Secure communication between the proxy server and other backend servers

Use this feature to establish secure communication between the proxy server and the backend object storage servers.

By default, object-server, object-server-sof, container-server, and account-server do not authenticate the requests that they serve. Processes that connect to these servers over their listening ports, including the proxy-server, can send requests that can result in updating the database and altering the object data on disk. Additional security between these servers can be enabled. The requesting process signs a request with a secret key kept in swift.conf. This key is verified by the serving object, container, or account server. To enable this feature, set:
mmobj config change --ccrfile swift.conf --section node_communication --property secure --value true
The signing middleware is added to proxy-server and the validating middleware is added to object-server, object-server-sof, container-server, and account-server. If the secret key is not present in swift.conf, a key is chosen at random and stored as secure_communication_secret under the node_communication section. In a multi-region environment, this key must be reset and kept the same in all the clusters.
To revert to the original configuration, set:
mmobj config change --ccrfile swift.conf --section node_communication --property secure --value false
Note: Disable SSH access on the protocol nodes of the IBM Spectrum Scale™ cluster for users that have the same UID and GID as the local swift user.
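The following added example (not part of the product or of this documentation's own code) checks the swift.conf text from each cluster of a multi-region setup: that secure is true, that secure_communication_secret is set, and that the key is the same everywhere, without printing the key. It assumes the settings appear as key = value lines under [node_communication], as the section and property names in the command above suggest; the function names, region names, and sample file contents are constructed for illustration.

```python
import configparser
import hmac

SECTION = "node_communication"

def read_node_communication(conf_text):
    """Return (secure_enabled, secret_or_None) parsed from swift.conf text."""
    cp = configparser.ConfigParser(interpolation=None)  # keys may contain '%'
    cp.read_string(conf_text)
    if not cp.has_section(SECTION):
        return False, None
    secure = cp.get(SECTION, "secure", fallback="false").strip().lower() == "true"
    secret = cp.get(SECTION, "secure_communication_secret", fallback="").strip()
    return secure, secret or None

def audit_regions(confs):
    """confs maps a region name to its swift.conf text; returns findings."""
    findings, secrets = [], {}
    for region, text in sorted(confs.items()):
        secure, secret = read_node_communication(text)
        if not secure:
            findings.append(f"{region}: secure is not true, backend requests are unsigned")
        elif secret is None:
            findings.append(f"{region}: secure is true but no secret key is set")
        else:
            secrets[region] = secret.encode()
    # The key must be common to all clusters; compare against the first region
    # in constant time and report only the region name, never the key itself.
    names = sorted(secrets)
    for other in names[1:]:
        if not hmac.compare_digest(secrets[names[0]], secrets[other]):
            findings.append(f"{other}: secret key differs from {names[0]}")
    return findings

# Constructed sample input (hypothetical regions and values, not real keys).
_BASE = "[swift-hash]\nswift_hash_path_suffix = constructed\n\n"
_NC = "[node_communication]\nsecure = true\nsecure_communication_secret = "
SAMPLE = {
    "region1": _BASE + _NC + "constructed-key-1\n",
    "region2": _BASE + _NC + "constructed-key-2\n",
    "region3": _BASE,  # feature never enabled in this cluster
}

if __name__ == "__main__":
    for finding in audit_regions(SAMPLE):
        print(finding)
```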