By default, clients can connect to the S3 service via HTTP or HTTPS. Settings are available to disable/renable each type of connection:
Use the cluster modify command with one of the following options:
For example, to disable S3 HTTP connections:
vcli: admin> cluster modify --disable-s3-http
Clients using the S3 protocol can connect with the cluster over HTTPS connection. The HTTPS connection uses SSL encryption. The algorithms used to encrypt the connection use FIPS 140-2 validated libraries.
In order to enable S3 clients to connect to the S3 service over HTTPS, an SSL certificate must be installed for the S3 service. The S3 server presents the installed certificate to clients during the SSL handshake that takes place to establish the HTTPS connection.
There is a pre-installed self-signed certificate. You may wish to install an authority-signed SSL certificate in its place.
The certificate must be in the PEM file format. It can be a Certificate Authority (CA) authorized root certificate or chain or you can use a self signed certificate if you choose not to obtain a CA certificate.
Obtain the SSL server certificate in PEM format, consisting of two files: a certificate file and a key file.
From the left navigation menu of the VAST Web UI, select Settings and then Certificates.
From the Certificate for dropdown, select S3.
Paste the certificate file content in the Server Certificate field and the key file content into the Private Key field.
Your certificate is installed.
When you configure a client to connect to the S3 service, you need to make sure that certificate verification on the client side is configured in such a way that the HTTPS connection can be established successfully. These are some suggested configurations to do on the S3 client:
Configure the client to use a certificate trust store that contains the signer for the installed certificate, or verify that it does by default. For a self signed certificate, you might do this by pointing the client to a non default trust store path and storing the certificate itself at that path.
Alternatively, disable certificate verification on the client. This will enable the HTTPS connection to be established without the client's certificate trust store containing the certificate signer.
Either make sure that the hostname embedded in the certificate matches the service endpoint URL on the client or configure the client not to verify the certificate's hostname. This will prevent connection failure due to a mismatch between the service endpoint URL configured on the client and the hostname embedded in the certificate.