Secure communication between the proxy server and other backend servers
Use this feature to establish secure communication between the proxy server and the backend Swift Object Storage servers.
By default, object-server, object-server-sof, container-server, and account-server do not
authenticate the requests that they serve. Processes that connect to these servers over their
listening ports, including the proxy-server, can send requests that result in updating the
database and altering the object data on disk. Extra security between these servers can be
enabled. The requesting process signs a request with a secret key kept in swift.conf. This key
is verified by the serving object, container, or account server. To enable this feature, set:
mmobj config change --ccrfile swift.conf --section node_communication --property secure --value true
The signing middleware is added to proxy-server and the validating middleware is added to
object-server, object-server-sof, container-server, and account-server. If the secret key is not
present in swift.conf, it is randomly chosen and set to the key secure_communication_secret under
the node_communication section. In a multi-region environment, this key must be reset and kept
common in all the clusters. To revert to the original configuration, set:
mmobj config change --ccrfile swift.conf --section node_communication --property secure --value false
Note: Disable SSH access on the protocol nodes on the IBM
Storage Scale cluster for the users that have the same UID and
GID as the local swift user.
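The following check is an added example, not IBM tooling or code from the original page. It audits swift.conf contents from several clusters for the settings described above: secure set to true, secure_communication_secret present, and the same secret in every cluster of a multi-region environment. It assumes swift.conf is INI-formatted and that each cluster's file content is supplied as text; the cluster names and sample values are constructed.

```python
import configparser
import hmac

SECTION = "node_communication"               # section name from the page
SECRET_KEY = "secure_communication_secret"   # key name from the page

# Constructed sample swift.conf contents, one per cluster (not real secrets).
REGION_A = "[node_communication]\nsecure = true\nsecure_communication_secret = constructed-secret-A\n"
REGION_B = "[node_communication]\nsecure = true\nsecure_communication_secret = constructed-secret-B\n"
REGION_C = "[node_communication]\nsecure = false\n"


def read_settings(text):
    """Return (enabled, secret) from the text of one swift.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section(SECTION):
        return False, None
    enabled = cp.get(SECTION, "secure", fallback="false").strip().lower() == "true"
    secret = cp.get(SECTION, SECRET_KEY, fallback="").strip() or None
    return enabled, secret


def audit_regions(confs):
    """confs maps cluster name -> swift.conf text. Returns a list of findings."""
    findings, secrets = [], {}
    for name, text in sorted(confs.items()):
        enabled, secret = read_settings(text)
        if not enabled:
            findings.append(f"{name}: secure is not true, backend requests are not verified")
        elif secret is None:
            findings.append(f"{name}: secure is true but {SECRET_KEY} is missing")
        else:
            secrets[name] = secret
    names = sorted(secrets)
    for other in names[1:]:
        # Constant-time comparison; the secret itself is never printed.
        if not hmac.compare_digest(secrets[names[0]].encode(), secrets[other].encode()):
            findings.append(f"{other}: {SECRET_KEY} differs from {names[0]}")
    return findings


if __name__ == "__main__":
    for line in audit_regions({"region-a": REGION_A, "region-b": REGION_B, "region-c": REGION_C}):
        print(line)
```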