{"id":14913,"date":"2023-10-17T20:14:16","date_gmt":"2023-10-18T03:14:16","guid":{"rendered":"https:\/\/www.couchbase.com\/blog\/?p=14913"},"modified":"2023-10-23T11:05:30","modified_gmt":"2023-10-23T18:05:30","slug":"securing-couchbase-with-tls-certificates-part-3","status":"publish","type":"post","link":"https:\/\/www.couchbase.com\/blog\/securing-couchbase-with-tls-certificates-part-3\/","title":{"rendered":"Securing Communication with TLS Certificates: A Definitive Guide for Couchbase Server (Part 3 of 3)"},"content":{"rendered":"

Understanding TLS within Couchbase Server<\/span><\/h2>\n

In Part 1<\/a> and Part 2<\/a> of this guide, we explained the history of TLS, the components involved and how it works. In this final 3rd part of the guide we combine this all together and learn how TLS works in Couchbase Server.<\/span><\/p>\n

Couchbase Cluster Certificates<\/span><\/h3>\n

\"\"<\/p>\n

In Couchbase Server, a cluster certificate ties everything to one or more trusted Certificate Authorities (CAs); it does not directly handle the database encryption. Instead, it establishes a chain of trust for the per-node certificates within the cluster.\u00a0<\/span><\/p>\n

All relying parties in Couchbase Server deployment must have the Cluster Certificate installed and trusted. Just like the previous example with the web browser having trusted root CAs, in a Couchbase deployment each Couchbase Server Node and connecting application using one of the SDKs must trust the Cluster Certificate. It is also imported into additional Couchbase Server Clusters that use the cross-datacenter replication (XDCR) feature to replicate data between the clusters securely.<\/span><\/p>\n

In Couchbase Capella, our Database as a Service (DBaaS) offering, all clusters actually use the same certificate authority, and hence all use the same Cluster Certificate. And, starting in early 2022, all official Couchbase SDKs released since have included, by default, automatic trusting of the Capella Cluster Certificate.<\/span><\/p>\n

Node Certificates for Network Encryption<\/span><\/h3>\n

Node Certificates and the per-node private keys are the primary component responsible for network encryption in Couchbase Server. The Node Certificates are created by a trusted Certificate Authority (CA) and are signed by the CA\u2019s Private Key (aka the Private Key associated with the Cluster Public Key\/Cert).<\/span><\/p>\n

Here\u2019s the creation process for a Couchbase Node Certificate.<\/span><\/p>\n

    \n
  1. \n
      \n
    1. A Certificate Signing Request (CSR) is requested to the Certificate Authority with an embedded Node\u2019s Public Key.<\/span><\/li>\n
    2. The Node\u2019s Certificate is created, including the embedded Node Public Key and this is signed using the Cluster Private Key on the CA system itself.<\/span><\/li>\n
    3. The Node Certificate is then provided back to the requestor.<\/span><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n

      \"\"<\/p>\n

      These certificates facilitate secure communication between Couchbase server nodes and enable encrypted connectivity with individual Couchbase server nodes from SDKs. Key points regarding node certificates include:<\/span><\/p>\n

      Node-to-node encryption<\/strong>: Node certificates secure the communication channels between Couchbase server nodes, safeguarding data as it travels within the cluster.<\/span><\/p>\n

      SDK connectivity<\/strong>: When SDKs connect to individual Couchbase server nodes, node certificates ensure that the communication is encrypted, maintaining data confidentiality.<\/span><\/p>\n

      Admin GUI access over HTTPS<\/strong>: By utilizing the node certificate, administrators can securely access the Couchbase Server’s graphical user interface (GUI) through HTTPS.<\/span><\/p>\n

      \"\"<\/p>\n

      If we look at an example of how a SDK makes an encrypted connection to a Couchbase Server node, you\u2019ll see the various components at work. I\u2019ve intentionally left out some detail, to keep it somewhat simple.<\/span><\/p>\n

      \"\"<\/p>\n

      \"\"<\/p>\n

      \"\"<\/p>\n

      The SDK will perform these steps with each Couchbase Server Node across the cluster it establishes a TLS connection with.<\/span><\/p>\n

      Example of setting up TLS in Couchbase Server<\/span><\/h2>\n

      In this section we\u2019ll setup TLS network encryption on a 3 node Couchbase Server cluster, running version 7.2.0 on Linux hosts. There\u2019s also a 4th Linux host used as the Certificate Authority.\u00a0<\/span><\/p>\n

      Cluster Private Key + Certificate<\/span><\/h3>\n

      Login to the Certificate Authority host, this is where we\u2019ll create the cluster certificate.<\/span><\/p>\n

      This is just a Linux host that has a current version of OpenSSL installed.\u00a0<\/span><\/p>\n

