Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

AFT - Enhance AFT S3 Adapter code to use the default provider chain

ssokal
Staff
Staff
‎22-06-22 11:48 AM
Status: Under Consideration

Parent Ticket - AWD-42901


Add the ability for AFT to communicate with S3 using the native EC2 profile rather than specific keys configured in the aftservice.properties file. Ticket AWDPS-1656 has a code version available to do so by using a flag in the properties file named s3aftadapter.useDefaultProvider. This removes the need to have a system user in AWS specifically for AFT. This was originally identified as part of the SS&C Cloud Security Review.

A review needs to take place to determine whether the communication protocol has been in the design up to now.  The fact that this has had to be developed by PS states it hasn’t been. 

Description on the Dev ticket AWDPS-1656 :-

We have an issue that occurs every time AWS make a change to their certificate chain for secure connectivity to S3.  We currently use the S3 AFT Adapter provided by base product and its approach assumes the AFT is installed on client site and is connecting remotely to S3, therefore requires all the AWS Certificate chain for S3 connectivity to be loaded into the Java Trust store.

This means any time there is a change to the certificate chain we get connectivity issues, most commonly AWS make intermittent changes deep in the chain, which then manifest as intermittent connectivity issues to S3.

We have had this on several occasions, once with Vitaity and very recently with LV and these result in Level 2 incidents that are challenging to diagnose and resolve.

However we are deployed into AWS and the EC2 instance has a default provider chain on the machine that enables access to S3 using IAM config as AWS level, so we should just be able to utilise the machine level access privileges to talk to S3 and this will remove the fragility/risk that comes about when loading certificate chains into the Java Trust store.

Moving to the EC2 level authentication also removes installation, upgrade and certificate maintenance complexity.

See the following link as an outline of how the AWS Java SDK can leverage the default certificate chain.

https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/java-dg-roles.html

Steps to Recreate-
Try to use AFT with S3 using the native EC2 profile fails

Component - AWD|File Transfer (AFT)
Affects Version - AFT 6.0

Preview file
23 KB
Preview file
23 KB