Uploaded image for project: 'Couchbase Server'
  1. Couchbase Server
  2. MB-44361

Support for multiple trusted root certificates

    XMLWordPrintable

Details

    • 1

    Description

      Problem: Currently there is one cluster root CA + one root cert for ldap server + one root ca for remote xdcr server. In all those cases it would be super useful or even absolutely necessary to be able to specify at least 2 root certs in order to do seamless cert rotation (on local cluster or remote ldap or xdcr clusters).

      Suggested solution: ns_server should maintain a single list of all trusted CAs that will include all the root certs that couchbase server should trust, including ldap servers, xdcr server and so on. There should be no difference between cluster root cert, xdcr root cert or ldap root cert. All these trusted certs will be used for all outgoing TLS connections (node2node encryption, xdcr, ldap).

      Customers should be able to manage (view, add, remove) the list of trusted certificates via UI and CLI.

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. MB-50033 XDCR mTLS Appears Broken

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. DOC-8715 Multiple Root CA Certs

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. MB-47172 Multiple Root CA Certs management (couchbase-cli)

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. MB-47174 [CBBS] Multiple Root CA Certs

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. MB-47179 Multiple Root CA Certs - Analytics

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. MB-48210 [CLI Tools] Multiple Root CA Certs

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. K8S-2287 Multiple Root CA Certs - CAO

          • Major - Major loss of function.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. MB-47171 Multiple Root CA Certs - KV

          • Major - Major loss of function.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. MB-47173 Multiple Root CA Certs - XDCR

          • Major - Major loss of function.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. MB-47175 Multiple Root CA Certs - Query

          • Major - Major loss of function.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. MB-47176 Multiple Root CA Certs - Index

          • Major - Major loss of function.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. MB-47177 Multiple Root CA Certs - FTS

          • Major - Major loss of function.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. MB-47178 Multiple Root CA Certs - Eventing

          • Major - Major loss of function.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. MB-47180 Multiple Root CA Certs - Views

          • Major - Major loss of function.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. MB-47181 Multiple Root CA Certs - UI

          • Major - Major loss of function.
          • Closed
          links to

          Web Link Multiple CA & Encrypted Private Key Design

          For Gerrit Dashboard: MB-44361
          # Subject Branch Project Status CR V
          162873,4 MB-44361 : Enable passing of ca.pem to eventing master ns_server Status: NEW +2 +1
          158779,11 MB-44361: Multiple CA support core changes and refactoring master ns_server Status: MERGED +2 +1
          158780,9 MB-44361: Switch ssl_dist_opts to new cert files master ns_server Status: MERGED +2 +1
          158781,9 MB-44361: Switch LDAP code to use multi CA master ns_server Status: MERGED +2 +1
          158784,62 MB-44361: Pass ca file to eventing master ns_server Status: MERGED +2 +1
          158785,9 MB-44361: Temporarily save separate cert file for erlang master ns_server Status: MERGED +2 +1
          158787,11 MB-44361: Add cluster's CA to the list of trusted certs on ... master ns_server Status: MERGED +2 +1
          158788,11 MB-44361: Add audit for load CAs API master ns_server Status: MERGED +2 +1
          158789,11 MB-44361: Adjust cert warnings calculation master ns_server Status: MERGED +2 +1
          158790,12 MB-44361: Backward compat for GET /pools/default/certificate master ns_server Status: MERGED +2 +1
          158791,15 MB-44361: Update /controller/uploadClusterCA master ns_server Status: MERGED +2 +1
          158792,15 MB-44361: Upgrade code for certs master ns_server Status: MERGED +2 +1
          158845,14 MB-44361: Temporarily generate cert file in old format... master ns_server Status: MERGED +2 +1
          159178,15 MB-44361: Push TLS settings to memcached using ifconfig cmd master ns_server Status: MERGED +2 +1
          160241,3 MB-44361: Fix GET /pools/default/certificate/node/<node> master ns_server Status: MERGED +2 +1
          160364,2 MB-44361: Rename loadCAcertificates -> loadTrustedCAs master ns_server Status: MERGED +2 +1
          160830,4 MB-44361: Pass ca file to analytics master ns_server Status: MERGED +2 +1
          161127,5 MB-44361: Add GET /pools/default/trustedCAs master ns_server Status: MERGED +2 +1
          161433,2 MB-44361: Enable passing of ca.pem to query master ns_server Status: MERGED +2 +1
          161508,7 MB-44361: Add DELETE /pools/default/trustedCAs/<id> master ns_server Status: MERGED +2 +1
          161509,8 MB-44361: Add audit for CA removing master ns_server Status: MERGED +2 +1
          161571,6 MB-44361: Add 'nodes' field in GET /trustedCAs... master ns_server Status: MERGED +2 +1
          162128,14 MB-44361: Fix /regenerateCertificates endpoint master ns_server Status: MERGED +2 +1
          162130,18 MB-38457: MB-44361: Pass encr pkey and ca file to indexer master ns_server Status: MERGED +2 +1
          162428,5 MB-44361: Allow cert regeneration when n2n encr is enabled master ns_server Status: MERGED +2 +1
          162429,10 MB-44361: Migrate cert_and_pkey to chronicle master ns_server Status: MERGED +2 +1
          162488,10 MB-44361: Add newly generated CA to trusted CA list in txn master ns_server Status: MERGED +2 +1
          162751,16 MB-46868: Revert "MB-44361: Temporarily save separate cert file.." master ns_server Status: MERGED +2 +1
          162962,5 MB-44361: Introduce GET /pools/default/certificates master ns_server Status: MERGED +2 +1
          162963,5 MB-44361: Show warnings for node certs in API master ns_server Status: MERGED +2 +1
          163411,4 Revert "MB-44361: Temporarily generate cert file in old format..." master ns_server Status: MERGED +2 +1

          Activity

            People

              sumedh.basarkod Sumedh Basarkod (Inactive)
              timofey.barmin Timofey Barmin
              Votes:
              0 Vote for this issue
              Watchers:
              15 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Gerrit Reviews

                  There is 1 open Gerrit change

                  PagerDuty