Uploaded image for project: 'Couchbase Server'
  1. Couchbase Server
  2. MB-62434

Support both client cert authentication and n2n encryption at the same time for FTS scan connections

    XMLWordPrintable

Details

    • 0

    Description

      In Morpheus, Query now supports client certificate authentication and node-to-node (n2n) encryption at the same time.

      ns_server provides an internal client certificate. For all internal encrypted communication, this certificate must be presented for client authentication when:

      1. N2N encryption is set to "All" or "Strict" 

      and

      2. Client Certificate Authentication set to "Mandatory”

       

      When Query is notified by cbauth about TLS configuration changes, the datastore.ConnectionSecurityConfig  object will be appropriately modified and passed to FTS indexers and FTS client.

       

      Here are some necessary details about fields ( in bold ) in the datastore.ConnectionSecurityConfig struct:

      1. InternalClientCertFile: path of internal client certificate
      2. InternalClientKeyFile: path of the internal client certificate's private key
      3. TLSConfig.ClientPrivateKeyPassphrase: passphrase of the private key

      4. When n2n encryption is enabled, ClusterEncryptionConfig.EncryptData will be set to true.
      5. When client cert authentication is mandatory, TLSConfig.ClientAuthType is set to  tls.RequireAndVerifyClientCert.

      The internal client certificate must be used for internal encrypted communication when points 4. and 5. are satisfied.

       

      The requirements from Query are for the connections used for FTS index scans - in the scenario of n2n encryption being enabled and client cert authentication being mandatory:

      1. FTS to use the internal client certificate for client auth when establishing encrypted connections for index scans.

      2. When TLS configuration changes are made, in-use connections ( i.e TLS handshake has completed and connection established ) that are currently serving index scans must not be closed. This is because it is not ideal for ongoing scans to be broken.

       

      Currently, ( in the scenario of n2n encryption enabled and client auth being mandatory)  when executing queries that are served by FTS indexes the following error occurs:

      "errors": [
      		 
              {
      		 
                  "code": 5000,
      		 
                  "msg": "n1fty: search failed - cause: rpc error: code = Unavailable desc = connection error: desc = \"error reading server preface: remote error: tls: certificate required\""
      		 
              }
      		 
          ]

       

       

      Attachments

        Issue Links

          blocks

          Improvement - An improvement or enhancement to an existing feature or task. MB-52102 [Query] Support both client certificate auth and n2n encryption at the same time

          • Major - Major loss of function.
          • Resolved
          No reviews matched the request. Check your Options in the drop-down menu of this sections header.

          Activity

            People

              likith.b Likith B
              dhanya.gowrish Dhanya Gowrish
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:

                Gerrit Reviews

                  There are no open Gerrit changes

                  PagerDuty