Articles in this section

Managing S3 Connection Settings

Sara Levy
  • Updated
Follow

S3 Connection Settings

By default, clients can connect to the S3 service via HTTP or HTTPS. Settings are available to disable/renable each type of connection:

Disable/Enable S3 Connection Types from the VAST Web UI

  1. Navigate to Settings > Cluster.

  2. Optionally disable/enable the following:

    • Enable S3 HTTP

    • Enable S3 HTTPS

Disable/Enable S3 Connection Types from the VAST CLI

Use the cluster modify command with one of the following options: --enable-s3-http, --disable-s3-http, --enable-s3-https, --disable-s3-https

For example, to disable S3 HTTP connections:

vcli: admin> cluster modify --disable-s3-http

Enabling FIPS 140-2 Validated Compliant HTTPS Connection

Clients using the S3 protocol can connect with the cluster over HTTPS connection. The HTTPS connection uses SSL encryption. The algorithms used to encrypt the connection use FIPS 140-2 validated libraries.

In order to enable S3 clients to connect to the S3 service over HTTPS, an SSL certificate must be installed for the S3 service. The S3 server presents the installed certificate to clients during the SSL handshake that takes place to establish the HTTPS connection.

There is a pre-installed self-signed certificate. You may wish to install an authority-signed SSL certificate in its place.

Certificate Requirements

The certificate must be in the PEM file format. It can be a Certificate Authority (CA) authorized root certificate or chain or you can use a self signed certificate if you choose not to obtain a CA certificate.

How to Install the Certificate

  1. Obtain the SSL server certificate in PEM format, consisting of two files: a certificate file and a key file.

  2. In the VAST Web UI, open the Settings page from the left navigation menu and then select the SSL Certificate for S3 tab. 

  3. Paste the certificate file content in the Server Certificate field and the key file content into the Private Key field.

  4. Click Update.

    Your certificate is installed.

Client Side Configuration

When you configure a client to connect to the S3 service, you need to make sure that certificate verification on the client side is configured in such a way that the HTTPS connection can be established successfully. These are some suggested configurations to do on the S3 client:

  • Configure the client to use a certificate trust store that contains the signer for the installed certificate, or verify that it does by default. For a self signed certificate, you might do this by pointing the client to a non default trust store path and storing the certificate itself at that path.

  • Alternatively, disable certificate verification on the client. This will enable the HTTPS connection to be established without the client's certificate trust store containing the certificate signer.

  • Either make sure that the hostname embedded in the certificate matches the service endpoint URL on the client or configure the client not to verify the certificate's hostname. This will prevent connection failure due to a mismatch between the service endpoint URL configured on the client and the hostname embedded in the certificate.

Related articles

Comments

0 comments

Article is closed for comments.