SSL connection issue for Couchbase Server 6.6

Hi,
I am using Couchbase Server 6.6 and I am going to set up an SSL connection.
The guys gave me a certificate and password, but I always get the error:
ConfigurationException: Could not open bucket.

My working code without SSL is

public Bucket marketDataBucket() {
    Cluster cluster = couchbaseCluster();
    Bucket bucket = cluster.openBucket("MyBucket");
    return bucket;
}

public CouchbaseEnvironment couchbaseEnvironment() {
    return DefaultCouchbaseEnvironment.builder().build();
}

public Cluster couchbaseCluster() {
    return CouchbaseCluster.create(couchbaseEnvironment(), "couchbase://xxx-yyy-zzz")
        .authenticate("test", "test");
}

Code with SSL

public Bucket marketDataBucket() {
    Cluster cluster = couchbaseCluster();
    Bucket bucket = cluster.openBucket("MyBucket");
    return bucket;
}

public CouchbaseEnvironment couchbaseEnvironment() {
    return DefaultCouchbaseEnvironment.builder()
        .sslEnabled(true)
        .sslKeystoreFile("C:/Dev/certificate/cert.pfx")
        .sslKeystorePassword("Password")
        .build();
}

public Cluster couchbaseCluster() {
    return CouchbaseCluster.create(couchbaseEnvironment(), "couchbase://xxx-yyy-zzz");
}

I also tried the following code

public Bucket marketDataBucket() {
    Cluster cluster = couchbaseCluster();
    Bucket bucket = cluster.openBucket("MyBucket");
    return bucket;
}

public CouchbaseEnvironment couchbaseEnvironment() {
    return DefaultCouchbaseEnvironment.builder()
        .sslEnabled(true)
        .certAuthEnabled(true)
        .sslKeystoreFile("C:/Dev/certificate/cert.pfx")
        .sslKeystorePassword("Password")
        .build();
}

public Cluster couchbaseCluster() {
    return CouchbaseCluster.create(couchbaseEnvironment(), "couchbase://xxx-yyy-zzz")
        .authenticate(CertAuthenticator.INSTANCE);
}

However, the situation is the same.

I also created test_cert.pfx like this:
Couchbase > Security > Root certificate
Copied the certificate and added it to my keystore.
I used it in my code instead of cert.pfx but I have the same issue:
ConfigurationException: Could not open bucket.

I could not find any examples for Couchbase Server 6.6 to check what I did wrong.
Maybe somebody knows how to fix my issue?

That code configures the SDK’s keystore, which is used for Client Certificate Authentication, also known as Mutual TLS (mTLS). That’s not what you want.

Try this instead:

// Configure which certificates the SDK trusts
.sslTruststoreFile("C:/Dev/certificate/cert.pfx")
.sslTruststorePassword("Password")            

Thanks,
David

By the way, Couchbase Java SDK 2.x is no longer maintained. If you can, please upgrade to SDK 3.x as soon as possible.

Thanks,
David

Hi David,
thanks for your answers.
I tried to use your approach

.sslTruststoreFile("C:/Dev/certificate/cert.pfx")
.sslTruststorePassword("Password")   

in different ways.
However, the result is the same :frowning:

I am going to use Java SDK 3.x. Do you maybe know which 3.x will work fine with Couchbase Server 6.6?

Any version of SDK 3 should work. I’d recommend the latest. See Compatibility | Couchbase Docs

While you’re thinking about upgrades, note that Couchbase Server 6.6 has already reached “end of maintenance”, and will reach “end of life” in October 2023. Reference: Enterprise Software Support Policy | Couchbase

With a recent version of SDK 3, it’s no longer necessary to put the trusted certificate in a pfx file. Instead, you can just copy the certificate from “Couchbase > Security > Root certificate” into a file, and point the SDK at that file. Example: Use Certificate in JAVA SDK - #3 by david.nault

Thanks,
David

I wrote the following code and it works :slight_smile:
However, I have a question. How can I get rid of clusterOptions("test", "test")?
As I understood, if I use a certificate then I should not use my credentials “test”, “test” which I used before. Am I right?

public ClusterEnvironment couchbaseEnvironment() {
    return ClusterEnvironment.builder()
        .securityConfig(SecurityConfig
            .enableTls(true)
            .trustStore(Paths.get("C:/Dev/certificate/cert.pfx"), "Password", Optional.empty()))
        .build();
}

public Cluster couchbaseCluster() {
    Cluster cluster = Cluster.connect("couchbase://xxx-yyy-zzz",
        ClusterOptions.clusterOptions("test", "test")
            .environment(couchbaseEnvironment()));

    return cluster;
}

As I understood If I use certificate then I should not use my credential “test”, “test” which I used before. Am I right ?

Guys gave certificate and password

I would ask the guys who gave you the certificate, “Is this a Certificate Authority (CA) certificate, or a client certificate for Mutual TLS (mTLS)?”

If it’s a CA certificate, then you should continue using username and password.

If it’s a client certificate for mTLS, then I’ve misunderstood the problem and given you bad advice :slight_smile:
The way to use a client certificate is documented here: Authentication | Couchbase Docs

Thanks,
David
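
One way to answer that question locally, as an added example that is not part of the original posts: a small JDK-only program that lists what a PKCS#12 file such as cert.pfx contains. The class name InspectPkcs12 and the command-line arguments are assumptions made for this example.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example: tells a CA/trust bundle from a client identity in a .pfx file.
public class InspectPkcs12 {
    // Classify one keystore entry from what the file actually holds.
    static String classify(KeyStore ks, String alias) throws Exception {
        if (ks.isKeyEntry(alias)) {
            // A key plus its chain is an identity: SDK keystore material for mTLS.
            return "key entry (client identity; keystore / mTLS)";
        }
        if (ks.isCertificateEntry(alias)) {
            Certificate c = ks.getCertificate(alias);
            // getBasicConstraints() returns -1 for a non-CA certificate.
            boolean ca = c instanceof X509Certificate
                    && ((X509Certificate) c).getBasicConstraints() >= 0;
            return ca ? "trusted CA certificate (truststore; keep username/password)"
                      : "trusted non-CA certificate (truststore)";
        }
        return "unknown entry type";
    }
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java InspectPkcs12 <file.pfx> <password>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            ks.load(in, args[1].toCharArray());
        }
        if (!ks.aliases().hasMoreElements()) {
            // Java's KeyStore exposes no entries, so it yields no trust anchors.
            System.out.println("no entries visible to Java's KeyStore");
        }
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println(alias + ": " + classify(ks, alias));
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  subject: " + x.getSubjectX500Principal());
                System.out.println("  expires: " + x.getNotAfter());
            }
        }
    }
}
```

A key entry means the file is a client identity for mTLS; a lone CA certificate entry means it belongs in the truststore and username/password authentication stays.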

Hi David,
Thanks for the answer.

You are right, it is a Certificate Authority (CA) certificate. So, I need to use username and password.

Another thing which I found out:
I tried to run the following code

Cluster cluster = couchbaseCluster();
// SDK 3.x opens a bucket with cluster.bucket(...); openBucket(...) is the SDK 2.x call
Bucket bucket = cluster.bucket("MyBucket");
Collection myCollection = bucket.defaultCollection();

// Upsert Document
MutationResult upsertResult = myCollection.upsert(
    "my-document",
    JsonObject.create().put("name", "mike")
);

// Get Document
GetResult getResult = myCollection.get("my-document");

However, using TLS I can create the cluster and get the Bucket and get the Collection, but I can’t do the Upsert :frowning:

securityConfig(SecurityConfig
    .enableTls(true)
    .trustStore(Paths.get("C:/Dev/certificate/cert.pfx"), "Password", Optional.empty())).build();

I always get AmbiguousTimeoutException.

UpsertRequest, Reason: TIMEOUT {"cancelled":true,"completed":true,"coreId":"0x3602f97700000001","idempotent":false,"reason":"TIMEOUT","requestId":5,"requestType":"UpsertRequest","retried":127,"retryReasons":["BUCKET_OPEN_IN_PROGRESS"],"service":{"bucket":"MarketData","collection":"_default","documentId":"my-document","opaque":"0x2","scope":"_default","type":"kv"},"timeoutMs":60000,"timings":{"encodingMicros":84591,"totalMicros":60026210}}

I also added .timeoutConfig(TimeoutConfig.kvTimeout(Duration.ofSeconds(60))) but I have the same error.

When I remove TLS and use just

Cluster cluster = Cluster.connect(connectionString, username, password);

Then I can do Upsert Document without any problem.

Maybe I need to add more configuration params to environment or cluster to fix this issue?

public ClusterEnvironment couchbaseEnvironment() {
    return ClusterEnvironment.builder()
        .securityConfig(SecurityConfig
            .enableTls(true)
            .trustStore(Paths.get("C:/Dev/certificate/cert.pfx"), "Password", Optional.empty()))
        .build();
}

public Cluster couchbaseCluster() {
    Cluster cluster = Cluster.connect("couchbase://xxx-yyy-zzz",
        ClusterOptions.clusterOptions("test", "test")
            .environment(couchbaseEnvironment()));

    return cluster;
}

I would look in the logs before the timeout exception, to see if there are more clues. If you don’t see anything, you might need to configure your logging framework to enable DEBUG logging for the com.couchbase category.

Hi David,
Thanks for help.

I have found the root of the issue.
When I use Cluster.connect(…) which uses a Set of SeedNodes where I use
static SeedNode create(String address)
I get the error.
Maybe I need to use
static SeedNode create(String address, Optional<Integer> kvPort, Optional<Integer> clusterManagerPort)
for creating the SeedNode. I don’t know.

However, when I use connection string then all works fine :slight_smile:
Cluster.connect(couchbaseProperties.getUrl().get(0) + "," + couchbaseProperties.getUrl().get(1),
