ssl-manage

Couchbase Server uses its self-signed certificates or X.509 certificates for Secure Sockets Layer (SSL) authentication and data encryption.

Syntax

To manage a cluster certificate, use:

couchbase-cli ssl-manage -c [host]:8091 -u [admin] -p [password] [options]

To manage a node certificate, use:

couchbase-cli ssl-manage -c <node-name>:8091 -u [admin] -p [password] [options]

Description

Retrieve an SSL certificate for XDCR data encryption in a secure manner, such as with ssh and scp. For example:

  1. Use a secure method to log in to a node on the destination cluster. For example: ssh.
  2. Retrieve the certificate with the couchbase-cli ssl-manage command.
  3. Use a secure method to transfer the certificate from the destination cluster to the source cluster. For example: scp.
  4. Proceed with setting up XDCR with SSL data encryption.

Options

The following are the command options:

Table 1. ssl-manage command options

Option                          Description
--cluster-cert-info             Prints the current cluster certificate information.
--node-cert-info                Prints the current node certificate information.
--retrieve-cert=CERTIFICATE     Retrieves a cluster certificate and saves it to a .pem file. For example, --retrieve-cert=./newCert.pem.
--regenerate-cert=CERTIFICATE   Regenerates a cluster certificate and saves it to a .pem file. For example, --regenerate-cert=./newRegen.pem.
--set-node-certificate          Sets the new node certificate.
--upload-cluster-ca=[path to pem-encoded root certificate]   Uploads a new cluster certificate to the location where there is an existing PEM-encoded certificate.

Examples

CLI for Managing Self-Signed Certificates

Retrieve an existing certificate

couchbase-cli ssl-manage -c 192.168.0.1:8091 -u Administrator -p password \
       --retrieve-cert=./newCert.pem

An example output from a successful certificate retrieval:

SUCCESS: retrieve certificate to './newCert.pem'
      Certificate matches what is seen on GUI

Regenerate a certificate

couchbase-cli ssl-manage -c 192.168.0.1:8091 -u Administrator -p password \
       --regenerate-cert=./newRegen.pem

An example output from a successful certificate regeneration:

SUCCESS: regenerate certificate to './newRegen.pem'

Regenerate and download a cluster certificate

couchbase-cli ssl-manage -c 192.168.0.1:8091 -u Administrator -p password \
       --regenerate-cert=/tmp/test.pem

SUCCESS: regenerate certificate to '/tmp/test.pem'

If you configured the Couchbase cluster to use X.509 certificates and want to go back to self-signed certificates, regenerate the self-signed cluster certificate (test.pem in this example).

CLI for Managing X.509 Certificates

Upload a cluster CA certificate

couchbase-cli ssl-manage -c 192.168.0.1:8091 -u Administrator -p password \
        --upload-cluster-ca=./root/ca.pem

Retrieve a cluster certificate and view it

couchbase-cli ssl-manage -c 192.168.0.1:8091 -u Administrator -p password \
        --retrieve-cert=/tmp/test.pem

couchbase-cli ssl-manage -c testNode:8091 -u Administrator -p password \
        --cluster-cert-info

View the extended cluster certificate

couchbase-cli ssl-manage -c 192.168.0.1:8091 -u Administrator -p password \
        --cluster-cert-info --extended

{
     "cert": {
      "pem": "-----BEGIN CERTIFICATE-----\n[certificate body omitted]\n-----END CERTIFICATE-----\n",
      "type": "generated"
     },
     "warnings": []
}
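
The check below is an added example, not part of the original page or of Couchbase's own tooling: after the transfer described under Description, it compares the certificate reported by --cluster-cert-info --extended with the transferred .pem file by SHA-256 fingerprint. The function names and sample data are constructed for illustration, and the sample PEM wraps placeholder bytes rather than a real certificate.

```python
import hashlib
import json
import ssl

# Constructed sample data: placeholder bytes wrapped as PEM, not a real certificate.
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate " * 4
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
# Shaped like the --cluster-cert-info --extended output shown above.
SAMPLE_INFO = json.dumps(
    {"cert": {"pem": SAMPLE_PEM, "type": "generated"}, "warnings": []}
)


def pem_fingerprint(pem_text):
    """SHA-256 of the decoded certificate bytes.

    Hashing the decoded bytes instead of the file means CRLF line endings or
    re-wrapped base64 introduced during transfer do not cause a false mismatch.
    """
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())
    return hashlib.sha256(der).hexdigest()


def check_transferred_cert(cert_info_json, transferred_pem):
    """Compare the certificate the cluster reports with the transferred copy."""
    info = json.loads(cert_info_json)
    cert = info["cert"]
    reported = pem_fingerprint(cert["pem"])
    return {
        "type": cert.get("type"),              # "generated" in the page's output
        "warnings": info.get("warnings", []),  # empty list in the page's output
        "fingerprint": reported,
        "matches": reported == pem_fingerprint(transferred_pem),
    }


if __name__ == "__main__":
    # Same certificate with Windows line endings: still a match.
    print(check_transferred_cert(SAMPLE_INFO, SAMPLE_PEM.replace("\n", "\r\n")))
    # A different certificate at the same path: reported as a mismatch.
    other = ssl.DER_cert_to_PEM_cert(SAMPLE_DER + b"!")
    print(check_transferred_cert(SAMPLE_INFO, other)["matches"])
```

In practice, pass the saved output of the --cluster-cert-info --extended command and the contents of the transferred .pem file in place of the constructed samples.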
            
Set the new node certificate

couchbase-cli ssl-manage -c testNode:8091 -u Administrator -p password \
        --set-node-certificate

The node certificate can be set only after a cluster certificate has been set.

View the current node certificate

couchbase-cli ssl-manage -c testNode:8091 -u Administrator -p password \
        --node-cert-info