Encryption On-the-Wire API

Couchbase Server APIs for self-signed and X.509 certificates manage encryption on-the-wire.

Retrieve Node Certificate Info

Retrieves information about a node certificate.

GET /pools/default/certificate/node/<host:port>

Description

This command retrieves information about the uploaded node certificate.

Example

$ curl -X GET http://user:password@127.0.0.1:8091/pools/default/certificate/node/127.0.0.1:8091
      {"subject":"CN=127.0.0.1","expires":"2049-12-31T15:59:59.000Z","pem":"
      -----BEGIN CERTIFICATE-----\nMIIC+DCCAeKgAwIBAgIIFB4b2mfRLHcwCwYJKoZIhvcNAQELMCAxHjAcBgNVBAMT\
      nFUludGVtZWRpYXRlIEF1dGhvcml0eTAeFw0xMzAxMDEwMDAwMDBaFw00OTEyMzEy\
      nMzU5NTlaMBQxEjAQBgNVBAMTCTEyNy4wLjAuMTCCASIwDQYJKoZIhvcNAQEBBQAD\
      nggEPADCCAQoCggEBAOO9byay0UjHI4Q1dd4zMgGPc7FkGDaH/5PEj7PdjlnZC6zm\
      ncsjqAyAq9WzI+LAzzfZXm2Da8MwJZX/MsvEcG15CV8bK075D1G4R7B+E+OIG//Xl\
      ntKZe7J0YqsW5KwZlDHWkyJ06ylWl/6hvw3YkG7mUOKi5WWuj8NGHP24cImkaon4+\
      nf8D6t3vEWFQEwb8IMUDgzwdihXdSqdzQ3a9ECKbl2BKeEFbPrzWoIYjWF5dyrZg3\
      n4/3+SHZ+uZzlG2x6cL2lrs7WUJXseasjkSFuQQzLZPIcJlJxlwXhKvfvucbgT9rG\
      nwopcjS3SaXnmreKF3jLmQGAPHYb8X1yCTTBQVLcCAwEAAaNGMEQwDgYDVR0PAQH\
      nBAQDAgCgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwDwYDVR0R\
      nBAgwBocEfwAAATALBgkqhkiG9w0BAQsDggEBAEEWcC8uJ/Zk/4UFYTrQyvds/Kj8\
      n8/SNWVIcMNLHNsxPGtbrsRa9VFjPlCEB+dPpgIFq08626zRQ2Lb1qRZGWj+YM5gC\
      nhxaERSURrvr6i8x9jwALkQUxitRkNP6cb+wi4BCn8qjgxxyZ4g+CHEO9pHceljIn\
      n/bwY+hHTG0a+8hVj/14TGExFrEzNhyeSMmGpdFq3PNT97gRuVvFAz6ZD8qAt+S0j\
      nT61oShOpwNwhWnkK3OynN2JdVT+G496/xRayDPXG40V/AkJs3udZ6QmoeifkJ8sj\
      nYgOxdPWLMnAJ7fw6l/XE7XVD/Jld+pJrFa4YqHBkWL+s20OQmuWs8dVgVQ0=\n
      -----END CERTIFICATE-----\n\n"}

Upload and Regenerate Certificate

Uploads a pem-encoded root certificate (cluster CA) to the cluster.

POST /controller/uploadClusterCA

Description

The uploaded certificate will be displayed in the UI and used for XDCR replications and for client certificate stores.

Examples

curl -X POST --data-binary "@/path/root.pem" http://user:password@127.0.0.1:8091/controller/uploadClusterCA
curl -X POST --data-binary "@./ca.pem" http://Administrator:password@127.0.0.1:8091/controller/uploadClusterCA

Returns

Same output as in the GET /pools/default/certificate?extended=true method.

Setting up per node CA certificate

curl -X POST http://Administrator:password@127.0.0.1:8091/node/controller/reloadCertificate

Regenerating a self-signed certificate

If you configured Couchbase to use X.509 certificates, and you want to go back to the self-signed certificates, you can do this by regenerating the self-signed cluster certificate test.pem.

curl -X POST  http://Administrator:password@remoteHost:8091/controller/regenerateCertificate

Return Cluster Certificate

Returns the current cluster certificate.

