md1
December 10, 2014, 3:58pm
1
There seems to be conflicting information in the documentation and prior staff replies.
http://docs.couchbase.com/admin/admin/Tasks/xdcr-secure-communication.html
http://docs.couchbase.com/admin/admin/Install/install-networkPorts.html
http://docs.couchbase.com/couchbase-manual-2.5/cb-install/
http://blog.couchbase.com/iptables-firewall-settings-couchbase-db-and-couchbase-mobile-syncgateway
If you look at references to port 11214 and 11215, it indicates SSL for XDCR.
But in the xdcr documentation listed above, it talks about VPN is required for secure XDCR.
Now what is the real story?
Will the server make SSL XDCR communication between clusters or will it be un-encrypted and require VPN?
What is the configuration to force using 18091 and 18092 for XDCR instead of 8091/8092?
Does couchbase have more competent and organized information about network ports, linux routes, and firewall settings?
1 Like
md1
December 10, 2014, 4:10pm
2
Ok, I see at least some way to force the behavior.
When creating the connection, you can define host_name:port. So in this case, choose 18091 instead of 8091.
couchbase-cli xdcr-setup -c hostname:8091 -u Administrator -p password \
--create --xdcr-cluster-name=RemoteCluster --xdcr-hostname=10.3.121.123:8091 \
--xdcr-username=Administrator --xdcr-password=password
What will trigger the 18092 CAPI port being used instead of 8092 for other operations?
1 Like
md1
December 10, 2014, 5:15pm
4
I still cannot find any way to actually trigger the couchbase server to start listening on 18091/18092 or 11214/11215
Does the server autogenerate a key and certificates on a frequent basis?
1 Like
md1
December 10, 2014, 5:27pm
5
--xdcr-demand-encryption=[0|1]  Enables data encryption using Secure Socket Layer (SSL).
Ok, this should trigger 11214/11215 to start up. Is that correct?
How do we trigger 18091/18092 to start listening for SSL?
1 Like
md1
December 10, 2014, 6:09pm
6
There is some configuration information at:
http://docs.couchbase.com/couchbase-manual-2.5/cb-install/#initial-server-setup
{ssl_rest_port,11000}.
{ssl_capi_port,11001}.
And in the local.ini file:
[daemons]
; enable SSL support by uncommenting the following line and supply the PEM’s below.
; the default ssl port CouchDB listens on is 6984
; httpsd = {couch_httpd, start_link, [https]}
[ssl]
;cert_file = /full/path/to/server_cert.pem
;key_file = /full/path/to/server_key.pem
So many references, so little clarity!
md1
December 11, 2014, 1:18am
7
Ok, I finally figured it out. Enterprise version runs this SSL stuff automatically. No need for any extra explanation and sorry for spamming this thread with each incremental detail in my pursuit of the truth.
Cheers, all
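A client-side way to confirm which of the ports discussed in this thread actually present TLS (rather than guessing from the docs), added here as an example; it is not code from the thread, the Couchbase documentation or couchbase-cli. The node address, the CA bundle path and the port-to-role labels are assumptions to adjust for your deployment.

```python
import socket
import ssl
import sys

# Ports this thread discusses as the TLS counterparts of 8091/8092 and the
# XDCR memcached ports. Assumption: adjust the labels/ports to your deployment.
EXPECTED_TLS_PORTS = {
    18091: "REST (SSL)",
    18092: "CAPI (SSL)",
    11214: "XDCR memcached (SSL)",
    11215: "XDCR memcached (SSL)",
}


def check_tls_port(host, port, ca_file=None, timeout=3.0):
    """Classify host:port as 'closed', 'no-tls' or 'tls' by attempting a
    verified TLS 1.2+ handshake. ca_file is a PEM bundle containing the
    cluster's CA (assumption); None means the system trust store."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return {"status": "closed"}
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # The port speaks TLS, but the certificate does not chain to ca_file.
        return {"status": "tls", "verified": False, "error": str(exc)}
    except (ssl.SSLError, OSError):
        # Handshake failed outright: most likely a plaintext listener.
        return {"status": "no-tls"}
    finally:
        raw.close()
    subject = dict(rdn[0] for rdn in cert["subject"])
    return {"status": "tls", "verified": True,
            "subject": subject.get("commonName"), "notAfter": cert["notAfter"]}


def audit_cluster_tls(host, ports=EXPECTED_TLS_PORTS, ca_file=None):
    """Return {port: result} for every expected TLS port on one node."""
    return {port: check_tls_port(host, port, ca_file) for port in ports}


if __name__ == "__main__":
    node = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    for port, result in audit_cluster_tls(node, ca_file=ca).items():
        print(f"{port:>5} {EXPECTED_TLS_PORTS.get(port, ''):<22} {result}")
```

Run it as `python3 check_tls.py <node> <ca.pem>`; a port reported as `tls` with `verified: False` is listening over TLS but with a certificate your bundle does not trust, which is what a self-signed cluster certificate looks like before you distribute it.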