Encryption on the Wire

While an administrative console is typically protected via an HTTPS connection, the new administrative access on port 18091 allows connection to the Couchbase Web Console over SSL/TLS, which is enabled by default.

To talk over SSL/TLS to the Couchbase Web Console, connect to the following URL with your web browser: https://couchbase_server:18091

To verify which certificate your cluster is currently using:

1. Select Security > Root Certificate.
   Note: Only the Full Administrator role can see the Root Certificate tab in the Couchbase Web Console UI.

   

2. The Root Certificate link shows that a self-signed certificate has been deployed across the cluster. This certificate can be regenerated or replaced using Encryption On-the-Wire API or CLI commands for managing certificates.

1. Connect to Couchbase Server through an encrypted port to communicate on a secure channel (18091 for REST HTTP or 18092 for CAPI HTTP).
2. Log in with the Full Administrator's name and password.
3. Once you are logged in, the URL shows a secure connection.

The following section shows an example URL of a secure connection using the Safari web browser.

If you would like to force Administrators to log in to the UI over an encrypted channel, you can disable the UI over the 8091 HTTP port, so that administrators can only access the administrative web console over port 18091.

curl -X POST -u Administrator:password http://127.0.0.1:8091/diag/eval \
            -d 'ns_config:set(disable_ui_over_http, true)'

curl -X POST -u Administrator:password http://127.0.0.1:8091/diag/eval \
            -d 'ns_config:set(disable_ui_over_http, false)'

Couchbase Server client libraries support client-side encryption using the SSL/TLS protocol by encrypting data in-flight between the client and the server. For Couchbase clients released after version 2.0, Couchbase Server provides secure client-server communication that does not require configuration.

When a TLS connection is established, a handshaking, known as the TLS Handshake Protocol, occurs. Within this handshake, a client hello (ClientHello) and a server hello (ServerHello) message are passed (RFC 5246). First, the client sends a cipher suite list, a list of the cipher suites that it supports, in order of preference. Then the server replies with the cipher suite that it has selected from the client cipher suite list. Check whether your clients support TLS.

The key-exchange algorithms like RSA and Elliptic Curve Cryptography (ECC) govern the way the server and client will determine which symmetric keys to use during a TLS session. The TLS protocol supports both RSA and ECC, however for Couchbase Server, it supports only RSA keys.

To enable SSL/TLS on the client side, you need to get a certificate from Couchbase Server and then follow the steps appropriate to the client you are using.

You can obtain a self-signed, server -generated certificate using the Couchbase Web Console. Navigate to Settings > Certificate > Show certificate and copy the certificate.

The following clients support SSL/TLS: Java, .NET, Node.js, PHP, Python, C, and Go.

A new port 18092 is established for view access: https://couchbase_server:18092

You can override this selection by setting the environment variable before starting Couchbase as follows:

COUCHBASE_SSL_CIPHER_LIST= <list of ciphers to accept>

Set the variable to COUCHBASE_SSL_CIPHER_LIST= MEDIUM, HIGH to include only medium- and high-security ciphers for your installation.

• SEED-SHA
• AES256-SHA
• AES128-SHA
• DES-CBC3-SHA
• RC4-SHA
• RC4-MD5