Firewall And Secure XDCR in Couch 3.0.1

Couchbase Server
1

There seems to be conflicting information in the documentation and prior staff replies.

http://docs.couchbase.com/admin/admin/Tasks/xdcr-secure-communication.html
http://docs.couchbase.com/admin/admin/Install/install-networkPorts.html
http://docs.couchbase.com/couchbase-manual-2.5/cb-install/
http://blog.couchbase.com/iptables-firewall-settings-couchbase-db-and-couchbase-mobile-syncgateway

If you look at references to port 11214 and 11215, it indicates SSL for XDCR.

But in the xdcr documentation listed above, it talks about VPN is required for secure XDCR.

Now what is the real story?

Will the server make SSL XDCR communication between clusters or will it be un-encrypted and require VPN?

What is the configuration to force using 18091 and 18092 for XDCR instead of 8091.8092?

Does couchbase have more competent and organized information about network ports, linux routes, and firewall settings?

1 Like
2

Ok, I see at least some way to force the behavior.

When creating the connection, you can define host_name:port. So in this case, choose 18091 instead of 8091.

couchbase-cli xdcr-setup -c hostname_:8091 -u Administrator -p password
–create --xdcr-cluster-name=RemoteCluster --xdcr-hostname=10.3.121.123:8091 \
–xdcr-username=Administrator --xdcr-password=password

What will trigger the 18092 capi from being used and not 8092 for other operations.

1 Like
3

More info.

4

I still cannot find any way to actually trigger the couchbase server to start listening on 18091/18092 or 11214/11215

Does the server autogenerate a key and certificates on a frequent basis?

1 Like
5

–xdcr-demand-encryption=[0|1] Enables data encryption using Secure Socket Layer (SSL). 1

Ok, this shoult trigger 11214/11215 to start up. Is that correct?

How do we trigger 18091/18092 to start listening for SSL?

1 Like
6

There is some configuration information at:

http://docs.couchbase.com/couchbase-manual-2.5/cb-install/#initial-server-setup

{ssl_rest_port,11000}.
{ssl_capi_port,11001}.

And in the local.ini file:

[daemons]
; enable SSL support by uncommenting the following line and supply the PEM’s below.
; the default ssl port CouchDB listens on is 6984
; httpsd = {couch_httpd, start_link, [https]}

[ssl]
;cert_file = /full/path/to/server_cert.pem
;key_file = /full/path/to/server_key.pem

So many references, so little clarity!

7

Ok, I finally figured it out. Enterprise version runs this SSL stuff automatically. No need for any extra explanation and sorry for spamming this thread with each incremental detail in my pursuit of the truth.

Cheers todos