Configuring an object client

Configure an S3 client as an object client to the IBM® Storage Protect server. This step is part of a configuration procedure that will enable the S3 client to send data to the IBM Storage Protect server.

Procedure

Complete the following steps:

  1. Log in by using an instance user ID.
  2. Set up an object client and obtain the required credentials for connecting the object client to the object agent.
    Tip: If you attempt to create an object client before creating the corresponding object agent, the Add Client wizard forces the creation of the object agent.
    1. On the Operations Center menu bar, click Clients.
    2. In the Clients table, click +Client.
    3. Select Object Client and follow the instructions in the Add Client wizard.
    After you complete the wizard, it provides you with the endpoint for communicating with the object agent on the server, and the access key ID, secret access key, and certificate for connecting securely. When an S3 client is used as an object client, it must direct its requests to the endpoint, and must use the access key ID, secret access key, and certificate.
    Important: Ensure that a copy of each credential is saved to a secure location.

    Certificates can be obtained from the Operations Center by navigating to the following pane: Server > Object Agent > Agent Certificate. In this pane, the certificate is available to view and copy.

    The IBM Storage Protect object agent uses the Transport Layer Security (TLS) protocol. Each object client must have a unique access key ID and secret access key and must connect securely. With S3 client applications, it might be necessary to import this certificate. For example, if you are using an application that uses the S3 Java™ application programming interface (API), the certificate must be imported into the Java KeyStore. The logistics of importing the object agent's certificate are determined by your client application. For instructions about importing certificates, see your S3 vendor documentation.

    Tip: Alternatively, use the REGISTER NODE command in the Operations Center command builder or server administrative command line to create an object client. Specify TYPE=OBJECTCLIENT. If the policy domain is defined as an object policy domain, the DOMAIN parameter is also required. You are provided with the access key ID, secret access key, and certificate for connecting securely. To retrieve the certificate, locate the IBM Storage Protect instance home directory. The certificate is typically in a subdirectory with the same name as the associated object agent.

    Linux and AIX operating systems: For example, if the instance home directory is /home/tsminst1/tsminst1/ and the object agent was defined with the name S3AGENT, the certificate file is in the IBM Storage Protect server's file system:
    /home/tsminst1/tsminst1/S3AGENT/agentcert.crt

    Windows operating systems: For example, if the instance home directory is H:\tsminst1 and the object agent was defined with the name S3AGENT, the certificate file is in the IBM Storage Protect server's file system:
    H:\tsminst1\S3AGENT\agentcert.crt

What to do next

Verify that your object client can connect to the IBM Storage Protect object agent:
  1. Review the following guidelines:
    • The default port number for the object agent is 9000. However, you can configure any available TCP/IP port for the object agent.
    • Linux and AIX operating systems: If you are using a port number in the range 0 - 1024, the object agent must be run with the root user ID. If you use a port in that range, you must start the object agent manually by following the instructions in technote 6357941.
    • If there are any firewalls between the object client and agent, configure the object agent to access the appropriate port through the firewall.
  2. Only one object agent is allowed on each IBM Storage Protect server. Multiple object clients can be registered to each object agent.
  3. Start the object agent. After it starts, clients can establish a connection to the object agent. Clients use the object agent certificate to verify the security of the TLS connection.
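
The connection check described above can be scripted. The following Python sketch is an added example, not IBM code: it trusts only the exported agent certificate and reports whether a verified TLS handshake with the object agent succeeds. The host name s3agent.example.com is a placeholder, and the script assumes that agentcert.crt is PEM-encoded.

```python
import socket
import ssl
import sys


def agent_trust_context(cert_path):
    """Build a TLS client context whose only trust anchor is the agent certificate."""
    # PROTOCOL_TLS_CLIENT turns on CERT_REQUIRED and host name checking and
    # loads no system CAs, so only the file below is trusted.
    # Assumption: cert_path is the PEM-encoded agentcert.crt copied from the server.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cert_path)
    return ctx


def probe(host, port, ctx, timeout=5.0):
    """Attempt a verified TLS handshake; return (status, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("ok", tls.version())
    except ssl.SSLCertVerificationError as exc:
        # The presented certificate is not the trusted one or does not match host.
        return ("untrusted", exc.verify_message)
    except ssl.SSLError as exc:
        return ("tls-error", str(exc))
    except OSError as exc:
        # Connection refused, timed out, or blocked by a firewall.
        return ("unreachable", str(exc))


def check_agent(host, port, cert_path):
    """Load the agent certificate, then probe the object agent endpoint."""
    try:
        ctx = agent_trust_context(cert_path)
    except OSError as exc:  # missing file, or not a PEM certificate (ssl.SSLError)
        return ("cert-file-error", str(exc))
    return probe(host, port, ctx)


if __name__ == "__main__":
    # Assumed usage: check_agent.py s3agent.example.com 9000 agentcert.crt
    host, port, cert = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    status, detail = check_agent(host, port, cert)
    print(f"{host}:{port} -> {status}: {detail}")
    sys.exit(0 if status == "ok" else 1)
```

An "untrusted" result means the endpoint presented a certificate other than the one you copied, or the host name in the endpoint does not match the certificate; resolve it before you configure the S3 client rather than disabling verification.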