Uploaded image for project: 'Couchbase Documentation'
  1. Couchbase Documentation
  2. DOC-5046

Sync Gateway: Incomplete documentation on Certificate Based Authentication

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • Major
    • Mobile 2.1
    • Mobile 2.1
    • sync-gateway
    • None
    • DOC-2019-S18-Sep06, DOC-2019-S19-Sep20
    • 1

    Description

      Documentation page : https://docs.couchbase.com/sync-gateway/2.1/security.html#x-509-certificates

      Problem:

      The Sync Gateway Security page, section "Connection to Couchbase Server" talks about enabling Certificate Based Authentication between Sync Gateway and Couchbase server.

      However, if the user follows the exact same steps as follows

      1. Create x.509 certificates for Couchbase Server. See instructions steps 1 - 10.
      2. Configure each Couchbase Server node in the cluster. See instructions steps 11 - 12.
      3. Enable Client Certificate Authentication. See instructions step 13.

      One ends up in configuring only server side certificate and not client-side with RBAC role encoded.

      Update: instructions have been updated on Server docs (same links as above) and SG docs accordingly.

      Solution:

      So if the clientCertAuth JSON for parsing RBAC user is as follows:

      '{"state": "enable","prefixes": [{"path": "subject.cn","prefix": "user-","delimiter": "@"}]}'
      Please set the ${USERNAME} as in the following command:
      

      One can follow all the exact same steps mentioned in the above link, the only alteration being in Step 9 for configuring server-side-certificates where we need to set ${USERNAME} as follows:

      openssl req -new -key ${NODE}.key -out ${NODE}.csr \
      -subj "/C=UA/O=MyCompany/CN=user-abhishekjindal@couchbase.com"
      

      This extracts and uses "abhishekjindal" as RBAC username.
      The resultant chain certificate now need to be copied over to the client side after being signed by Intermediate and CA certificate in Step 9 and 10 above.

      This explanation need to be specified in the documentation page.

      Attachments

        Issue Links

          Activity

            People

              jamiltz James Nocentini
              abhishek.jindal Abhishek Jindal
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                PagerDuty