Couchbase Documentation: DOC-9946

Add to SCRAM-SHA protocol info for XDCR Half-Secure Replications


Details

    • Task
    • Resolution: Unresolved
    • Major
    • None
    • 6.6.0, 7.0.0, Neo
    • xdcr
    • None
    • DOC-2022-S8
    • 1

    Description

      We've had support issues with SCRAM-SHA authentication when using Half-Secure XDCR replication; an example is CBSE-10032. The issues are caused by customers' monitoring software capturing the "401" responses (which are a normal part of the SCRAM-SHA protocol) from the XDCR target nodes, treating the 401s as part of an attack, and resetting or killing good connections being used by XDCR.

      So we need to document that monitoring software or firewall software may see these 401 responses when half-secure replication is being used, and that they should be allowed as normal. The documentation should be updated in these places (or updated in one place and referenced from the others):

      1) Enable Half-Secure Replications (Understanding Half-Secure Replications)

      https://docs.couchbase.com/server/current/manage/manage-xdcr/enable-half-secure-replication.html#understanding-half-secure-replications

      2) Managing XDCR Data Encryption (Configuring XDCR with data encryption)

      https://docs.couchbase.com/server/current/rest-api/rest-xdcr-data-encrypt.html#configuring-xdcr-with-data-encryption

      3) Cross Data Center Replication (XDCR) (XDCR Security) 

      https://docs.couchbase.com/server/current/learn/clusters-and-availability/xdcr-overview.html#xdcr-security

      The additional info about SCRAM-SHA and half-secure XDCR replication should convey the info below:

      SCRAM-SHA is a multi-request protocol. The first request from the client (XDCR source to XDCR target) is answered with a 401; the subsequent request completes the protocol. Therefore, when using half-secure replication, external monitoring or firewall software should allow these 401 responses (i.e. ignore them), since they are part of the normal SCRAM-SHA protocol.

      If the monitoring or firewall software acts on these 401 responses by resetting or killing connections, you will see SCRAM-SHA errors on the XDCR source cluster. If you are using half-secure replication and seeing SCRAM-SHA errors on the XDCR source cluster, please check with your network monitoring or firewall administrators. Even though XDCR replication will attempt to reconnect and continue to work through connection interruptions, if the monitoring or firewall software interferes with the XDCR connections you may see various issues arising from the continued interruptions, including XDCR possibly having to restart replications from sequence 0.

      Please note that because various XDCR processes periodically (frequently) make calls to the target to monitor for changes in topology and collection manifest, you can expect the 401 responses associated with the SCRAM-SHA multi-request protocol to be seen by the external monitoring or firewall software continuously while the replication is in progress.
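      The 401-then-success pattern described above, turned into a monitoring heuristic that separates the routine SCRAM-SHA challenge from a handshake that was cut off and from a genuine authentication failure. This is an added example, not Couchbase code or text from the ticket; the per-connection record format and the XDCR source-node addresses are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed placeholder addresses of the XDCR source-cluster nodes that
# legitimately authenticate to this target (not real hosts).
XDCR_SOURCE_NODES = {"10.0.0.11", "10.0.0.12"}


@dataclass(frozen=True)
class Exchange:
    conn_id: str   # the TCP connection the request arrived on
    src_ip: str    # peer address
    status: int    # HTTP status the XDCR target returned


def classify_401s(exchanges):
    """Return {conn_id: verdict} for every connection that produced a 401.

    scram-challenge-completed: 401 to a known XDCR source node followed by
        a success on the same connection, i.e. the normal SCRAM-SHA exchange.
    scram-challenge-interrupted: known source node got the 401 but nothing
        succeeded afterwards, the trace left when a monitor or firewall
        kills the connection mid-handshake.
    auth-failure: anything else (unknown peer, repeated 401s).
    """
    by_conn = defaultdict(list)
    for ex in exchanges:
        by_conn[ex.conn_id].append(ex)
    verdicts = {}
    for conn_id, seq in by_conn.items():
        statuses = [e.status for e in seq]
        if 401 not in statuses:
            continue  # nothing to explain on this connection
        known = seq[0].src_ip in XDCR_SOURCE_NODES
        single_challenge = statuses[0] == 401 and statuses.count(401) == 1
        completed = any(200 <= s < 300 for s in statuses[1:])
        if known and single_challenge and completed:
            verdicts[conn_id] = "scram-challenge-completed"
        elif known and single_challenge:
            verdicts[conn_id] = "scram-challenge-interrupted"
        else:
            verdicts[conn_id] = "auth-failure"
    return verdicts


# Constructed sample traffic: a healthy handshake, one cut off right after
# the challenge, and an unknown peer that keeps failing authentication.
SAMPLE_EXCHANGES = [
    Exchange("c1", "10.0.0.11", 401), Exchange("c1", "10.0.0.11", 200),
    Exchange("c2", "10.0.0.12", 401),
    Exchange("c3", "203.0.113.5", 401), Exchange("c3", "203.0.113.5", 401),
]
```

      Only the "scram-challenge-interrupted" and "auth-failure" verdicts warrant an alert; the completed handshake is the steady-state noise the ticket says half-secure replication produces continuously.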

          People

            tony.hillman Tony Hillman (Inactive)
            hyun-ju.vega Hyun-Ju Vega
            Votes: 0
            Watchers: 4
