Details
-
Bug
-
Resolution: Fixed
-
Major
-
Mobile 2.1
-
None
-
DOC-2019-S18-Sep06, DOC-2019-S19-Sep20
-
1
Description
Documentation page : https://docs.couchbase.com/sync-gateway/2.1/security.html#x-509-certificates
Problem:
The Sync Gateway Security page, section "Connection to Couchbase Server" talks about enabling Certificate Based Authentication between Sync Gateway and Couchbase server.
However, if the user follows the exact same steps as follows
1. Create x.509 certificates for Couchbase Server. See instructions steps 1 - 10.
2. Configure each Couchbase Server node in the cluster. See instructions steps 11 - 12.
3. Enable Client Certificate Authentication. See instructions step 13.
One ends up in configuring only server side certificate and not client-side with RBAC role encoded.
Update: instructions have been updated on Server docs (same links as above) and SG docs accordingly.
—
Solution:
So if the clientCertAuth JSON for parsing RBAC user is as follows:
'{"state": "enable","prefixes": [{"path": "subject.cn","prefix": "user-","delimiter": "@"}]}'
|
Please set the ${USERNAME} as in the following command:
|
One can follow all the exact same steps mentioned in the above link, the only alteration being in Step 9 for configuring server-side-certificates where we need to set ${USERNAME} as follows:
openssl req -new -key ${NODE}.key -out ${NODE}.csr \
|
-subj "/C=UA/O=MyCompany/CN=user-abhishekjindal@couchbase.com"
|
This extracts and uses "abhishekjindal" as RBAC username.
The resultant chain certificate now need to be copied over to the client side after being signed by Intermediate and CA certificate in Step 9 and 10 above.
This explanation need to be specified in the documentation page.
