Secure communication between the proxy server and other backend servers
Use this feature to establish secure communication between the proxy server and the backend object storage servers.
By default, object-server, object-server-sof, container-server, and account-server do not
authenticate the requests that they serve. Any process that can connect to their listening ports,
not only the proxy-server, can send requests that update the account and container databases or
alter object data on disk. Additional security between these servers can be enabled: the
requesting process signs each request with a secret key kept in swift.conf, and the serving
object, container, or account server verifies that signature before acting on the request. To
enable this feature, set:
mmobj config change --ccrfile swift.conf --section node_communication --property secure --value true
The signing middleware is added to proxy-server and the validating middleware is added to
object-server, object-server-sof, container-server, and account-server. If the secret key is not
present in swift.conf, a random key is generated and stored as the secure_communication_secret
property in the node_communication section. In a multi-region environment, every cluster must use
the same key: reset this property to a common value on all the clusters, because a request signed
with one region's key fails verification on the backend servers of another region. To revert to
the original configuration, set:
mmobj config change --ccrfile swift.conf --section node_communication --property secure --value false
Note: Disable SSH access on the protocol nodes on the IBM Spectrum Scale™ cluster for the users
having the same UID and GID as the local swift user. The signing secret is only as strong as
access to swift.conf: a user who can log in with the swift user's UID and GID can read the key and
forge validly signed requests to the backend servers.
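The following is an added, self-contained illustration of the request-signing pattern described above, written as a pair of WSGI middlewares. It is not IBM's node_communication middleware or any code from this product: the header names, the canonical string, the replay window, the secret value and the sample request are all constructed for the example. It shows why a request that reaches a backend server directly, with a tampered body, with a stale timestamp, or signed with another cluster's key is rejected, while the same request through the signing proxy is accepted.

```python
"""Illustrative HMAC request signing between a Swift proxy and a backend server.
NOT IBM's node_communication middleware; only the pattern the page describes:
the proxy signs with a shared secret, the backend verifies and rejects the rest.
Header names, canonical string and skew window are assumptions for this example."""
import hashlib
import hmac
import io
import time

# Constructed secret for the example. In the product the shared key lives in
# swift.conf under [node_communication] secure_communication_secret.
SHARED_SECRET = b"7f3c9a1e4b2d8f6a0c5e1b9d3a7f2c4e"
SIG_HEADER = "HTTP_X_NODE_SIGNATURE"   # assumed header names (WSGI environ keys)
TS_HEADER = "HTTP_X_NODE_TIMESTAMP"
MAX_SKEW = 300                          # assumed replay window, in seconds


def _read_body(environ):
    """Read the request body once and put it back so the next app can read it."""
    body = environ["wsgi.input"].read()
    environ["wsgi.input"] = io.BytesIO(body)
    return body


def compute_signature(secret, method, path, timestamp, body):
    """HMAC-SHA256 over method, path, timestamp and a body digest, so a changed
    path or body, or a replayed old timestamp, no longer matches."""
    canonical = b"\n".join([
        method.encode(), path.encode(), str(timestamp).encode(),
        hashlib.sha256(body).hexdigest().encode(),
    ])
    return hmac.new(secret, canonical, hashlib.sha256).hexdigest()


def signing_middleware(app, secret, now=time.time):
    """Proxy side: stamp each outgoing request with a timestamp and an HMAC."""
    def wrapped(environ, start_response):
        ts = int(now())
        environ[TS_HEADER] = str(ts)
        environ[SIG_HEADER] = compute_signature(
            secret, environ["REQUEST_METHOD"], environ["PATH_INFO"], ts, _read_body(environ))
        return app(environ, start_response)
    return wrapped


def validating_middleware(app, secret, now=time.time, max_skew=MAX_SKEW):
    """Backend side: admit only requests that carry a fresh, valid signature."""
    def reject(start_response, reason):
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [reason.encode() + b"\n"]

    def wrapped(environ, start_response):
        ts_raw = environ.get(TS_HEADER, "")
        if not ts_raw.isdigit() or abs(int(now()) - int(ts_raw)) > max_skew:
            return reject(start_response, "missing or stale node signature")
        expected = compute_signature(
            secret, environ["REQUEST_METHOD"], environ["PATH_INFO"],
            int(ts_raw), _read_body(environ))
        # constant-time compare: do not leak how many signature bytes matched
        if not hmac.compare_digest(expected, environ.get(SIG_HEADER, "")):
            return reject(start_response, "bad node signature")
        return app(environ, start_response)
    return wrapped


def backend_app(environ, start_response):
    """Stand-in for object-server: anything that reaches here is 'written to disk'."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"stored\n"]


def send(app, method, path, body=b"", headers=None):
    """Drive a WSGI app with a constructed request and return its status line."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "wsgi.input": io.BytesIO(body)}
    environ.update(headers or {})
    status = []
    app(environ, lambda s, h: status.append(s))
    return status[0]


def demo():
    """Run the same PUT through each path; only the signed, fresh one is stored."""
    backend = validating_middleware(backend_app, SHARED_SECRET)
    proxy = signing_middleware(backend, SHARED_SECRET)
    other_region = signing_middleware(backend, b"a-different-regions-key")
    path, body = "/sdb1/1234/AUTH_test/c/o", b"object data"   # constructed request
    now, old = int(time.time()), int(time.time()) - 3600
    good_sig = compute_signature(SHARED_SECRET, "PUT", path, now, body)
    old_sig = compute_signature(SHARED_SECRET, "PUT", path, old, body)
    return {
        "via_proxy": send(proxy, "PUT", path, body),
        "direct_unsigned": send(backend, "PUT", path, body),
        "other_region_key": send(other_region, "PUT", path, body),
        "tampered_body": send(backend, "PUT", path, b"evil data",
                              {TS_HEADER: str(now), SIG_HEADER: good_sig}),
        "replayed_stale": send(backend, "PUT", path, body,
                               {TS_HEADER: str(old), SIG_HEADER: old_sig}),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:18s} {status}")
```

The body is read and replaced with a fresh BytesIO in both middlewares so the signature covers the bytes the backend actually writes; binding the timestamp into the HMAC and rejecting stale values is what turns a captured signed request into something that cannot simply be replayed later.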