XDCR Data Security

XDCR traffic can be encrypted with TLS.

Enable XDCR Data Security

To enable XDCR data security, you must be appropriately authorized. For information, see Authorization.

Proceed as follows:

  1. On the destination cluster, navigate to Security > Root Certificate, and copy the certificate.

  2. On the source cluster, left-click on the XDCR tab. This brings up the XDCR Replications screen.

  3. Do one of the following:

    • To create a new cluster-reference, in the Remote Clusters panel, left-click on the Add Remote Cluster button, to the right. This brings up the Add Remote Cluster dialog.

    • To edit an existing cluster-reference, in the Remote Clusters panel, left-click on the Edit tab, at the right of the row of an existing cluster-reference. This brings up the Edit Remote Cluster dialog.

  4. In the dialog you have brought up, enter appropriate information for the Cluster Name, IP/Hostname, Username for Remote Cluster, and Password. Then, check the Enable TLS Encryption checkbox. When the dialog expands vertically, select one of the following encryption-options:

    • Half, which enables password encryption only.

    • Full, which enables password and data encryption.

    Paste the copied certificate into the pane at the bottom of the dialog.

    Left-click on the Save button.

  5. If you are adding a new cluster-reference, in the Ongoing Replications panel, click Add Replication, provide the cluster and bucket information, and click Replicate. This starts replication.

    Alternatively, if you are editing an existing replication, you do not have to take any further action: the existing replication automatically restarts, with TLS enabled. During restart, XDCR uses the last checkpoint of the replication stream.

Note that it is good practice to rotate XDCR certificates periodically and replace them with new ones.

XDCR Data Security Error-Messages

When creating the cluster reference, if certificates on the destination and source clusters are mismatched, the following error message is displayed: Attention - Got certificate mismatch while trying to send https request to HOST:18091.

If XDCR is underway, and stops due to a certificate mismatch, the following error message is displayed: Error replicating vbucket <bucketNumber>. Please see logs for details.
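
A pre-flight check for the mismatch described above, as an added example rather than Couchbase's own tooling: it performs a TLS handshake with the destination on port 18091 while trusting only the certificate copied from Security > Root Certificate, so a stale or wrong certificate is caught before the reference is saved or after a rotation. The function names and result strings are illustrative, and hostname verification is off by default on the assumption that node certificates may not list the name you dial.

```python
import socket
import ssl
import sys

XDCR_TLS_PORT = 18091  # port named in the certificate-mismatch error message


def build_pinned_context(root_pem: str, verify_hostname: bool = False) -> ssl.SSLContext:
    """Build a client context whose only trust anchor is the copied root certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # system CA store is not loaded
    # Assumption: node certificates may not list the name you dial, so only the
    # chain is checked unless verify_hostname=True is passed.
    ctx.check_hostname = verify_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cadata=root_pem)
    return ctx


def check_destination(host: str, root_pem: str, port: int = XDCR_TLS_PORT,
                      timeout: float = 5.0, verify_hostname: bool = False) -> str:
    """Return 'match', 'mismatch', 'invalid-certificate', 'tls-error' or 'unreachable'."""
    try:
        ctx = build_pinned_context(root_pem, verify_hostname)
    except (ssl.SSLError, ValueError, TypeError):
        return "invalid-certificate"  # paste is empty, truncated or not PEM
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "match"  # handshake verified against the copied root only
    except ssl.SSLCertVerificationError:
        return "mismatch"  # destination chain does not lead to the copied root
    except ssl.SSLError:
        return "tls-error"  # handshake failed for a reason other than trust
    except OSError:
        return "unreachable"  # refused, timed out or name did not resolve


if __name__ == "__main__":
    # Usage: python check_xdcr_cert.py DEST_HOST copied_root.pem
    with open(sys.argv[2], encoding="ascii") as fh:
        result = check_destination(sys.argv[1], fh.read())
    print(f"{sys.argv[1]}:{XDCR_TLS_PORT} -> {result}")
    sys.exit(0 if result == "match" else 1)
```

A "mismatch" result here corresponds to the condition that produces the certificate-mismatch message when the cluster reference is created.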