SSL Connections

By default, connections between applications (SDK) and the cluster are not protected against eavesdropping. This means that anyone with access to the network can view items being transferred between client and server. Using a password-protected bucket only restricts programmatic access to authorized clients, but may still allow intruders to inspect the traffic.

This is typically not an issue when both client and server are operating on secure networks. However, larger deployments may have larger networks and tighter security requirements.

Couchbase Server Enterprise edition allows secure SSL connections. When SSL connections are used, traffic between SDKs and the server is encrypted and therefore protected against eavesdropping. The SDK will then use SSL connections to all services (KV, Query, and MapReduce).

In order to make use of SSL connections, you must first obtain the SSL certificate.

Getting the certificate via the REST API

Getting the certificate via the web UI

In order for the SDK to connect to the cluster using SSL, the SDK must be aware of the server’s self-signed SSL certificate. Use the Couchbase Web Console to retrieve the SSL certificate:

  1. Open a browser and navigate to the Couchbase Web Console.

  2. Click Settings > Cluster.

  3. In the Configuration section, click Show to display the certificate.

  4. Copy the entire content of the certificate and save it to a file on the application server, at a location that is locally accessible to your SDK.

    For C (libcouchbase-based) SDKs, you will need to pass the path to this file (the path itself does not matter, so long as it exists and is accessible by the SDK) to the connection string using the certpath connection string option. For other SDKs this may involve installing the certificate to a special kind of certificate repository or store.

    The example below demonstrates how to configure and connect your SDK to a Couchbase Cluster with SSL encryption in Python:

    #!/usr/bin/env python
    
    from couchbase.bucket import Bucket
    
    # Note the `couchbases` in the scheme. This is required for SSL connections!
    cb = Bucket('couchbases://10.0.0.31/default?certpath=/tmp/couchbase-ssl-certificate.pem')
    print(cb.server_nodes)

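The following added example (not part of the Couchbase SDK or its documentation) checks a connection string before it is used: that the scheme is `couchbases`, that `certpath` points to a file, and that the PEM text copied from the Web Console was saved intact. The function names and `SAMPLE_PEM` are assumptions made for this illustration.

```python
import base64
import os
import re
from urllib.parse import parse_qs, urlsplit

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in: a 5-byte DER SEQUENCE, not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"


def pem_problem(text):
    """Describe what is wrong with pasted PEM text, or return None if sound."""
    blocks = PEM_BLOCK.findall(text)
    if len(blocks) != 1:
        return "expected 1 certificate block, found %d" % len(blocks)
    try:
        der = base64.b64decode("".join(blocks[0].split()), validate=True)
    except ValueError:
        return "certificate body is not valid base64"
    if len(der) < 2 or der[0] != 0x30:
        return "decoded data is not a DER SEQUENCE"
    # The outer SEQUENCE declares its length; a paste that lost lines falls short.
    n = der[1] & 0x7F if der[1] & 0x80 else 0
    body = int.from_bytes(der[2:2 + n], "big") if n else der[1]
    if 2 + n + body != len(der):
        return "DER length mismatch (truncated or padded paste)"
    return None


def audit_connstr(connstr):
    """Return findings for an SDK connection string; an empty list means OK."""
    url = urlsplit(connstr)
    findings = []
    if url.scheme != "couchbases":
        findings.append("scheme %r is not couchbases (SSL not requested)" % url.scheme)
    paths = parse_qs(url.query).get("certpath", [])
    if not paths:
        findings.append("no certpath option")
    elif not os.path.isfile(paths[0]):
        findings.append("certpath is not a file: %s" % paths[0])
    else:
        with open(paths[0], errors="replace") as fh:
            problem = pem_problem(fh.read())
        if problem:
            findings.append("certpath: " + problem)
    return findings
```

Call `audit_connstr()` with the same string you pass to `Bucket()`; the PEM check is structural only and does not verify who issued the certificate.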

Performance considerations

SSL encryption naturally adds overhead: it increases the amount of data being transferred (as data must be wrapped in an encrypted 'envelope', which contains additional information) and also adds processing overhead to encrypt and decrypt the data.