How endpoints are specified

An endpoint is specified using a set of fields that identify the external resource that the endpoint represents, and that establish how that resource is accessed. You can create an endpoint using either the Tenant Management API or the Tenant Manager.

StorageGRID Webscale validates endpoints as you create them, so you must ensure that the resource specified in the endpoint exists and is reachable before creating the endpoint.

When creating an endpoint using the Tenant Management API, you include the following information in the endpoint JSON. When creating an endpoint using the Tenant Manager, you enter the following information in a dialog box.

Field: Description
Display Name: A name that briefly describes the endpoint and its purpose.

The type of platform service that the endpoint supports is shown beside the endpoint name when it is listed on the Endpoints page, so that information does not need to be included in the name.

URI: The Unique Resource Identifier (URI) of the endpoint.
Specify the endpoint URI in one of the following formats:
  • https://host:port
  • http://host:port

If you do not specify a port, by default port 443 is used for HTTPS URIs and port 80 is used for HTTP URIs.

For example, an endpoint for a bucket hosted on StorageGRID Webscale might have a URI of the form https://api-gateway-node.storagegrid.example.com:8082, while the URI for a bucket hosted on AWS might be https://s3-aws-region.amazonaws.com.

URN: The Unique Resource Name (URN) of the endpoint. You use the URN to reference this endpoint when you create configuration XML for a platform service. The URN for each endpoint must be unique.

Required elements

The third element of the URN specifies the type of platform service, and the last element of the URN identifies the specific target resource at the destination URI.
Service                 | Type | Specific resource
CloudMirror replication | s3   | bucket-name
Notifications           | sns  | sns-topic-name
Search integration      | es   | domain-name/index-name/type-name
Note: You must create the Elasticsearch index before you create the endpoint. Endpoint validation is done using the Elasticsearch index. The type will be dynamically created when object metadata is first sent to the destination.

URNs for services hosted on AWS

For AWS entities, the complete URN is a valid AWS ARN:
  • arn:aws:s3:::bucket-name
  • arn:aws:sns:region:account-id:topic-name
  • arn:aws:es:region:account-ID:domain/domain-name/index-name/type-name
Note: For an AWS search integration endpoint, the domain-name must include the literal string domain/, as shown here.

URNs for locally-hosted services

For locally-hosted services, you can specify the URN in any way that creates a valid and unique URN, as long as the URN includes the required elements in the third and final positions. You can leave the elements marked "optional" blank, or you can fill them in with any values that help you identify the resource and make the URN unique:
  • urn:mysite:s3:optional:optional:bucket-name
  • urn:mysite:sns:optional:optional:sns-topic-name
  • urn:mysite:es:optional:optional:domain-name/index-name/type-name
Note: For locally-hosted search integration endpoints, the domain-name element can be any string as long as the URN of the endpoint is unique.
For a CloudMirror endpoint hosted on StorageGRID Webscale, you can specify a valid URN that begins with urn:sgws.
  • urn:sgws:s3:optional:optional:bucket-name
Access Key Id: The Access Key Identifier for the destination service, formatted as an AWS access key.

For anonymous access to the destination, omit both the Access Key Identifier and the Secret Access Key.

Secret Access Key: The Secret Access Key for the destination service, formatted as an AWS secret access key.

For anonymous access to the destination, omit both the Access Key Identifier and the Secret Access Key.

Certificate Validation: The method of validating the certificate used for TLS connections to the endpoint resource:
  • Use operating system CA certificate.

    If you select this option, StorageGRID Webscale uses its default operating system certificate to verify the connection to the endpoint resource. This option is equivalent to submitting a 'null' certificate using the Endpoint API.

  • Use custom CA certificate.

    If you prefer to use a custom certificate to verify the TLS connection to the endpoint resource, select this option. A text box opens to allow you to add the custom CA certificate in PEM format.

  • Do not verify certificate.

    Selecting this option means that the certificate used for the TLS connection is not verified. It corresponds to the 'insecureTLS' option in the Endpoint API.

CA Certificate: A text field in which you can add a custom CA certificate in PEM format, used to verify the endpoint when using TLS.
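
The URI, URN and certificate-validation rules above can be checked before an endpoint is submitted. The following Python is an added example, not NetApp code: the function names `parse_urn` and `check_endpoint`, their parameters, the findings text, and the requirement that each `es` path segment be non-empty are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Service type codes from the URN table on this page.
SERVICES = {"s3": "CloudMirror replication", "sns": "Notifications",
            "es": "Search integration"}
DEFAULT_PORTS = {"https": 443, "http": 80}


def parse_urn(urn):
    """Return (service, resource); raise ValueError if a URN rule is broken."""
    parts = urn.split(":")
    if len(parts) < 4 or parts[0] not in ("arn", "urn"):
        raise ValueError("expected arn:... or urn:... with at least four elements")
    service, resource = parts[2], parts[-1]
    if service not in SERVICES:
        raise ValueError(f"third element {service!r} is not s3, sns or es")
    if not resource:
        raise ValueError("last element (target resource) is empty")
    if service == "es":
        is_aws = parts[:2] == ["arn", "aws"]
        if is_aws and not resource.startswith("domain/"):
            raise ValueError("AWS es resource must include the literal 'domain/'")
        path = resource[len("domain/"):] if is_aws else resource
        segments = path.split("/")
        if len(segments) != 3 or not all(segments):
            raise ValueError("es resource must be domain-name/index-name/type-name")
    return service, resource


def check_endpoint(uri, urn, insecure_tls=False, ca_cert_pem=None):
    """Validate URI and URN, then list transport-security findings for review."""
    u = urlsplit(uri)
    if u.scheme not in DEFAULT_PORTS or not u.hostname:
        raise ValueError("URI must be https://host:port or http://host:port")
    # Apply the documented defaults when no port is given.
    port = u.port if u.port is not None else DEFAULT_PORTS[u.scheme]
    service, resource = parse_urn(urn)
    findings = []
    if u.scheme == "http":
        findings.append("plaintext HTTP: traffic to the endpoint is not protected by TLS")
    elif insecure_tls:
        findings.append("certificate not verified: the destination is unauthenticated")
    if insecure_tls and ca_cert_pem:
        findings.append("custom CA supplied together with verification disabled")
    return {"host": u.hostname, "port": port, "service": service,
            "resource": resource, "findings": findings}
```

An empty `findings` list means the endpoint uses HTTPS with certificate verification left on, either against the operating system CA store or against the supplied custom CA.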