SCRAM-SHA* and Java - verification


#1

Greetings all,

I did a search and apologize if this is a duplicate, but I’m trying to verify the usage of SCRAM-SHA* in Java SDK 2.2.6. I’m very new to Couchbase but need to ensure that this mechanism is being used. However in my test app, I do not see an indicator in either the output or the logs that SCRAM-SHA* is being used. Is there any indicator that this mechanism is actually being used?

So far I’ve:

  • Tried with com.couchbase.scramEnabled=true and com.couchbase.scramEnabled=false
  • Tried with correct and incorrect bucket passwords

Yet, the success and errors do not appear to differ from each other, leading me to question whether or not it’s ever being used.

Thanks in advance,
Chris


#2

You’re right, it doesn’t appear in the logs. As a workaround, if you configure your logging framework in TRACE mode and look at the dump of packets, during startup you should see confirmation of which mechanism was selected:

First there is a RECEIVED message, which is the server listing the supported mechanisms (by order of recommendation):

[cb-io-1-1] 15:50:00 TRACE LoggingHandler:94 - [id: 0xe82d58d3, L:/127.0.0.1:60459 - R:localhost/127.0.0.1:11210] RECEIVED: 75B
         +-------------------------------------------------+
         |  0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f |
+--------+-------------------------------------------------+----------------+
|00000000| 81 20 00 00 00 00 00 00 00 00 00 33 00 00 00 00 |. .........3....|
|00000010| 00 00 00 00 00 00 00 00 53 43 52 41 4d 2d 53 48 |........SCRAM-SH|
|00000020| 41 35 31 32 20 53 43 52 41 4d 2d 53 48 41 32 35 |A512 SCRAM-SHA25|
|00000030| 36 20 53 43 52 41 4d 2d 53 48 41 31 20 43 52 41 |6 SCRAM-SHA1 CRA|
|00000040| 4d 2d 4d 44 35 20 50 4c 41 49 4e                |M-MD5 PLAIN     |
+--------+-------------------------------------------------+----------------+

Then the client WRITEs to the server which mechanism it wants:

[cb-io-1-1] 15:50:01 TRACE LoggingHandler:94 - [id: 0xe82d58d3, L:/127.0.0.1:60459 - R:localhost/127.0.0.1:11210] WRITE: 36B
         +-------------------------------------------------+
         |  0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f |
+--------+-------------------------------------------------+----------------+
|00000000| 80 21 00 0c 00 00 00 00 00 00 00 37 00 00 00 00 |.!.........7....|
|00000010| 00 00 00 00 00 00 00 00 53 43 52 41 4d 2d 53 48 |........SCRAM-SH|
|00000020| 41 35 31 32                                     |A512            |
+--------+-------------------------------------------------+----------------+

So you should see SCRAM-SHA512 like in the example above, and then the connection being established. Not an ideal solution for operations of course, but if you’re just trying to manually assert that this works once, it should do the trick.


#3

Thanks for that response! Unfortunately, I’m not seeing that in my logs.

Here’s my sample code:

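import com.couchbase.client.java.Bucket;
import com.couchbase.client.java.Cluster;
import com.couchbase.client.java.CouchbaseCluster;
import com.couchbase.client.java.cluster.BucketSettings;
import com.couchbase.client.java.cluster.ClusterManager;
import com.couchbase.client.java.cluster.DefaultBucketSettings;
import com.couchbase.client.java.document.JsonDocument;
import com.couchbase.client.java.document.json.JsonObject;
import com.couchbase.client.java.env.CouchbaseEnvironment;
import com.couchbase.client.java.env.DefaultCouchbaseEnvironment;

// logger and COUCHBASE_SERVERS are fields declared elsewhere in the class (not shown in the post).
public static void main( String[] args ) {
    logger.trace( "STARTING MAIN" );
    // Record which value of the SCRAM toggle this run was started with.
    logger.trace( "com.couchbase.scramEnabled value = " + System.getProperty( "com.couchbase.scramEnabled" ) );
    CouchbaseEnvironment env = DefaultCouchbaseEnvironment.builder().connectTimeout( 60000 ).build();
    Cluster cluster = CouchbaseCluster.create( env, COUCHBASE_SERVERS );
    // Create the password-protected test bucket if it does not exist yet.
    ClusterManager cm = cluster.clusterManager( "Administrator", "password" );
    if ( !cm.hasBucket( "scramBucket" )) {
        BucketSettings bs = DefaultBucketSettings.builder().name( "scramBucket" ).quota( 256 ).password( "scramPassword" ).build();
        cm.insertBucket( bs );
    }
    // args[0] is the bucket password; opening the bucket triggers the SASL negotiation.
    Bucket bucket = cluster.openBucket("scramBucket", args[0]);
    JsonObject testObject = JsonObject.empty().
        put( "Blah", "blah" );
    JsonDocument doc = JsonDocument.create( "whatever", testObject );
    JsonDocument response = bucket.upsert( doc );

    // Read the document back to confirm the authenticated connection works.
    JsonDocument got = bucket.get( "whatever" );
    System.out.println( "Found: " + got );
    cluster.disconnect();
    logger.trace( "EXITING MAIN" );
}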

and yet I can’t find what you’ve posted above anywhere in the output. Now, I’m assuming the above should be in the client logs, not the server, since the Couchbase server doesn’t seem to support lower than debug.

I’m seeing it use normal CRAM-MD5:

>          +-------------------------------------------------+
>          |  0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f |
> +--------+-------------------------------------------------+----------------+
> |00000000| 81 20 00 00 00 00 00 00 00 00 00 0e 00 00 00 00 |. ..............|
> |00000010| 00 00 00 00 00 00 00 00 43 52 41 4d 2d 4d 44 35 |........CRAM-MD5|
> |00000020| 20 50 4c 41 49 4e                               | PLAIN          |
> +--------+-------------------------------------------------+----------------+
> TRACE LoggingHandler - [id: 0x0db013e8, L:/XXX.XXX.XXX.XXX:52426 - R:openshift-2/XXX.XXX.XXX.XXX:11210] WRITE: 32B
>          +-------------------------------------------------+
>          |  0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f |
> +--------+-------------------------------------------------+----------------+
> |00000000| 80 21 00 08 00 00 00 00 00 00 00 08 00 00 00 00 |.!..............|
> |00000010| 00 00 00 00 00 00 00 00 43 52 41 4d 2d 4d 44 35 |........CRAM-MD5|
> +--------+-------------------------------------------------+----------------+

#4

Ah but I just thought of something: which version of Couchbase Server are you using (and which build)? This is still experimental in the server and is only available in the 4.5 BETA.

If you’re using the 4.5 beta, can you please post a gist/pastebin of your TRACE log?


#5

Ah! That was definitely it - I updated the docker image to 4.5.0-beta and saw the necessary information. Thanks so much for your help!
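
Added example (not part of any post in this thread, and not Couchbase code): the manual check from #2 automated, reading the TRACE hex dumps and reporting which SASL mechanisms the server offered and which one the client selected. It assumes the standard 24-byte memcached binary protocol header (opcode 0x20 = list mechanisms, 0x21 = SASL auth, as seen in the dumps above); the function names are made up for this sketch.

```python
import re
import struct

# Hex rows copied from the TRACE dumps quoted in this thread (borders omitted).
SCRAM_DUMP = """\
|00000000| 81 20 00 00 00 00 00 00 00 00 00 33 00 00 00 00 |. .........3....|
|00000010| 00 00 00 00 00 00 00 00 53 43 52 41 4d 2d 53 48 |........SCRAM-SH|
|00000020| 41 35 31 32 20 53 43 52 41 4d 2d 53 48 41 32 35 |A512 SCRAM-SHA25|
|00000030| 36 20 53 43 52 41 4d 2d 53 48 41 31 20 43 52 41 |6 SCRAM-SHA1 CRA|
|00000040| 4d 2d 4d 44 35 20 50 4c 41 49 4e                |M-MD5 PLAIN     |
|00000000| 80 21 00 0c 00 00 00 00 00 00 00 37 00 00 00 00 |.!.........7....|
|00000010| 00 00 00 00 00 00 00 00 53 43 52 41 4d 2d 53 48 |........SCRAM-SH|
|00000020| 41 35 31 32                                     |A512            |
"""
CRAM_DUMP = """\
|00000000| 81 20 00 00 00 00 00 00 00 00 00 0e 00 00 00 00 |. ..............|
|00000010| 00 00 00 00 00 00 00 00 43 52 41 4d 2d 4d 44 35 |........CRAM-MD5|
|00000020| 20 50 4c 41 49 4e                               | PLAIN          |
|00000000| 80 21 00 08 00 00 00 00 00 00 00 08 00 00 00 00 |.!..............|
|00000010| 00 00 00 00 00 00 00 00 43 52 41 4d 2d 4d 44 35 |........CRAM-MD5|
"""
ROW = re.compile(r"\|([0-9a-f]{8})\|((?: [0-9a-f]{2})+)")
HEADER = struct.Struct(">BBHBBHIIQ")  # 24-byte memcached binary header

def packets(log_text):
    """One bytes object per dump (offset 00000000 starts a packet); drops short ones."""
    out = []
    for offset, hexbytes in ROW.findall(log_text):
        if offset == "00000000":
            out.append(bytearray())
        if out:  # ignore rows that belong to a dump whose start was not logged
            out[-1] += bytes.fromhex(hexbytes)
    return [bytes(p) for p in out if len(p) >= HEADER.size]

def sasl_negotiation(log_text):
    """Return (offered, selected) mechanisms seen in the dumped packets."""
    offered, selected = [], None
    for pkt in packets(log_text):
        magic, opcode, keylen, extlen, _, _, bodylen, _, _ = HEADER.unpack_from(pkt)
        body = pkt[HEADER.size:HEADER.size + bodylen]  # a WRITE may carry the key only
        if magic == 0x81 and opcode == 0x20:    # response: SASL list mechanisms
            offered = body.decode("ascii").split()
        elif magic == 0x80 and opcode == 0x21:  # request: SASL auth, key = mechanism
            selected = body[extlen:extlen + keylen].decode("ascii")
    return offered, selected

def uses_scram(log_text):
    selected = sasl_negotiation(log_text)[1]
    return selected is not None and selected.startswith("SCRAM-")
```

Comparing `offered` with `selected` separates the two failure cases: a server that never advertises SCRAM-* (the situation in #3, resolved by the server upgrade in #5) and a client that is offered SCRAM-* but selects something else.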