Skip to main content

Create the ONTAP S3 object store server

Contributors netapp-dbagwell netapp-forry netapp-mwallis netapp-aherbin netapp-ahibbard netapp-lenida johnlantz netapp-manini

The ONTAP object store server manages data as S3 objects, as opposed to file or block storage provided by ONTAP NAS and SAN servers.

Before you begin

You should be prepared to enter the S3 server name as a Fully Qualified Domain Name (FQDN), which clients will use for S3 access. The FQDN must not begin with a bucket name. When accessing buckets using virtual-hosted-style, the server name will be used as mydomain.com. For example, bucketname.mydomain.com.

You should have a self-signed CA certificate (created in previous steps) or a certificate signed by an external CA vendor. A CA certificate is not necessary for a local tiering use case, where IP traffic is going over cluster LIFs only.

About this task

When an object store server is created, a root user with UID 0 is created. No access key or secret key is generated for this root user. The ONTAP administrator must run the object-store-server users regenerate-keys command to set the access key and secret key for this user.

Note

As a NetApp best practice, do not use this root user. Any client application that uses the access key or secret key of the root user has full access to all buckets and objects in the object store.

See the vserver object-store-server man pages for additional configuration and display options.

Example 1. Steps
System Manager

Use this procedure if you are adding an S3 server to an existing storage VM. To add an S3 server to a new storage VM, see Create a storage SVM for S3.

You should be prepared to enter IP addresses for interface role Data.

  1. Enable S3 on an existing storage VM.

    1. Select the storage VM: click Storage > Storage VMs, select a storage VM, click Settings, and then click Actions icon under S3.

    2. Click Enable S3, then enter the S3 Server Name.

    3. Select the certificate type.

      Whether you select system-generated certificate or one of your own, it will be required for client access.

    4. Enter the network interfaces.

  2. If you selected the system-generated certificate, you see the certificate information when the new storage VM creation is confirmed. Click Download and save it for client access.

    • The secret key will not be displayed again.

    • If you need the certificate information again: click Storage > Storage VMs, select the storage VM, and click Settings.

CLI
  1. Create the S3 server:

    vserver object-store-server create -vserver svm_name -object-store-server s3_server_fqdn -certificate-name server_certificate_name -comment text [additional_options]

    You can specify additional options when creating the S3 server or at any time later.

    • If you are configuring local tiering, the SVM name can either be a data SVM or system SVM (cluster) name.

    • The certificate name should be the name of the server certificate (end user or leaf certificate), and not server CA certificate (intermediate or root CA certificate).

    • HTTPS is enabled by default on port 443. You can change the port number with the -secure-listener-port option.

      When HTTPS is enabled, CA certificates are required for correct integration with SSL/TLS. Beginning with ONTAP 9.15.1, TLS 1.3 is supported with S3 object storage.

    • HTTP is disabled by default. When enabled, the server listens on port 80. You can enable it with the -is-http-enabled option, or change the port number with the -listener-port option.

      When HTTP is enabled, the request and responses are sent over the network in clear text.

  2. Verify that S3 is configured:

    vserver object-store-server show

Example

This command verifies the configuration values of all object storage servers:

cluster1::> vserver object-store-server show

            Vserver: vs1

                      Object Store Server Name: s3.example.com
                          Administrative State: up
                        Listener Port For HTTP: 80
                Secure Listener Port For HTTPS: 443
                                  HTTP Enabled: false
                                 HTTPS Enabled: true
             Certificate for HTTPS Connections: svm1_ca
                                       Comment: Server comment