Ensuring secure and reliable backup storage is critical for enterprise environments. IBM Storage Fusion provides robust backup and restore capabilities, and integrating it with IBM Storage Scale CES S3 offers a scalable, high-performance solution. However, when using self-signed SSL/TLS certificates, additional configuration is required to establish trust between the systems.
In this guide, I walk through the step-by-step process of setting up IBM Storage Scale CES S3 as a backup and restore target for IBM Storage Fusion using self-signed SSL/TLS certificates. This includes:
- Generating and deploying self-signed certificates for CES S3
- Configuring IBM Storage Fusion to trust these certificates
- Setting up a secure and reliable backup storage location
Whether you're currently implementing this setup or evaluating IBM Storage Scale CES S3 as a backup target, this guide will serve as a useful reference. Let’s dive in!
To establish secure communication between the IBM Storage Scale CES S3 service and IBM Storage Fusion's backup and restore functionality using self-signed SSL/TLS certificates, follow these steps:
1. Generate a Self-Signed SSL/TLS Certificate:
- Create a Subject Alternative Name (SAN) Configuration File:
Create a file named san.cnf with the following content, replacing placeholders with your actual domain and IP address:
[req]
req_extensions = req_ext
distinguished_name = req_distinguished_name
[req_distinguished_name]
CN = localhost
[req_ext]
subjectAltName = DNS:localhost,DNS:your-domain.com,IP:your-server-ip
This configuration ensures the certificate is valid for the specified domain names and IP addresses.
- Generate the TLS Key, Certificate Signing Request (CSR), and Certificate:
Use OpenSSL to generate the necessary files:
openssl genpkey -algorithm RSA -out tls.key
openssl req -new -key tls.key -out tls.csr -config san.cnf -subj "/CN=localhost"
openssl x509 -req -days 365 -in tls.csr -signkey tls.key -out tls.crt -extfile san.cnf -extensions req_ext
These commands create a private key (tls.key), a CSR (tls.csr), and a self-signed certificate (tls.crt) valid for one year.
2. Deploy the Certificate to IBM Storage Scale CES S3 Service:
- Locate the CES Shared Root Path:
On a CES node, determine the cesSharedRoot path by running:
mmlsconfig | grep cesSharedRoot
- Move the Certificate and Key to the Appropriate Directory:
Transfer the tls.key and tls.crt files to the CES S3 configuration directory:
mv tls.key /path/to/cesSharedRoot/ces/s3-config/certificates/
mv tls.crt /path/to/cesSharedRoot/ces/s3-config/certificates/
Replace /path/to/cesSharedRoot with the actual path obtained from the previous step.
- Restart the S3 Service on All CES Nodes:
Execute the following commands to apply the new certificate:
mmces service stop s3 -a
mmces service start s3 -a
This restarts the S3 service across all CES nodes, ensuring the new certificate is in use.
- Verify the Subject Alternative Name (SAN) in the Deployed Certificate:
Confirm that the certificate now served by CES S3 carries the expected SAN entries (the path below is the cesSharedRoot from the earlier step, here /ibm/fs1):
openssl x509 -in /ibm/fs1/ces/s3-config/certificates/tls.crt -text -noout | grep -A2 "Subject Alternative Name"
Example output from a lab environment (the last line is grep context after the SAN entries):
X509v3 Subject Alternative Name:
DNS:scale-vm.ocpinstall.gym.lan, DNS:scale-vm-ces-vip.ocpinstall.gym.lan, IP Address:192.168.252.150
X509v3 Subject Key Identifier:
3. Create a Secret in IBM Storage Fusion for the Self-Signed Certificate:
Before configuring the backup storage location, create a secret to store the self-signed certificate:
oc create secret generic s3-cert-secret --from-file=cert.pem=path/to/tls.crt -n ibm-spectrum-fusion-ns
Replace path/to/tls.crt with the actual path to your certificate file.
4. Configure the Backup Storage Location in IBM Storage Fusion:
After creating the secret, add the backup storage location:
- Access the IBM Storage Fusion Interface:
Log in to the IBM Storage Fusion user interface.
- Navigate to Backup & Restore Locations:
Go to Backup & restore > Locations and click Add location.
- Enter Backup Location Details:
Provide the following information:
- Location Name: A descriptive name for the backup location.
- Location Type: Select S3Compliant.
- Endpoint: The URL of your S3 service (e.g., https://your-server-ip:6443). The host name or IP address in this URL must be one of the entries listed in the certificate's Subject Alternative Name, otherwise the TLS handshake fails even though the certificate is trusted.
- Bucket: The name of the S3 bucket to use for backups.
- Access Key and Secret Key: Credentials for accessing the S3 service.
- Certificate Secret Name: Enter the name of the secret created earlier (s3-cert-secret).
This configuration ensures that IBM Storage Fusion recognizes and trusts the self-signed certificate when communicating with the S3 service.
- Finalize the Configuration:
Click Add to complete the setup.
By following these steps, you establish a secure, trusted connection between the IBM Storage Scale CES S3 service and IBM Storage Fusion's backup and restore functionality using a self-signed SSL/TLS certificate.
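The following shell script is an added example, not part of the original guide or of IBM's tooling. It scripts steps 1 to 3 as functions and adds the checks an operator would want before restarting CES S3 and before pointing Fusion at the endpoint: that every name Fusion will connect to is present in the SAN, that tls.key actually belongs to tls.crt, and that the cert.pem stored in the Fusion Secret is byte-for-byte the certificate deployed on the CES nodes (compared by SHA-256 fingerprint). All host names, IP addresses and directories are constructed placeholders; the only real commands used are openssl and base64.

```shell
#!/bin/sh
# Added example (not from the original guide): build a self-signed CES S3
# certificate with a SAN and verify it before deployment.
# Host names, IPs and paths are constructed placeholders.

# make_san_cert OUTDIR CN "DNS1,DNS2,..." IP
# Writes san.cnf, tls.key, tls.csr and tls.crt into OUTDIR (one-year validity).
make_san_cert() {
  outdir=$1; cn=$2; dns_list=$3; ip=$4
  mkdir -p "$outdir"
  # Turn "a,b" into "DNS:a,DNS:b" and append the IP entry.
  san=$(printf '%s' "$dns_list" | sed 's/,/,DNS:/g; s/^/DNS:/')
  san="$san,IP:$ip"
  cat > "$outdir/san.cnf" <<EOF
[req]
req_extensions = req_ext
distinguished_name = req_distinguished_name
[req_distinguished_name]
CN = $cn
[req_ext]
subjectAltName = $san
EOF
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$outdir/tls.key" 2>/dev/null
  openssl req -new -key "$outdir/tls.key" -out "$outdir/tls.csr" \
    -config "$outdir/san.cnf" -subj "/CN=$cn" 2>/dev/null
  openssl x509 -req -days 365 -in "$outdir/tls.csr" -signkey "$outdir/tls.key" \
    -out "$outdir/tls.crt" -extfile "$outdir/san.cnf" -extensions req_ext 2>/dev/null
}

# san_has CERT ENTRY : succeeds if ENTRY (e.g. "DNS:host" or
# "IP Address:192.0.2.10", as printed by openssl) is in the SAN extension.
san_has() {
  openssl x509 -in "$1" -text -noout 2>/dev/null \
    | awk '/Subject Alternative Name/ { getline; print }' \
    | grep -qF "$2"
}

# key_matches_cert KEY CERT : the public key derived from the private key
# must equal the public key embedded in the certificate.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_fingerprint CERT : SHA-256 fingerprint without the "Fingerprint=" prefix.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# secret_matches_cert B64 CERT : B64 is the base64 value of the Secret's
# cert.pem key (what `oc get secret s3-cert-secret -n ibm-spectrum-fusion-ns
# -o jsonpath='{.data.cert\.pem}'` prints). Succeeds if it decodes to a
# certificate with the same fingerprint as CERT on disk.
secret_matches_cert() {
  tmp=$(mktemp)
  printf '%s' "$1" | base64 -d > "$tmp" 2>/dev/null || { rm -f "$tmp"; return 1; }
  a=$(cert_fingerprint "$tmp"); rm -f "$tmp"
  [ -n "$a" ] && [ "$a" = "$(cert_fingerprint "$2")" ]
}

# Stand-alone demo: ./script.sh --demo
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  make_san_cert "$d" scale-vm.example.test \
    scale-vm.example.test,scale-vm-ces-vip.example.test 192.0.2.10
  san_has "$d/tls.crt" "DNS:scale-vm-ces-vip.example.test" && echo "SAN ok"
  key_matches_cert "$d/tls.key" "$d/tls.crt" && echo "key/cert ok"
  echo "fingerprint: $(cert_fingerprint "$d/tls.crt")"
fi
```

In a real deployment, run san_has once per name you will type into the Fusion Endpoint field (the CES VIP name, the node name, the IP), run key_matches_cert before moving the files into cesSharedRoot/ces/s3-config/certificates/, and after oc create secret feed the Secret's cert.pem value to secret_matches_cert to confirm Fusion is trusting the certificate that CES S3 actually serves rather than a stale copy.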
5. Screenshots
- Screenshot: Scale S3 bucket added to the Fusion Backup & restore object storage locations
- Screenshot: Backup successfully completed to the object storage location (Scale S3 bucket)