NetApp ONTAP 9.8 – S3 is GA!

ONTAP 9.8 now has an S3 front end available for production use. It complements StorageGRID and suits smaller S3 requirements where you have spare ONTAP capacity and do not need a full S3 ILM feature set. In ONTAP you can serve S3 alongside other protocols in the same SVM, but an S3 bucket can only be accessed over the S3 protocol: there is no multi-protocol NAS/S3 access to the same data set. S3 buckets are created as FlexGroup volumes behind the scenes. A data logical interface (LIF) can serve NAS and S3 protocols to clients over the same IP address/DNS name.

  • GA in 9.8
    • TLS 1.2 added
    • Adjustable ports
    • Multi-part upload
    • System Manager integration
    • Bucket access policies
    • Multiple buckets per volume
    • S3 can co-exist with other protocols in the same SVM

This post shows the setup of S3 in ONTAP 9.8 on my 2-node VSIM with HTTPS and certificates. The cluster is named “cmode-prod” and the S3 SVM is called “S3”. Everything below is CLI, but most of it can also be done through REST and the System Manager GUI. My next post will show how to set up FabricPool to tier from ONTAP aggregates (all HDD or all SSD) to ONTAP S3. ONTAP 9.8 also added HDD support for FabricPool, but note that Flash Pool (SSD-accelerated hybrid HDD aggregates) is not supported. FabricPool tiering to ONTAP is available for up to 300TB of tiered capacity with no license needed. Beyond 300TB of tiered capacity, StorageGRID is the recommended on-prem S3 target, also with no additional licenses. For a great technical report by TME John Lantz, see https://www.netapp.com/us/media/tr-4814.pdf

1.1      Create an S3 SVM

vserver create -vserver S3 -subtype default -rootvolume S3_root -rootvolume-security-style unix

vserver show -vserver S3

1.2      Create an S3 LIF Service Policy

- The allowed-addresses list is left wide open (0.0.0.0/0) for the lab; in production restrict it to the client subnets or hosts that should reach the S3 server. The policy also carries data-cifs and data-nfs so the same LIF can serve NAS clients.

network interface service-policy create -vserver S3 -policy S3 -allowed-addresses 0.0.0.0/0 -services data-core,data-s3-server,data-cifs,data-nfs

network interface service-policy show -services data-s3-server

1.3      Create an S3 LIF with the Service Policy

- The same LIF can also serve the NFS and SMB protocols

network interface create -vserver S3 -lif lif1 -service-policy S3 -role data -address 192.168.150.141 -netmask 255.255.255.0 -home-node cmode-prod-01 -home-port e0c

net int show -vserver S3

1.4      Create a host entry for FQDN

  • For FabricPool in the next post we need to use a FQDN, so we create a manual host entry here rather than rely on DNS. This is not best practice, but it is the easier practice for a lab to provide name resolution
    • Alternatively, create a DNS A record

vserver services name-service dns hosts create -vserver cmode-prod -address 192.168.150.141 -hostname s3.lab2.local

vserver services name-service dns hosts show

vserver services ns-switch show -vserver cmode-prod -database hosts

net ping -node cmode-prod-01 -destination s3.lab2.local

1.5      Default Route

route create -vserver S3 -destination 0.0.0.0/0 -gateway 192.168.150.2

route show -vserver S3

1.6      DNS Client

dns create -vserver S3 -domains lab2.local -name-servers 192.168.150.12

dns show -vserver S3

1.7      Generate and install a server certificate signed by a CA on the S3 SVM

  • Create an SVM-local CA certificate (SVM_CA)
  • Create a server certificate whose common name matches the FQDN s3.lab2.local
  • On each S3 client you will need to install the CA’s public certificate (the .crt file if using openssl, or the public-cert field in the ONTAP output) as a trusted server-ca, so the client can verify the server certificate instead of ignoring TLS errors. This is shown next in the FabricPool lab
  • The example below creates the server certificate in ONTAP


Show certificates (there is one server certificate)

security certificate show -vserver S3

Vserver    Serial Number    Certificate Name                       Type
---------- ---------------- -------------------------------------- ------------
S3         160AA43A5D674CB4 3.cert.1588262389                      server
    Certificate Authority: 3.cert.1588262389
          Expiration Date: Fri Apr 30 08:59:49 2021

Create a CA certificate on the S3 SVM (this creates three entries: root-ca, client-ca and server-ca)

security certificate create -vserver S3 -type root-ca -common-name SVM_CA

The certificate’s generated name for reference: SVM_CA_160AA4596B7767A0_SVM_CA

security certificate show -vserver S3 -common-name SVM_CA

Vserver    Serial Number    Certificate Name                       Type
---------- ---------------- -------------------------------------- ------------
S3         160AA4596B7767A0 SVM_CA_160AA44E38972249_SVM_CA         root-ca
    Certificate Authority: SVM_CA
          Expiration Date: Fri Apr 30 09:01:14 2021
S3         160AA4596B7767A0 SVM_CA_160AA44E38972249                client-ca
    Certificate Authority: SVM_CA
          Expiration Date: Fri Apr 30 09:01:14 2021
S3         160AA4596B7767A0 SVM_CA                                 server-ca
    Certificate Authority: SVM_CA
          Expiration Date: Fri Apr 30 09:01:14 2021
3 entries were displayed.

1.8      Generate a Certificate Signing Request

  • The common name is the DNS name of the S3 server
    • Use this same name when creating the object store server and when configuring the client side, because clients verify the certificate against the name they connect to
  • Copy the output of this command and save it; the CSR and the private key are used in the next steps
  • The private key is printed in clear text on the console, so run this from a session that is not logged or recorded. The key shown below is a lab key and appears here only to show the flow
  • This CSR carries only a common name and no subjectAltName. Strict clients (current browsers, Go-based tools) reject certificates without a SAN, so for anything beyond a lab use a CA and CSR that include a SAN listing s3.lab2.local

security certificate generate-csr -common-name s3.lab2.local -size 2048 -country US

Certificate Signing Request :
-----BEGIN CERTIFICATE REQUEST-----
MIICqjCCAZICAQAwJTEWMBQGA1UEAxMNczMubGFiMi5sb2NhbDELMAkGA1UEBhMC
VVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC10qaq6uYpxHmSYMB2
WKSNQHeEjH+oE7csQ8/l4Wf7V0HNLHmXigwNXr4T95fCU8xhuX2uR+E9+5lgCSyj
flRVapI1hsD2PNjElkjX6/529HJygwCywKkF3CzkgL/Agg3JwwlpoNB+rMHUTHzJ
YwEV475sdIiVy6z/ISQYYMeURZhe+IWFdo0g7ExboS/eX6s8eqT7KLiD4JAYRpZW
sDr2m/MzAuX8UnNOjbw5Ezi9XxgRNUyNLcFbIFLs81eosBsj3xZ8BC9QlV+IkuEU
2K6nbenil1Mkojbg53Yuvh1OrUq2eCI9Dpd0VSHmlYMvPFslMDZG70xxDFQ7XMrx
qpu5AgMBAAGgQDA+BgkqhkiG9w0BCQ4xMTAvMA4GA1UdDwEB/wQEAwIFoDAdBgNV
HSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBAJIN
hF3bazWzcVxU97Ulsj9/QFc9wOnu7iFUUOl83MOfVG34LwJQtZSXZYMMOPIcB3pk
lxatYZ0ePMKsHX3Wkylgx237bDcZUWJgVGk5MpyQ2i2rbtEc+PbMH0Y7gs0mwfnY
+ENo4TiTUt9uj382olYSNvckkXir94uQerqyw9rshzmJsmWZ5QQSOkuLZJJP3gnq
4oGrN0+QcdeA6B0yQSls7ZEgJdAukCMCKgPPFk+6YNk2QWFcgZX306INRwrr2Iob
vWb6D64lCYddM+U4avadmDeSRFFNsXwTDOVl3rlt+0c0FMb9zPo4LFbd5AfsaRgD
bTX4Z9bifBmoSUw/JDY=
-----END CERTIFICATE REQUEST-----

Private Key :
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC10qaq6uYpxHmS
YMB2WKSNQHeEjH+oE7csQ8/l4Wf7V0HNLHmXigwNXr4T95fCU8xhuX2uR+E9+5lg
CSyjflRVapI1hsD2PNjElkjX6/529HJygwCywKkF3CzkgL/Agg3JwwlpoNB+rMHU
THzJYwEV475sdIiVy6z/ISQYYMeURZhe+IWFdo0g7ExboS/eX6s8eqT7KLiD4JAY
RpZWsDr2m/MzAuX8UnNOjbw5Ezi9XxgRNUyNLcFbIFLs81eosBsj3xZ8BC9QlV+I
kuEU2K6nbenil1Mkojbg53Yuvh1OrUq2eCI9Dpd0VSHmlYMvPFslMDZG70xxDFQ7
XMrxqpu5AgMBAAECggEAKasDzQmWA55mKfiIQtbfpwtOGI9GNhOGl9tWip0UglIl
30pA90yIpIvAzbyhB8TCgubKeaU5ZkYBiTOxCirKUuTgaund0NBy8OJsASexIju0
+q8w+sYSNiiWFSu4RfrIBCPxRUa4YT9gEDITKufIeOa/XgV6w7FwjOtgZUHQmxbQ
jYKDVQXSA02/lO6z/Ulhm3lBPbHasbSGeL0+3pd+zvzTJmg9dlKIZQisCXF6895v
gosZxbWeRpI7SNpde7WcoxFB519BMpz718exjZcN2iP/LuUzUF15eHF8grkSyQxF
e+u7CRwGM1k8x5gVOZo8pl+TUEjYmUUc8yjbEKYzDQKBgQDuGcvY0nPBlY+162xc
rPuBqIrheAZBik0hx9bKfkwvKP/vdNVn/3mHxjxT2S5M3QaMlpu2u1UV24V/XwEa
kqwp4ISgmCahogyuARMOd51OTUAsesiU51kseolP010CTcljjJQeRbIqgszKW/Jr
BLcSFtHDZwzxF9qoIB0pcUpMQwKBgQDDfcwQ2NTS7Duf2kXjb+Ok895dlWNmXQwX
CfXLVjG9QE/fNhmnZctBNVvFGQvLYep6c4QNSrkwGx2MKxLfzAnEFQJ1D6sokpgP
c6H1VIY7FqGxJuS17cYNUORHQBjk1QhEorPYyzaY5XlohXUtlH/CKwSTS/KAITSz
23gdSo92UwKBgQCTdY51vgDKx2G1fRQjYU5yQnugn8DgHlMetLElv4pXOsEm/+ia
+/G8UN1T4JF4MPq5Xx0Y0nQjkUzgUWpRlrzhQpdhDln+iGnp6ehvcU0PDXDNG03W
SmFD1q/rrC9SGfK7oHirNubcxR0nxkIgXU8z+MX4in3NYsSckyb8X5lwGQKBgA57
aD2rQoDpnTUnX1wM8ulKY6O9KGLx665dP4czuHWTqRcZE+dxxA/tmwHL7DLB6zPt
ENBHQ9bLe3Hh0wEfRW3wPIFdislzqq4iW9In09XWxF2ySukrVyuvXWnl1rJFEdq7
zuT1kPLctRTIJjkdMiW5OBqNWsahLx1P2eMZne0fAoGBAOgwwdQEjqYo8I9bmMIx
F6LXK6Lggm4U12bIyrxkHF3mQBucOnqvCIK6phSgPzoRXGD+BuHpoHTySCzgoAA7
5rd2jkVZcFXZl66Vf6WeEIMVT6DpszCRziW5IgWXmCwctPq4GBYqHhXhjgvhSzlt
LgDpJQSFTrdG48oXLaZ/YcSP
-----END PRIVATE KEY-----

Note: Please keep a copy of your certificate request and private key for future reference.

1.9      Generate the S3 SVM Server Certificate by signing the CSR using the SVM_CA

  • The -ca-serial value is the serial number of SVM_CA from section 1.7; it is displayed again below so you can copy it from your own lab
  • When prompted, paste the CSR (the BEGIN/END CERTIFICATE REQUEST block) from the generate-csr output in section 1.8, not the private key
  • ONTAP returns the signed server certificate

security certificate show -vserver S3 -type root-ca -fields ca,serial,common-name,cert-name

vserver common-name serial           ca     type    subtype cert-name
------- ----------- ---------------- ------ ------- ------- ------------------------------
S3      SVM_CA      160AA4596B7767A0 SVM_CA root-ca -       SVM_CA_160AA44E38972249_SVM_CA

security certificate sign -vserver S3 -ca SVM_CA -ca-serial 160AA4596B7767A0 -expire-days 360

Please enter Certificate Signing Request(CSR): Press <Enter> when done
-----BEGIN CERTIFICATE REQUEST-----
MIICqjCCAZICAQAwJTEWMBQGA1UEAxMNczMubGFiMi5sb2NhbDELMAkGA1UEBhMC
VVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC10qaq6uYpxHmSYMB2
WKSNQHeEjH+oE7csQ8/l4Wf7V0HNLHmXigwNXr4T95fCU8xhuX2uR+E9+5lgCSyj
flRVapI1hsD2PNjElkjX6/529HJygwCywKkF3CzkgL/Agg3JwwlpoNB+rMHUTHzJ
YwEV475sdIiVy6z/ISQYYMeURZhe+IWFdo0g7ExboS/eX6s8eqT7KLiD4JAYRpZW
sDr2m/MzAuX8UnNOjbw5Ezi9XxgRNUyNLcFbIFLs81eosBsj3xZ8BC9QlV+IkuEU
2K6nbenil1Mkojbg53Yuvh1OrUq2eCI9Dpd0VSHmlYMvPFslMDZG70xxDFQ7XMrx
qpu5AgMBAAGgQDA+BgkqhkiG9w0BCQ4xMTAvMA4GA1UdDwEB/wQEAwIFoDAdBgNV
HSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBAJIN
hF3bazWzcVxU97Ulsj9/QFc9wOnu7iFUUOl83MOfVG34LwJQtZSXZYMMOPIcB3pk
lxatYZ0ePMKsHX3Wkylgx237bDcZUWJgVGk5MpyQ2i2rbtEc+PbMH0Y7gs0mwfnY
+ENo4TiTUt9uj382olYSNvckkXir94uQerqyw9rshzmJsmWZ5QQSOkuLZJJP3gnq
4oGrN0+QcdeA6B0yQSls7ZEgJdAukCMCKgPPFk+6YNk2QWFcgZX306INRwrr2Iob
vWb6D64lCYddM+U4avadmDeSRFFNsXwTDOVl3rlt+0c0FMb9zPo4LFbd5AfsaRgD
bTX4Z9bifBmoSUw/JDY=
-----END CERTIFICATE REQUEST-----

Signed Certificate : (supplied by ONTAP)
-----BEGIN CERTIFICATE-----
MIIDQTCCAimgAwIBAgIIFgqklFxRsY4wDQYJKoZIhvcNAQELBQAwHjEPMA0GA1UE
AxQGU1ZNX0NBMQswCQYDVQQGEwJVUzAeFw0yMDA0MzAxNjA2MTVaFw0yMTA0MjUx
NjA2MTVaMCUxFjAUBgNVBAMTDXMzLmxhYjIubG9jYWwxCzAJBgNVBAYTAlVTMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtdKmqurmKcR5kmDAdlikjUB3
hIx/qBO3LEPP5eFn+1dBzSx5l4oMDV6+E/eXwlPMYbl9rkfhPfuZYAkso35UVWqS
NYbA9jzYxJZI1+v+dvRycoMAssCpBdws5IC/wIINycMJaaDQfqzB1Ex8yWMBFeO+
bHSIlcus/yEkGGDHlEWYXviFhXaNIOxMW6Ev3l+rPHqk+yi4g+CQGEaWVrA69pvz
MwLl/FJzTo28ORM4vV8YETVMjS3BWyBS7PNXqLAbI98WfAQvUJVfiJLhFNiup23p
4pdTJKI24Od2Lr4dTq1KtngiPQ6XdFUh5pWDLzxbJTA2Ru9McQxUO1zK8aqbuQID
AQABo3wwejAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsG
AQUFBwMBMAkGA1UdEwQCMAAwHQYDVR0OBBYEFFk8TwJioU9LKYLky1rcXoZ4XvpY
MB8GA1UdIwQYMBaAFKDPZZJHZJs+VsIz0FT2Dwqf+ZRmMA0GCSqGSIb3DQEBCwUA
A4IBAQB25slAZ+niVDivqJ7ebaqpuzt05Jg75wDiN/J8nDLWaBUjcbqco8YnrAna
wr9CJr+wj0lONtE79gNNI7K2ZVrbUELFgUQIO+sOb6EavvEZnG0HYUnkAI2I/fh5
Oh6U0C1lPX5L501ATVfK190KyWDmYphL6Zee7fzomDQ20G9j5PtSu7dFA1iG7rPD
vyAnywEtEU4k1iu7QPL5I/MRdqnggpmp+wK+OCQ1tm0pHUiZUzJm6N7pJ/IVwToY
zPyTJ13gmc+FF0P8nbeQknQ3kK9K5Q/S88gq1BTExltUxa8V4K7nhsqOrHeC+L9e
xKLSZpc7/V2+h0khcGtycUj0K+mE
-----END CERTIFICATE-----

1.10      Install the S3 Server Certificate on the SVM that will serve S3

  • Install the certificate signed in the previous step on the SVM on which the S3 server will be configured
  • The private key is the one printed by generate-csr in section 1.8 (“Generate a Certificate Signing Request”)
  • Because a private CA issued the certificate, you can answer “n” to the chain prompt here; the CA certificate is installed on the clients instead (section 1.11)

security certificate install -type server -vserver S3

Please enter Certificate: Press <Enter> when done
-----BEGIN CERTIFICATE-----
MIIDQTCCAimgAwIBAgIIFgqklFxRsY4wDQYJKoZIhvcNAQELBQAwHjEPMA0GA1UE
AxQGU1ZNX0NBMQswCQYDVQQGEwJVUzAeFw0yMDA0MzAxNjA2MTVaFw0yMTA0MjUx
NjA2MTVaMCUxFjAUBgNVBAMTDXMzLmxhYjIubG9jYWwxCzAJBgNVBAYTAlVTMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtdKmqurmKcR5kmDAdlikjUB3
hIx/qBO3LEPP5eFn+1dBzSx5l4oMDV6+E/eXwlPMYbl9rkfhPfuZYAkso35UVWqS
NYbA9jzYxJZI1+v+dvRycoMAssCpBdws5IC/wIINycMJaaDQfqzB1Ex8yWMBFeO+
bHSIlcus/yEkGGDHlEWYXviFhXaNIOxMW6Ev3l+rPHqk+yi4g+CQGEaWVrA69pvz
MwLl/FJzTo28ORM4vV8YETVMjS3BWyBS7PNXqLAbI98WfAQvUJVfiJLhFNiup23p
4pdTJKI24Od2Lr4dTq1KtngiPQ6XdFUh5pWDLzxbJTA2Ru9McQxUO1zK8aqbuQID
AQABo3wwejAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsG
AQUFBwMBMAkGA1UdEwQCMAAwHQYDVR0OBBYEFFk8TwJioU9LKYLky1rcXoZ4XvpY
MB8GA1UdIwQYMBaAFKDPZZJHZJs+VsIz0FT2Dwqf+ZRmMA0GCSqGSIb3DQEBCwUA
A4IBAQB25slAZ+niVDivqJ7ebaqpuzt05Jg75wDiN/J8nDLWaBUjcbqco8YnrAna
wr9CJr+wj0lONtE79gNNI7K2ZVrbUELFgUQIO+sOb6EavvEZnG0HYUnkAI2I/fh5
Oh6U0C1lPX5L501ATVfK190KyWDmYphL6Zee7fzomDQ20G9j5PtSu7dFA1iG7rPD
vyAnywEtEU4k1iu7QPL5I/MRdqnggpmp+wK+OCQ1tm0pHUiZUzJm6N7pJ/IVwToY
zPyTJ13gmc+FF0P8nbeQknQ3kK9K5Q/S88gq1BTExltUxa8V4K7nhsqOrHeC+L9e
xKLSZpc7/V2+h0khcGtycUj0K+mE
-----END CERTIFICATE-----

Please enter Private Key: Press <Enter> when done
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC10qaq6uYpxHmS
YMB2WKSNQHeEjH+oE7csQ8/l4Wf7V0HNLHmXigwNXr4T95fCU8xhuX2uR+E9+5lg
CSyjflRVapI1hsD2PNjElkjX6/529HJygwCywKkF3CzkgL/Agg3JwwlpoNB+rMHU
THzJYwEV475sdIiVy6z/ISQYYMeURZhe+IWFdo0g7ExboS/eX6s8eqT7KLiD4JAY
RpZWsDr2m/MzAuX8UnNOjbw5Ezi9XxgRNUyNLcFbIFLs81eosBsj3xZ8BC9QlV+I
kuEU2K6nbenil1Mkojbg53Yuvh1OrUq2eCI9Dpd0VSHmlYMvPFslMDZG70xxDFQ7
XMrxqpu5AgMBAAECggEAKasDzQmWA55mKfiIQtbfpwtOGI9GNhOGl9tWip0UglIl
30pA90yIpIvAzbyhB8TCgubKeaU5ZkYBiTOxCirKUuTgaund0NBy8OJsASexIju0
+q8w+sYSNiiWFSu4RfrIBCPxRUa4YT9gEDITKufIeOa/XgV6w7FwjOtgZUHQmxbQ
jYKDVQXSA02/lO6z/Ulhm3lBPbHasbSGeL0+3pd+zvzTJmg9dlKIZQisCXF6895v
gosZxbWeRpI7SNpde7WcoxFB519BMpz718exjZcN2iP/LuUzUF15eHF8grkSyQxF
e+u7CRwGM1k8x5gVOZo8pl+TUEjYmUUc8yjbEKYzDQKBgQDuGcvY0nPBlY+162xc
rPuBqIrheAZBik0hx9bKfkwvKP/vdNVn/3mHxjxT2S5M3QaMlpu2u1UV24V/XwEa
kqwp4ISgmCahogyuARMOd51OTUAsesiU51kseolP010CTcljjJQeRbIqgszKW/Jr
BLcSFtHDZwzxF9qoIB0pcUpMQwKBgQDDfcwQ2NTS7Duf2kXjb+Ok895dlWNmXQwX
CfXLVjG9QE/fNhmnZctBNVvFGQvLYep6c4QNSrkwGx2MKxLfzAnEFQJ1D6sokpgP
c6H1VIY7FqGxJuS17cYNUORHQBjk1QhEorPYyzaY5XlohXUtlH/CKwSTS/KAITSz
23gdSo92UwKBgQCTdY51vgDKx2G1fRQjYU5yQnugn8DgHlMetLElv4pXOsEm/+ia
+/G8UN1T4JF4MPq5Xx0Y0nQjkUzgUWpRlrzhQpdhDln+iGnp6ehvcU0PDXDNG03W
SmFD1q/rrC9SGfK7oHirNubcxR0nxkIgXU8z+MX4in3NYsSckyb8X5lwGQKBgA57
aD2rQoDpnTUnX1wM8ulKY6O9KGLx665dP4czuHWTqRcZE+dxxA/tmwHL7DLB6zPt
ENBHQ9bLe3Hh0wEfRW3wPIFdislzqq4iW9In09XWxF2ySukrVyuvXWnl1rJFEdq7
zuT1kPLctRTIJjkdMiW5OBqNWsahLx1P2eMZne0fAoGBAOgwwdQEjqYo8I9bmMIx
F6LXK6Lggm4U12bIyrxkHF3mQBucOnqvCIK6phSgPzoRXGD+BuHpoHTySCzgoAA7
5rd2jkVZcFXZl66Vf6WeEIMVT6DpszCRziW5IgWXmCwctPq4GBYqHhXhjgvhSzlt
LgDpJQSFTrdG48oXLaZ/YcSP
-----END PRIVATE KEY-----

Enter certificates of certification authorities (CA) which form the certificate chain of the server certificate. This starts with the issuing CA
certificate of the server certificate and can range up to the root CA certificate.

Do you want to continue entering root and/or intermediate certificates {y|n}: n

You should keep a copy of the private key and the CA-signed digital certificate for future reference.

The installed certificate’s CA and serial number for reference:
CA: SVM_CA
serial: 160AA4945C51B18E

The certificate’s generated name for reference: s3.lab2.local

1.11      Get the public certificate of SVM_CA and save it for Client-side configuration

  • This CA certificate is what clients must trust. In the next lab it is installed on the “cmode-prod” admin (cluster) SVM so FabricPool can verify the S3 SVM’s certificate; any other S3 client (S3 Browser, the aws CLI) needs the same CA in its trust store. Only the public certificate leaves the SVM; the CA’s private key stays in ONTAP

security certificate show -vserver S3 -common-name SVM_CA -type root-ca -instance

                             Vserver: S3
                    Certificate Name: SVM_CA_160AA4596B7767A0_SVM_CA
          FQDN or Custom Common Name: SVM_CA
        Serial Number of Certificate: 160AA4596B7767A0
               Certificate Authority: SVM_CA
                 Type of Certificate: root-ca
 Size of Requested Certificate(bits): 2048
              Certificate Start Date: Thu Apr 30 09:02:02 2020
         Certificate Expiration Date: Fri Apr 30 09:02:02 2021
              Public Key Certificate: -----BEGIN CERTIFICATE-----
                                      MIIDUTCCAjmgAwIBAgIIFgqkWWt3Z6AwDQYJKoZIhvcNAQELBQAwHjEPMA0GA1UE
                                      AxQGU1ZNX0NBMQswCQYDVQQGEwJVUzAeFw0yMDA0MzAxNjAyMDJaFw0yMTA0MzAx
                                      NjAyMDJaMB4xDzANBgNVBAMUBlNWTV9DQTELMAkGA1UEBhMCVVMwggEiMA0GCSqG
                                      SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDw9WuyZOUUInxU0EZKp34yQpctDFbtHAgu
                                      tvoyhwzCd7rhQjH4WIqmkcl3f8TAkdOe6ExMgq7+fT6B8jHKDWfu6sXrmoXg61Bk
                                      q09uD8TDXzNg07HQPglJV0FWwIhnG5965Dx7/hvkKXas59lk2XwSrIGXbp1/K32A
                                      s1/ywUr3vRYWkMLq/p3RBgIK0bszyXgS26XXIgPSZUdMgCiZxf7ErVfPZMLnT196
                                      Ff0KFrqsjVleGyMQpULt4H8aHtYPnqjhi1ofvng5/8uhl6FhSF66tVVeSE1xjdMf
                                      3xOy5eKteySWn+52fpcLGjvWjea+Z5ZR7MaWw0150fp19uDlGV4PAgMBAAGjgZIw
                                      gY8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFKDP
                                      ZZJHZJs+VsIz0FT2Dwqf+ZRmME0GA1UdIwRGMESAFKDPZZJHZJs+VsIz0FT2Dwqf
                                      +ZRmoSKkIDAeMQ8wDQYDVQQDFAZTVk1fQ0ExCzAJBgNVBAYTAlVTgggWCqRZa3dn
                                      oDANBgkqhkiG9w0BAQsFAAOCAQEAk7mHgpW4HZcod6DdOua4EB8GdsSM5vQkgP3X
                                      aq7Hie8SRjL8vOgZ2OIGre+LXudpVS1jZMCb0igbD0ncbGn36ycLqoNq+lrAPfj6
                                      yzk9DoTuWZU62/D4gTSieNm3BMB6NMptthFOsApEe08MLQk1/qefDQb9FvfTStSQ
                                      2THEFaHKzIs20UHER+a0B8h8oV2cCu/A7a14k4mkQAIfDK/xfNXW5J/BE8TkKHV5
                                      VXCnuPIQR41PwC8HvUKmKITQpx/KTMxqSLTQomyc3r4xZdKQr7yOQP69Z9XPW2pM
                                      5KMSsJPnCoad+ZGR5mYUtOwFfuM96fvqHC/I+uRbfi3HG2UhtQ==
                                      -----END CERTIFICATE-----
        Country Name (2 letter code): US
  State or Province Name (full name):
           Locality Name (e.g. city):
    Organization Name (e.g. company):
    Organization Unit (e.g. section):
        Email Address (Contact Name):
                            Protocol: SSL
                    Hashing Function: SHA256
                             Subtype: -
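Before handing a certificate chain to clients it is worth checking what it actually contains rather than trusting the CLI summary. The following is an added example, my own code and not part of the original post or of any NetApp tool: a minimal DER walker built only from the Python standard library that decodes the two lab certificates shown above (the s3.lab2.local server certificate from section 1.9 and the SVM_CA root from section 1.11) and reports serial number, subject common name, the basicConstraints CA flag and the extension OIDs present. Run against these exact certificates it confirms two points that matter for client configuration: SVM_CA really is a CA (CA:TRUE, so it belongs in a trust store as a server-ca), and the server certificate carries no subjectAltName (OID 2.5.29.17), only a common name, which is why strict clients will need a SAN-bearing certificate outside a lab. The code assumes well-formed DER as ONTAP emits it and does not validate signatures or dates.

```python
import base64

# Lab certificates copied from this post: the server certificate signed in
# section 1.9 and the SVM_CA root certificate shown in section 1.11.
LEAF_PEM = """-----BEGIN CERTIFICATE-----
MIIDQTCCAimgAwIBAgIIFgqklFxRsY4wDQYJKoZIhvcNAQELBQAwHjEPMA0GA1UE
AxQGU1ZNX0NBMQswCQYDVQQGEwJVUzAeFw0yMDA0MzAxNjA2MTVaFw0yMTA0MjUx
NjA2MTVaMCUxFjAUBgNVBAMTDXMzLmxhYjIubG9jYWwxCzAJBgNVBAYTAlVTMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtdKmqurmKcR5kmDAdlikjUB3
hIx/qBO3LEPP5eFn+1dBzSx5l4oMDV6+E/eXwlPMYbl9rkfhPfuZYAkso35UVWqS
NYbA9jzYxJZI1+v+dvRycoMAssCpBdws5IC/wIINycMJaaDQfqzB1Ex8yWMBFeO+
bHSIlcus/yEkGGDHlEWYXviFhXaNIOxMW6Ev3l+rPHqk+yi4g+CQGEaWVrA69pvz
MwLl/FJzTo28ORM4vV8YETVMjS3BWyBS7PNXqLAbI98WfAQvUJVfiJLhFNiup23p
4pdTJKI24Od2Lr4dTq1KtngiPQ6XdFUh5pWDLzxbJTA2Ru9McQxUO1zK8aqbuQID
AQABo3wwejAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsG
AQUFBwMBMAkGA1UdEwQCMAAwHQYDVR0OBBYEFFk8TwJioU9LKYLky1rcXoZ4XvpY
MB8GA1UdIwQYMBaAFKDPZZJHZJs+VsIz0FT2Dwqf+ZRmMA0GCSqGSIb3DQEBCwUA
A4IBAQB25slAZ+niVDivqJ7ebaqpuzt05Jg75wDiN/J8nDLWaBUjcbqco8YnrAna
wr9CJr+wj0lONtE79gNNI7K2ZVrbUELFgUQIO+sOb6EavvEZnG0HYUnkAI2I/fh5
Oh6U0C1lPX5L501ATVfK190KyWDmYphL6Zee7fzomDQ20G9j5PtSu7dFA1iG7rPD
vyAnywEtEU4k1iu7QPL5I/MRdqnggpmp+wK+OCQ1tm0pHUiZUzJm6N7pJ/IVwToY
zPyTJ13gmc+FF0P8nbeQknQ3kK9K5Q/S88gq1BTExltUxa8V4K7nhsqOrHeC+L9e
xKLSZpc7/V2+h0khcGtycUj0K+mE
-----END CERTIFICATE-----"""
CA_PEM = """-----BEGIN CERTIFICATE-----
MIIDUTCCAjmgAwIBAgIIFgqkWWt3Z6AwDQYJKoZIhvcNAQELBQAwHjEPMA0GA1UE
AxQGU1ZNX0NBMQswCQYDVQQGEwJVUzAeFw0yMDA0MzAxNjAyMDJaFw0yMTA0MzAx
NjAyMDJaMB4xDzANBgNVBAMUBlNWTV9DQTELMAkGA1UEBhMCVVMwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDw9WuyZOUUInxU0EZKp34yQpctDFbtHAgu
tvoyhwzCd7rhQjH4WIqmkcl3f8TAkdOe6ExMgq7+fT6B8jHKDWfu6sXrmoXg61Bk
q09uD8TDXzNg07HQPglJV0FWwIhnG5965Dx7/hvkKXas59lk2XwSrIGXbp1/K32A
s1/ywUr3vRYWkMLq/p3RBgIK0bszyXgS26XXIgPSZUdMgCiZxf7ErVfPZMLnT196
Ff0KFrqsjVleGyMQpULt4H8aHtYPnqjhi1ofvng5/8uhl6FhSF66tVVeSE1xjdMf
3xOy5eKteySWn+52fpcLGjvWjea+Z5ZR7MaWw0150fp19uDlGV4PAgMBAAGjgZIw
gY8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFKDP
ZZJHZJs+VsIz0FT2Dwqf+ZRmME0GA1UdIwRGMESAFKDPZZJHZJs+VsIz0FT2Dwqf
+ZRmoSKkIDAeMQ8wDQYDVQQDFAZTVk1fQ0ExCzAJBgNVBAYTAlVTgggWCqRZa3dn
oDANBgkqhkiG9w0BAQsFAAOCAQEAk7mHgpW4HZcod6DdOua4EB8GdsSM5vQkgP3X
aq7Hie8SRjL8vOgZ2OIGre+LXudpVS1jZMCb0igbD0ncbGn36ycLqoNq+lrAPfj6
yzk9DoTuWZU62/D4gTSieNm3BMB6NMptthFOsApEe08MLQk1/qefDQb9FvfTStSQ
2THEFaHKzIs20UHER+a0B8h8oV2cCu/A7a14k4mkQAIfDK/xfNXW5J/BE8TkKHV5
VXCnuPIQR41PwC8HvUKmKITQpx/KTMxqSLTQomyc3r4xZdKQr7yOQP69Z9XPW2pM
5KMSsJPnCoad+ZGR5mYUtOwFfuM96fvqHC/I+uRbfi3HG2UhtQ==
-----END CERTIFICATE-----"""
OID_CN, OID_SAN, OID_BASIC_CONSTRAINTS = "2.5.4.3", "2.5.29.17", "2.5.29.19"

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element nested in a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def decode_oid(raw):
    """OID contents octets to dotted form; the first octet packs the first two arcs."""
    arcs, acc = list(divmod(raw[0], 40)), 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_certificate(pem):
    """Return serial, subject CN, CA flag, SAN presence and extension OIDs of a v3 certificate."""
    der = base64.b64decode("".join(ln for ln in pem.splitlines() if not ln.startswith("-----")))
    _, cert, _ = read_tlv(der, 0)                      # Certificate ::= SEQUENCE {tbs, sigAlg, sig}
    fields = list(children(next(children(cert))[1]))   # tbsCertificate fields, in order
    if fields[0][0] == 0xA0:                           # skip the EXPLICIT [0] version field
        fields = fields[1:]
    serial, _sig_alg, _issuer, _validity, subject = fields[:5]
    info = {"serial": serial[1].hex().upper(), "cn": None, "is_ca": False, "extensions": []}
    for _, rdn in children(subject[1]):                # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
        for _, atv in children(rdn):
            (_, oid), (_, value) = list(children(atv))
            if decode_oid(oid) == OID_CN:
                info["cn"] = value.decode("ascii")
    for tag, value in fields[5:]:
        if tag != 0xA3:                                 # only the EXPLICIT [3] extensions field
            continue
        for _, ext in children(next(children(value))[1]):
            parts = list(children(ext))                 # OID, optional critical BOOLEAN, OCTET STRING
            oid, extn_value = decode_oid(parts[0][1]), parts[-1][1]
            info["extensions"].append(oid)
            if oid == OID_BASIC_CONSTRAINTS:            # SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }
                bc = children(next(children(extn_value))[1])
                info["is_ca"] = any(t == 0x01 and v == b"\xff" for t, v in bc)
    info["has_san"] = OID_SAN in info["extensions"]
    return info

if __name__ == "__main__":
    for label, pem in (("server", LEAF_PEM), ("SVM_CA", CA_PEM)):
        print(label, parse_certificate(pem))
```

The serials it prints (160AA4945C51B18E and 160AA4596B7767A0) are the ones ONTAP reported after `security certificate install` and in the `-instance` output above, which is a quick way to confirm you pasted the right blocks. To run it against your own lab, replace the two PEM strings with the output of `security certificate show -instance` for your SVM.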

1.12      Create an Object Store Server

Create an object store server that listens on HTTPS (and, for the lab, also HTTP). In production set -is-http-enabled false: plain HTTP sends bucket data in the clear, and the SigV4 signature only authenticates a request, it does not encrypt it. Clients connect to s3.lab2.local, which is the common name in the certificate installed in section 1.10, so hostname verification succeeds.

vserver object-store-server create -vserver S3 -object-store-server s3.lab2.local -status-admin up -is-http-enabled true -is-https-enabled true -certificate-name s3.lab2.local

object-store-server show

ONTAP 9.7 (HTTP only)

vserver object-store-server create -vserver S3 -object-store-server s3.lab2.local -status-admin up -listener-port 80 -comment ""

object-store-server show

1.13      Create Two Buckets (a FlexGroup Volume is created)

ONTAP 9.8 allows multiple buckets per FlexGroup volume. In this lab each bucket landed in its own FlexGroup (the fg_oss_* volumes below) with constituents spread across the aggregates of both nodes. The Encryption column reports whether the backing volume is encrypted at rest.

vserver object-store-server bucket create -vserver S3 -bucket s3ontap1 -size 100GB -aggr-list cmode_prod_01_aggr2_FP,cmode_prod_02_aggr2_FP

vserver object-store-server bucket create -vserver S3 -bucket s3ontap2 -size 100GB -aggr-list cmode_prod_01_aggr2_FP,cmode_prod_02_aggr2_FP

object-store-server bucket show

Vserver     Bucket          Volume            Size       Encryption
----------- --------------- ----------------- ---------- ----------
S3          s3ontap1        fg_oss_1585321366 100GB      true
S3          s3ontap2        fg_oss_1585321198 100GB      true
2 entries were displayed.

vol show -vserver S3

Vserver   Volume            Aggregate              State   Type    Size  Available Used%
--------- ----------------- ---------------------- ------- ---- ------- --------- -----
S3        S3_root           cmode_prod_02_aggr2_FP online  RW      20MB   18.55MB    2%
S3        fg_oss_1585321366 -                      online  RW     100GB   94.54GB    0%
S3        fg_oss_1585321198 -                      online  RW     100GB   94.77GB    0%
3 entries were displayed.

vol show -vserver S3 -is-constituent true

Vserver   Volume                  Aggregate              State   Type    Size Available Used%
--------- ----------------------- ---------------------- ------- ---- ------- --------- -----
S3        fg_oss_1585321366__0001 cmode_prod_01_aggr2_FP online  RW   12.50GB   11.81GB    0%
S3        fg_oss_1585321366__0002 cmode_prod_02_aggr2_FP online  RW   12.50GB   11.81GB    0%
S3        fg_oss_1585321366__0003 cmode_prod_01_aggr2_FP online  RW   12.50GB   11.81GB    0%
S3        fg_oss_1585321366__0004 cmode_prod_02_aggr2_FP online  RW   12.50GB   11.82GB    0%
S3        fg_oss_1585321366__0005 cmode_prod_01_aggr2_FP online  RW   12.50GB   11.82GB    0%
S3        fg_oss_1585321366__0006 cmode_prod_02_aggr2_FP online  RW   12.50GB   11.82GB    0%
S3        fg_oss_1585321366__0007 cmode_prod_01_aggr2_FP online  RW   12.50GB   11.82GB    0%
S3        fg_oss_1585321366__0008 cmode_prod_02_aggr2_FP online  RW   12.50GB   11.82GB    0%
S3        fg_oss_1585321198__0001 cmode_prod_01_aggr2_FP online  RW   12.50GB   11.84GB    0%
S3        fg_oss_1585321198__0002 cmode_prod_02_aggr2_FP online  RW   12.50GB   11.84GB    0%
S3        fg_oss_1585321198__0003 cmode_prod_01_aggr2_FP online  RW   12.50GB   11.84GB    0%
S3        fg_oss_1585321198__0004 cmode_prod_02_aggr2_FP online  RW   12.50GB   11.85GB    0%
S3        fg_oss_1585321198__0005 cmode_prod_01_aggr2_FP online  RW   12.50GB   11.85GB    0%
S3        fg_oss_1585321198__0006 cmode_prod_02_aggr2_FP online  RW   12.50GB   11.85GB    0%
S3        fg_oss_1585321198__0007 cmode_prod_01_aggr2_FP online  RW   12.50GB   11.85GB    0%
S3        fg_oss_1585321198__0008 cmode_prod_02_aggr2_FP online  RW   12.50GB   11.85GB    0%
16 entries were displayed.

1.14      Create a Bucket Policy with Access to Everyone for the Two Buckets

Create the policy for both buckets. These statements carry no principal restriction, so, as the heading says, everyone gets the listed actions, including PutObject and DeleteObject. That is acceptable for a lab where root tiers FabricPool data into these buckets; a production bucket should name its principals and restrict the source addresses, as shown in section 1.16.

vserver object-store-server bucket policy show

vserver object-store-server bucket policy add-statement -bucket s3ontap1 -effect allow -action GetObject,PutObject,DeleteObject,ListBucket,GetBucketAcl,GetObjectAcl,ListBucketMultipartUploads,ListMultipartUploadParts -principal - -resource s3ontap1,s3ontap1/*

vserver object-store-server bucket policy add-statement -bucket s3ontap2 -effect allow -action GetObject,PutObject,DeleteObject,ListBucket,GetBucketAcl,GetObjectAcl,ListBucketMultipartUploads,ListMultipartUploadParts -principal - -resource s3ontap2,s3ontap2/*

vserver object-store-server bucket policy show

1.15      Create an s3admin User

  • ONTAP 9.7 has no users
  • ONTAP 9.8 has a default root user with no keys
    • Create keys for root before using it for S3 connectivity (section 1.17)
  • ONTAP 9.8 adds group support
  • S3 clients never send the user name; they authenticate with the access key and secret key only, so treat the secret key like a password
  • The secret key is visible only at the advanced/diagnostic privilege level. The keys shown below were regenerated in section 1.17 and are no longer valid

object-store-server user show            # 9.8 adds a default root user with no keys

vserver object-store-server user create -vserver S3 -user s3admin

set diag    (answer y at the confirmation prompt; the diagnostic privilege level shows the secret key alongside the access key)

object-store-server user show -user s3admin

Vserver     User            ID
----------- --------------- ---------
S3          s3admin         1
   Access Key: 3jj9_wnPs7IG0X1d57o83_193g_SOTsT2QKCg3_Kj27qM7x3JrP_bWUA_A02N8QZPmHc_Xk7PB48Vcg7vWAAtsN5B8P_4P2_5Ln5KAIUxA_S9ry7Xk324PsDZ0DMppME
   Secret Key: 2APh4pW_3SnY2cAqnsg3d22A4ylG6zx_93vpN6cN4g0sBgSrJ9BfPsgwZ_p93Q8cTBsQ97__e6l6WZql3rfY5V3QMeJT61CZh5f3Jzk0A38Nk4Hz7Hz6AX_5dssA0C0S

set adv

1.16      Bucket Permissions Examples (Users, Allow/Deny Policies (bucket/group), Groups, Conditions)

Create 4x additional users (these commands target the S3 SVM, so -vserver S3 is given explicitly)

vserver object-store-server user create -vserver S3 -user s3user1

vserver object-store-server user create -vserver S3 -user s3user2

vserver object-store-server user create -vserver S3 -user s3user3

vserver object-store-server user create -vserver S3 -user s3user4

object-store-server user show

Create a test bucket

vserver object-store-server bucket create -vserver S3 -bucket test-bucket -size 100GB -aggr-list cmode_prod_01_aggr2_FP,cmode_prod_02_aggr2_FP

object-store-server bucket show

Create a bucket policy statement that grants the S3 users “s3user1” and “s3user2” access to all resources in the bucket

vserver object-store-server bucket policy add-statement -vserver S3 -bucket test-bucket -effect allow -action GetObject,PutObject,DeleteObject,ListBucket,GetBucketAcl,GetObjectAcl,ListBucketMultipartUploads,ListMultipartUploadParts -principal s3user1,s3user2 -resource test-bucket,test-bucket/* -index 1

Create a bucket policy statement that denies S3 user “s3user4” access to the bucket’s resources

vserver object-store-server bucket policy add-statement -vserver S3 -bucket test-bucket -effect deny -action GetObject,PutObject,DeleteObject,ListBucket,GetBucketAcl,GetObjectAcl,ListBucketMultipartUploads,ListMultipartUploadParts -principal s3user4 -resource test-bucket,test-bucket/* -index 2

Show bucket policies

vserver object-store-server bucket policy show

Create a group policy

vserver object-store-server policy create -vserver S3 -policy policy1

vserver object-store-server policy show

Associate a policy statement with the policy “policy1”

vserver object-store-server policy add-statement -vserver S3 -policy policy1 -effect allow -action GetObject,PutObject,DeleteObject,ListBucket,GetBucketAcl,GetObjectAcl,ListBucketMultipartUploads,ListMultipartUploadParts -resource test-bucket,test-bucket/*

vserver object-store-server policy show

vserver object-store-server policy show-statements

Create a group with 2x S3 users and a policy

vserver object-store-server group create -vserver S3 -name group1 -users s3user1,s3user2 -policies policy1

vserver object-store-server group show

Create a bucket policy statement that allows access to everyone (principal = “*”)

This is an anonymous, world-writable grant: every listed action, including PutObject and DeleteObject, is open to any caller that can reach the LIF. The explicit deny for s3user4 in statement 2 still takes precedence over it, as in AWS policy evaluation, but nobody else is restricted. Keep it for the test only and remove the statement afterwards.

vserver object-store-server bucket policy add-statement -vserver S3 -bucket test-bucket -effect allow -action GetObject,PutObject,DeleteObject,ListBucket,GetBucketAcl,GetObjectAcl,ListBucketMultipartUploads,ListMultipartUploadParts -principal * -resource test-bucket,test-bucket/* -index 3

vserver object-store-server bucket policy show

Add conditions to statement 1 so that its allow applies only to s3user1 and only from the 192.168.150.0/24 subnet (as in AWS, every condition on a statement must match; s3user2 still has access through group1/policy1 and through statement 3)

vserver object-store-server bucket policy-statement-condition create -vserver S3 -bucket test-bucket -operator string-equals -index 1 -usernames s3user1

vserver object-store-server bucket policy-statement-condition create -vserver S3 -bucket test-bucket -operator ip-address -index 1 -source-ips 192.168.150.0/24

vserver object-store-server bucket policy-statement-condition show

1.17      Regenerate User Keys

  • Regenerate the access key and secret key for s3admin (clients never present the user name, only the keys)
  • Generate keys for the root user, which has none by default
  • The FabricPool lab uses root rather than s3admin: s3admin was given no allow statements, while root does not need any
  • Regenerating replaces the previous key pair, so the s3admin keys printed in section 1.15 no longer work. Do the same whenever a key pair may have leaked, for example after it has been pasted into a document like this one

object-store-server user show

object-store-server user regenerate-keys -vserver S3 -user s3admin

object-store-server user regenerate-keys -vserver S3 -user root

object-store-server user show -user s3admin,root

Vserver     User            ID
----------- --------------- ---------
S3          root            0
   Access Key: dy5ErHDEqr5pYsldqAsH3_0gQ5T8N98QhC__9N_6TZUrEiq0CEPD8aehNd_YuY_8ipDPQ_t9XDJh3x_O9j2rDb63IE7d_C5n895Hc8p2jj3gPh8T6AnAsUHrO3jHfPg3
   Secret Key: DO670LG4xqc__pN9_P66ciCjY__20hsshXqRPZlq5aH_Wb_CC_y_5k93qgQ39CXH_R564_24Nf_C4Ae0Ny6Sd01_Zc3zX4x_H9c0X131JtTo5xBcPOpxXAie6X88zC7a
   Comment: Root User
S3          s3admin         1
   Access Key: ggd1DrNc8_uCp_x6B3313_14py_9xx29yrITbej8_fGLNZO0Za6h6pDZgRQ_C__jNsXCk80BdQTwx_2u0pRRZ_h67xZa003aSgNc_P2_sYav74998l95AP14wyAbOXP9
   Secret Key: rqNFN6tu_6_nLWWrKA_946U_8f3TvpYmt7W15Tt1qA9rGnCBTHZCFCQAqkPXYIv4WX9_szjsLJU_5AcAi9ubs5dVicZ631_zeLPV7yV2tG_ahaSOpK46bccjbmE4nzYr
2 entries were displayed.

1.18      S3 Browser

  • You can use the S3 Browser Windows client (a third-party tool, not an Amazon product) installed on the Windows desktop VM
  • Use the “root” keys to enumerate the buckets in the lab; for real clients create a dedicated user with a bucket policy and keep the root keys for administration

Windows Server S3 Browser

  • Enter “ONTAP-S3” for the account name
  • Choose “S3 Compatible Storage”
  • REST Endpoint: “192.168.150.141” (with TLS enabled the certificate will not match an IP address, because it carries only the common name s3.lab2.local; use the FQDN and import the SVM_CA certificate from section 1.11 into the Windows trusted root store rather than ignoring certificate errors)
  • Access Key ID: paste the root access key from the output above (yours will differ)
  • Secret Access Key: paste the root secret key from the output above (yours will differ)
  • Leave “Use secure transfer (SSL/TLS)” checked (9.8+)
  • Click the “Advanced S3-compatible storage settings” link at the bottom left
  • Change Signature version to “Signature V4” and click the “Close” button
  • Click the “Add new account” button
  • S3 Browser will enumerate the two ONTAP buckets s3ontap1 and s3ontap2
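Every client in this post (S3 Browser with “Signature V4”, FabricPool in the next post) authenticates the way section 1.15 describes: no user name goes over the wire, only the access key in the Credential field and an HMAC-SHA256 signature derived from the secret key. The following added example is my own code, not part of the original post or of any NetApp tool: a standard-library implementation of the AWS Signature Version 4 computation that those clients perform, checked against the GET Object test vector published in the AWS documentation and then applied to a ListObjectsV2 request for the s3ontap1 bucket on s3.lab2.local. The keys in list_bucket_request are constructed placeholders, not the root keys from section 1.17 (real ONTAP keys are far longer, the algorithm does not care), and us-east-1 is an assumed region string that only forms part of the credential scope.

```python
import hashlib
import hmac
import urllib.parse

# SHA-256 of an empty body, sent as x-amz-content-sha256 on requests without a payload.
EMPTY_PAYLOAD_SHA256 = hashlib.sha256(b"").hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """Derive the per-day SigV4 signing key; the raw secret is used only in this first HMAC."""
    key = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    for part in (region, service, "aws4_request"):
        key = _hmac_sha256(key, part)
    return key


def _uri_encode(value: str, keep_slash: bool = False) -> str:
    # SigV4 canonical encoding: only the unreserved set (and '/' in paths) is left alone.
    return urllib.parse.quote(value, safe="/-_.~" if keep_slash else "-_.~")


def sign_request(method, host, path, access_key, secret_key, amz_date,
                 query=None, extra_headers=None, payload=b"", region="us-east-1", service="s3"):
    """Build the canonical request, string to sign and Authorization header for one S3 request.

    amz_date is the ISO-8601 basic timestamp (e.g. 20200430T160615Z). It is part of what is
    signed, and servers reject requests whose x-amz-date is too far from their own clock, so a
    captured request cannot be replayed for long. Nothing here is encrypted: SigV4 proves who
    sent the request and that the signed parts were not altered, which is why TLS still matters.
    """
    payload_hash = hashlib.sha256(payload).hexdigest()
    headers = {"host": host, "x-amz-content-sha256": payload_hash, "x-amz-date": amz_date}
    headers.update({k.lower(): " ".join(v.split()) for k, v in (extra_headers or {}).items()})
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_query = "&".join(f"{_uri_encode(k)}={_uri_encode(v)}"
                               for k, v in sorted((query or {}).items()))
    canonical_request = "\n".join([method, _uri_encode(path, keep_slash=True), canonical_query,
                                   canonical_headers, signed_headers, payload_hash])
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signature = hmac.new(signing_key(secret_key, date_stamp, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return {"canonical_request": canonical_request, "string_to_sign": string_to_sign,
            "signature": signature, "headers": headers}


def list_bucket_request(access_key="AKIAROOTEXAMPLE", secret_key="made-up-secret-not-from-this-post"):
    """ListObjectsV2 on the post's s3ontap1 bucket (path-style), signed as a client would sign it.

    The keys are constructed placeholders standing in for the root keys of section 1.17; the
    region string us-east-1 is an assumption, ONTAP is not AWS and the value only has to be the
    same on both sides of the credential scope.
    """
    return sign_request("GET", "s3.lab2.local", "/s3ontap1/", access_key, secret_key,
                        "20200430T160615Z", query={"list-type": "2", "max-keys": "10"})


if __name__ == "__main__":
    req = list_bucket_request()
    print(req["canonical_request"], "\n")
    for name, value in req["headers"].items():
        print(f"{name}: {value}")
```

Two things this makes visible that the S3 Browser dialog hides: the secret key never appears in the request, only a signature derived from it (so a leaked request does not leak the key, but a leaked key grants everything the user's policy allows, which for root is everything), and the signature covers the host, the timestamp and the payload hash but encrypts nothing, so the HTTP listener from section 1.12 exposes bucket contents on the wire.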
