Couchbase Capella Support

  • concept
    +
    Connecting to Couchbase Capella is very similar to connecting to any Couchbase cluster over an encrypted connection. This section explains how.

    You must use a Kafka connector version of 4.0.1 or higher. Earlier versions will not work.

    Before You Start

    Make sure your Capella cluster is configured to allow connections from the IP addresses of all computers running the connector.

    You will need the credentials of a Capella database user. For the source connector, the user must have read (or read/write) permission. For the sink connector, the user must have read/write permission.

    You will need to know which version of the connector you are using, so you can follow the instructions for that version.

    Configuring Version 4.1.7 and Later

    With this version of the connector, connecting to Capella is simple. All you need to do is enable TLS by setting the couchbase.enable.tls connector config property to true.

    The Capella Certificate Authority (CA) certificate bundled with the connector is trusted by default. You can skip the rest of this page, or continue reading to learn how to configure the connector to trust a different CA certificate.

    Certificate Download

    Once you have created a Cluster in Couchbase Capella, navigate to the Connect tab and download the security certificate.

    Cloud UI

    Rename the downloaded file to couchbase.pem. (The name doesn’t really matter, but the rest of this guide refers to the Couchbase certificate file by that name.)

    Configuring Version 4.0.5 and Later

    Enable TLS by setting couchbase.enable.tls to true.

    Set the couchbase.trust.certificate.path property to the absolute filesystem path to couchbase.pem.

    Now you’re ready to connect to your Couchbase Capella cluster.

    Alternatively, you can put the certificate in a trust store as decribed in the next section.

    Configuring Earlier Versions

    Prior to connector version 4.0.5, the certificate must live in a trust store.

    Add the certificate to a trust store

    The connector’s trust store is a Java keystore file containing the certificates the connector should trust. We’ll use the Java keytool command to create a keystore and populate it with the root certificates for Couchbase Capella.

    To add the Couchbase Capella root certificate:

    $ keytool -importcert -keystore truststore.jks -file couchbase.pem

    If the keystore file truststore.jks does not yet exist, you will be prompted to choose a password for the new keystore. Otherwise, you will be prompted for the password of the existing keystore.

    You will then be presented with a summary of the information in the certificate, and asked if you want to trust the certificate. If the information is correct, enter y to confirm.

    You can verify that it has been stored with keytool -list:

    $ keytool -list
    Enter keystore password:
    Keystore type: PKCS12
    Keystore provider: SUN
    
    Your keystore contains 1 entry

    Configure the connector to use a trust store

    Now that you have a trust store containing the Capella certificate, the last step is to configure the connector to use it for secure connections.

    Enable TLS by setting couchbase.enable.tls to true.

    Set the couchbase.trust.store.path property to the absolute filesystem path to truststore.jks.

    Configure couchbase.trust.store.password by providing the keystore password.

    Now you’re ready to connect to your Couchbase Capella cluster.