Secure Data Access

Couchbase Server client libraries support client-side encryption using the Secure Sockets Layer (SSL) and Transport Layer Security (TLS).
Couchbase Server and the SDKs support TLS v1.0 - 1.2 by default. Which version is negotiated depends on the client and server versions. Older clients might still use SSL and should be upgraded to a newer version of the SDK.

Starting with Couchbase Server version 4.1.1, you can set the minimum TLS version to 1.2 or higher using the following command:

curl -X POST -u Administrator:password http://127.0.0.1:8091/diag/eval -d "ns_config:set(ssl_minimum_protocol, 'tlsv1.2')"

The minimum TLS version is set per cluster, and the command has to be invoked with full administrator privileges.

For the change to take effect on port 18092, a cluster restart is needed. For the change to take effect only on port 18091, no cluster restart is needed.

Encrypted data access covers two paths: client-server communication and view access.

SSL/TLS Based Client-server Communication

Couchbase Server client libraries support client-side encryption using the SSL/TLS protocol by encrypting data in-flight between the client and the server. For Couchbase clients released after version 2.0, Couchbase Server provides secure client-server communication that does not require configuration.

When a TLS connection is established, a handshake, defined by the TLS Handshake Protocol, takes place. Within this handshake, a client hello (ClientHello) and a server hello (ServerHello) message are exchanged (RFC 5246). First, the client sends a cipher suite list, the list of cipher suites that it supports, in order of preference. Then the server replies with the cipher suite that it has selected from the client's list. Check whether your clients support TLS.

To enable SSL/TLS on the client side, you need to get a certificate from Couchbase Server and then follow the steps specific to the client you are using.

To obtain the certificate, access the Couchbase Web Console, navigate to Settings > Certificate > Show certificate and copy the certificate.

The certificate that is obtained is a self-signed server-generated certificate.
If the Couchbase Server certificate is re-generated, you must obtain a new certificate.

The following clients support SSL/TLS:

  • Java

  • .NET

  • Node.js

  • PHP

  • C

  • Go

Use Couchbase network port 11207 for SSL/TLS-encrypted data communication between the client and the data nodes.
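As an added example (not Couchbase's own SDK code), the Go standard library's crypto/tls shows what the steps above amount to on the client: the certificate copied from the console becomes the only trusted root, the client offers nothing below TLS 1.2 in its ClientHello, and a handshake is run against a stand-in listener to confirm the negotiated version. The hostname couchbase.example and the self-signed stand-in certificate are constructed placeholders, not values from a real cluster.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// NewCouchbaseTLSConfig builds the client settings for port 11207: the PEM copied from
// Settings > Certificate is the only trusted root, and nothing below TLS 1.2 is offered.
func NewCouchbaseTLSConfig(certPEM []byte, serverName string) (*tls.Config, error) {
	pool := x509.NewCertPool() // self-signed, so the system trust store would reject it
	if !pool.AppendCertsFromPEM(certPEM) {
		return nil, errors.New("no CERTIFICATE block found in PEM data")
	}
	return &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS12}, nil
}
// SelfSignedStandIn fabricates a self-signed certificate for host, standing in for the
// server-generated Couchbase certificate (constructed test data, not a real one).
func SelfSignedStandIn(host string) (certPEM []byte, serverCert tls.Certificate) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
}
// HandshakeVersion runs one ClientHello/ServerHello exchange against a local listener
// presenting serverCert and returns the negotiated protocol version (0 on failure).
func HandshakeVersion(clientCfg *tls.Config, serverCert tls.Certificate) (uint16, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	go func() { // server side: finish (or reject) the handshake, then hang up
		if c, err := ln.Accept(); err == nil { c.(*tls.Conn).Handshake(); c.Close() }
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return 0, err // e.g. "x509: certificate signed by unknown authority"
	}
	defer conn.Close()
	return conn.ConnectionState().Version, nil
}
```

Against a real cluster you would pass the PEM from the console and the node's hostname to NewCouchbaseTLSConfig and dial host:11207 with it; a client that leaves RootCAs at the system default, or uses the wrong hostname, fails the handshake, which is the check you want.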

SSL/TLS Based View Access

A new port 18092 is established for view access: https://couchbase_server:18092

Supported Ciphers

Couchbase Server uses the ciphers that OpenSSL accepts by default.

The default is the set of high-security ciphers built into OpenSSL. For example, on Mac OS these are:

  • AES256-SHA...YES

  • AES128-SHA...YES

  • DES-CBC3-SHA...YES

You can override this selection by setting the following environment variable before starting Couchbase:

COUCHBASE_SSL_CIPHER_LIST=<list of ciphers to accept>

Set the variable to COUCHBASE_SSL_CIPHER_LIST="MEDIUM, HIGH" to include only medium- and high-security ciphers for your installation (the value is an OpenSSL cipher string; colons are the usual separator, but commas and spaces are also accepted, hence the quoting).

For example, on Mac OS these are (note that the MEDIUM group pulls in the RC4 suites, which RFC 7465 prohibits for TLS, so review the resulting list before relying on it):

  • SEED-SHA...YES

  • AES256-SHA...YES

  • AES128-SHA...YES

  • DES-CBC3-SHA...YES

  • RC4-SHA...YES

  • RC4-MD5...YES

  • RC4-MD5...YES