Uploaded image for project: 'Couchbase Server'
  1. Couchbase Server
  2. MB-47905

Support both client certificate auth and n2n encryption at the same time

    XMLWordPrintable

Details

    • Improvement
    • Resolution: Unresolved
    • Major
    • Morpheus
    • 6.5.0
    • ns_server
    • None
    • 1

    Description

      Currently, when node to node encryption is set to "all" or "strict", the services may connect to other services including ns_server using the node certificates passed to them. However, in the case where client certificate authentication is enabled the usage of node certificates by the services to connect as clients possess the problem of not being able to authenticate the user.
      Per doc, https://docs.couchbase.com/server/current/manage/manage-security/enable-client-certificate-handling.html.

      A current limitation is that client certificate authentication cannot be set to mandatory if node-to-node encryption is set to all. See Node-to-Node Encryption.

      Unfortunately this not limited to mandatory but also extends to enabled state of client certificate authentication.

      We need to be able to support both client certificate auth and node to node encryption at the same time.

      Docs:
      Design draft

      Attachments

        Issue Links

          is blocked by

          Bug - A problem which impairs or prevents the functions of the product. MB-51776 [CLI] server-add should provide an option to use client certificate for authentication

          • Major - Major loss of function.
          • Open

          Bug - A problem which impairs or prevents the functions of the product. MB-52103 [xdcr] Support both client certificate auth and n2n encryption at the same time

          • Major - Major loss of function.
          • Open

          Improvement - An improvement or enhancement to an existing feature or task. MB-51771 [UI] No need to ask for user/password when client certs are used during node addition

          • Major - Major loss of function.
          • Open

          Improvement - An improvement or enhancement to an existing feature or task. MB-52097 [indexer] Support both client certificate auth and n2n encryption at the same time

          • Major - Major loss of function.
          • Open

          Improvement - An improvement or enhancement to an existing feature or task. MB-52099 [cbas] Support both client certificate auth and n2n encryption at the same time

          • Major - Major loss of function.
          • Open

          Improvement - An improvement or enhancement to an existing feature or task. MB-52102 [Query] Support both client certificate auth and n2n encryption at the same time

          • Major - Major loss of function.
          • Open

          Improvement - An improvement or enhancement to an existing feature or task. MB-52104 [eventing] Support both client certificate auth and n2n encryption at the same time

          • Major - Major loss of function.
          • Open

          Improvement - An improvement or enhancement to an existing feature or task. MB-52182 [CLI] Support client cert reload

          • Major - Major loss of function.
          • Open

          Improvement - An improvement or enhancement to an existing feature or task. MB-52100 [backup] Support both client certificate auth and n2n encryption at the same time

          • Major - Major loss of function.
          • Resolved
          relates to

          Bug - A problem which impairs or prevents the functions of the product. MB-61232 eventing error: flag provided but not defined: -clientcertfile

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. MB-50939 Replace internal authentication basic auth with mutual authentication

          • Major - Major loss of function.
          • Open

          Improvement - An improvement or enhancement to an existing feature or task. MB-48188 Support client certificate in n2n encryption

          • Major - Major loss of function.
          • Closed
          For Gerrit Dashboard: MB-47905
          # Subject Branch Project Status CR V
          160375,1 MB-47905: [WIP] PoC master ns_server Status: ABANDONED -1 0
          170994,10 MB-47905: [generate_cert] Add --client and --san-emails args master ns_server Status: MERGED +2 +1
          170995,12 MB-47905: Generate client certs automatically master ns_server Status: MERGED +2 +1
          170996,14 MB-47905: [cb_dist]: Add client cert verification master ns_server Status: MERGED +2 +1
          172011,12 MB-47905: Provision node-to-be-added with autogenerated client cert master ns_server Status: MERGED +2 +1
          172013,12 MB-47905: Don't allow removing the CA if there is at least... master ns_server Status: MERGED +2 +1
          172306,11 MB-47905: Add POST /node/controller/reloadClientCertificate master ns_server Status: MERGED +2 +1
          172625,12 MB-47905: Recognize internal user extracted from client certificate master ns_server Status: MERGED +2 +1
          172817,11 MB-47905: Add generate_client_cert script master ns_server Status: MERGED +2 +1
          173121,6 MB-47905: Use client cert for all tls connections... master ns_server Status: MERGED +2 +1
          173122,6 MB-47905: Enable client cert auth with full n2n encryption master ns_server Status: MERGED +2 +1
          173123,6 MB-47905: Don't perform auth when client cert auth is used master ns_server Status: MERGED +2 +1
          173307,5 MB-47905: Make sure the CA for all client certs is trusted... master ns_server Status: MERGED +2 +1
          173383,3 MB-47905: Don't show unused warning for CA that issued... master ns_server Status: MERGED +2 +1
          173593,4 MB-47905: Adjust client certs related error messages master ns_server Status: MERGED +2 +1
          173747,4 MB-47905: Don't restart web servers when client certs change master ns_server Status: MERGED +2 +1
          173748,4 MB-47905: Regenerate client certs automatically master ns_server Status: MERGED +2 +1
          174773,6 MB-47905: MB-52125: Use client cert in pluggableUI proxy calls... master ns_server Status: MERGED +2 +1
          174814,6 MB-47905: Support for encrypted client private key master ns_server Status: MERGED +2 +1
          174815,6 MB-47905: Teach cb_dist to work with encrypted client pkey master ns_server Status: MERGED +2 +1
          174901,3 MB-47905: Call TLSRefreshCallback when client cert change master cbauth Status: MERGED +2 +1
          174903,5 MB-47905: Pass client pkey pass to services in UpdateDB master ns_server Status: MERGED +2 +1
          175529,3 MB-47905: Pass client cert path to services master ns_server Status: MERGED +2 +1
          185215,9 MB-47905: Don't add any CA's and don't overwrite custom certs... master ns_server Status: MERGED +2 +1
          185294,8 MB-47905: [cb_dist] Handle client cert auth in ensure_config... master ns_server Status: MERGED +2 +1
          185295,9 MB-47905: Change default value for n2n client cert auth... master ns_server Status: MERGED +2 +1
          185300,9 MB-47905: Fix check of CA cert presence when... master ns_server Status: MERGED +2 +1

          Activity

            People

              timofey.barmin Timofey Barmin
              Abhijeeth.Nuthan Abhijeeth Nuthan
              Votes:
              0 Vote for this issue
              Watchers:
              16 Start watching this issue

              Dates

                Created:
                Updated:

                Gerrit Reviews

                  There are no open Gerrit changes

                  PagerDuty