificate is installed.
When you configure a client to connect to the S3 service, you need to make sure that certificate verification on the client side is configured in such a way that the HTTPS connection can be established successfully. These are some suggested configurations to do on the S3 client:
Configure the client to use a certificate trust store that contains the signer for the installed certificate, or verify that it does by default. For a self signed certificate, you might do this by pointing the client to a non default trust store path and storing the certificate itself at that path.
Alternatively, disable certificate verification on the client. This will enable the HTTPS connection to be established without the client's certificate trust store containing the certificate signer.
Either make sure that the hostname embedded in the certificate matches the service endpoint URL on the client or configure the client not to verify the certificate's hostname. This will prevent connection failure due to a mismatch between the service endpoint URL configured on the client and the hostname embedded in the certificate.
When a bucket is created via an S3 API request, a view is created for the bucket. That view is manageable via VMS.
Views that are created this way are configured based on an S3 Endpoint-enabled view. S3 Endpoint can be selected as a protocol when creating a view. An S3 Endpoint view acts as a template for creating a view on a bucket. The S3 Endpoint view provides the view policy and the Element Store path under which the bucket is created.
You can create multiple S3 Endpoint views and use them to manage the path placement of new buckets in the Element Store.
S3 Endpoint views specify bucket creator users and groups. When a user creates a bucket by S3 API request, the view is created using an S3 Endpoint view that specifies the user as a bucket creator or specifies a group to which the user belongs as a bucket creator group.
If the requesting user is not specified in any S3 Endpoint view as a bucket creator, the bucket is placed directly under the root path, '/' of the Element Store and configured with a default view policy called S3_default_policy.
There is a cluster setting that enables you to restrict bucket creation via S3 API requests to S3 Endpoint views. The setting is called S3 Force Endpoint Bucket Creation. If you enable this setting, requests to create buckets fail if the user is not specified as a bucket owner for an S3 Endpoint-view.
It is possible to enable NFSv3 and NFSv4.1 protocols on the same view as S3 Endpoint protocol. The NFS protocols are then able to access the Element Store path into which the buckets are placed.
To create an S3 Endpoint view, follow the VAST Web UI or VAST CLI procedure in Creating Views to create a view and choose the following configurations:
Enable S3 Endpoint as a protocol.
Specify users and/or groups as bucket creators.
Specify a view policy that has S3 Native flavor.
Go to the Cluster settings page (either search for "Cluster" or select Settings from the menu and then Cluster).
Slide the S3 Force Endpoint Bucket Creation slider to the ON position to disallow bucket creation outside of S3 endpoints or to the OFF position to allow bucket creation API requests without the user being a specified bucket owner in an S3 Endpoint view.
You can create a bucket via VMS by creating a view and enabling S3 Bucket as a protocol. When creating a bucket this way, you specify a user as a bucket owner. The bucket owner user does not need to have bucket creation permission in VMS.
To create an S3 Bucket view, follow the VAST Web UI or VAST CLI procedure in Creating Views to create a view and choose the following configurations:
Select S3 Bucket as a protocol.
Set the name of the bucket if you wish. Otherwise the view's path with default as the bucket name.
Choose a view policy with a security flavor that supports S3 (either NFS or S3).
Set the bucket owner to the user name of a user that has an entry on a provider such as Active Directory or the local provider.
Optionally, enable S3 versioning.