XDCR Data Security

XDCR Data Security

The data replicated between clusters can be encrypted in both uni-directional and bi-directional replications. Only the Full Administrator can manage XDCR data security settings.

When you use Secure Cross Datacenter Replication (XDCR), all traffic from the source and destination data centers will be encrypted. Encryption causes a slight increase in the CPU load since it requires additional CPU cycles.

Enable XDCR Data Security

To enable XDCR data security using SSL and create replication:

  1. On the destination cluster, navigate to Security > Root Certificate and copy the certificate.

    (Optional) To regenerate the existing destination certificate, click Regenerate before copying.

  2. In the source cluster, select the XDCR tab.
  3. In the Remote Clusters panel, click Create Cluster Reference to verify or create the cluster reference.
  4. Select the Enable TLS Encryption box and paste the certificate in the provided area and click Save.

  5. In the Ongoing Replications panel, click Create Replication, provide the cluster and bucket information, and click Replicate. If this is an existing replication that is simply enabling TLS the replication will automatically restart to enable the SSL communication. During restart XDCR will use the last check point of the replication stream.

Change XDCR Data Encryption

In some situations, such as updating SSL data security, the SSL certificate is regenerated, and the XDCR data encryption is updated. Only the Full Administrator can regenerate the SSL certificate to update XDCR data encryption.

To change XDCR data encryption:

  1. On the destination cluster, navigate to Settings > Cluster.
  2. Click Regenerate and copy the certificate.
  3. On the source cluster, select the XDCR tab.
  4. In the Remote Clusters panel, for the destination cluster, click Edit.
  5. Paste the regenerated certificate in the provided area and click Save. Anytime you regenerate the destination cluster’s certificate, update the corresponding source cluster(s) with that regenerated certificate.

    For example, if source clusters A, B, and C use XDCR data encryption to replicate to destination cluster D, update each of the source clusters whenever you regenerate the certificate on the destination cluster D.

Important: Replication will stop if you regenerate the destination cluster's certificate and don't update the source cluster(s) with the new certificate.

Use an SSL Certificate

As a security best practice, periodically rotate the XDCR certificates and also make sure that you instantiate a new certificate on the remote cluster.

The following example is a self-signed SSL/TLS certificate obtained on the cluster. Click Security > Root Certificate to reach the certificate.

XDCR Data Security Error Messages

When creating the cluster reference, if the SSL certificates are not the same on the destination and source clusters, the following error message displays: Attention - Got certificate mismatch while trying to send https request to HOST:18091

The SSL certificates can become mismatched, such as when the certificate on the destination cluster is regenerated, and the source cluster is not updated with the new certificate. In this case, vBucket replication stops and the following error message displays: Error replicating vbucket <bucketNumber>. Please see logs for details.