      First we\u2019ll create a Couchbase template file that will be used later on for the per-node certificates.<\/span><\/p>\n\n\n\n\n
      Command (no output)<\/strong><\/td>\n<\/tr>\n
      \n
      cat > cbserver.ext <<EOF\r\nbasicConstraints=CA:FALSE\r\nsubjectKeyIdentifier = hash\r\nauthorityKeyIdentifier = keyid,issuer:always\r\nextendedKeyUsage=serverAuth\r\nkeyUsage = digitalSignature,keyEncipherment\r\nEOF<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
      The next step will be to create the encrypted Cluster Private Key, named cluster_private.key.<\/em><\/span><\/p>\n
      Run the following command, you will be prompted for a passphrase to encrypt this key.\u00a0<\/span><\/p>\n
      The private key will be PKCS8 (PKCS #8) format and encrypted with the very secure 265 bit <\/span>Advanced Encryption Standard<\/b> (<\/span>AES<\/b>).<\/span><\/p>\n\n\n\n\n\n\n
      Command<\/strong><\/td>\n<\/tr>\n
      \n
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes256 -out cluster_private.key<\/pre>\n<\/td>\n<\/tr>\n
      Output<\/strong><\/td>\n<\/tr>\n
      \n
      .................................................+++++\r\n....+++++\r\nEnter PEM pass phrase:\r\nVerifying - Enter PEM pass phrase:<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
      You can validate it is an encrypted private key, by looking at the start of the file.<\/p>\n\n\n\n\n\n\n
      Command<\/strong><\/td>\n<\/tr>\n
      \n
      head cluster_private.key<\/pre>\n<\/td>\n<\/tr>\n
      Output<\/strong><\/td>\n<\/tr>\n
      \n
      -----BEGIN ENCRYPTED PRIVATE KEY-----\r\nMIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQI7V+8dCGg42oCAggA\r\nMAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBAvcj4Z3cB\/j2gIudgzhRgSBIIE\r\n0HFbApMtub0oadBYkx7RHPxd4jpILoTJ2nwqYtn79r\/fCf1KwwwcWAd6vXOC0EeH\r\n0acalU4ZfMF756CafORL7mfnB7VIw2ht5ObsUpCiYu9cIh8tHK2bipIELKMKfCT3\r\nljxjOn\/AEZIqWy6RmwV375Ri3RONBT+czGIs4FXUA8TY\/ZHlOw46yYxpxPefkRLU\r\nH9bfcg8RLqPKfeAOprisHNhmoch0MuU0gS6U0Lt+KvNDWNylIQba94q36FQIE3YW\r\nOVlHkgB2\/YCx9BR\/ZnWlIK6I\/ZrN6Z4u\/n9hFY\/oYrxj4RIorvJyjeSq52XzVrPd\r\n1bTeZob\/MJomNhyeW0SYbUsRV\/40N11wzx5tkSftuP8zs9MzP36qspDq56rl3W5H\r\ngrKM7c9Dn+BLQbHz4158Wxaxz2CzTsn5IT5Q6BP27StrTGMYeHSAX32D+s313kPw<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
      Now we\u2019ll create the cluster certificate in the PEM x.509 format. In our case the certificate is intended to be self-signed, meaning that it will not be vouched for by any other authority. This means that it can be created directly, based on the existing private key ca.key<\/em>, without assistance from a third party.<\/span><\/p>\n
      When we create the cluster certificate, valid for 3650 days (10 years), it will have a cluster public key embedded into the certificate which is the corresponding pair of the cluster_private.key<\/em> made earlier. You will need to provide the passphrase you entered earlier to now decrypt the private key for this command.<\/span><\/p>\n\n\n\n\n\n\n
      Command<\/strong><\/td>\n<\/tr>\n
      \n
      openssl req -new -x509 -days 3650 -sha256 -key cluster_private.key -out cluster_cert.pem -subj \"\/CN=Couchbase Root CA\"<\/pre>\n<\/td>\n<\/tr>\n
      Output<\/strong><\/td>\n<\/tr>\n
      \n
      Enter pass phrase for cluster_private.key:<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
      Now we can print out the contents of the new cert file (and also see the public key).<\/span><\/p>\n\n\n\n\n\n\n
      Command<\/strong><\/td>\n<\/tr>\n
      \n
      openssl x509 -text -noout -in .\/cluster_cert.pem<\/pre>\n<\/td>\n<\/tr>\n
      Output<\/strong><\/td>\n<\/tr>\n
      \n
      Certificate:\r\n\u00a0\u00a0\u00a0\u00a0Data:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Version: 3 (0x2)\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Serial Number:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a07e:a6:19:80:11:8c:b2:12:cc:86:91:bd:9b:df:f1:2f:75:ef:50:07\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Signature Algorithm: sha256WithRSAEncryption\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Issuer: CN = Couchbase Root CA\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Validity\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Not Before: Jul 26 12:26:06 2023 GMT\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Not After : Jul 23 12:26:06 2033 GMT\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Subject: CN = Couchbase Root CA\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Subject Public Key Info:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Public Key Algorithm: rsaEncryption\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0RSA Public-Key: (2048 