GET /pools/default/certificate

Description

If you include the parameter extended=true, it returns the extended certificate information:

{"cert": {"type" : ..., "pem" : ..., "subject" : ..., "expires" : ...}, warnings: []}

Parameters

  • type - generated or uploaded.

  • pem - pem encoded certificate.

  • subject - abbreviated certificate subject (*).

  • expires - expiration data (*).

  • warnings - warnings to be displayed in the UI.

(*) not available for generated certificates.

Example

$ curl -X GET http://user:password@127.0.0.1:8091/pools/default/
        certificate?extended=true
{"cert":{"type":"uploaded","pem":"-----BEGIN CERTIFICATE-----
          \nMIIC6DCCAdKgAwIBAgIIFB4YAjF90MgwCwYJKoZIhvcNAQELMBkxFzAVBgNVBAMT\
          nDlJvb3QgQXV0aG9yaXR5MB4XDTEzMDEwMTAwMDAwMFoXDTQ5MTIzMTIzNTk1OVow\
          nGTEXMBUGA1UEAxMOUm9vdCBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IB\
          nDwAwggEKAoIBAQDBum06stdiYQI2HQyjZeg3s0Pz8CziXqSg4GicaeKNloOfASwl\
          n+8LQDX5Dgb+Mc4ZxXYo9/7eVlsvSiZPZcv9D2pubjR4ZtEDY5t9AlXDiYTHK0zxG\
          nB34Llnz3gJmkAEAsjy4g+RfwpJS4kGVzFhrzgxOQJIJogZnLduk+mHFjyXI3X+8y\
          nf4KF8ijrXP8bbfa0kM1tjvcttaK7vTEP+G/mbOEFZErhScXT9eKRlgwsitaH7kI0\
          nimpqg3YX1znLQ5n+eLzeVR1HhszJrFaaaRHL0esml6jLEcZBBitJSuEuaMLp9ZWB\
          nA479ZHmN/vZc1SwfMrCE2+TE0ytW3O7eFXjXAgMBAAGjODA2MA4GA1UdDwEB/wQE\
          nAwIApDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MAsGCSqG\
          nSIb3DQEBCwOCAQEACReNkvIXhjPO0rWpgdVSqnLrjUb6DJf0n4Uyq6PfukeEfBtF\
          n59L+xUcoY6NFM5N6qRlGgg0eqTCVmQ6N6lKnnZRH23g3BPLjU2EqAtBHIc5f2JoM\
          nd1E4UD2v20MlFoeHL0YljGTywlqStoZYc2uYUJnJAVq2D1dWcwP2S7G6caLHMlAl\
          nQVYIZvjCGuqGckV1EqOTT7uKPH9ulljtYKVIq/aTbINjX0hJsaoN2hOfHVTp2Shq\
          neLMwgfNdg6zWRyeL/Mi/3jmSjSH61zyHva2xlY8Pl6Zurx/+pF1qN27+P8tCjsDO\
          nD2hAADXr8WRqC1Sd+xAGcFkvqOOFv/HRxDej3A==\
          n-----END CERTIFICATE-----\n",
          "subject":"CN=Root Authority","expires":"2049-12-31T15:59:59.000Z"},
          "warnings":[{"node":"n_0@127.0.0.1","message":
          "Certificate is not signed with cluster CA."}]}

Possible warnings:

{"node":"n_0@127.0.0.1","message":"Certificate is not signed with cluster CA."}
{"node":"n_0@127.0.0.1","message":"Certificate is expired."}
{"node":"n_0@127.0.0.1","message":"Certificate will expire soon.","expires":"2049-12-31T15:59:59.000Z"}

Apply Certificate to a Node

Takes chain.pem and pkey.pem and applies to a node.

POST /node/controller/reloadCertificate

Description

This command grabs chain.pem and pkey.pem from the data folder/inbox/ directory and applies them to the node.

Parameters

  • chain.pem - Contains a chain of pem-encoded certificates starting from the node certificate and ending with the last intermediate certificate that precedes the cluster certificate.

  • pkey.pem - Contains the pem-encoded private key for the node certificate.

Example

curl -X POST http://user:password@127.0.0.1:8091/node/controller/reloadCertificate

Returns

  • 200 - If it is a success

  • 400 - An error message if it failed.