Configure and validate HTTPS for S3 reverse proxy and endpoint servers using your own self-signed or CA-trusted certificates to ensure encrypted communication and protect API access from unauthorized clients.
Important
- When using Reverse Proxy: Configure HTTPS only on the reverse proxy nodes. Clients connect to the reverse proxy, which then distributes traffic to backend endpoints.
- When NOT using Reverse Proxy: Configure HTTPS directly on S3 endpoint servers for direct client access.
Configure HTTPS for S3 Reverse Proxy
Enable HTTPS on reverse proxy nodes that load balance traffic to S3 endpoints. Uses a different configuration method (CVFWD) than endpoints.
Configure Reverse Proxy HTTPS
-
Log in to the reverse proxy server.
-
Source the Commvault profile:
source cvprofile -
Navigate to the base directory and import the certificate:
./cvfwd -vm Instance001 -impcert <certificate_path> -
Restart Commvault services:
commvault restart -
Configure DNS to resolve your chosen FQDN (for example,
s3.yourcompany.com) to the reverse proxy servers, then verify DNS resolution:nslookup s3.yourcompany.com
Validate Reverse Proxy HTTPS
Test the S3 reverse proxy is accessible over HTTPS. Use the appropriate endpoint URL based on your deployment:
- SaaS Reverse Proxy (Metallic):
https://<fqdn>:443 - Software Reverse Proxy:
https://<fqdn>:8403
For Self-Signed Certificates:
curl -v https://<fqdn>:<port>
For CA-Trusted Certificates:
curl --cacert /path/to/certificate.pem https://<fqdn>:<port>
A valid HTTP response confirms successful HTTPS access.
Configure Endpoint HTTPS
Note
Only configure HTTPS on endpoint servers when NOT using Reverse Proxy. When using Reverse Proxy, clients connect to the reverse proxy, not directly to endpoints.
Alternative method: Use the provided script instead of manual registry configuration for S3 endpoint servers.
-
Log in to the endpoint server and navigate to the base directory.
-
Run the certificate configuration script:
sh CVConfigureCertForPlatformService.sh <localhost_ip/0.0.0.0> <certificate_path.pfx> -
Restart Commvault services:
commvault restart
Validate Endpoint HTTPS
Test the S3 endpoint server is accessible over HTTPS:
For Self-Signed Certificates:
curl -v https://<fqdn>:5012
For CA-Trusted Certificates:
curl --cacert /path/to/certificate.pem https://<fqdn>:5012
A valid HTTP response confirms successful HTTPS access.