Idea Details

AXA - Enhance AFT S3 Adapter code to use the default provider chain

By: Sonali Sokal
06-22-2022 11:48

Parent Ticket - AWD-42901

Add the ability for AFT to communicate with S3 using the native EC2 instance profile rather than specific access keys configured in the aftservice.properties file. Ticket AWDPS-1656 has a code version that does this, controlled by a flag in the properties file named s3aftadapter.useDefaultProvider. This removes the need to have a system user in AWS specifically for AFT. This was originally identified as part of the SS&C Cloud Security Review.

A review needs to take place to determine whether this communication protocol has been part of the design up to now. The fact that this has had to be developed by PS indicates it hasn’t been.

Description on the Dev ticket AWDPS-1656:

We have an issue that occurs every time AWS makes a change to their certificate chain for secure connectivity to S3. We currently use the S3 AFT Adapter provided by the base product, and its approach assumes the AFT is installed on a client site and is connecting remotely to S3, and therefore requires the full AWS certificate chain for S3 connectivity to be loaded into the Java trust store.

This means that any time there is a change to the certificate chain we get connectivity issues; most commonly AWS makes intermittent changes deep in the chain, which then manifest as intermittent connectivity issues to S3.

We have had this on several occasions, once with Vitality and very recently with LV, and these result in Level 2 incidents that are challenging to diagnose and resolve.

However, we are deployed into AWS and the EC2 instance has a default provider chain on the machine that enables access to S3 using IAM configuration at AWS level, so we should be able to use the machine-level access privileges to talk to S3, and this will remove the fragility/risk that comes with loading certificate chains into the Java trust store.

Moving to the EC2 level authentication also removes installation, upgrade and certificate maintenance complexity.

See the following link for an outline of how the AWS Java SDK can leverage the default certificate chain.

https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/java-dg-roles.html
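The property switch the idea describes, as an added example (not the AFT adapter's or the product's own code): the adapter reads s3aftadapter.useDefaultProvider and, when it is true, hands the AWS Java SDK v1 S3 client the default credential provider chain, which on an EC2 instance resolves to the instance profile role; otherwise it falls back to static keys from the properties file. The access-key, secret-key and region property names are assumed placeholders, not the real aftservice.properties keys.

```java
import java.util.Properties;

import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;

/** Builds the adapter's S3 client from aftservice.properties (illustrative, not the product's code). */
public final class S3AdapterClientFactory {

    // Flag named on the idea page; the three key names below are hypothetical placeholders.
    static final String USE_DEFAULT_PROVIDER = "s3aftadapter.useDefaultProvider";
    static final String ACCESS_KEY = "s3aftadapter.accessKey"; // hypothetical
    static final String SECRET_KEY = "s3aftadapter.secretKey"; // hypothetical
    static final String REGION = "s3aftadapter.region";        // hypothetical

    /** Chooses the credential source: default chain (instance profile on EC2) or static keys. */
    static AWSCredentialsProvider credentialsFor(Properties props) {
        boolean useDefault = Boolean.parseBoolean(props.getProperty(USE_DEFAULT_PROVIDER, "false"));
        if (useDefault) {
            // Default chain: env vars, JVM system properties, credentials/config file,
            // container credentials, then the EC2 instance profile role (short-lived,
            // auto-rotated credentials). No long-lived key material sits in the properties file.
            return DefaultAWSCredentialsProviderChain.getInstance();
        }
        // Legacy path: long-lived IAM user keys read from the properties file.
        String accessKey = props.getProperty(ACCESS_KEY);
        String secretKey = props.getProperty(SECRET_KEY);
        if (accessKey == null || secretKey == null) {
            throw new IllegalStateException(USE_DEFAULT_PROVIDER + "=false but "
                    + ACCESS_KEY + "/" + SECRET_KEY + " are not set");
        }
        return new AWSStaticCredentialsProvider(new BasicAWSCredentials(accessKey, secretKey));
    }

    /** Builds the client; the region is optional and falls back to the SDK's own region lookup. */
    static AmazonS3 buildClient(Properties props) {
        AmazonS3ClientBuilder builder = AmazonS3ClientBuilder.standard()
                .withCredentials(credentialsFor(props));
        String region = props.getProperty(REGION);
        if (region != null) {
            builder.withRegion(region);
        }
        return builder.build();
    }
}
```

The credential source and the TLS trust store are independent: with the instance profile the SDK still validates the S3 endpoint certificate against the JVM trust store, so that store must trust the root CA behind the S3 certificate, which is why trusting only the root rather than importing the full intermediate chain avoids breakage when intermediates rotate.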

Steps to Recreate:
Trying to use AFT with S3 using the native EC2 profile fails.

Component - AWD|File Transfer (AFT)
Affects Version - AFT 6.0
Client - AXA China Region
