Configuring S3 interface for MSDP on MSDP build-your-own (BYO) server
After MSDP is configured, you can configure the S3 interface for MSDP using the NetBackup web UI or the s3srv_config.sh script.
To configure the S3 interface for MSDP using the NetBackup web UI, see the Configuring an MSDP object store topic in the NetBackup Web UI Administrator's Guide.
To configure the S3 server using the s3srv_config.sh script
- If you want to use NBCA or ECA type certificates in S3 interface for MSDP, run the following command:
/usr/openv/pdde/vxs3/cfg/script/s3srv_config.sh --catype=<type> [--port=<port>] [--loglevel=<0-4>]
- If you want to use your own certificates in the S3 interface for MSDP, run the following command:
/usr/openv/pdde/vxs3/cfg/script/s3srv_config.sh --cert=<certfile> --key=<keypath> [--port=<port>] [--loglevel=<0-4>]
--catype=<type> | Certificate Authority type. NBCA: 1 or ECA: 2. |
--cert=<certfile> | Certificate file for HTTPS. |
--key=<keypath> | Private key for HTTPS. |
--port=<port> | S3 server port. Default port is 8443. |
--loglevel=<0-4> | S3 server log level. |
--help|-h | Print the usage. |
The S3 service is an HTTPS service. The default port is 8443.
The root user can run this script directly. Other service users must run the command in the following format:
sudo -E /usr/openv/pdde/pdcr/bin/msdpcmdrun /usr/openv/pdde/vxs3/cfg/script/s3srv_config.sh <arguments>
If multiple certificates exist under /usr/openv/var/vxss/credentials, you may see the following configuration error:
Too many ca files under /usr/openv/var/vxss/credentials/keystore
You can use the --cert and --key options to specify which certificate is used.
You can enable HTTPS in the S3 interface for MSDP with a certificate that is not signed by a Certificate Authority. If the S3 interface for MSDP is configured with NBCA as the SSL certificate, the CA certificate is /usr/openv/var/webtruststore/cacert.pem on the S3 server host.
When you use the AWS CLI to connect to the S3 interface for MSDP, there are two options: --ca-bundle and --no-verify-ssl. Option --ca-bundle verifies SSL certificates against the corresponding CA certificate bundle. Option --no-verify-ssl overrides the default behavior of verifying SSL certificates in the AWS CLI command. With --no-verify-ssl, the AWS CLI prints the following warning message, which you can ignore:
urllib3/connectionpool.py:1043: InsecureRequestWarning: Unverified HTTPS request is being made to host 'xxxx.xxxx.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
Only the PEM format is supported for the certificate and secret key. Convert certificates and secret keys in other formats to PEM format.
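Added example (not from the NetBackup documentation or scripts): a pre-flight check for the files you intend to pass to --cert and --key, confirming that both are PEM, that the private key belongs to the certificate, and that the key is not accessible to group or other users. The function names are hypothetical, the match check assumes the openssl CLI is installed, and the permission check is general key hygiene rather than a requirement stated on this page.

```shell
#!/bin/sh
# Added example: pre-flight checks for --cert=<certfile> and --key=<keypath>.
# Function names are hypothetical; cert_key_match assumes the openssl CLI.

# Classify a file by its PEM header: certificate, private-key or not-pem.
pem_kind() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo certificate
    elif grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1" 2>/dev/null; then
        echo private-key
    else
        echo not-pem
    fi
}

# Succeed only if group and other have no permission bits on the key file.
# (General key hygiene; an assumption, not a requirement stated on this page.)
key_perms_ok() {
    [ "$(ls -ldL "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# Succeed only if the certificate and the private key share one public key.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run all checks; print each failure to stderr and return non-zero on any.
preflight() {
    rc=0
    [ "$(pem_kind "$1")" = certificate ] || { echo "not a PEM certificate: $1" >&2; rc=1; }
    [ "$(pem_kind "$2")" = private-key ] || { echo "not a PEM private key: $2" >&2; rc=1; }
    key_perms_ok "$2" || { echo "key is accessible to group/other: $2" >&2; rc=1; }
    if [ "$rc" -eq 0 ] && ! cert_key_match "$1" "$2"; then
        echo "private key does not match certificate" >&2; rc=1
    fi
    return "$rc"
}

# Usage: sh <this script> <certfile> <keypath>
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```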
After configuring S3 server, you can check S3 server status.
Root user: systemctl status pdde-s3srv
Other service users: sudo -E /usr/openv/pdde/pdcr/bin/msdpcmdrun /usr/openv/pdde/vxs3/cfg/script/s3srv_adm.sh status
After configuring S3 server, you can stop or start S3 server.
Root user: systemctl stop/start pdde-s3srv
Other service users: sudo -E /usr/openv/pdde/pdcr/bin/msdpcmdrun /usr/openv/pdde/vxs3/cfg/script/s3srv_adm.sh stop|start
NGINX configurations for the S3 server are saved at /etc/<nginx path>/conf.d/s3srvbyo.conf and /etc/<nginx path>/locations/s3srv.conf. If you have modified the configuration files, you must modify them again after the upgrade.