Enable S3 protocol access to NAS data
Enabling S3 protocol access consists of ensuring that a NAS-enabled SVM meets the same requirements as an S3-enabled server, including adding an object store server, and verifying networking and authentication requirements.
For new ONTAP installations, it is recommended that you enable S3 protocol access to an SVM after configuring it to serve NAS data to clients. To learn about NAS protocol configuration, see:
The following must be configured before enabling the S3 protocol:
-
The S3 protocol and the desired NAS protocols - NFS, SMB, or both - are licensed.
-
An SVM is configured for the desired NAS protocols.
-
NFS and/or SMB servers exist.
-
DNS and any other required services are configured.
-
NAS data is being exported or shared to client systems.
A Certificate Authority (CA) certificate is required to enable HTTPS traffic from S3 clients to the S3-enabled SVM. CA certificates from three sources can be used:
-
A new ONTAP self-signed certificate on the SVM.
-
An existing ONTAP self-signed certificate on the SVM.
-
A third-party certificate.
You can use the same data LIFs for the S3/NAS bucket that you use for serving NAS data. If specific IP addresses are required, see Create data LIFs. An S3 service data policy is required to enable S3 data traffic on LIFs; you can modify the SVM’s existing service policy to include S3.
When you create the S3 object server, you should be prepared to enter the S3 server name as a Fully Qualified Domain Name (FQDN), which clients will use for S3 access. The S3 server FQDN must not begin with a bucket name.
-
Enable S3 on a storage VM with NAS protocols configured.
-
Click Storage > Storage VMs, select a NAS-ready storage VM, click Settings, and then click under S3.
-
Select the certificate type. Whether you select system-generated certificate or one of your own, it will be required for client access.
-
Enter the network interfaces.
-
-
If you selected the system-generated certificate, you see the certificate information when the new storage VM creation is confirmed. Click Download and save it for client access.
-
The secret key will not be displayed again.
-
If you need the certificate information again: click Storage > Storage VMs, select the storage VM, and click Settings.
-
-
Verify that the S3 protocol is allowed on the SVM:
vserver show -fields allowed-protocols
-
Record the public key certificate for this SVM.
If a new ONTAP self-signed certificate is needed, see Create and install a CA certificate on the SVM. -
Update the service data policy
-
Display the service data policy for the SVM
network interface service-policy show -vserver svm_name
-
Add the
data-core
anddata-s3-server services
if they are not present.
network interface service-policy add-service -vserver svm_name -policy policy_name -service data-core,data-s3-server
-
-
Verify that the data LIFs on the SVM meet your requirements:
network interface show -vserver svm_name
-
Create the S3 server:
vserver object-store-server create -vserver svm_name -object-store-server s3_server_fqdn -certificate-name ca_cert_name -comment text [additional_options]
You can specify additional options when creating the S3 server or at any time later.
-
HTTPS is enabled by default on port 443. You can change the port number with the -secure-listener-port option.
When HTTPS is enabled, CA certificates are required for proper integration with SSL/TLS. Beginning with ONTAP 9.15.1, TLS 1.3 is supported with S3 object storage. -
HTTP is disabled by default; when enabled, the server listens on port 80. You can enable it with the -is-http-enabled option or change the port number with the -listener-port option.
When HTTP is enabled, all the request and responses are sent over the network in clear text.
-
Verify that S3 is configured as desired:
vserver object-store-server show
Example
The following command verifies the configuration values of all object storage servers:
cluster1::> vserver object-store-server show
Vserver: vs1 Object Store Server Name: s3.example.com Administrative State: up Listener Port For HTTP: 80 Secure Listener Port For HTTPS: 443 HTTP Enabled: false HTTPS Enabled: true Certificate for HTTPS Connections: svm1_ca Comment: Server comment