Tether your HSTS node to Aspera on Cloud

Once you have completed the preceding configuration steps, you can add your IBM Aspera HSTS node to your Aspera on Cloud organization.

This is step 8 in tethering a node.

Before you begin step 8, be sure you have completed the previous steps.

[Process map diagram: SSL certs, firewall, HTTPS proxy, configure node, nginx, transfer user, optional for HA cluster, add node, mark remote storage, ALEE and AEJD, backup and restore]

Note: Adding a node to AoC requires an access key and secret. It is simplest to generate them when you add the node with the AoC Web UI. But you can also generate them on the node (server) itself from the command line in advance, and then enter them in the Web UI. For information about command-line usage, see IBM Aspera High-Speed Transfer Server Admin Guide: Access Key Authentication.

Prerequisites

Important: Before you can add your transfer server to AoC, you must complete the previous configuration steps. Refer to the process map diagram above.

To complete this procedure, you need the following information:

  • Node URL.
  • Node SSH fingerprint. Aspera recommends that you secure transfers with the SSH fingerprint from the transfer node (but it is not required). For information about retrieving the node fingerprint, see Securing Your SSH Server in the IBM Aspera High-Speed Transfer Server Admin Guide.
  • To use an existing access key for the node (that you created on the transfer server), you need the access key ID and secret.
  • To create a new access key in the process of adding the transfer server (node) to your organization, you need the Node user name and password, and information about the storage you are using.

    For local storage, this is simply the path on the node. For cloud storage you need to know the details of that storage (for IBM Cloud, Amazon S3, Microsoft Azure Blob, or Microsoft Azure Files). For example, for Amazon S3, you need the storage class, IAM Assume role credentials, endpoint, bucket, and path.

Add the node

This is the procedure that actually tethers the node you've configured to your Aspera on Cloud organization.

Important: If you have multiple Aspera on Cloud organizations that use the same storage, you must use separate access keys for each organization.

  1. In the Admin application, go to Nodes > Create new.
  2. Enter the name that you want to use for this node.
  3. Enter the node's URL and asperanoded port.

    For example: https://www.example.com:443.

    Note: Be sure to use the asperanoded port as configured for your tethered-node server. See Configure monitoring and metering for your tethered node.
  4. Optionally, enter the node SSH fingerprint.
  5. To apply a configured network policy to this node, click the downward caret in the Network Policy field and select the intended policy; see Creating Network Policies.
  6. To apply a configured node configuration policy to this node, click the downward caret in the Configuration Policy field and select the intended policy; see Creating Node Configuration Policies.
  7. To apply a file deletion policy to help manage storage usage, click the field and select the intended policy; see "Configure file deletion policies" in Managing storage usage.
  8. Provide an access key/secret pair.
    • If you have already created a key/secret pair for this node on your transfer server, click Use existing and enter the node access key and secret. Then click Save, and you are done with this procedure.
    • Otherwise, click Create new access key and proceed with the following steps.
  9. Enter the Node user name.
  10. Enter the Node user password.
  11. Select the storage type, and configure storage details with data relevant to this storage type.
    • Local
      Path: The absolute path on the storage.
    • Amazon S3
      Storage class: Select a storage class. Select from: Standard, Standard Infrequent Access, Intelligent Tiering, Glacier Instant Retrieval, Glacier Flexible Retrieval, Glacier Deep Archive, One Zone Infrequent Access. For important details on AoC functionality in specific storage classes, see Attach an AWS S3 bucket.
      Server-side encryption: Select to configure encryption on the server in AWS: None, AES-256, AWS KMS.
      KMS key ID ARN or KMS key alias ARN: If using AWS KMS server-side encryption:
        The AWS Key Management Service key ID, in the format arn:aws:kms:<region>:<account_number>:key/<encryption_key_id>.
        KMS key ID example: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab".
        or
        The AWS Key Management Service key alias, in the format arn:aws:kms:<region>:<account_number>:alias/<encryption_key_alias>.
        KMS key alias example: "arn:aws:kms:us-west-2:111122223333:alias/my_key_alias"
        Note: Be sure to include the AWS bucket region in the ARN.
      IAM Role ARN: The Amazon Resource Name (ARN) of the IAM role to assume.
      External ID: The unique identifier used by third parties when assuming roles in their customers' accounts. The storage account holder sets this ID. To find it, go to the AWS management console, then click Roles > yourRole > Trust Relationship. Find your trust relationship in the list, and see the External ID listed in the 'Conditions' column for that relationship. If your trust relationship does not include an external ID, you can edit the trust relationship to add one as required. For more information on External ID, see "How to use an external ID when granting access to your AWS resources to a third party."
      Session name: The role session name that uniquely identifies a session when the same role is assumed by different principals or for different reasons.
      Bucket: The bucket name.
      Endpoint: The URL that is the entry point to the storage for a web service. Example: s3.amazon.com.
      Path: The relative path under the bucket.
    • IBM Cloud
      Access key ID: The ID of the access key for the IBM Cloud.
      Secret access key: The secret that matches the key.
      Bucket: The bucket name.
      Endpoint: The URL that is the entry point to the storage for a web service. Example: s3.us.cloud-object-storage.appdomain.cloud.
      Path: The relative path under the bucket.
    • Microsoft Azure Blob
      API type: Select as appropriate: (1) Block, or (2) Page.
      Storage credentials: The access key for SAS URL for the storage.
      Storage account: The storage account provides a unique namespace in Azure for your data. Every object that you store in Azure Storage has an address that includes your unique account name. The combination of the account name and the Azure Storage blob endpoint forms the base address for the objects in your storage account.
      Access key: The key ID associated with the storage account.
      Container: The name of the container that organizes a set of blobs. A container is similar to a directory in a file system.
      Path: The relative path in the container.
    • Microsoft Azure Files
      API type: Select as appropriate: (1) Block, or (2) Page.
      Storage account: The storage account provides a unique namespace in Azure for your data. Every object that you store in Azure Storage has an address that includes your unique account name. The combination of the account name and the Azure Storage blob endpoint forms the base address for the objects in your storage account.
      Password: The password to the storage account.
      Path: The relative path on the storage.
  12. Click Save.
  13. Click Download Access Key Pair.
  14. Download or copy and save the Aspera on Cloud access key and secret according to local site practice. These credentials allow you to access this node for content management and configuration activities. If you download, Aspera generates a text file with the default name KeySecret.txt. Aspera recommends that you rename this file to make it easier to track and manage. You must download or copy these credentials to proceed.
    Important: Store the key and secret in a secure and accessible location according to local site security practices. Aspera on Cloud does not store the secret. Once you complete this step, you can no longer retrieve the secret.
  15. Click OK.
  16. To protect content on this node with Aspera encryption at rest, do one of the following:
  17. Click Save.
Note: For user-managed nodes (on-premises or cloud-based), schedule backups of the Redis database on your node. The Redis database contains your file IDs, permissions, access keys, and other node data. If it is corrupted and you do not have a backup, you must manually recreate your workspace. For instructions on creating backups, see Backing up and restoring a tethered node database.
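
Added example (not part of the IBM documentation or any Aspera tooling): Python code that pre-checks two of the Amazon S3 storage details from step 11 before you enter them in the Web UI. It checks that the KMS ARN follows the documented format and carries the bucket region, and that the role's trust relationship requires the External ID you plan to enter. The function names, the sample trust policy, and the External ID value are constructed for illustration; the trust policy is assumed to be the JSON shown under the role's Trust Relationship in the AWS console.

```python
import re

# Documented formats: arn:aws:kms:<region>:<account_number>:key/<encryption_key_id>
# or arn:aws:kms:<region>:<account_number>:alias/<encryption_key_alias>.
KMS_ARN = re.compile(r"^arn:aws:kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):"
                     r"(?P<kind>key|alias)/(?P<name>[A-Za-z0-9/_-]+)$")

def as_list(value):
    """IAM JSON accepts a single value wherever a list is allowed."""
    return [] if value is None else value if isinstance(value, list) else [value]

def check_kms_arn(arn, bucket_region):
    """Return problems with a KMS key ID or alias ARN (empty list means OK)."""
    m = KMS_ARN.match(arn.strip())
    if not m:
        return ["not in the documented key/ or alias/ ARN format"]
    if m["region"] != bucket_region:
        return [f"ARN region {m['region']} differs from bucket region {bucket_region}"]
    return []

def check_external_id(trust_policy, external_id):
    """Return problems with how the role's trust policy handles the External ID."""
    problems = []
    for n, stmt in enumerate(as_list(trust_policy.get("Statement"))):
        if (stmt.get("Effect") != "Allow"
                or "sts:AssumeRole" not in as_list(stmt.get("Action"))):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        # IAM condition key names are case-insensitive, so normalize before lookup.
        allowed = as_list({k.lower(): v for k, v in cond.items()}.get("sts:externalid"))
        if not allowed:
            problems.append(f"statement {n}: role can be assumed without an External ID")
        elif external_id not in allowed:
            problems.append(f"statement {n}: External ID does not match the trust policy")
    return problems

# Constructed sample input: hypothetical account, trust policy and External ID.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "constructed-external-id"}},
    }],
}

if __name__ == "__main__":
    print(check_kms_arn("arn:aws:kms:us-west-2:111122223333:alias/my_key_alias", "us-east-1"))
    print(check_external_id(SAMPLE_TRUST_POLICY, "constructed-external-id"))
```

The External ID check only inspects statements that name sts:AssumeRole explicitly; a trust policy that uses wildcard actions needs manual review.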

Updating node status

Aspera on Cloud polls the transfer node for node settings every five minutes; configuration changes you make to the node (for example, changes to aspera.conf) are propagated to Aspera on Cloud at that polling interval. If necessary, you can initiate an immediate poll from Aspera on Cloud to the node so that node configuration changes are reflected immediately in Aspera on Cloud behaviors.

  1. Go to Nodes and storage > Nodes.
  2. Filter, search, or browse for the intended node in the node list.
  3. Double-click the node row and select Update Status, then click OK to confirm.

Next step in tethering a node

You've added your tethered node to your AoC organization. For step 9 in tethering the HSTS node to your AoC organization, go to Mark remote storage attached to your tethered node as mount points.