Creating an S3 storage device

S3 storage devices can be configured with an Advanced Storage Area.

Before you begin

Before you create an S3 device, you must do the following tasks:
  • Obtain credentials for connecting to the S3 object storage provider.

    To create an S3 storage device for IBM Cloud Object Storage, you must first create the HMAC credentials in the IBM Cloud console. HMAC credentials consist of an Access Key and a Secret Key that are paired for use with S3-compatible tools and libraries that require authentication. See the following IBM Cloud topic for more details: Using HMAC credentials.

    When you view the user credentials, the following section represents the HMAC credential and includes the S3 access key ID and S3 secret access key you need to create the S3 advanced storage device:
    cos_hmac_keys:{
                 access_key_id: 7exampledonotusea6440da12685eee02
                 secret_access_key: 8not8ed850cddbece407exampledonotuse43r2d2586 
    }
  • Determine the device connection URL to the S3 storage.
  • Create an S3 bucket where the FileNet® P8 content will be stored.
    Note: You are responsible for configuring the S3 bucket and its related attributes outside of Content Platform Engine. You must pursue any issues that are related to configuration and set-up with the storage vendor.
  • Determine whether an SSL connection will be used between the Content Platform Engine and the S3 storage.
Tip: The Content Platform Engine S3 Advanced Storage connector does not use the S3 versioning feature, and it is recommended that versioning not be configured on the S3 bucket used by the Content Platform Engine. The Content Platform Engine can tolerate any S3 bucket versioning setting, but version-enabled or version-suspended settings on your S3 bucket can complicate content deletion. In these cases, to make sure that content is really deleted from your S3 bucket, set the Advanced.S3.DeleteSpecificVersion property to True, either in the FileNet.properties file or as a JVM argument. To delete a specific version of a document, you need the additional S3 permissions: s3:DeleteObjectVersion DELETE Object
For IBM Cloud Object Storage, only TLS v1.2 HTTPS protocols are supported. To ensure that the correct HTTPS protocols are used, add the following JVM argument:
-Dhttps.protocols=TLSv1.2
How you configure authentication might be different depending on the application server that you're using:
  • If your Content Platform Engine is running on WebSphere® Application Server, you must deploy the S3 client certificate directly in the WebSphere Application Server Administrative Console. For details, see Deploying a client certificate on WebSphere.
  • If your Content Platform Engine is running on Oracle WebLogic Server, you can export the certificate from the region's host, for example, https://s3-us-west-1.amazonaws.com/, and then import it into the WebLogic JRE as a signer certificate.

Procedure

To create an S3 storage device:

  1. Start the New S3 Device wizard in the administration console:
    1. In the tree view, click the Object Store > object store name to open the object store that uses the device.
    2. In the object store tree view, right-click the Administrative > Storage > Advanced Storage > Advanced Storage Devices folder and click New S3 Device.
  2. Complete the wizard.
    The values that you enter into the wizard fields can differ depending on what kind of S3 storage device you are creating.
    Table 1. S3 Storage Device Wizard values

    Field: Device connection URL
    Value: The URL value defines the endpoint for the storage device to access the S3 bucket. The value can be a path-style access URL, which must include the bucket name, or a hosted-style access URL.

      For an S3 device, the URL value might look like one of the following examples:
      Path-style access
      https://s3.us-west-1.amazonaws.com/mybucket
      Virtual hosted-style access
      https://mybucket.s3.us-west-1.amazonaws.com/mybucket

      Amazon recommends using virtual hosted-style access. For information about support plans, see Amazon S3 Path Deprecation Plan.

      For an IBM Cloud Object Storage device, the URL value might look like one of the following examples:
      Path-style access
      https://s3.us-east.cloud-object-storage.appdomain.cloud/mybucket
      Virtual hosted-style access
      https://mybucket.s3.us-east.cloud-object-storage.appdomain.cloud

      The endpoint, s3.us-east.cloud-object-storage.appdomain.cloud in this example, can be found in the IBM Cloud console by checking the Endpoints section under the Bucket Configuration.

    Field: S3 Access Key Id
    Value: Enter the AWS access key ID for the AWS account or for an AWS Identity and Access Management (IAM) created user.

    Field: S3 Secret Key
    Value: Enter the S3 secret access key.

    Field: S3 bucket name
    Value: Note that the S3 storage device implementation does not create the bucket automatically if the specified bucket does not exist. Without a value for an existing bucket, the wizard will not complete.

    Field: S3 region name
    Value: When you specify an S3 Region Name for an Amazon S3 storage device, use a value from the Region column in the following table instead of a value from the Region Name column:

      http://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region

      For IBM Cloud Object Storage devices, set the S3 region name value to us-standard.

    Field: HTTPS certificate validation
    Value: All S3 regions support both HTTP and HTTPS connections. To use an HTTPS connection, a valid SSL certificate must be installed on each Content Platform Engine server.
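
The rules that Table 1 gives for the device connection URL, bucket name and region name can be checked before the wizard is run. The following Python function is an added example, not IBM code: `check_s3_device` and its finding texts are hypothetical, and the dotted-bucket check relies on the general TLS rule that a wildcard certificate matches only a single host-name label.

```python
import re
from urllib.parse import urlsplit

# Region codes look like us-west-1; Region Names look like "US West (N. California)".
REGION_CODE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d+$")

def check_s3_device(url, bucket, region, ibm_cos=False):
    """Return (url_style, findings) for the wizard values.

    Hypothetical helper, not a Content Platform Engine API.
    """
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    first_segment = parts.path.strip("/").split("/")[0]

    if not bucket:
        style = "unknown"
        findings.append("bucket name is empty; the wizard will not complete")
    elif host.startswith(bucket.lower() + "."):
        style = "virtual-hosted"
        # A wildcard certificate covers one host-name label only.
        if "." in bucket and parts.scheme == "https":
            findings.append("dotted bucket name will not match a wildcard certificate")
    elif first_segment == bucket:
        style = "path"
    else:
        style = "unknown"
        findings.append("URL does not contain the bucket name")

    if parts.scheme == "http":
        findings.append("HTTP endpoint: content travels unencrypted")
    elif parts.scheme != "https":
        findings.append("unsupported URL scheme: %r" % parts.scheme)

    if ibm_cos:
        if region != "us-standard":
            findings.append("IBM Cloud Object Storage expects region us-standard")
    elif not REGION_CODE.match(region or ""):
        findings.append("use the Region code, not the Region Name")
    return style, findings

if __name__ == "__main__":
    # Constructed inputs based on the example URLs in Table 1.
    for args in [
        ("https://s3.us-west-1.amazonaws.com/mybucket", "mybucket", "us-west-1"),
        ("http://s3.us-west-1.amazonaws.com/", "mybucket", "US West (N. California)"),
    ]:
        print(args[0], check_s3_device(*args))
```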