Configuring Windchill File Vaults to Use Amazon S3
This section explains the configurations required in Windchill and Amazon Web Services (AWS) to allow the use of Amazon S3 when Windchill is running in AWS.
|
The configurations described in this section must be performed again after you have updated or upgraded your existing Windchill version.
|
AWS Configuration
Configurations required to be performed in AWS include adding policies and setting up access control. You must configure permissions and set access on AWS for Windchill to successfully work with AWS.
Before You Begin
Create the following entities on AWS before configuring AWS for Windchill:
• S3 Bucket
• Access Key
• Secret Access Key
• IAM Role
• KMS Key — This entity is optional and must be created if you are planning to use KMS Encryption.
Adding Policy for an IAM User Account
You must configure the required permissions by adding a policy for an IAM user account. Perform the following steps to add the policy:
1. Log in to your AWS account.
2. Click > . The Welcome to Identity and Access Management page opens.
3. Under the Users tab, select the user, to whom you wish to grant the permission from the User name column. The Summary page opens.
4. Add the following policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:GetBucketAcl",
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:GetObjectAcl",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload"
],
"Resource": [
"arn:aws:s3:::<bucket_name>"
"arn:aws:s3:::<bucket_name>/*",
]
}
]
}
Adding Policy for KMS Encryption (Optional)
Add the policy for KMS encryption only if you plan to use this encryption type. Perform the steps from “Adding Policy for an IAM User Account” section and add the following policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": [
"arn:aws:kms:<region>:<ARN>:key/<KMS_Key_Name>",
]
}
]
}
Configuring Access Control
A prerequisite to providing the required access is the creation of Windchill bucket and Amazon S3 account corresponding to the Windchill AWS user. You must provide List Objects, Write Objects and Read bucket permissions to the Windchill account in AWS.
Perform the following steps to set the permissions:
1. Log in to your AWS account and navigate to > . The Amazon S3 page opens.
2. Open the bucket for Windchill account from the Bucket name column.
3. Click the Permissions tab.
4. Click the account name for Windchill AWS user from the Account column.
A pop-up window opens.
5. Select List Objects, Write objects and Read bucket permissions.
|
You can select Write bucket permissions too, although it is not mandatory.
|
6. Click Save for the permissions to take effect.
Windchill Configurations
You can configure Amazon S3 using command line tool.
Before you begin
This command line tool consists of configuration fields. Press ENTER to skip a specific configuration. The command line tool displays the existing configuration. The configuration is broadcasted to all the registered Fileservers that is, replica sites, automatically.
Run the following command at the Windchill shell to configure Amazon S3 cloud service:
windchill com.ptc.windchill.objectstorage.amazons3.tools.S3ConfigurationTool configure -u <username> -p <password>.
|
In case of a Windchill cluster environment, run the above command from every node in the cluster.
|
Perform the following steps to configure the account:
1. Authentication Strategy – Type the authentication strategy that is used for making Amazon S3 requests. Options are SECURITY_CREDENTIALS and IAM_ROLE.
2. AWS Access Key ID — Type the access Key ID for your Amazon S3 account. Applicable if authentication strategy is SECURITY_CREDENTIALS.
3. AWS Secret Access Key — Type the secret access key for your Amazon S3 account. Applicable if authentication strategy is SECURITY_CREDENTIALS.
4. AWS Partition Name — Type the partition name for your Amazon S3 account. The default partition name is aws.
5. S3 Encryption Configurator Delegate Name —
|
You must skip the S3 Encryption Configurator Delegate Name configuration, if you are using S3 encryption as the encryption type.
|
Type the delegate name to choose the encryption type. The encryption type is used to encrypt the content stored on Amazon S3.
6. SSEKMSKeyProvider Delegate Name —
|
You must skip the SSEKMSKeyProvider Delegate Name configuration if you have chosen S3 encryption or Customer Key encryption.
|
Type the delegate name to choose the KMS Key ID. The KMS Key ID is used to encrypt the content stored on Amazon S3.
7. SSECSecKeyGenerator Delegate Name —
|
You must skip the SSECSecKeyGenerator Delegate Name configuration if you have chosen S3 encryption or KMS key.
|
Type the delegate name to manage the Secret Keys. The Secret Key returned by the delegate is used for encrypting the content stored on Amazon S3.
For more details on encryption, refer to the topic
Encryption customization for Amazon S3 Mounts.
|
If the configuration related to delegate names is changed, restart the master and replica servers, for the configuration to take effect.
|