bit)\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Modulus:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a000:a6:51:f9:d5:6f:40:06:b3:b5:5b:55:b5:a0:82:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a02a:73:7a:0d:a8:02:1f:82:24:ed:c7:99:51:0a:d9:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0f8:09:08:0e:24:e0:34:fe:ef:0f:53:dd:27:19:af:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0a1:0d:78:14:03:3e:26:2e:c0:44:35:fb:c7:84:57:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ad:66:be:95:d4:53:71:8c:24:30:26:46:6e:03:b9:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0b9:e9:b1:a1:fa:f9:7f:bd:88:f8:03:3e:20:dc:3a:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a029:dd:0d:2c:a3:0b:8e:22:46:49:ca:56:dc:b7:17:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0f9:87:12:d2:df:80:b8:35:df:19:4f:0d:f4:b2:9d:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a002:9e:2c:59:e4:25:98:05:85:cd:e8:64:04:43:1f:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a079:35:fb:ae:8b:e8:cd:16:24:68:90:9f:32:d5:d3:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a05f:b0:11:82:3f:a3:7a:83:d8:e2:c5:92:a5:ef:8f:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0e2:4e:b2:8f:c1:27:04:92:3c:6d:50:88:82:5b:73:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0e8:17:7b:03:c7:f3:98:71:dd:99:ed:84:f9:37:3a:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a067:79:d3:fa:6a:a4:2e:69:25:a1:2c:79:39:40:e5:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a051:2c:57:02:be:c0:d6:43:7f:d5:ce:c9:cb:ee:68:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0a6:ad:13:17:22:d1:16:8b:08:17:ba:25:80:ce:9a:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0e8:a5:fc:e9:93:47:c5:a4:70:95:eb:3b:80:39:e7:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a094:af\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Exponent: 65537 (0x10001)\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0X509v3 extensions:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0X509v3 Subject Key Identifier:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a018:D1:3E:58:0C:99:3D:6D:D4:EB:1A:D5:2F:43:69:89:8C:C0:A3:87\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0X509v3 Authority Key Identifier:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0keyid:18:D1:3E:58:0C:99:3D:6D:D4:EB:1A:D5:2F:43:69:89:8C:C0:A3:87\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0X509v3 Basic Constraints: critical\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0CA:TRUE\r\n\u00a0\u00a0\u00a0\u00a0Signature Algorithm: sha256WithRSAEncryption\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a03f:af:bb:c9:b9:89:82:78:fe:99:e6:49:fe:7b:8d:c4:67:f4:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a062:ff:f7:6d:46:9f:75:17:9e:56:8c:c4:06:71:95:a1:6c:cd:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0d6:ae:06:dd:3f:28:ce:3b:ea:bb:1b:4b:21:26:6b:85:48:5b:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a043:c8:9c:10:ac:3d:4c:e2:62:69:8d:45:9a:5d:f0:d5:14:b7:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a021:9e:00:9a:53:50:22:42:c7:1f:ad:80:68:dd:f3:69:89:9d:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a068:3e:37:62:69:c1:28:62:5a:08:91:98:96:49:64:8b:cc:01:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a04c:7a:cf:c3:ff:cf:04:86:85:fb:2b:cf:ed:89:6c:15:ba:f7:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a08f:03:cb:af:50:f7:10:35:93:3d:29:09:bf:a5:e3:0b:d2:18:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0a2:7b:84:db:40:8a:b7:42:82:1b:ac:c8:8c:f0:d7:4f:45:de:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0b8:76:80:04:66:9b:3f:ed:e9:23:d5:52:51:9a:f8:cc:ad:1a:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a067:8f:a9:d7:45:3f:2a:07:89:5c:7b:fa:b5:73:f5:b0:4d:8d:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0d2:32:66:20:18:30:2e:d1:3e:cb:02:b3:4b:26:6e:25:20:83:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0f6:5b:a9:e8:fd:e2:d5:90:bc:16:65:6d:f9:de:9c:c0:e4:07:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a000:cb:e9:4b:9c:b4:fa:4c:79:c3:2f:3a:e7:e8:43:75:fc:b7:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a051:a5:16:ce<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
      Now we have the Cluster Certificate (cluster_cert.pem<\/em>), this file needs to be copied to every Couchbase Server Node in the cluster. It also needs to be added to every application where the SDKs operate from as well as any hosts where admins access the UI such as an administrator\u2019s laptop. It\u2019s not a sensitive file and only contains public information.<\/span><\/p>\n
      Node Private Key + CSR<\/span><\/h3>\n
      The steps in this section will need to be repeated for each Couchbase Server Node:<\/span><\/p>\n