Details
Task
Resolution: Unresolved
Major
6.6.0, 7.0.0, Neo
DOC-2022-S8
Description
We've had support issues with SCRAM-SHA authentication when using Half-Secure XDCR replication; an example is CBSE-10032. The issues are caused by customers' monitoring software capturing the "401" responses (which are a normal part of the SCRAM-SHA protocol) from the XDCR target nodes, interpreting the 401s as part of an attack, and resetting or killing the healthy connections being used by XDCR.
So we need to document that monitoring software or firewall software may see these 401 responses when half-secure replication is being used, and that they should be allowed as normal. The documentation should be updated in these places (or updated in one place and referenced from the others):
1) Enable Half-Secure Replications (Understanding Half-Secure Replications)
2) Managing XDCR Data Encryption (Configuring XDCR with data encryption)
3) Cross Data Center Replication (XDCR) (XDCR Security)
The additional info about SCRAM-SHA and half-secure XDCR replication should convey the info below:
SCRAM-SHA is a multi-request protocol. The first request from the client (XDCR source to XDCR target) is answered with a 401; the subsequent request completes the protocol. Therefore, when using half-secure replication, external monitoring or firewall software should allow these 401 responses (i.e. ignore them), since they are part of the normal SCRAM-SHA protocol. If the monitoring or firewall software acts on these 401 responses by resetting or killing connections, you will see SCRAM-SHA errors on the XDCR source cluster. If you are using half-secure replication and seeing SCRAM-SHA errors on the XDCR source cluster, please check with your network monitoring or firewall administrators. If the monitoring or firewall software interferes with the XDCR connections, XDCR replication will attempt to reconnect and continue to work through the connection interruptions, but you may still see various issues arising from the continued interruptions, including XDCR possibly having to restart replications from sequence 0. Please note that because various XDCR processes periodically (frequently) make calls to the target to monitor for changes in topology and collection manifest, you can expect the 401 responses associated with the SCRAM-SHA multi-request protocol to be seen by the external monitoring or firewall software continuously while the replication is in progress.
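A defender-side illustration of the point above, added here and not part of the ticket or of Couchbase's documentation: a small Python classifier that separates the single 401 challenge of a SCRAM-SHA exchange (first response on a connection, immediately followed by a successful completing request) from a run of 401s that would actually merit a monitoring alert. The log format, field names, sample addresses and the 2-second window are assumptions made for this example.

```python
"""Classify 401s seen on XDCR target nodes (added example, not Couchbase code).
Log format, field names and the 2-second window are assumptions; SCRAM-SHA is
modelled as a 401 challenge followed by a completing request on one connection."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, connection id, client, HTTP status.
SAMPLE_LOG = """\
2022-03-01T10:00:00.100 conn=17 client=10.0.1.5 status=401
2022-03-01T10:00:00.140 conn=17 client=10.0.1.5 status=200
2022-03-01T10:00:05.000 conn=18 client=10.0.1.5 status=401
2022-03-01T10:00:05.030 conn=18 client=10.0.1.5 status=200
2022-03-01T10:00:09.000 conn=42 client=198.51.100.7 status=401
2022-03-01T10:00:09.500 conn=42 client=198.51.100.7 status=401
2022-03-01T10:00:10.000 conn=42 client=198.51.100.7 status=401
"""
HANDSHAKE_WINDOW = timedelta(seconds=2)  # assumed bound between challenge and completion

def parse_line(line):
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["status"] = int(rec["status"])
    return rec

def classify_401s(log_text):
    """Map each connection that produced a 401 to 'scram-handshake' or 'unexpected-401'."""
    by_conn = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        by_conn[rec["conn"]].append(rec)
    verdicts = {}
    for conn, recs in by_conn.items():
        statuses = [r["status"] for r in recs]
        if 401 not in statuses:
            continue
        # Expected SCRAM-SHA shape: one 401 (the challenge) as the first response,
        # answered by a successful completing request within the window.
        handshake = (statuses.count(401) == 1 and statuses[0] == 401
                     and len(recs) > 1 and statuses[1] < 400
                     and recs[1]["ts"] - recs[0]["ts"] <= HANDSHAKE_WINDOW)
        verdicts[conn] = "scram-handshake" if handshake else "unexpected-401"
    return verdicts

def alertable_connections(log_text):
    """Connections whose 401s do NOT fit the handshake shape; only these merit action."""
    return sorted(c for c, v in classify_401s(log_text).items() if v == "unexpected-401")
```

Because XDCR polls the target continuously, the handshake pattern recurs on every new connection for as long as replication runs, so a rule like this has to be applied per connection rather than by counting 401s per source host.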