Setting Up Secure Connections
Configure the connector to encrypt data in transit.
By default, the connector talks to Couchbase and Elasticsearch over unencrypted socket connections. If encryption is required, you can configure the connector to use TLS.
Couchbase Server and Elasticsearch both use a root certificate to generate a certificate for each node in the respective cluster.
This guide shows how to obtain the root certificates, and how to tell the connector it should trust these certificates when establishing secure connections.
You will need:
Couchbase Server Enterprise Edition if you’re connecting securely to a self-hosted Couchbase Server cluster. You can download and evaluate Enterprise Edition for free.
The Certificate Authority (CA) certificates used by your Couchbase Server and/or Elasticsearch clusters.
The Couchbase Capella CA certificate is included in the connector.
The steps for getting the Couchbase certificate are different depending on whether you are hosting your own Couchbase Server cluster or using Couchbase Capella.
The Capella CA certificate is included in the connector, and the connector trusts it by default unless you specify another trust source.
If you’re connecting to a Capella cluster, all you have to do is enable TLS by setting the
Log into the Capella admin website and navigate to your cluster. Click on the "Connect" tab and scroll down to "Security Certificates." Download the "Root Certificate."
Log into the admin console and navigate to
couchbase-ca.pem and paste the certificates into this file.
Unless you’re working in a local development environment, it’s important to transfer the CA certificate using a secure channel, so you know you’re getting the correct certificate. If you are unable to access the admin console securely over HTTPS, copy the CA certificate from a server node using SSH or some other secure mechanism.
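One way to check the transferred file before the connector trusts it, as an added example that is not part of the Couchbase documentation. It assumes you obtained the expected SHA-256 fingerprints over a separate trusted channel; the function names and script name are hypothetical.

```python
import hashlib
import re
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)


def ca_fingerprints(pem_text):
    """SHA-256 fingerprint (lowercase hex) of each certificate in a PEM bundle."""
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        raise ValueError("no PEM certificate blocks found")
    # The fingerprint is the hash of the DER bytes, so line wrapping changed
    # by copy and paste does not affect it.
    return [hashlib.sha256(ssl.PEM_cert_to_DER_cert(b)).hexdigest() for b in blocks]


def normalize(fingerprint):
    """Accept 'AB:CD:...' or 'abcd...' and return bare lowercase hex."""
    return fingerprint.replace(":", "").replace(" ", "").strip().lower()


def unexpected_certs(pem_text, trusted_fingerprints):
    """Fingerprints in the bundle that were NOT confirmed out-of-band.

    Every certificate in the file becomes a trust anchor, so a single
    unexpected entry is a reason to reject the whole file.
    """
    trusted = {normalize(fp) for fp in trusted_fingerprints}
    return [fp for fp in ca_fingerprints(pem_text) if fp not in trusted]


if __name__ == "__main__":
    # Usage (script name assumed): python check_ca.py couchbase-ca.pem <fingerprint>...
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="ascii") as f:
            text, trusted = f.read(), sys.argv[2:]
    else:
        # Constructed sample: placeholder bytes, not a real certificate.
        text, trusted = ssl.DER_cert_to_PEM_cert(b"constructed-sample"), []
    extra = unexpected_certs(text, trusted)
    for fp in extra:
        print("UNEXPECTED certificate:", fp)
    sys.exit(1 if extra else 0)
```

An empty result from `unexpected_certs` means every certificate in the file matched a fingerprint you confirmed; anything else should be resolved before pointing the connector at the file.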
Elasticsearch must first be configured to require TLS/SSL. Please refer to the Elasticsearch documentation, specifically Encrypting communications in Elasticsearch. Make sure you also follow the steps for Encrypting HTTP Client Communications.
As you follow the instructions in the Elasticsearch documentation, you’ll generate a CA certificate for your Elasticsearch cluster. (Alternatively, you might decide to use a well-known public CA, or an internal CA managed by your organization.) This CA certificate is the one you’ll configure the connector to use in the next step.
Verify that Elasticsearch requires secure connections by opening https://localhost:9200 in your web browser. (You might get a warning about an untrusted or self-signed certificate.)
If Elasticsearch is configured correctly, you should be prompted for your Elasticsearch credentials.
In this final step, you’ll tell the connector where to locate the files containing the CA certificates for Couchbase and/or Elasticsearch.
Search for the [couchbase] section and set the secureConnection property to
Then set the pathToCaCertificate property to the path of the file containing the Couchbase CA certificate.
A relative path is resolved using the connector installation directory as the base.
This means you can put the couchbase-ca.pem file into the connector installation’s config subdirectory, and set the [couchbase] config section’s pathToCaCertificate property to
If you’re connecting to Couchbase Capella, leave the
Now search for the [elasticsearch] section and do the same thing, only this time set the pathToCaCertificate property to the path of the file containing the Elasticsearch CA certificate.
Previous versions of the connector required the certificates to be in a Java keystore file.
This is no longer required.