[gpfsug-discuss] Enabling SSL/HTTPS/ on Object S3.
Smita J Raut
smita.raut at in.ibm.com
Wed Apr 1 10:52:44 BST 2020
Hi Andi,
For object SSL configuration you need to reconfigure auth after "mmobj
swift base". Instructions are here-
https://www.ibm.com/support/knowledgecenter/STXKQY_5.0.4/com.ibm.spectrum.scale.v5r04.doc/bl1adm_configlocalauthssl.htm
Some more info on object auth configuration-
https://www.slideshare.net/SmitaRaut/ibm-spectrum-scale-authentication-for-object-deep-dive
(Check slide 26)
Thanks,
Smita
From: Andi Christiansen <andi at christiansen.xxx>
To: "gpfsug-discuss at spectrumscale.org"
<gpfsug-discuss at spectrumscale.org>
Date: 04/01/2020 02:35 PM
Subject: [EXTERNAL] [gpfsug-discuss] Enabling SSL/HTTPS/ on Object
S3.
Sent by: gpfsug-discuss-bounces at spectrumscale.org
Hi,
We are trying to enable S3 on the object protocol within scale but there
seems to be little to no documentation to enable https endpoints for the S3
protocol?
According to the documentation enabling S3 for the keystone server is
possible with the mmuserauth command but when I try to run it as IBM have
documented, it says that Object protocol is not correctly installed.. And
yes it hasn't been configured yet..
The "mmobj swift base" command which is used to configure Object/S3
automatically includes the "mmuserauth" command without the ssl option
enabled.. and then all endpoints will start with http://
I hope that anyone out there has a guide to do this? or is able to
explain how to set it up?
Basically all I need is this:
https://s3.something.com:8080 which points to the WAN ip of the CES
cluster (already configured and ready)
and endpoints like this:
None | keystone | identity | True | public | https://cluster_domain:5000/
RegionOne | swift | object-store | True | public | https://cluster_domain:443/v1/AUTH_%(tenant_id)s
RegionOne | swift | object-store | True | public | https://cluster_domain:8080/v1/AUTH_%(tenant_id)s
If I manually add those endpoints and put my certificates in /etc/swift/
and update the config it says (SSL: Wrong_Version_Number). Here is output:
C:\Users\Andi Christiansen>aws --endpoint-url https://WAN_IP/DOMAIN:443 s3 ls
SSL validation failed for https://WAN_IP/DOMAIN:443/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1076)
C:\Users\Andi Christiansen>aws --endpoint-url https://WAN_IP/DOMAIN:8080 s3 ls
SSL validation failed for https://WAN_IP/DOMAIN:8080/ [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1076)
It's only port 8080 and 5000 that are allowed through the firewall, so I
only tested with 443 to see if it gave another error as it is not allowed
through and it did..
It works just fine when "mmobj swift base" is run normally and I only have
http endpoints, then it is reachable from local network or WAN with no
issues..
Thanks in advance!
Best Regards
Andi Christiansen
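
Added example, not part of the original thread: WRONG_VERSION_NUMBER, as in the output quoted above, is what a TLS client reports when the first bytes it receives are not a TLS record, for example when the listener on that port is still answering in plain HTTP. The Python code below reproduces that against a constructed local plaintext listener; serve_plain_http_once and tls_probe are hypothetical helper names, and tls_probe can equally be pointed at a real host and port.

```python
import socket
import ssl
import threading


def serve_plain_http_once():
    """Constructed stand-in for a port that still speaks plain HTTP.

    Binds 127.0.0.1 on an ephemeral port, answers a single connection
    with an HTTP response, and returns the port number.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def handle():
        conn, _ = listener.accept()
        with conn, listener:
            conn.recv(4096)  # the client's TLS ClientHello, not valid HTTP
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")

    threading.Thread(target=handle, daemon=True).start()
    return port


def tls_probe(host, port, timeout=5.0):
    """Attempt a verified TLS handshake; return (ok, detail).

    detail is the negotiated protocol version on success, the OpenSSL
    reason code (such as WRONG_VERSION_NUMBER or CERTIFICATE_VERIFY_FAILED)
    on a TLS failure, or the exception name for a plain socket error.
    """
    context = ssl.create_default_context()  # certificate verification stays on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLError as exc:
        return False, exc.reason
    except OSError as exc:
        return False, type(exc).__name__


if __name__ == "__main__":
    port = serve_plain_http_once()
    print(tls_probe("127.0.0.1", port))
```

A CERTIFICATE_VERIFY_FAILED result from the same probe means the port does speak TLS and only the trust chain is at issue.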