Enabling HTTPS for the S3 Endpoint

Enabling HTTPS for the S3 Endpoint ensures encrypted communication and protects API access from unauthorized clients. This applies to both production and non-production environments.

Certificate Configuration Options

Commvault supports two modes of HTTPS setup:

1. CA-Issued Certificate

Use Case:
Secure communication using certificates issued by a trusted Certificate Authority (CA), accepted by default in all major operating systems and browsers.

Requirements:

  - CA-issued certificate in .crt or .pem format
  - Private key in .key or .pem format
  - Optional: Intermediate CA bundle

Procedure:

  1. Convert the certificate and key to .pfx format (omit -certfile if there is no intermediate CA bundle; the export password you enter here is the value to use for certPassword):

    openssl pkcs12 -export -inkey your.key -in your.crt -certfile CA-bundle.crt -out certificate.pfx
    
  2. Add the Required Registry Keys

    Add the following registry keys to configure HTTPS:

    • CVContainer/DotNet/httpsHostName: Host name of the endpoint.

    • CVContainer/DotNet/certPath: Path to the .pfx certificate file.

    • CVContainer/DotNet/certPassword: Certificate password.

      The certificate must be issued for the host name set in httpsHostName.

  3. Update the Commvault configuration file:

    File:
    /etc/CommVaultRegistry/Galaxy/Instance001/CVContainer/DotNet/.properties

    Add or update the following lines:

    httpsHostName   <FQDN>
    certPath   /root/s3certs/certificate.pfx
    
  4. Restart the Commvault Platform Service:

    commvault -instance Instance001 restart -service CVPlatformService
    

2. Self-Signed Certificate (For Development or Test Only)

Use Case:
Suitable for internal or isolated environments where CA issuance is not required.

Requirements:

  - OpenSSL installed
  - Linux system with Commvault Platform Service
  - A valid fully qualified domain name (FQDN)

Procedure:

  1. Create a file v3.ext with the following content:

    [req]
    distinguished_name = req_distinguished_name
    req_extensions = v3_req
    prompt = no

    [req_distinguished_name]
    C = <country>
    ST = <state>
    L = <location>
    O = Commvault
    OU = <department>
    CN = <machine-name>

    [v3_req]
    # make it a CA so RHEL/CentOS will happily trust it
    basicConstraints = critical, CA:TRUE, pathlen:0
    keyUsage         = critical, keyCertSign, cRLSign, digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName   = @alt_names

    [alt_names]
    DNS.1 = <machine-name>
    
  2. Generate key, certificate signing request (CSR), certificate, and PFX:

    # 2048-bit RSA private key
    openssl genrsa -out key.pem 2048
    # CSR using the subject and extensions defined in v3.ext
    openssl req -new -sha256 -key key.pem -out csr.csr -config v3.ext
    # self-sign the CSR for one year, carrying the v3_req extensions (SAN, key usage) into the certificate
    openssl x509 -req -in csr.csr -signkey key.pem -out certificate.pem -days 365 -extensions v3_req -extfile v3.ext
    # bundle key and certificate into the .pfx referenced by certPath; use the export password you enter here as certPassword
    openssl pkcs12 -export -inkey key.pem -in certificate.pem -out certificate.pfx
    # write the certificate out again with a .crt extension (same PEM encoding) for clients that expect .crt
    openssl x509 -in certificate.pem -out certificate.crt
    
  3. Add the Required Registry Keys

    Add the following registry keys to configure HTTPS:

    • CVContainer/DotNet/httpsHostName: Host name of the endpoint.

    • CVContainer/DotNet/certPath: Path to the .pfx certificate file.

    • CVContainer/DotNet/certPassword: Certificate password.

      The certificate must be issued for the host name set in httpsHostName.

  4. Update the Commvault configuration file:

    File:
    /etc/CommVaultRegistry/Galaxy/Instance001/CVContainer/DotNet/.properties

    Add or update the following lines:

    httpsHostName = <FQDN>
    certPath = /root/s3certs/certificate.pfx
    
  5. Restart the Commvault Platform Service:

    commvault -instance Instance001 restart -service CVPlatformService
    

Note

Use only in development and test environments: the certificate generated above is marked CA:TRUE with keyCertSign, so a client that trusts it also trusts anything signed with its private key, and it is not issued by an authority your clients already trust.
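Both procedures above end with a restart of CVPlatformService, and the registry keys require that the certificate be issued for the host name in httpsHostName and that the .pfx opens with certPassword. The following pre-flight script is an added example, not part of the Commvault documentation: it checks the certificate, key and .pfx for exactly those conditions before you restart the service. It assumes only the openssl CLI; all file paths, the host name and the password are arguments supplied by the caller.

```shell
#!/bin/sh
# Added example, not part of the Commvault documentation: pre-flight checks to run
# on the certificate files before setting httpsHostName/certPath/certPassword and
# restarting CVPlatformService. Works for both the CA-issued and the self-signed
# procedure. Assumes only the openssl CLI; all file paths and the password are
# arguments supplied by the caller.

# 0 when the certificate's subjectAltName (or CN) covers the host name that will
# be stored in httpsHostName.
cert_matches_host() {
    cert="$1"; host="$2"
    openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null \
        | grep -q "does match certificate"
}

# 0 when the private key belongs to the certificate: both must yield the same
# SubjectPublicKeyInfo.
key_matches_cert() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# 0 when the certificate does not expire within the next N days.
cert_valid_for_days() {
    cert="$1"; days="$2"
    openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1
}

# 0 when the .pfx opens with the password that will be stored in certPassword
# (a wrong password fails the PKCS#12 MAC check and openssl exits non-zero).
pfx_password_works() {
    pfx="$1"; pw="$2"
    openssl pkcs12 -in "$pfx" -passin "pass:$pw" -noout 2>/dev/null
}

# Runs all checks; prints the first failure and returns 1, or prints OK and returns 0.
preflight() {
    cert="$1"; key="$2"; host="$3"; pfx="$4"; pw="$5"
    cert_matches_host "$cert" "$host" \
        || { echo "FAIL: $cert is not issued for host name $host" >&2; return 1; }
    key_matches_cert "$cert" "$key" \
        || { echo "FAIL: $key does not match $cert" >&2; return 1; }
    cert_valid_for_days "$cert" 30 \
        || { echo "FAIL: $cert expires within 30 days (or has already expired)" >&2; return 1; }
    pfx_password_works "$pfx" "$pw" \
        || { echo "FAIL: $pfx cannot be opened with the given certPassword" >&2; return 1; }
    echo "OK: $cert, $key and $pfx are consistent for httpsHostName=$host"
}

# Usage: sh preflight.sh certificate.pem key.pem <FQDN> certificate.pfx <certPassword>
if [ "$#" -eq 5 ]; then
    preflight "$@"
fi
```

Run it with the PEM certificate and key you fed to openssl pkcs12, the FQDN you intend to put in httpsHostName, the resulting .pfx and its export password; a FAIL line points at the exact mismatch that would otherwise surface only as a TLS error after the service restart.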

HTTPS Validation

To validate that the HTTPS endpoint is reachable and functioning on port 5005:

For Self-Signed Certificates:

curl -k https://<machine-name>:5005/s3

For CA-Trusted Certificates (point --cacert at the issuing CA certificate or bundle, or omit it when that CA is already in the system trust store):

curl --cacert /path/to/certificate.pem https://<machine-name>:5005/s3

Any HTTP response code returned by the endpoint confirms that the TLS handshake completed and HTTPS access works; a TLS error from curl (for example a certificate verification failure) means the certificate is not trusted by the client or does not match the host name.
