XDCR Security

XDCR security is configurable

Overview

By default, XDCR uses the Simple Authentication and Security Layer (SASL) framework to determine how the username and password are sent: either as plain text, or as encrypted by one of the members of the Salted Challenge Response Authentication Mechanism (SCRAM) family of hash functions, namely SCRAM-SHA1, SCRAM-SHA256, and SCRAM-SHA512. Data is sent in plain text. No certificate management is required by this default handling.

See Password-Based Authentication for more information on the SASL framework. Note that if the credentials received by the target cluster require authentication by an LDAP server, the target cluster communicates with the LDAP server in plain text, using saslauthd. This is described in Setting Up saslauthd.

Beyond this default, XDCR traffic can be protected by enabling TLS encryption.

Enabling TLS Encryption

Optionally, encryption can be applied per replication, via TLS certificates. See Authorization for details on the roles that permit this activity. Then, proceed as follows:

  1. On the destination cluster, navigate to Security > Root Certificate, and copy the certificate.

  2. On the source cluster, left-click on the XDCR tab. This brings up the XDCR Replications screen.

  3. Do one of the following:

    • To create a new cluster-reference, in the Remote Clusters panel, left-click on the Add Remote Cluster button, to the right. This brings up the Add Remote Cluster dialog.

    • To edit an existing cluster-reference, in the Remote Clusters panel, left-click on the Edit tab, at the right of the row of an existing cluster-reference. This brings up the Edit Remote Cluster dialog.

  4. In the dialog you have brought up, enter appropriate information for the Cluster Name, IP/Hostname, Username for Remote Cluster, and Password. Then, check the Enable TLS Encryption checkbox. When the dialog expands vertically, select one of the following encryption-options:

    • Half, which enables password encryption only.

    • Full, which enables password and data encryption.

    Paste the copied certificate into the pane at the bottom of the dialog. The appearance of the dialog is now approximately as follows:

    Left-click on the Save button.

  5. If you are adding a new cluster-reference, in the Ongoing Replications panel, click Add Replication, provide the cluster and bucket information, and click Replicate. This starts replication.

    Alternatively, if you are editing an existing replication, you do not have to take any further action: the existing replication automatically restarts, with TLS enabled. During restart, XDCR uses the last checkpoint of the replication stream.

Note that it is good practice to rotate XDCR certificates periodically, replacing them with newly issued ones.
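The UI steps above can also be driven from a script, which is how teams usually handle periodic certificate rotation across many cluster references. The following is an added example written for this page, not Couchbase's own code: it builds the same remote-cluster definition as steps 3 and 4 for the Couchbase REST endpoint `POST /pools/default/remoteClusters` (the parameter names `demandEncryption`, `encryptionType` and `certificate`, and the `GET /pools/default/certificate` endpoint used to read a cluster's root certificate, are assumed from the Couchbase REST API, not taken from this page), and it first checks that the certificate you pasted is byte-for-byte the one the destination actually serves, which is the condition behind the "certificate mismatch" error described below. Hostnames and credentials are placeholders, and the PEM blocks are constructed stand-ins whose bodies are arbitrary bytes rather than real X.509 data, so the checks run offline.

```python
import base64
import hashlib
import os
import re
import ssl
import urllib.parse
import urllib.request

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_from_der(der: bytes) -> str:
    """Wrap DER bytes as a PEM certificate block with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed stand-ins for a destination cluster's root certificate (arbitrary
# bytes, not real X.509 data) so the checks below run without any cluster.
DEST_ROOT_PEM = pem_from_der(b"constructed destination root certificate bytes")
STALE_ROOT_PEM = pem_from_der(b"constructed certificate from before rotation")


def pem_to_der(pem: str) -> bytes:
    """Extract the first certificate block, tolerating re-wrapped lines and CRLF
    (the usual damage from copying a certificate out of a web page)."""
    match = PEM_BLOCK.search(pem)
    if not match:
        raise ValueError("no PEM certificate block found")
    body = "".join(match.group(1).split())  # drop all whitespace, whatever the wrapping
    return base64.b64decode(body, validate=True)


def cert_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint of the certificate's DER encoding, as lowercase hex."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def certificates_match(pasted_pem: str, served_pem: str) -> bool:
    """True when the pasted certificate is exactly the one the destination serves;
    False means the cluster reference would fail with a certificate mismatch."""
    return cert_fingerprint(pasted_pem) == cert_fingerprint(served_pem)


def remote_cluster_form(name, hostname, username, password, encryption, certificate_pem=None):
    """Form body for POST /pools/default/remoteClusters (assumed parameter names).
    encryption is None (no TLS), 'half' (credentials only) or 'full' (credentials and data)."""
    form = {"name": name, "hostname": hostname, "username": username, "password": password}
    if encryption is None:
        form["demandEncryption"] = "0"
        return form
    if encryption not in ("half", "full"):
        raise ValueError("encryption must be None, 'half' or 'full'")
    if certificate_pem is None:
        raise ValueError("a destination root certificate is required when TLS is enabled")
    pem_to_der(certificate_pem)  # fail early on a truncated or garbled paste
    form["demandEncryption"] = "1"
    form["encryptionType"] = encryption
    form["certificate"] = certificate_pem
    return form


def _admin_request(url, username, password, form=None, cafile=None):
    """Minimal authenticated request to the cluster manager; POST when a form is given."""
    data = urllib.parse.urlencode(form).encode() if form is not None else None
    req = urllib.request.Request(url, data=data)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context(cafile=cafile) if url.startswith("https") else None
    with urllib.request.urlopen(req, timeout=30, context=ctx) as resp:
        return resp.read().decode()


def fetch_root_certificate(host, username, password, port=8091):
    """Read the root certificate a cluster currently serves (assumed endpoint)."""
    return _admin_request(f"http://{host}:{port}/pools/default/certificate", username, password)


def create_remote_cluster(source_host, admin_user, admin_pass, form):
    """Create the cluster reference on the source cluster, as in steps 3 and 4."""
    url = f"http://{source_host}:8091/pools/default/remoteClusters"
    return _admin_request(url, admin_user, admin_pass, form)


if __name__ == "__main__":
    # Placeholder hosts and credentials (not from the page); override via environment.
    dest = os.environ.get("XDCR_DEST_HOST", "dest.example.internal")
    src = os.environ.get("XDCR_SRC_HOST", "src.example.internal")
    user, pw = os.environ.get("CB_USER", "Administrator"), os.environ.get("CB_PASS", "password")
    with open(os.environ.get("XDCR_CERT_FILE", "dest-root.pem")) as fh:
        pasted = fh.read()
    if not certificates_match(pasted, fetch_root_certificate(dest, user, pw)):
        raise SystemExit("pasted certificate does not match what the destination serves")
    print(create_remote_cluster(src, user, pw, remote_cluster_form("dc2", dest, user, pw, "full", pasted)))
```

The pre-flight comparison is the part worth keeping after a rotation: it fails before the reference is created rather than after replication has already been restarted against a stale certificate. When the admin port is reached over TLS (18091), pass the destination's root certificate as `cafile` so the fetch itself is verified.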

XDCR Security Error-Messages

When creating the cluster reference, if certificates on the destination and source clusters are mismatched, the following error message is displayed: Attention - Got certificate mismatch while trying to send https request to HOST:18091.

If XDCR is underway, and stops due to a certificate mismatch, the following error message is displayed: Error replicating vbucket <bucketNumber>. Please see logs for details.