With this behavior enabled, you can specify details about the Origin Server to apply related optimizations to the property configuration.
If you're using Adaptive Media Delivery (AMD), Download Delivery, or Object Delivery, this behavior is required in the Default Rule. What you set here defines how various preset best practices are applied and optimized.
Select the location of the origin server, based on its Origin Type:
NetStorage. Select Unknown if you're using Akamai NetStorage as your origin.
Your Own Origin. Select the geographic location of your origin server. If you aren't sure about your server location, select Unknown.
Select the authentication method to use. The options available, and the appropriate settings, depend on the product in use:
Akamai Origins - Auto, Others - None
This is the default and applies to you if your origin doesn't have any external authentication requirements, or if you're using NetStorage as your origin.
Akamai Signature Authentication (AMD, only)
Select this if your AMD property has been set up to use our shared certificate hostname for secure delivery to your custom origin.
Akamai Media Services Live (AMD, only)
Select this if you're using this AMD property in association with the Media Services Live product to deliver live-streaming media. This case is covered in the Media Services Live user documentation.
Interoperability Google Cloud Storage
Select this if you're authenticating with Google Cloud Storage (GCS) as your origin server. Edge servers use the signature version 4 signing process to authenticate your requests to this third-party cloud provider. See V4 signing process in Google Cloud Storage. Once selected, provide the following details:
Amazon Web Services
Select this if you're authenticating with this third-party cloud provider as your origin server. Edge servers use the signature version 4 signing process to authenticate your requests to this third-party cloud provider. See V4 signing process in AWS. Once selected, provide the following details:
Pay attention to these points when using GCS or AWS:
You can check your authentication details in the file you saved when creating your access key. If you didn't download the file, or if you lost it, you may need to delete the existing access key and add a new one. See Managing HMAC keys in GCS or Managing Access Keys (console) in AWS.
You may be eligible to streamline client authentication by using Cloud Access Manager. See Use Cloud Access Manager (recommended) for details.
Use a property with an akamaized hostname. This lets you either retrieve objects from the origin, or for read-only bucket operations. This is because we're currently limited to storing cloud provider access keys in clear text. This doesn't carry the level of protection you might expect for the transmission of personally identifiable information (PII).
Consider using two separate sets of cloud provider access keys. Dedicate one to GET operations and another for POST, PUT, or DELETE operations. For all GET operations, set them up to use a property via Property Manager; for POST, PUT, and DELETE operations, you should use the APIs or SDKs offered by the associated cloud provider.
Regularly rotate the cloud provider access keys. This reduces the likelihood of unauthorized diversion of confidential information.
Authorizationheader is supported (AWS, only). If you're using query string parameters with this authentication, each query parameter in the incoming client request must be sorted alphabetically, and URL encoded.
If you're using a third-party cloud provider for your origin serverCHAR_DADSH_LONGGCS or AWS—consider using Akamai's Cloud Access Manager to streamline client authentication.
In a typical transaction, you need to include a signature in the request so your third-party cloud provider authenticates a requesting client. This signature contains an access key you get from your cloud provider. This key is made up of a unique access identifier and a secret access key. Typically, you'd need to include both of these values when setting up the Authentication Method here in the Origin Characteristics behavior. When receiving the request, the third-party cloud provider calculates the signature and compares it to the one sent in the client request. If they match, the request is considered authentic. If they don't match, the request is denied. While this standard method works, it has some drawbacks:
You need to set up the mechanism to inject the signature into a client request.
Requests need to proxy through your origin, which can delay the request.
The access identifier and secret access key are openly visible to anyone that can see your property in Akamai Control Center.
Cloud Access Manager is a separate application that lets you privately create and name your access keys. You just add an access key to your property using its name, so the access identifier and secret key are hidden. Cloud Access Manager uses the Akamai Intelligent Platform to route origin requests directly to your third-party cloud provider. Akamai edge servers inject access key authentication on the forward origin path for you. This can decrease cost, bandwidth requirements, and the number of hits to your origin during peak times.
Once Cloud Access Manager is enabled, the secret access key is encrypted and isn't visible to anyone, including Akamai. This may affect the way Akamai works with you to troubleshoot issues.
Start by getting authentication details from your cloud provider.
Use Cloud Access Manager to create an access key.
Configure settings here in the Origin Characteristics behavior to sign requests with your access key:
Origin Location. Select the geographical location of your origin server to optimize access to it. If you aren't sure about your server location, you can leave it as Unknown.
Authentication Method. Select the third-party cloud provider that you use as your origin, either Amazon Web Services or Interoperability Google Cloud Storage.
Encrypted Storage. With this option set to Yes, you can refer to access keys you created that are securely stored in Cloud Access Manager. If you disable this option, the Origin Characteristics behavior stores the authentication details unencrypted.
Access Key. Select the access key that you want to use to sign requests to a cloud origin. This field lists only active access keys that you created in Cloud Access Manager that match your property's authentication method selected in the Origin Characteristics behavior.
Region (Amazon Web Services, only). Enter the code of the AWS region that houses your AWS service.
Service Endpoint (Amazon Web Services, only). Enter the code of your AWS service. This is the segment or its part that precedes
amazonaws.comor a region code in your the AWS service endpoint. For example,
s3is the service code for this service endpoint:
https:// account-id.s3-control.eu-north-1.amazonaws.com. See AWS Service Endpoints and Service Endpoints and Quotas.
For complete details, see the Cloud Access Manager documentation.
You can define the Origin Characteristics behavior for different use cases within a single property to simplify the configuration process. Apart from applying the Origin Characteristics behavior to all requests in the Default Rule, you can also include it in another rule and apply different match criteria to have separate requests use different origin characteristics optimizations.
For example, you can configure a single property to connect to separate origins that use different authentication methods.
Updated 5 months ago