Couchbase Server / MB-52103

[xdcr] Support both client certificate auth and n2n encryption at the same time


Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • Morpheus
    • Morpheus
    • XDCR
    • None
    • Untriaged
    • 1
    • Unknown

    Description

      As part of MB-47905, ns_server can now provide access to an internal client certificate that can be used when client cert auth is enabled and an internal TLS connection needs to be established (a connection inside the CB cluster; this cert can actually be used when connecting to external CB clusters as well, but that needs to be discussed separately).
      This usually happens when:
      1) Node-to-node encryption is set to 'full' or 'strict'
      AND
      2) Client cert auth is set to 'mandatory'

      As part of this ticket, please:
      1) Let the ns_server team know (by a comment in this ticket) whether your service establishes such connections (in other words, whether you would like to use this internal client certificate), and if so, how you would like ns_server to pass your service the path to the client certificate.
      2) Add support for internal client certificates in your service. Note: if you are establishing a TLS connection to memcached, regular authentication (the auth command) will still need to be done.

      Note: we will support encrypted internal private keys. The key passphrase will be passed to services via cbauth (similar to the node key passphrase), but that is not implemented yet. More details will follow.

      UPDATE:
      The client key passphrase can be encrypted.
      The passphrase is passed via cbauth (similar to the node key passphrase) in the ClientPrivateKeyPassphrase field of the TLSConfig struct.
      When the client cert or passphrase changes, TLSRefreshCallback is called with the CFG_CHANGE_CLIENT_CERTS_TLSCONFIG flag set.
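      Worked example (added here; it is not code from this ticket, goxdcr or cbauth) of the service-side plumbing the description asks for, written in Go because goxdcr and cbauth are Go. A store keeps the internal client cert; a refresh callback reloads it only when the client-certs change flag is set and decrypts the key with the passphrase carried in TLSConfig; GetClientCertificate hands the current cert to every new handshake. The store is checked against a loopback server configured the way the ticket describes, encryption on with client cert auth mandatory: first before any cert is loaded (the server rejects the handshake), then after a refresh (it succeeds). Assumptions: the flag value, the TLSConfig shape and the callback signature are stand-ins for the cbauth names the ticket cites; the certificate, key and passphrase are constructed test data; and the key uses legacy PEM encryption only because that is the one form Go's standard library decrypts, which says nothing about the format ns_server will ship.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
	"time"
)

// Stand-ins for the cbauth names the ticket cites; their real definitions are not on the page (assumption).
const cfgChangeClientCertsTLSConfig uint64 = 1 << 2
type TLSConfig struct{ ClientPrivateKeyPassphrase []byte }

// ClientCertStore holds the internal client cert a service presents on intra-cluster TLS connections; certPEM/keyPEM stand in for the contents of goxdcr's clientCertFile/clientKeyFile.
type ClientCertStore struct {
	certPEM, keyPEM []byte
	cert            atomic.Pointer[tls.Certificate]
}

// Refresh plays the TLSRefreshCallback: reload only when the client-certs flag is set, decrypting the key with the
// passphrase if it is encrypted (legacy PEM encryption only, all Go's stdlib handles; cbauth's format is an assumption).
func (s *ClientCertStore) Refresh(flags uint64, cfg TLSConfig) (bool, error) {
	if flags&cfgChangeClientCertsTLSConfig == 0 {
		return false, nil
	}
	keyPEM := s.keyPEM
	if block, _ := pem.Decode(keyPEM); block != nil && x509.IsEncryptedPEMBlock(block) {
		der, err := x509.DecryptPEMBlock(block, cfg.ClientPrivateKeyPassphrase)
		if err != nil {
			return false, fmt.Errorf("decrypt client key: %w", err) // the previously loaded cert stays in service
		}
		keyPEM = pem.EncodeToMemory(&pem.Block{Type: block.Type, Bytes: der})
	}
	cert, err := tls.X509KeyPair(s.certPEM, keyPEM)
	if err != nil {
		return false, err
	}
	s.cert.Store(&cert)
	return true, nil
}

// Install hooks the store into a client tls.Config: the cert is resolved per handshake, so a refresh reaches new connections; with nothing loaded the client sends no cert.
func (s *ClientCertStore) Install(cfg *tls.Config) {
	cfg.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
		if c := s.cert.Load(); c != nil {
			return c, nil
		}
		return &tls.Certificate{}, nil
	}
}

// selfSigned mints a throwaway self-signed test cert (constructed PKI, not a real cluster certificate).
func selfSigned(cn string, eku x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Demo: loopback server with encryption on and client cert auth mandatory, client key passphrase-encrypted (constructed data); outcome before and after a refresh.
func Demo() (noCert, withCert error) {
	cli, cliKey := selfSigned("xdcr-internal-client", x509.ExtKeyUsageClientAuth)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	srv.TLS = &tls.Config{ClientCAs: x509.NewCertPool(), ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12}
	srv.TLS.ClientCAs.AddCert(cli) // only client certs chaining to this pool pass the mandatory check
	srv.StartTLS()                 // httptest supplies the server cert, and srv.Client() already trusts it
	defer srv.Close()
	keyDER, _ := x509.MarshalECPrivateKey(cliKey)
	encKey, _ := x509.EncryptPEMBlock(rand.Reader, "EC PRIVATE KEY", keyDER, []byte("constructed-passphrase"), x509.PEMCipherAES256)
	store := &ClientCertStore{certPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cli.Raw}), keyPEM: pem.EncodeToMemory(encKey)}
	client := srv.Client()
	store.Install(client.Transport.(*http.Transport).TLSClientConfig)
	noCert = get(client, srv.URL)
	if _, err := store.Refresh(cfgChangeClientCertsTLSConfig, TLSConfig{ClientPrivateKeyPassphrase: []byte("constructed-passphrase")}); err != nil {
		return noCert, err
	}
	return noCert, get(client, srv.URL)
}

func get(c *http.Client, url string) error {
	resp, err := c.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

func main() { fmt.Println(Demo()) } // expect a rejected handshake, then <nil>
```

      Two points worth keeping when adapting this: a failed reload must leave the previous cert in service rather than clearing it, otherwise a bad passphrase push would cut off every new intra-cluster connection; and legacy PEM encryption (OpenSSL's DEK-Info header) has weak key derivation and no ciphertext authentication, which is why Go deprecates x509.DecryptPEMBlock, so real key material should be PKCS#8 with a modern KDF handled by a library. Presenting this certificate does not replace the memcached auth step the description mentions.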

          Activity

            lilei.chen Lilei Chen added a comment -

            Abhijeeth Nuthan Yes, I will make the changes to accept these on start up.

            Build couchbase-server-7.2.0-1279 contains goxdcr commit 6867016 with commit message:
            MB-52103: Accept clientCertFile and clientKeyFile on start up

            Build couchbase-server-8.0.0-1008 contains goxdcr commit 6867016 with commit message:
            MB-52103: Accept clientCertFile and clientKeyFile on start up

            People

              lilei.chen Lilei Chen
              timofey.barmin Timofey Barmin
              Votes: 0
              Watchers: 3
