XDCR Data Security
The data replicated between clusters can be encrypted in both uni-directional and bi-directional replications. Only the Full Administrator can manage XDCR data security settings.
When you use Secure Cross Datacenter Replication (XDCR), all traffic from the source and destination data centers will be encrypted. Encryption causes a slight increase in the CPU load since it requires additional CPU cycles.
Enable XDCR Data Security
To enable XDCR data security using SSL and create replication:
- On the destination cluster, navigate to
(Optional) To regenerate the existing destination certificate, click Regenerate before copying.
and copy the certificate.
- In the source cluster, select the XDCR tab.
- In the Remote Clusters panel, click Create Cluster Reference to verify or create the cluster reference.
- Select the Enable TLS Encryption box and paste the certificate in the provided area and click Save.
- In the Ongoing Replications panel, click Create Replication, provide the cluster and bucket information, and click Replicate. If this is an existing replication that is simply enabling TLS the replication will automatically restart to enable the SSL communication. During restart XDCR will use the last check point of the replication stream.
Change XDCR Data Encryption
In some situations, such as updating SSL data security, the SSL certificate is regenerated, and the XDCR data encryption is updated. Only the Full Administrator can regenerate the SSL certificate to update XDCR data encryption.
To change XDCR data encryption:
- On the destination cluster, navigate to .
- Click Regenerate and copy the certificate.
- On the source cluster, select the XDCR tab.
- In the Remote Clusters panel, for the destination cluster, click Edit.
- Paste the regenerated certificate in the provided area and click Save. Anytime you regenerate the destination cluster’s certificate, update the corresponding source cluster(s) with that regenerated certificate.
For example, if source clusters A, B, and C use XDCR data encryption to replicate to destination cluster D, update each of the source clusters whenever you regenerate the certificate on the destination cluster D.
Use an SSL Certificate
As a security best practice, periodically rotate the XDCR certificates and also make sure that you instantiate a new certificate on the remote cluster.
The following example is a self-signed SSL/TLS certificate obtained on the cluster. Clickto reach the certificate.
XDCR Data Security Error Messages
When creating the cluster reference, if the SSL certificates are not the same on the destination and source clusters, the following error message displays: Attention - Got certificate mismatch while trying to send https request to HOST:18091
The SSL certificates can become mismatched, such as when the certificate on the destination cluster is regenerated, and the source cluster is not updated with the new certificate. In this case, vBucket replication stops and the following error message displays: Error replicating vbucket <bucketNumber>. Please see logs for details.