Hi Smita,

Thanks for your reply.

I have tried what you suggested. mmobj swift base ran fine, but after I deleted the userauth and tried to set it up again with ks-ssl enabled, it just hangs:

# mmuserauth service create --data-access-method object --type local --enable-ks-ssl

Still waiting for it to finish, 15 mins now.. :)

Best Regards
Andi Christiansen

> On April 1, 2020 11:52 AM Smita J Raut <[email protected]> wrote:
>
> Hi Andi,
>
> For object SSL configuration you need to reconfigure auth after "mmobj
> swift base". Instructions are here-
> https://www.ibm.com/support/knowledgecenter/STXKQY_5.0.4/com.ibm.spectrum.scale.v5r04.doc/bl1adm_configlocalauthssl.htm
>
> Some more info on object auth configuration-
> https://www.slideshare.net/SmitaRaut/ibm-spectrum-scale-authentication-for-object-deep-dive
> (Check slide 26)
>
> Thanks,
> Smita
>
> From: Andi Christiansen <[email protected]>
> To: "[email protected]" <[email protected]>
> Date: 04/01/2020 02:35 PM
> Subject: [EXTERNAL] [gpfsug-discuss] Enabling SSL/HTTPS/ on Object S3.
> Sent by: [email protected]
>
> ---------------------------------------------
>
> Hi,
>
> We are trying to enable S3 on the object protocol within Scale, but there
> seems to be little to no documentation on enabling https endpoints for the
> S3 protocol?
>
> According to the documentation, enabling S3 for the keystone server is
> possible with the mmuserauth command, but when I try to run it as IBM have
> documented, it says that the Object protocol is not correctly installed..
> And yes, it hasn't been configured yet..
>
> The "mmobj swift base" command, which is used to configure Object/S3,
> automatically includes the "mmuserauth" command without the ssl option
> enabled.. and then all endpoints will start with http://
>
> I hope that anyone out there has a guide to do this, or is able to
> explain how to set it up?
>
> Basically all I need is this:
>
> https://s3.something.com:8080 which points to the WAN IP of the CES
> cluster (already configured and ready)
>
> and endpoints like this:
>
> None | keystone | identity | True | public | https://cluster_domain:5000/
> RegionOne | swift | object-store | True | public | https://cluster_domain:443/v1/AUTH_%(tenant_id)s
> RegionOne | swift | object-store | True | public | https://cluster_domain:8080/v1/AUTH_%(tenant_id)s
>
> If I manually add those endpoints, put my certificates in /etc/swift/
> and update the config, it says (SSL: Wrong_Version_Number). Here is the output:
>
> C:\Users\Andi Christiansen>aws --endpoint-url https://WAN_IP/DOMAIN:443 s3 ls
> SSL validation failed for https://WAN_IP/DOMAIN:443/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1076)
> C:\Users\Andi Christiansen>aws --endpoint-url https://WAN_IP/DOMAIN:8080 s3 ls
> SSL validation failed for https://WAN_IP/DOMAIN:8080/ [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1076)
>
> It's only ports 8080 and 5000 that are allowed through the firewall, so I
> only tested with 443 to see if it gave another error, as it is not allowed
> through, and it did..
>
> It works just fine when "mmobj swift base" is run normally and I only
> have http endpoints; then it is reachable from the local network or WAN
> with no issues..
>
> Thanks in advance!
>
> Best Regards
> Andi Christiansen
> _______________________________________________
> gpfsug-discuss mailing list
> gpfsug-discuss at spectrumscale.org
> http://gpfsug.org/mailman/listinfo/gpfsug-discuss
