Create the ONTAP S3 object store server
The ONTAP object store server manages data as S3 objects, as opposed to file or block storage provided by ONTAP NAS and SAN servers.
You should be prepared to enter the S3 server name as a Fully Qualified Domain Name (FQDN), which clients will use for S3 access. The FQDN must not begin with a bucket name. When accessing buckets using virtual-hosted-style, the server name will be used as mydomain.com
. For example, bucketname.mydomain.com
.
You should have a self-signed CA certificate (created in previous steps) or a certificate signed by an external CA vendor. A CA certificate is not necessary for a local tiering use case, where IP traffic is going over cluster LIFs only.
When an object store server is created, a root user with UID 0 is created. No access key or secret key is generated for this root user. The ONTAP administrator must run the object-store-server users regenerate-keys
command to set the access key and secret key for this user.
As a NetApp best practice, do not use this root user. Any client application that uses the access key or secret key of the root user has full access to all buckets and objects in the object store. |
See the vserver object-store-server
man pages for additional configuration and display options.
Use this procedure if you are adding an S3 server to an existing storage VM. To add an S3 server to a new storage VM, see Create a storage SVM for S3.
You should be prepared to enter IP addresses for interface role Data.
-
Enable S3 on an existing storage VM.
-
Select the storage VM: click Storage > Storage VMs, select a storage VM, click Settings, and then click under S3.
-
Click Enable S3, then enter the S3 Server Name.
-
Select the certificate type.
Whether you select system-generated certificate or one of your own, it will be required for client access.
-
Enter the network interfaces.
-
-
If you selected the system-generated certificate, you see the certificate information when the new storage VM creation is confirmed. Click Download and save it for client access.
-
The secret key will not be displayed again.
-
If you need the certificate information again: click Storage > Storage VMs, select the storage VM, and click Settings.
-
-
Create the S3 server:
vserver object-store-server create -vserver svm_name -object-store-server s3_server_fqdn -certificate-name server_certificate_name -comment text [additional_options]
You can specify additional options when creating the S3 server or at any time later.
-
If you are configuring local tiering, the SVM name can either be a data SVM or system SVM (cluster) name.
-
The certificate name should be the name of the server certificate (end user or leaf certificate), and not server CA certificate (intermediate or root CA certificate).
-
HTTPS is enabled by default on port 443. You can change the port number with the
-secure-listener-port
option.When HTTPS is enabled, CA certificates are required for correct integration with SSL/TLS. Beginning with ONTAP 9.15.1, TLS 1.3 is supported with S3 object storage.
-
HTTP is disabled by default. When enabled, the server listens on port 80. You can enable it with the
-is-http-enabled
option, or change the port number with the-listener-port
option.When HTTP is enabled, the request and responses are sent over the network in clear text.
-
-
Verify that S3 is configured:
vserver object-store-server show
This command verifies the configuration values of all object storage servers:
cluster1::> vserver object-store-server show Vserver: vs1 Object Store Server Name: s3.example.com Administrative State: up Listener Port For HTTP: 80 Secure Listener Port For HTTPS: 443 HTTP Enabled: false HTTPS Enabled: true Certificate for HTTPS Connections: svm1_ca Comment: Server comment