Enabling HTTPS for the S3 Endpoint

Configure and validate HTTPS for S3 reverse proxy and endpoint servers using your own self-signed or CA-trusted certificates to ensure encrypted communication and protect API access from unauthorized clients.

Important

  • When using Reverse Proxy: Configure HTTPS only on the reverse proxy nodes. Clients connect to the reverse proxy, which then distributes traffic to backend endpoints.
  • When NOT using Reverse Proxy: Configure HTTPS directly on S3 endpoint servers for direct client access.

Configure HTTPS for S3 Reverse Proxy

Enable HTTPS on reverse proxy nodes that load balance traffic to S3 endpoints. Uses a different configuration method (CVFWD) than endpoints.

Configure Reverse Proxy HTTPS

  1. Log in to the reverse proxy server.

  2. Source the Commvault profile:

    source cvprofile
    
  3. Navigate to the base directory and import the certificate:

    ./cvfwd -vm Instance001 -impcert <certificate_path>
    
  4. Restart Commvault services:

    commvault restart
    
  5. Configure DNS to resolve your chosen FQDN (for example, s3.yourcompany.com) to the reverse proxy servers, then verify DNS resolution:

    nslookup s3.yourcompany.com
    

Validate Reverse Proxy HTTPS

Test the S3 reverse proxy is accessible over HTTPS. Use the appropriate endpoint URL based on your deployment:

  • SaaS Reverse Proxy (Metallic): https://<fqdn>:443
  • Software Reverse Proxy: https://<fqdn>:8403

For Self-Signed Certificates:

curl -v https://<fqdn>:<port>

For CA-Trusted Certificates:

curl --cacert /path/to/certificate.pem https://<fqdn>:<port>

A valid HTTP response confirms successful HTTPS access.

Configure Endpoint HTTPS

Note

Only configure HTTPS on endpoint servers when NOT using Reverse Proxy. When using Reverse Proxy, clients connect to the reverse proxy, not directly to endpoints.

Alternative method: Use the provided script instead of manual registry configuration for S3 endpoint servers.

  1. Log in to the endpoint server and navigate to the base directory.

  2. Run the certificate configuration script:

    sh CVConfigureCertForPlatformService.sh <localhost_ip/0.0.0.0> <certificate_path.pfx>
    
  3. Restart Commvault services:

    commvault restart
    

Validate Endpoint HTTPS

Test the S3 endpoint server is accessible over HTTPS:

For Self-Signed Certificates:

curl -v https://<fqdn>:5012

For CA-Trusted Certificates:

curl --cacert /path/to/certificate.pem https://<fqdn>:5012

A valid HTTP response confirms successful HTTPS access.

×

Loading...