Managing XDCR Data Encryption

    XDCR data encryption provides SSL encryption for data replication. Enterprise Edition only.

    Description

    The process for configuring XDCR with data encryption involves configuring the XDCR cluster reference with data encryption enabled, providing the SSL certificate, and configuring replication.

    HTTP method and URI

    The following summarizes the HTTP methods used for defining XDCR data encryption:

    | HTTP method | URI path | Description |
    |---|---|---|
    | GET | /pools/default/remoteClusters | Gets the destination cluster reference |
    | POST | /pools/default/remoteClusters | Creates a reference to the destination cluster |
    | POST | /pools/default/remoteClusters/[Name] | Modifies the destination cluster reference |
    | DELETE | /pools/default/remoteClusters/[Name] | Deletes the reference to the destination cluster |

    Retrieving certificates

    To retrieve the SSL certificate from the destination cluster for use on the source cluster, use the following HTTP method and URI:

    HTTP method and URI

    GET /pools/default/certificate

    Syntax

    curl http://[remoteHost]:[port]/pools/default/certificate

    Example

    curl http://remoteHost:8091/pools/default/certificate > ./remoteCert.pem
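The retrieval command above saves whatever the server returns, so an HTTP error body can end up in remoteCert.pem, and the transfer itself is plain HTTP. The following added example (not from the Couchbase documentation; function names and sample files are hypothetical) fetches with curl --fail, rejects anything that is not exactly one PEM certificate block, and prints a SHA-256 fingerprint to compare against the destination cluster's own copy before the file is passed as the certificate parameter:

```shell
#!/bin/sh
# Added example, not Couchbase code. Function names and sample files are hypothetical.

# pem_cert_count FILE: print the number of complete PEM certificate blocks in FILE,
# or -1 if anything else is present (an HTML/JSON error body, a cut-off block).
pem_cert_count() {
    awk '
        { sub(/[ \t\r]+$/, "") }    # tolerate CRLF and trailing blanks
        $0 == "-----BEGIN CERTIFICATE-----" { if (open) bad = 1; open = 1; body = 0; next }
        $0 == "-----END CERTIFICATE-----" { if (open && body) n++; else bad = 1; open = 0; next }
        open { if ($0 ~ "^[A-Za-z0-9+/=]+$") body++; else bad = 1; next }
        $0 != "" { bad = 1 }        # text outside a certificate block
        END { if (bad || open) print -1; else print n + 0 }
    ' "$1"
}

# check_remote_cert FILE: succeed only if FILE is exactly one well-formed PEM block.
check_remote_cert() {
    [ -s "$1" ] || { echo "missing or empty: $1" >&2; return 1; }
    [ "$(pem_cert_count "$1")" = 1 ] || { echo "not a single PEM certificate: $1" >&2; return 1; }
}

# fetch_remote_cert HOST:PORT FILE: the page's retrieval request, but --fail makes
# curl exit non-zero on an HTTP error instead of saving the error body.
fetch_remote_cert() {
    curl --fail --silent --show-error "http://$1/pools/default/certificate" -o "$2" &&
        check_remote_cert "$2"
}

# cert_fingerprint FILE: SHA-256 fingerprint, to compare against the value read
# on the destination cluster itself before the certificate is trusted.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# make_samples DIR: constructed sample files (base64 filler, not a real certificate).
make_samples() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'TUlJQ29uc3RydWN0ZWQrU2FtcGxlL0JvZHk=' \
        '-----END CERTIFICATE-----' > "$1/good.pem"
    printf '%s\n' '<html><body>401 Unauthorized</body></html>' > "$1/error.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'TUlJQ29uc3RydWN0ZWQ=' > "$1/truncated.pem"
}
```

Run `fetch_remote_cert remoteHost:8091 ./remoteCert.pem && cert_fingerprint ./remoteCert.pem` in place of the bare redirect.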

    Regenerating certificates

    To regenerate a certificate on a destination cluster, use the following HTTP method and URI:

    HTTP method and URI

    POST /controller/regenerateCertificate

    Example

    curl -X POST http://Administrator:asdasd@remoteHost:8091/controller/regenerateCertificate

    Configuring XDCR with data encryption

    A POST to /pools/default/remoteClusters creates the XDCR cluster reference from the source cluster to the destination cluster. Setting the demandEncryption parameter to one (1) and providing the certificate name and location enables data encryption.

    HTTP method and URI

    The following HTTP method and URI modify the destination cluster reference.

    PUT /pools/default/remoteClusters

    Syntax

    curl -X POST -u Admin:myPassword \
      http://localHost:port/pools/default/remoteClusters \
      -d name=<clusterName> \
      -d hostname=<host>:<port> \
      -d username=<adminName> \
      -d password=<adminPassword> \
      -d demandEncryption=[0|1] --data-urlencode "certificate=$(cat remoteCert.pem)" \
      -d encryptionType=["half"|"full"]

    name             Remote cluster name
    hostname         FQDN of the remote host
    username         Remote cluster Admin name
    password         Remote cluster Admin password
    encryptionType   Set to "half" to just encrypt log-in details

    Example

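    # demandEncryption and certificate are separate arguments: the shell expands
    # $(cat remoteCert.pem) inside double quotes and curl URL-encodes the PEM text.
    curl -X POST \
     -d 'name=remoteName' \
     -d 'hostname=10.3.4.187:8091' \
     -d 'username=remoteAdmin' -d 'password=remotePassword' \
     -d 'demandEncryption=1' --data-urlencode "certificate=$(cat remoteCert.pem)" \
     -d 'encryptionType=full' \
     http://Administrator:asdasd@192.168.0.1:8091/pools/default/remoteClusters/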

    Disabling data encryption

    To modify the XDCR configuration so that SSL data encryption is disabled, execute a PUT from the source cluster to the destination cluster with demandEncryption=0.

    HTTP method and URI

    PUT /pools/default/remoteClusters

    Example

    curl -X PUT -u myAdmin:myPassword \
      http://192.168.0.1:8091/pools/default/remoteClusters/ \
      -d 'name=remoteName' \
      -d 'hostname=10.3.4.187:8091' \
      -d 'username=remoteAdmin' -d 'password=remotePassword' \
      -d 'demandEncryption=0'