Getting Started with the Blobstore Service

Creating a Blobstore Service Instance

You must create a Blobstore service instance before you can attach an application.

About This Task

Complete the following tasks from your browser.
Note: If you are registered on the Predix Azure domain, you must use the command-line instructions to create your service.

Procedure

  1. Sign in to your Predix account at https://www.predix.io.
  2. Navigate to Catalog > Data Management, then click the Blobstore tile.
  3. Choose the plan, then click Subscribe.
  4. On the New Service Instance page, enter the information for the Blobstore service instance, and click Create Service.
    • Org – Select your org.
    • Space – Select the space for your application.
    • Service instance name – Enter a unique name for this Blobstore service instance.
      Note: Use only alphanumeric characters, underscores (_), and hyphens (-) for your service instance name.
    • Service plan – Select a plan.

Creating a Blobstore Instance Using the Command Line

You can create a new service instance from the Cloud Foundry command line. Alternatively, you can create the service by using Predix Console from the New Service Instance page.

About This Task

When you create a new service instance from the Cloud Foundry command line, you can use a default Blobstore bucket name, or specify a custom bucket name. You can enable external non-Predix access and AES encryption at the time you create a new instance, or configure these options later on.

Procedure

Note: If you are registered on the Predix Azure domain, you must use the command-line instructions to create your service.

  1. To create a new instance of the predix-blobstore service with a default Blobstore bucket name, enter the following command:
    cf create-service predix-blobstore <plan> <my_blobstore_instance>

    Where:

    • <plan> is the selected plan option for the service.
    • <my_blobstore_instance> is a unique name for this Blobstore service instance.
    Note: Use only alphanumeric characters, underscores (_), and hyphens (-) for your service instance name.
  2. Optionally, to create a new Blobstore instance with a custom bucket name, enter the following command:
    cf create-service predix-blobstore <plan> <my_blobstore_instance> -c '{"bucket_name":"<String>"}'

    Where the <String> value of bucket_name is:

    • A unique name for the bucket that is 3 to 63 characters long and complies with DNS naming conventions.
    • In a sequence of one or more labels composed of lowercase letters, numbers, and hyphens, with adjacent labels separated by a single period (.). Each label must start and end with a lowercase letter or a number (for example, calif.noam.reskit.com).
    • Not an IP address (for example, 172.195.25.255).
  3. Optionally, to create a new Blobstore instance and enable external non-Predix application access, enter the following command:
    cf create-service predix-blobstore <plan> <my_blobstore_instance> -c '{"enable_external":"<Boolean>"}'

    Where the <Boolean> value of enable_external is:
    • True: Blobstore is accessible to applications external to the Predix network.
    • False (default): Blobstore is not accessible to applications external to the Predix network.
  4. Optionally, to create a new Blobstore instance and enable server-side 256-bit AES encryption, enter the following command:
    cf create-service predix-blobstore <plan> <my_blobstore_instance> -c '{"data_encryption":"SSE"}'
    After you run this command, you must edit the manifest.yml file. For details, see Configuring Access and Sample Applications.
    Note: Blobstore provides 256-bit Advanced Encryption Standard (AES-256) only for server-side encryption.
  5. Optionally, to create a new Blobstore instance with a custom bucket name that has external access and AES server-side encryption enabled, run the following command:
    cf create-service predix-blobstore <plan> <my_blobstore_instance> -c '{"bucket_name":"<String>","enable_external":"<Boolean>","data_encryption":"SSE"}'
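The steps above leave the name rules and the JSON for the -c option to the operator. The following shell helper is an added example (not part of the Predix documentation or the blobstore-samples project): it checks the instance name and bucket name against the rules listed in steps 1 and 2, builds the configuration JSON used in steps 2 to 5, and prints the cf command when DRY_RUN is set. The plan name, instance name and function names are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example: validate names, then build the -c JSON for
# `cf create-service predix-blobstore`. Not from the Predix docs.

# Service instance name: alphanumerics, underscores and hyphens only.
valid_instance_name() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Bucket name: 3 to 63 characters, dot-separated labels of lowercase
# letters, digits and hyphens, each label starting and ending with a
# letter or digit, and not shaped like an IPv4 address.
valid_bucket_name() {
  name=$1
  len=${#name}
  [ "$len" -ge 3 ] && [ "$len" -le 63 ] || return 1
  if printf '%s\n' "$name" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'; then
    return 1   # four dotted numbers: an IP address, rejected
  fi
  printf '%s\n' "$name" | grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$'
}

# Build the -c JSON. enable_external is passed through as the docs show
# ("True"/"False"); sse=yes adds data_encryption SSE (AES-256 at rest).
blobstore_config() {
  bucket=$1 external=$2 sse=$3
  json="{\"bucket_name\":\"$bucket\",\"enable_external\":\"$external\""
  [ "$sse" = "yes" ] && json="$json,\"data_encryption\":\"SSE\""
  printf '%s}' "$json"
}

# Validate, then print (DRY_RUN set) or run the create-service command.
create_blobstore() {
  plan=$1 instance=$2 bucket=$3 external=$4 sse=$5
  valid_instance_name "$instance" || { echo "bad instance name: $instance" >&2; return 1; }
  valid_bucket_name "$bucket" || { echo "bad bucket name: $bucket" >&2; return 1; }
  cfg=$(blobstore_config "$bucket" "$external" "$sse")
  if [ -n "${DRY_RUN:-}" ]; then
    printf "cf create-service predix-blobstore %s %s -c '%s'\n" "$plan" "$instance" "$cfg"
  else
    cf create-service predix-blobstore "$plan" "$instance" -c "$cfg"
  fi
}

# Placeholder plan and instance name; the bucket name is the docs' own example.
DRY_RUN=1 create_blobstore '<plan>' my_blobstore calif.noam.reskit.com True yes
```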

Configuring Access and Sample Applications

Blobstore allows both internal and external application access.

Before You Begin

The following sample applications use the S3 API client SDK. Making REST API calls directly from your code can be cumbersome: you must write the code that calculates a valid signature to authenticate each request. Alternatively, you can use one of these three applications, which are based on the S3 API client SDK.

Application   Version                          Encryption
Java AWS      aws-java-sdk-s3 v1.11.14         Supports AES256
Go (v1.75)    aws-go-sdk s3 version v1.4.3     Supports AES256
JCloud        jclouds-blobstore version 2.0.0  Not supported

About This Task

The following steps illustrate how to integrate a Go sample application with Blobstore. The sample app has a simple web interface that allows you to do the following:
  • Add a new object (single object or multi-part upload).
  • List all objects in the store.
  • Download objects.
  • Delete objects.
  • Configure or disable external access to Blobstore.
These steps also illustrate how to configure Blobstore for external access. When configuring for external access, be sure to do the following:
  • Use a generated set of key credentials to allow external access to Blobstore.
  • Close the application when not accessing Blobstore.
  • Generate a new set of service key credentials for each external device.
  • Recycle the keys when your tasks are complete.

Procedure

  1. If needed, create a new instance of the predix-blobstore service.
  2. To update an existing Blobstore instance to enable external non-Predix application access:
     cf update-service <my_blobstore_instance> -c '{"enable_external":"<Boolean>"}'
    where the <Boolean> value of enable_external is:
    • True: Blobstore is accessible to applications external to the Predix network.
    • False (default): Blobstore is not accessible to applications external to the Predix network.
  3. Clone the sample project.
    git clone http://github.com/PredixDev/blobstore-samples.git
  4. Change to the blobstore-go-sample subdirectory.
    cd blobstore-samples/blobstore/blobstore-go-sample
  5. Edit the manifest.yml file.
    • Enter the name of your Blobstore application.
    • Update the BROKER_SERVICE_NAME value with your Blobstore instance name.
    • Update the ENABLE_SERVER_SIDE_ENCRYPTION value to enable or disable encryption.
    • Add your Blobstore instance to the services section and enable server-side encryption:
      applications:
        - name: blobstore-go-sample
          memory: 256M
          instances: 1
          timeout: 180
          buildpack: https://github.com/cloudfoundry/go-buildpack.git
          env:
            BROKER_SERVICE_NAME: <my-blobstore-instance>
            ENABLE_SERVER_SIDE_ENCRYPTION: False
          services:
            - <my-blobstore-instance>
    Note: Blobstore provides 256-bit Advanced Encryption Standard (AES-256) only for server-side encryption.

Enabling Data at Rest Encryption

Applications using Blobstore can enable encryption for their data at rest.

Server-side encryption of your data at rest is enabled by adding a header to each object upload request.
The sample application declares the type of encryption as follows:
  • The Go sample application header with AES256 support.
    uploadInput.ServerSideEncryption = aws.String("AES256") // aws-sdk-go takes a *string here
  • The AWS sample application header with AES256 support.
    objectMetadata.setSSEAlgorithm(ObjectMetadata.AES_256_SERVER_SIDE_ENCRYPTION);
Additional notes on encrypting data at rest:
  • Blobstore uses 256-bit Advanced Encryption Standard (AES-256) to encrypt data at rest.
  • Amazon tracks the key and encrypts the key with a regularly rotated master key.
  • Encryption is invisible to the end user.
  • The user does not have to worry about key management or security. When data is retrieved from Blobstore, AWS automatically decrypts the data for the user.
  • If the ENABLE_SERVER_SIDE_ENCRYPTION environment variable is changed, run cf restart so that the change takes effect.
Note: Client-side encryption is also possible: encrypt your data with your own keys before uploading it to Blobstore.