Configuring https endpoints in Ozone S3 Gateway to work with AWS CLI

For Ozone S3 Gateway to work with Amazon Web Services (AWS) command-line interface (CLI), you must perform specific configurations, especially if the S3 Gateway has https endpoints.

You must export the CA certificate required on all the client nodes for running the shell commands, and convert the certificate to PEM format because the Python SSL supported with AWS CLI honors certificates in the PEM format.
  1. Run keytool to view the associated CA certificate and determine the srcalias from the output of the command.
    /usr/java/default/bin/keytool -list -v -keystore <ssl.client.truststore.location>
  2. Export the CA certificate to PEM format.
    keytool -export -alias <alias> -file <s3g-ca.crt> -keystore <ssl.client.truststore.location>
    openssl x509 -inform DER -outform PEM -in <s3g-ca.crt> -out /tmp/s3gca.pem
  3. Run the ozone s3 getsecret command for the values of the access key and secret key.
    ozone s3 getsecret --om-service-id=<ozone service id>
  4. Run the aws configure command to configure the access key and the secret key.
    aws configure accesskey/secret
You can pass the certificate in PEM file format to the aws s3api command and perform various tasks, such as managing buckets, keys, and so on. The following example shows how you can create a bucket using the aws s3api command:
aws s3api --endpoint --ca-bundle "/tmp/s3gca.pem" create-bucket --bucket=wordcount