[gpfsug-discuss] Enabling SSL/HTTPS/ on Object S3.

Andi Christiansen andi at christiansen.xxx
Wed Apr 1 12:21:37 BST 2020


Hi Smita,

Thanks for your reply.

I have tried what you suggested. mmobj swift base ran fine, but after I deleted the userauth and tried to set it up again with ks-ssl enabled, it just hangs:

# mmuserauth service create --data-access-method object --type local --enable-ks-ssl

Still waiting for it to finish, 15 mins now.. :)

Best Regards
Andi Christiansen

>     On April 1, 2020 11:52 AM Smita J Raut <smita.raut at in.ibm.com> wrote:
> 
> 
>     Hi Andi,
> 
>     For object SSL configuration you need to reconfigure auth after "mmobj swift base". Instructions are here-
>     https://www.ibm.com/support/knowledgecenter/STXKQY_5.0.4/com.ibm.spectrum.scale.v5r04.doc/bl1adm_configlocalauthssl.htm
> 
>     Some more info on object auth configuration-
>     https://www.slideshare.net/SmitaRaut/ibm-spectrum-scale-authentication-for-object-deep-dive (Check slide 26)
> 
>     Thanks,
>     Smita
> 
> 
> 
>     From:         Andi Christiansen <andi at christiansen.xxx>
>     To:         "gpfsug-discuss at spectrumscale.org" <gpfsug-discuss at spectrumscale.org>
>     Date:         04/01/2020 02:35 PM
>     Subject:         [EXTERNAL] [gpfsug-discuss] Enabling SSL/HTTPS/ on Object S3.
>     Sent by:         gpfsug-discuss-bounces at spectrumscale.org
> 
>     ---------------------------------------------
> 
> 
> 
>     Hi,
> 
>     We are trying to enable S3 on the object protocol within Scale, but there seems to be little to no documentation on enabling https endpoints for the S3 protocol?
> 
>     According to the documentation, enabling S3 for the keystone server is possible with the mmuserauth command, but when I try to run it as IBM has documented, it says that Object protocol is not correctly installed.. And yes, it hasn't been configured yet..
> 
>     The "mmobj swift base" command which is used to configure Object/S3 automatically includes the "mmuserauth" command without the ssl option enabled.. and then all endpoints will start with http://
> 
> 
>     I hope that someone out there has a guide to do this, or is able to explain how to set it up?
> 
> 
>     Basically all I need is this:
> 
>     https://s3.something.com:8080 which points to the WAN IP of the CES cluster (already configured and ready)
> 
>     and endpoints like this:
> 
>     None | keystone | identity | True | public | https://cluster_domain:5000/
>     RegionOne | swift | object-store | True | public | https://cluster_domain:443/v1/AUTH_%(tenant_id)s
>     RegionOne | swift | object-store | True | public | https://cluster_domain:8080/v1/AUTH_%(tenant_id)s
> 
>     If I manually add those endpoints, put my certificates in /etc/swift/ and update the config, it says (SSL: Wrong_Version_Number). Here is the output:
> 
>     C:\Users\Andi Christiansen>aws --endpoint-url https://WAN_IP/DOMAIN:443 s3 ls
>     SSL validation failed for https://WAN_IP/DOMAIN:443/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1076)
>     C:\Users\Andi Christiansen>aws --endpoint-url https://WAN_IP/DOMAIN:8080 s3 ls
>     SSL validation failed for https://WAN_IP/DOMAIN:8080/ [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1076)
> 
> 
>     It's only ports 8080 and 5000 that are allowed through the firewall, so I only tested with 443 to see if it gave another error, as it is not allowed through, and it did..
> 
> 
>     It works just fine when "mmobj swift base" is run normally and I only have http endpoints, then it is reachable from local network or WAN with no issues..
> 
> 
> 
>     Thanks in advance!
> 
> 
>     Best Regards
>     Andi Christiansen
>     _______________________________________________
>     gpfsug-discuss mailing list
>     gpfsug-discuss at spectrumscale.org
>     http://gpfsug.org/mailman/listinfo/gpfsug-discuss
> 
> 
> 
> 
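
Added example, not part of the original thread or of IBM's tooling: a small Python probe for telling apart the two client errors quoted above. It checks whether a listener completes a TLS handshake at all or answers in cleartext HTTP, which is the usual cause of `WRONG_VERSION_NUMBER`; `classify_endpoint`, its return labels and the host name under `__main__` are made up for this example.

```python
import socket
import ssl


def _speaks_plain_http(host, port, timeout):
    """Send a cleartext HTTP request; True if an HTTP status line comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            return sock.recv(16).startswith(b"HTTP/")
    except OSError:
        return False


def classify_endpoint(host, port, timeout=3.0):
    """Return 'tls', 'plaintext-http' or 'other' for a listener.

    'tls'            : a TLS handshake completed (certificate trust is NOT judged)
    'plaintext-http' : handshake failed, but the port answers cleartext HTTP; an
                       https:// client reports this as SSL: WRONG_VERSION_NUMBER
    'other'          : neither worked (filtered or closed port, a different
                       protocol, or a TLS stack that rejected this handshake)
    """
    ctx = ssl.create_default_context()
    # Diagnostic only: verification is off so that a self-signed certificate
    # (the CERTIFICATE_VERIFY_FAILED case) still counts as "TLS is enabled".
    # Never reuse this context to carry credentials or data.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"
    except OSError:  # ssl.SSLError and timeouts are OSError subclasses
        pass
    return "plaintext-http" if _speaks_plain_http(host, port, timeout) else "other"


if __name__ == "__main__":
    # Constructed placeholder host: substitute the CES address being tested.
    for port in (8080, 5000):
        print(port, classify_endpoint("ces.example.invalid", port))
```

A `plaintext-http` result means the listener itself is still serving HTTP, whatever scheme the endpoint list advertises.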