Enabling trust between the server and the object storage

Some configurations require using an encrypted HTTPS connection to the object storage. In such cases, we recommend that you enable the trust between the agent, the server, and the object storage to increase both the security and the performance of the connectivity.

Related topic

Securing-network-communication

Important

When working with a cloud object storage such as Amazon S3, Google, and Microsoft Azure, it is likely that your server is already configured to trust their public CA. If so, skip to step 5.

If you are working with an on-premises storage device, it is assumed that the target object storage certificate was already signed with the organizational certificate authority (CA). You must add that CA to the trusted certificate authorities file.

To enable trust between the server and the object storage

  1. Upload the organizational CA certificate file to the management server in PEM format.

  2. Clone a truststore from within the container by using this command: 

    docker cp model9-v2.x.x:/opt/java/openjdk/lib/security/cacerts $MODEL9_HOME/keys/cacerts

  3. Import the storage certificate into the truststore as a trusted certificate. 

    keytool -import -trustcacerts -keystore /data/model9/keys/cacerts -storepass changeit -noprompt -alias rootCA -file '/path/root CA file'

    If you are asked the question Trust this certificate? answer YES.

  4.  Edit the model9.env file. To the EXTRA_JVM_ARGS parameter, add -Djavax.net.ssl.trustStore=/model9/keys/cacerts .

    Example

    If the current value of this parameter is EXTRA_JVM_ARGS=-Xmx2048m, the new parameter should be EXTRA_JVM_ARGS=-Xmx2048m -Djavax.net.ssl.trustStore=/model9/keys/cacerts

  5.  Add the following to the model9-local.yml file: 

    model9.objstore.endpoint.no.verify.ssl: false

  6. Stop and remove the container: 

    docker stop model9.v<v.r.m>
    docker rm model9.v<v.r.m>
  7. Start the container by using the docker run command located in the Installing the management server topic.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*