[gpfsug-discuss] Enabling SSL/HTTPS/ on Object S3.

Andi Christiansen andi at christiansen.xxx
Wed Apr 1 10:04:56 BST 2020


Hi,

We are trying to enable S3 on the object protocol within Scale, but there seems to be little to no documentation to enable HTTPS endpoints for the S3 protocol?

According to the documentation, enabling S3 for the keystone server is possible with the mmuserauth command, but when I try to run it as IBM have documented, it says that Object protocol is not correctly installed. And yes, it hasn't been configured yet.

The "mmobj swift base" command, which is used to configure Object/S3, automatically includes the "mmuserauth" command without the ssl option enabled, and then all endpoints will start with http://


I hope that someone out there has a guide to do this, or is able to explain how to set it up?


Basically all I need is this:

https://s3.something.com:8080 which points to the WAN ip of the CES cluster (already configured and ready)

and endpoints like this:

None | keystone | identity | True | public | https://cluster_domain:5000/
RegionOne | swift | object-store | True | public | https://cluster_domain:443/v1/AUTH_%(tenant_id)s
RegionOne | swift | object-store | True | public | https://cluster_domain:8080/v1/AUTH_%(tenant_id)s

If I manually add those endpoints, put my certificates in /etc/swift/ and update the config, it says (SSL: Wrong_Version_Number). Here is the output:

C:\Users\Andi Christiansen>aws --endpoint-url https://WAN_IP/DOMAIN:443 s3 ls
SSL validation failed for https://WAN_IP/DOMAIN:443/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1076)
C:\Users\Andi Christiansen>aws --endpoint-url https://WAN_IP/DOMAIN:8080 s3 ls
SSL validation failed for https://WAN_IP/DOMAIN:8080/ [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1076)


It's only ports 8080 and 5000 that are allowed through the firewall, so I only tested with 443 to see if it gave another error, as it is not allowed through, and it did.


It works just fine when "mmobj swift base" is run normally and I only have http endpoints; then it is reachable from the local network or WAN with no issues.



Thanks in advance!


Best Regards
Andi Christiansen
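
The two errors in the output above differ in kind: CERTIFICATE_VERIFY_FAILED is raised once a TLS handshake reaches a certificate the client does not trust, while WRONG_VERSION_NUMBER is raised when the reply is not a TLS record at all, typically because the port is still serving plain HTTP. The Python probe below is an added example, not part of the original post or of IBM's tooling; `probe_listener`, `_speaks_plain_http` and the return labels are names made up here, and the host, port and optional CA bundle are supplied by whoever runs it.

```python
import socket
import ssl


def probe_listener(host, port, timeout=5.0, cafile=None):
    """Classify what answers on host:port (labels are this example's own)."""
    # Default context: certificate and hostname verification stay enabled.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls-trusted"
    except ssl.SSLCertVerificationError:
        # TLS is spoken, but this client rejects the certificate
        # (self-signed, unknown CA, or name mismatch).
        return "tls-cert-rejected"
    except ssl.SSLError as exc:
        if "WRONG_VERSION_NUMBER" not in str(exc):
            return "tls-error"
    except OSError:
        return "no-answer"  # refused, filtered, or timed out
    # WRONG_VERSION_NUMBER: the reply was not a TLS record.
    # Ask the same port in plaintext to see whether it is an HTTP listener.
    return "plain-http" if _speaks_plain_http(host, port, timeout) else "not-tls"


def _speaks_plain_http(host, port, timeout):
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            reply = b""
            while len(reply) < 5:  # a status line starts with "HTTP/"
                chunk = sock.recv(5 - len(reply))
                if not chunk:
                    break
                reply += chunk
            return reply == b"HTTP/"
    except OSError:
        return False


if __name__ == "__main__":
    import sys
    # Usage: python probe.py HOST PORT [CA_BUNDLE.pem]
    ca = sys.argv[3] if len(sys.argv) > 3 else None
    print(probe_listener(sys.argv[1], int(sys.argv[2]), cafile=ca))
```

Passing the CA bundle that signed the endpoint certificate as `cafile` keeps verification on while testing a privately issued certificate.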