You can add a new location from the Backup & restore page of the IBM Fusion user interface.
Before you begin
If you plan to use a certificate for an S3 compliant backup storage location, then create a secret
with the certificate as a prerequisite. For the procedure to create a secret, see Creating a secret.
About this task
Create the backup storage location in the specified sequence. High-level steps to add a backup
storage location:
- Go to Backup & restore > Locations, and click Add location.
- Enter Location name, type of object storage, and credentials for the storage.
- If applicable, enter the certificate's secret name for S3 compliant storage locations.
- Click Add.
Note: IBM does not support the creation of two backup storage locations that have both identical
endpoint and bucket names.
Procedure
- Log in to IBM Fusion user interface.
- From the menu, click Backup & restore > Locations.
- In the Locations page, click Add location.
The Add backup location wizard page is displayed.
- In the Add backup location, enter the Location name.
- Select the type of object storage backup location. The different location types are
Azure (Microsoft Object Storage), IBM Cloud (IBM Object Storage), AWS (Amazon Object Storage),
MCG/NooBaa (Red Hat Object Storage), S3Compliant (Any Object Storage), and Storage Protect.
- Click Next.
- In the Login credentials section, enter the following credentials to connect IBM Fusion to your
backup location: Endpoint, Bucket, Access key, Secret key. If the location is Azure (Microsoft
Object Storage), then enter the Account name and Account key instead of Access key and Secret key.
If the location is Amazon AWS, then you must also enter the Region.
Example for AWS endpoint: https://s3.us-west-1.amazonaws.com
- In the Certificate settings (optional) section, enter the Secret name for the certificate.
Note:
- This setting is applicable only when you create an S3 compliant backup storage location type.
- The endpoint URL must use the HTTPS protocol with a trusted connection. If the endpoint URL
contains the HTTPS protocol, then you need to enter the name of the secret that contains the SSL
certificate.
- If you did not create a secret before you create the backup storage location, then you cannot
complete further steps. Ensure that you cancel the operation and go back to the create secret step.
For the procedure to create a secret, see Creating a secret.
- If you plan to use an S3 location, check whether your permissions are valid with the cloud
provider for that particular endpoint and bucket or equivalent.
For certificates, run the following openssl command to check whether a Subject Alternative Name
(SAN) exists:
    openssl x509 -in <filepath> -text
The output displays a SAN field. This SAN field must match the endpoint host of the S3 bucket.
- Do not use "wildcard + self-signed certificate" as it is a major security risk. If installed
system-wide, then on exposure, all encrypted communication can be decrypted.
Warning: For security reasons, HTTP connections to S3 backup storage locations are
disabled by default. Enable HTTP access only in non‑production environments. IBM strongly recommends
avoiding this option whenever possible. To allow insecure connections, set the allowInsecureS3
property to true in the DataProtectionAgent custom resource.
For example:
apiVersion: dataprotectionagent.idp.ibm.com/v1
kind: DataProtectionAgent
metadata:
  name: dpagent
  namespace: ibm-backup-restore
spec:
  transactionManager:
    allowInsecureS3: 'true'
- Click Add.
A success message is displayed after the location is added.
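
The certificate checks from the note in the Certificate settings step, as an added example that is not IBM code: these POSIX shell functions read the output of the openssl command, confirm that a DNS SAN covers the endpoint host, and flag a wildcard SAN on a certificate that looks self-signed. The function names, the Issuer-equals-Subject heuristic, and the sample text are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not IBM code. Typical use (hypothetical function names):
#   openssl x509 -in <filepath> -text | check_cert "$(endpoint_host "$ENDPOINT")"

# endpoint_host URL: print the lowercased host of an https:// endpoint, else fail.
endpoint_host() {
  case "$1" in
    https://*) h=${1#https://}; h=${h%%/*}; h=${h%%:*}
               printf '%s\n' "$h" | tr 'A-Z' 'a-z' ;;
    *) return 1 ;;
  esac
}

# check_cert HOST: reads `openssl x509 -text` output on stdin. Returns 0 if a DNS
# SAN covers HOST, 1 if no SAN exists or none matches, 2 if the certificate looks
# self-signed (heuristic: Issuer equals Subject) and carries a wildcard SAN.
check_cert() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); text=$(cat)
  issuer=$(printf '%s\n' "$text" | sed -n 's/^ *Issuer: *//p' | head -n 1)
  subject=$(printf '%s\n' "$text" | sed -n 's/^ *Subject: *//p' | head -n 1)
  sans=$(printf '%s\n' "$text" |
    sed -n '/X509v3 Subject Alternative Name/{n;p;}' |
    tr ',' '\n' | sed -n 's/^ *DNS://p' | tr 'A-Z' 'a-z')
  [ -n "$sans" ] || { echo "no DNS SAN found"; return 1; }
  match=no; haswild=no
  while IFS= read -r san; do
    case "$san" in
      "$host") match=yes ;;
      '*.'*) haswild=yes; parent=${host#*.}
        # A wildcard entry covers exactly one left-most label of the host.
        if [ "$parent" != "$host" ] && [ "*.$parent" = "$san" ]; then match=yes; fi ;;
    esac
  done <<EOF
$sans
EOF
  if [ "$haswild" = yes ] && [ -n "$issuer" ] && [ "$issuer" = "$subject" ]; then
    echo "reject: wildcard SAN on a self-signed certificate"; return 2
  fi
  if [ "$match" = yes ]; then echo "ok: SAN covers $host"; return 0; fi
  echo "mismatch: no SAN covers $host"; return 1
}

# Constructed excerpt of `openssl x509 -text` output (not a real certificate).
sample_cert_text() {
  printf '%s\n' '        Issuer: CN = Example Internal CA' \
    '        Subject: CN = s3.example.internal' \
    '            X509v3 Subject Alternative Name: ' \
    '                DNS:s3.example.internal, DNS:*.backup.example.internal'
}
```

A return value of 1 or 2 means the certificate should be reissued before its secret is referenced in the Add backup location wizard.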