Managing XDCR Data Encryption

XDCR data encryption provides SSL encryption for data replication. Enterprise Edition only.

Description

The process for configuring XDCR with data encryption involves configuring the XDCR cluster reference with data encryption enabled, providing the SSL certificate, and configuring replication.

HTTP method and URI

The following summarizes the HTTP methods used for defining XDCR data encryption:

HTTP method   URI path                               Description
GET           /pools/default/remoteClusters          Gets the destination cluster reference
POST          /pools/default/remoteClusters          Creates a reference to the destination cluster
POST          /pools/default/remoteClusters/[Name]   Modifies the destination cluster reference
DELETE        /pools/default/remoteClusters/[Name]   Deletes the reference to the destination cluster

Retrieving certificates

To retrieve the destination cluster's SSL certificate for use on the source cluster, use the following HTTP method and URI:

HTTP method and URI

GET /pools/default/certificate

Syntax

curl http://[remoteHost]:[port]/pools/default/certificate

Example

curl http://remoteHost:8091/pools/default/certificate > ./remoteCert.pem

Regenerating certificates

To regenerate a certificate on a destination cluster, use the following HTTP method and URI:

HTTP method and URI

POST /controller/regenerateCertificate

Example

curl -X POST http://Administrator:asdasd@remoteHost:8091/controller/regenerateCertificate

Configuring XDCR with data encryption

A POST to /pools/default/remoteClusters creates the XDCR cluster reference from the source cluster to the destination cluster. Setting the demandEncryption parameter to one (1) and providing the certificate name and location enables data encryption.

HTTP method and URI

The following HTTP method and URI modifies the destination cluster reference.

PUT /pools/default/remoteClusters

Syntax

# name: remote cluster name
# hostname: FQDN of the remote host
# username, password: remote cluster Admin name and password
curl -X POST -u Admin:myPassword \
  http://localHost:port/pools/default/remoteClusters \
  -d 'name=<clusterName>' \
  -d 'hostname=<host>:<port>' \
  -d 'username=<adminName>' \
  -d 'password=<adminPassword>' \
  -d 'demandEncryption=[0|1]' \
  --data-urlencode "certificate=$(cat remoteCert.pem)"

Example

curl -X POST \
 -d 'name=remoteName' \
 -d 'hostname=10.3.4.187:8091' \
 -d 'username=remoteAdmin' -d 'password=remotePassword' \
 -d 'demandEncryption=1' --data-urlencode "certificate=$(cat remoteCert.pem)" \
 http://Administrator:asdasd@192.168.0.1:8091/pools/default/remoteClusters/
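
The retrieval example above fetches remoteCert.pem over plain HTTP, so nothing authenticates the file before it is supplied as the trusted certificate for the encrypted reference. The following added example (not part of the original documentation) gates the request on a SHA-256 fingerprint check; the function names, the SRC_* and REMOTE_* variables, and the assumption that the expected fingerprint came from the destination cluster's administrator over a separate channel are all hypothetical.

```shell
# Added example (not from the Couchbase documentation). Hypothetical names:
# cert_fingerprint, verify_remote_cert, create_encrypted_reference, and the
# SRC_* / REMOTE_* environment variables. Requires the openssl CLI.

# Print the lowercase hex SHA-256 fingerprint of the one certificate in a PEM
# file. Fails when the file holds zero or several certificates, or is unparseable.
cert_fingerprint() {
  local pem="$1" count out
  count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$pem" 2>/dev/null) || return 1
  [ "$count" -eq 1 ] || return 1
  out=$(openssl x509 -in "$pem" -noout -fingerprint -sha256 2>/dev/null) || return 1
  printf '%s\n' "${out#*=}" | tr -d ':' | tr 'A-F' 'a-f'
}

# Succeed only if the file matches the fingerprint that the destination
# cluster's administrator supplied over a separate trusted channel (assumption).
verify_remote_cert() {
  local pem="$1" expected actual
  expected=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
  actual=$(cert_fingerprint "$pem") || return 1
  [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Send the same request as the page's example, but only after the
# certificate has been verified.
create_encrypted_reference() {
  local pem="$1" expected="$2"
  if ! verify_remote_cert "$pem" "$expected"; then
    echo "remote certificate does not match expected fingerprint" >&2
    return 1
  fi
  curl -X POST -u "$SRC_ADMIN:$SRC_PASSWORD" \
    "http://$SRC_HOST:8091/pools/default/remoteClusters" \
    -d "name=$REMOTE_NAME" -d "hostname=$REMOTE_HOST:8091" \
    -d "username=$REMOTE_ADMIN" -d "password=$REMOTE_PASSWORD" \
    -d 'demandEncryption=1' --data-urlencode "certificate=$(cat "$pem")"
}
```

The expected fingerprint may be given with or without colons and in either case; an empty value is always rejected.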

Disabling data encryption

To modify the XDCR configuration so that SSL data encryption is disabled, execute a PUT from the source cluster to the destination cluster with demandEncryption=0.

HTTP method and URI

PUT /pools/default/remoteClusters

Example

curl -X PUT -u myAdmin:myPassword \
  http://192.168.0.1:8091/pools/default/remoteClusters/ \
  -d 'name=remoteName' \
  -d 'hostname=10.3.4.187:8091' \
  -d 'username=remoteAdmin' -d 'password=remotePassword' \
  -d 'demandEncryption=0'