
d.ecs storage manager S3

With the module d.ecs storage manager S3, d.ecs storage manager can store documents on an S3-compatible data storage device. The S3 data storage itself can be provided by the customer.

Currently supported systems:

  • Standard S3 (without revision security)

  • DELL EMC/ECS

  • d.velop cloud storage OTC

  • S3 Object Lock Governance/Compliance

  • more systems upon request

The documents can optionally be protected against unauthorized viewing with AES256 encryption. When storing data with an Internet S3 provider, enabling encryption is recommended.

The operation of d.ecs storage manager S3 requires an installed .NET Core Runtime in version 3.1.5 or higher. This is installed during the installation of d.ecs storage manager.

Note

The d.ecs storage manager S3 module is only to be used in conjunction with on-premises storage solutions. For use with Amazon S3 or Open Telekom Cloud, d.velop cloud storage (AWS) or d.velop storage service (OTC) can be booked with d.velop AG. If you want to use the S3 module with other S3 cloud systems, you must license the d.ecs storage manager S3 for cloud module.

Configuration

The configuration of an S3 system in d.ecs storage manager consists of three sections: access data, encryption and proxy settings. The individual sections are explained below.

Access data 

Access key: Enter the access key used to access the S3 storage.

Secret access key: Enter the secret access key used to access the S3 storage.

Bucket: Enter the name of the target bucket here.

Endpoint: Enter the service endpoint address of your S3 storage here.

Region: Specify the region to use in your S3 storage.

Tenant ID (optional): A tenant ID (max. 32 characters) can be specified here. This specification is optional and only necessary if several tenants are to be stored in the same bucket. Specifying a tenant ID causes the tenant data to be divided into different subdirectories below the root directory of the target bucket.

Test connection: Tests the connection to the specified service endpoint and displays information about the configured encryption.

Encryption 

The setup of the encryption is described in more detail in the subchapter Encryption.

Proxy 

It is possible to use a proxy server to communicate with the S3 storage. Enter the login credentials for the proxy server available in your network in the corresponding fields. The username and password are optional fields and only need to be filled if you are using a proxy server with user authentication.

New functions 

Some S3 storage systems support advanced S3 features such as retention periods for data objects. These functions can optionally be enabled.

Activate the advanced functions and select the type of the connected storage system.

Note

If only standard S3 is to be used, then this must be explicitly confirmed. In this case, documents are not stored in an audit-proof manner (no protection by setting retention periods).

Miscellaneous 

The Miscellaneous section contains various options that are relevant for particular S3-based systems.

Force "path style": Depending on how the connected system addresses buckets, either path style or host style (default) must be used.

Disable SSL checking: Disables the validity check of SSL certificates.

Chunk size in MB: Specifies the chunk size for uploading data objects. Minimum is 5 MB, maximum is 100 MB.

Connection timeout: Specifies the maximum time in seconds for a connection attempt. The default value is 5 seconds.

Read/write timeout: Specifies the maximum time in seconds for a read or write attempt. The default value is 300 seconds.

Number of trials: Specifies the maximum attempts for an S3 API call. The default value is 2.
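The options above map to a handful of client-side settings. The following added example (not d.ecs storage manager code; the struct and field names are assumptions for this illustration) shows how they fit together: tenant-ID prefixing below the bucket root, path-style versus host-style request URLs, the chunk-size and tenant-ID limits from the configuration page, and the connection and read/write timeouts on an HTTP transport. It also shows what "Disable SSL checking" means in practice, because it is the one option here that removes a security control: with `InsecureSkipVerify` set, the client will accept any certificate, so the setting belongs only on lab endpoints with self-signed certificates, never on an Internet-facing S3 provider.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// S3Settings mirrors the fields of the configuration pages described above.
// The type and field names are assumptions for this example, not the product's identifiers.
type S3Settings struct {
	Endpoint            string
	Bucket              string
	TenantID            string // optional, max. 32 characters
	ForcePathStyle      bool   // "Force path style"
	DisableSSLCheck     bool   // "Disable SSL checking"
	ChunkSizeMB         int    // 5..100 MB
	ConnectTimeoutSec   int    // default 5
	ReadWriteTimeoutSec int    // default 300
	MaxAttempts         int    // "Number of trials", default 2
}

// Validate enforces the limits stated on the configuration page. Rejecting path
// separators in the tenant ID is an added hardening in this example so that one
// tenant's prefix cannot point into another tenant's subdirectory.
func (s S3Settings) Validate() error {
	if s.ChunkSizeMB < 5 || s.ChunkSizeMB > 100 {
		return errors.New("chunk size must be between 5 and 100 MB")
	}
	if len(s.TenantID) > 32 {
		return errors.New("tenant ID must not exceed 32 characters")
	}
	if strings.ContainsAny(s.TenantID, "/\\") {
		return errors.New("tenant ID must not contain path separators")
	}
	if s.MaxAttempts < 1 {
		return errors.New("number of trials must be at least 1")
	}
	u, err := url.Parse(s.Endpoint)
	if err != nil || u.Host == "" {
		return fmt.Errorf("endpoint %q is not a valid URL with a host", s.Endpoint)
	}
	return nil
}

// ObjectKey places the object below the tenant subdirectory when a tenant ID is set.
func (s S3Settings) ObjectKey(name string) string {
	if s.TenantID == "" {
		return name
	}
	return s.TenantID + "/" + name
}

// ObjectURL builds the request URL in path style (https://endpoint/bucket/key)
// or host style (https://bucket.endpoint/key), the default.
func (s S3Settings) ObjectURL(name string) (string, error) {
	u, err := url.Parse(s.Endpoint)
	if err != nil {
		return "", err
	}
	key := s.ObjectKey(name)
	if s.ForcePathStyle {
		u.Path = "/" + s.Bucket + "/" + key
	} else {
		u.Host = s.Bucket + "." + u.Host
		u.Path = "/" + key
	}
	return u.String(), nil
}

// Transport applies the connection timeout, the read/write timeout and the TLS
// verification setting. InsecureSkipVerify disables certificate validation entirely.
func (s S3Settings) Transport() *http.Transport {
	return &http.Transport{
		DialContext: (&net.Dialer{
			Timeout: time.Duration(s.ConnectTimeoutSec) * time.Second,
		}).DialContext,
		ResponseHeaderTimeout: time.Duration(s.ReadWriteTimeoutSec) * time.Second,
		TLSClientConfig: &tls.Config{
			MinVersion:         tls.VersionTLS12,
			InsecureSkipVerify: s.DisableSSLCheck, // weak setting; keep false outside lab use
		},
	}
}
```

The retry count is not applied by the transport itself; a caller would wrap each S3 API call in a loop of at most `MaxAttempts` iterations, which is the behaviour the "Number of trials" option describes.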

Encryption

On the Encryption configuration page, you can activate the encryption of the data objects so that the objects are stored encrypted in the S3 storage.

Depending on the extent to which the encryption is already configured and initialized on your system, different configuration views may be displayed when you switch to the configuration page.

Initializing and activating the encryption function

To enable the encryption of the data objects, you must first generate a security ID.

The movement of the mouse is taken into account during generation, which adds further entropy to the key.

  • Click Start to begin with the generation.

  • Click the button again after a few seconds to stop the generation. The button can also be triggered by pressing the space bar, so the mouse does not have to be positioned over the button.

  • Then, you must print the generated security ID. The printout contains a confirmation code that you must enter in the Confirmation section.

Encryption can be activated only once the security ID has been entered correctly.

It may take some time to activate encryption (approximately 15 to 20 seconds).

After successful enabling of the encryption, the message "The encryption is active" appears.

The encryption has now been enabled and d.ecs storage manager can store the documents/data objects encrypted in the connected S3 storage.

Activating encryption when the encryption function has already been initialized

If the encryption has already been initialized, it can simply be enabled for another bucket.

  • Click Enable to activate it.

It may take some time to enable the encryption (approximately 2 to 5 seconds).

After successful enabling of the encryption, the message "The encryption is active" appears.

The encryption has now been enabled and d.ecs storage manager can store the documents/data objects encrypted in the connected S3 storage.

Renewed initialization of the encryption function after the master key was lost

If the initialization of the encryption function is lost, e.g. as a result of a clean installation of the operating system, a server migration or changed hardware, the encryption function must be enabled again.

This is done using the security key on the printed copy generated at the time of initializing the encryption.

  • Enter the security key that appears on the printed copy.

  • Click Re-enable.

It may take some time to activate encryption (approximately 15 to 20 seconds).

After successful enabling of the encryption, the message "The encryption is active" appears.

The encryption has now been enabled and d.ecs storage manager can store the documents/data objects encrypted in the connected S3 storage.
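The three encryption procedures above (initial generation of a master key, enabling it for a bucket, and re-enabling it from the printed security key after the key material is lost) are easier to reason about with a concrete model. The added example below is not d.velop's implementation and does not describe the product's key format; it is a standard envelope-encryption scheme written for this page: a 32-byte AES-256 master key is generated from the OS random source (the product additionally mixes in mouse movement), each data object is encrypted under its own random data key with AES-256-GCM, and the data key is wrapped with the master key. The hex string returned by `PrintableSecurityKey` stands in for the value on the printout, and `MasterKeyFromPrintout` models the "Re-enable" step. The S3 object key is bound as associated data, so a ciphertext copied to a different object key or tenant prefix fails to decrypt. All names are assumptions for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// MasterKey is the AES-256 key that protects the per-object data keys.
type MasterKey [32]byte

// NewMasterKey draws the key from the OS CSPRNG. The product also mixes in mouse
// movement during generation; this example relies on crypto/rand alone.
func NewMasterKey() (MasterKey, error) {
	var k MasterKey
	_, err := io.ReadFull(rand.Reader, k[:])
	return k, err
}

// PrintableSecurityKey is the value that would go on the printout so the master key
// can be re-entered after a fresh OS install or a server migration. Hex is an assumption.
func (k MasterKey) PrintableSecurityKey() string { return hex.EncodeToString(k[:]) }

// MasterKeyFromPrintout re-creates the master key from the printed security key.
func MasterKeyFromPrintout(printed string) (MasterKey, error) {
	var k MasterKey
	b, err := hex.DecodeString(printed)
	if err != nil {
		return k, err
	}
	if len(b) != len(k) {
		return k, errors.New("security key must encode exactly 32 bytes")
	}
	copy(k[:], b)
	return k, nil
}

// EncryptedObject is what would be written to the bucket.
type EncryptedObject struct {
	WrappedKey []byte // nonce || AES-256-GCM(masterKey, dataKey)
	Body       []byte // nonce || AES-256-GCM(dataKey, plaintext)
}

// seal encrypts with AES-GCM under a fresh random nonce and prepends the nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openSealed reverses seal; any tampering or wrong key/aad fails authentication.
func openSealed(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptObject uses a random data key per object and wraps it with the master key.
// The S3 object key is bound as associated data on both layers.
func EncryptObject(mk MasterKey, objectKey string, plaintext []byte) (EncryptedObject, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return EncryptedObject{}, err
	}
	body, err := seal(dataKey, plaintext, []byte(objectKey))
	if err != nil {
		return EncryptedObject{}, err
	}
	wrapped, err := seal(mk[:], dataKey, []byte(objectKey))
	if err != nil {
		return EncryptedObject{}, err
	}
	return EncryptedObject{WrappedKey: wrapped, Body: body}, nil
}

// DecryptObject unwraps the data key with the master key and then decrypts the body.
func DecryptObject(mk MasterKey, objectKey string, obj EncryptedObject) ([]byte, error) {
	dataKey, err := openSealed(mk[:], obj.WrappedKey, []byte(objectKey))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return openSealed(dataKey, obj.Body, []byte(objectKey))
}
```

The design point worth noting for operations is the one the page makes in its own words: the printed security key is the only path back to the data once the initialized key material on the server is gone, so the printout has to be stored with the same care as a backup of the documents themselves.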

More information about supported storage systems

d.velop cloud storage OTC

Notes on storage and deletion of data objects

The data objects stored in d.velop cloud storage OTC each have a retention period. This retention period is specified by the leading system when the data objects are stored. The retention period is taken into account during a deletion process, and the deletion is stopped if the retention period has not yet expired.

Documents that can be deleted due to an expired retention period are deleted directly during a deletion process. This deletion process cannot be undone. Deleted data objects cannot be restored.
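The deletion rule just described, together with the Governance and Compliance Object Lock modes named in the list of supported systems, can be written down as a small decision function. The example below is added for this page and is not d.velop code; the types and names are assumptions. It goes slightly beyond the text by encoding the standard S3 Object Lock distinction: a Governance retention can be bypassed only by a principal that explicitly holds the bypass permission, whereas a Compliance retention cannot be bypassed by anyone until it expires. Once a retention has expired the deletion proceeds and, as the text notes, cannot be undone.

```go
package main

import (
	"errors"
	"time"
)

// LockMode mirrors the two S3 Object Lock modes named on this page.
type LockMode string

const (
	Governance LockMode = "GOVERNANCE"
	Compliance LockMode = "COMPLIANCE"
)

// StoredObject is a data object as the leading system stored it, with the retention
// period it handed over at write time. Field names are assumptions for this example.
type StoredObject struct {
	Key         string
	Mode        LockMode
	RetainUntil time.Time // zero value: no retention period set
}

// ErrRetained is returned when a deletion is stopped by a running retention period.
var ErrRetained = errors.New("retention period has not yet expired; deletion stopped")

// DeleteDecision checks the retention period during a deletion attempt.
// Governance mode may be bypassed by an explicitly authorised principal;
// Compliance mode can never be bypassed before the retention expires.
func DeleteDecision(obj StoredObject, now time.Time, bypassGovernance bool) error {
	if obj.RetainUntil.IsZero() || !now.Before(obj.RetainUntil) {
		return nil // no retention, or already expired: deletion proceeds and is irreversible
	}
	if obj.Mode == Governance && bypassGovernance {
		return nil
	}
	return ErrRetained
}

// Deletable runs a deletion process over a batch: objects whose retention has run out
// are returned as deletable, everything still under retention is kept.
func Deletable(objs []StoredObject, now time.Time, bypassGovernance bool) (deletable, retained []string) {
	for _, o := range objs {
		if err := DeleteDecision(o, now, bypassGovernance); err != nil {
			retained = append(retained, o.Key)
			continue
		}
		deletable = append(deletable, o.Key)
	}
	return deletable, retained
}
```

For audit purposes the interesting branch is the Governance bypass: it is legitimate S3 behaviour, so a deletion of a Governance-locked object before its retention date is not a storage fault but a sign that a principal holding the bypass permission acted, and the access logs of the storage system are where to look.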

During configuration, note that the endpoint is set to "https://obs.eu-de.otc.t-systems.com" and the region is set to "eu-de". The endpoint may have to be made reachable in the existing firewall. Furthermore, the endpoint "https://otc-storage.service.d-velop.cloud" must be reachable.

DELL/EMC ECS

If you are using d.ecs storage manager S3 in conjunction with an ECS (Elastic Cloud Storage), then you must enable the Enforce path style option on the Miscellaneous tab.

S3 Object Lock

The following S3-compatible systems were successfully tested with the Object Lock option activated:

System                          Version     Object Lock mode   Tested on
Hitachi Content Platform (HCP)  9.6.0.214   Governance         13.10.2023
Hitachi Content Platform (HCP)  9.6.0.214   Compliance         13.10.2023
iTernity iCAS FS                1.14.0      Governance         11.01.1024
iTernity iCAS FS                1.14.0      Compliance         11.01.2024
NetApp Storage Grid             11.6.0      Compliance         06.01.2023