How to access S3 storage with self-signed certificates with Platform Extension Framework (PXF)

Article ID: 296487

Products

VMware Tanzu Greenplum
VMware Tanzu Greenplum / Gemfire

Issue/Introduction

This article describes how to set up Platform Extension Framework (PXF) to access a private S3 object storage cluster that uses a self-signed certificate.

The PXF servers will need to recognize the self-signed certificate. This article covers how to configure PXF to store and recognize the self-signed certificate.

Resolution

Create a keystore of the certificate

Create a keystore containing the certificate as a file in the directory $PXF_BASE/conf, for example $PXF_BASE/conf/cacerts. The file can be located elsewhere under $PXF_BASE, specifically in a directory that is synchronized by pxf cluster sync.

Otherwise, you will need to copy it manually to the segment servers whenever it changes. Use the command below to create the keystore, replacing "<myAlias>" and "<root.crt>" with the appropriate values:

keytool -import -trustcacerts -keystore ${PXF_BASE}/conf/cacerts -alias <myAlias> -file <root.crt>

Modify pxf-env.sh file

Edit the file: $PXF_BASE/conf/pxf-env.sh.

Add the line:

export PXF_JVM_OPTS="-Xmx2g -Xms1g -Djavax.net.ssl.trustStore=${PXF_BASE}/conf/cacerts"

Enable SSL for S3 server

The property "fs.s3a.connection.ssl.enabled" should be set to true in the server's s3-site.xml file.

Synchronize the PXF configuration

pxf cluster sync

Restart PXF

pxf cluster stop
pxf cluster start
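
The settings from the steps above can be verified with a read-only check of the two edited files. This is an added example, not part of the original article or of PXF: the function name check_pxf_s3_tls and its two parameters are hypothetical, and the location of the server's s3-site.xml is supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the article: read-only preflight check of the steps above.
# check_pxf_s3_tls and its two parameters are hypothetical names.
# Usage after sourcing this file: check_pxf_s3_tls "$PXF_BASE" /path/to/s3-site.xml
check_pxf_s3_tls() {
    base=$1; site=$2; env_file="$base/conf/pxf-env.sh"; rc=0

    # An unclosed quote in pxf-env.sh breaks the file when it is sourced.
    if ! sh -n "$env_file" 2>/dev/null; then
        echo "FAIL: $env_file is missing or has a shell syntax error"; rc=1
    fi

    # Pull the trustStore path out of the last PXF_JVM_OPTS export.
    store=$(grep -E '^[[:space:]]*export[[:space:]]+PXF_JVM_OPTS=' "$env_file" 2>/dev/null |
        tail -n 1 | sed -n 's/.*-Djavax\.net\.ssl\.trustStore=\([^" ]*\).*/\1/p')
    case "$store" in   # resolve a literal PXF_BASE reference against $base
        '${PXF_BASE}'/*|'$PXF_BASE'/*) store="$base/${store#*/}" ;;
    esac
    if [ -z "$store" ]; then
        echo "FAIL: PXF_JVM_OPTS has no -Djavax.net.ssl.trustStore option"; rc=1
    elif [ ! -s "$store" ]; then
        echo "FAIL: trust store $store is missing or empty"; rc=1
    else
        case "$store" in
            "$base"/*) ;;
            *) echo "WARN: $store is outside $base; copy it to every host by hand" ;;
        esac
        # A trust store that any local user can modify lets them add a CA.
        if [ -n "$(find -L "$store" -perm -002 2>/dev/null)" ]; then
            echo "FAIL: $store is world-writable"; rc=1
        fi
    fi

    # Flatten the XML and read the <value> that follows the property name.
    # (Simple text match: it does not skip commented-out properties.)
    name='fs\.s3a\.connection\.ssl\.enabled'
    val=$(cat "$site" 2>/dev/null | tr -d '\n' | sed -n \
        "s|.*<name>[[:space:]]*$name[[:space:]]*</name>[[:space:]]*<value>[[:space:]]*\([^<[:space:]]*\)[[:space:]]*</value>.*|\1|p")
    if [ "$val" != "true" ]; then
        echo "FAIL: fs.s3a.connection.ssl.enabled is '${val:-unset}' in $site"; rc=1
    fi
    return "$rc"
}
```

The function returns 0 only when every check passes, so it can gate pxf cluster sync in a deployment script.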