A newer version of this documentation is available.

View Latest

setting-security

      +

      Manage security policies

      SYNOPSIS

      couchbase-cli setting-security [--cluster <url>] [--username <user>]
          [--password <password>] [--set] [--get] [--disable-http-ui <0|1>]
          [--disable-www-authenticate <0|1>]
          [--cluster-encryption-level <all|control|strict>]
          [--tls-min-version <tlsv1|tlsv1.1|tlsv1.2>]
          [--tls-honor-cipher-order <0|1>] [---cipher-suites <ciphers>]
          [--hsts-max-age <seconds] [--hsts-preload-enabled <0|1>]
          [--hsts-include-sub-domains-enabled <0|1>]

      DESCRIPTION

      This command allows configuring cluster wide security settings.

      OPTIONS

      -c
      --cluster

      Specifies the hostname of a node in the cluster. See the HOST FORMATS section for more information on specifying a hostname.

      -u
      --username <username>

      Specifies the username of the user executing the command. If you do not have a user account with permission to execute the command then it will fail with an unauthorized error.

      -p
      --password <password>

      Specifies the password of the user executing the command. If you do not have a user account with permission to execute the command then it will fail with an unauthorized error. If this argument is specified, but no password is given then the command will prompt the user for a password through non-echoed stdin. You may also specify your password by using the environment variable CB_REST_PASSWORD.

      --get

      Gets current security settings.

      --set

      Set new security settings.

      --disable-http-ui <0|1>

      Specifies whether the Couchbase Web Console can be accessible over http. To disable access set this option to "1". To enable access set this option to "0". By default, access to the UI over http is enabled.

      --disable-www-authenticate <0|1>

      Specifies whether Couchbase Server will respond with WWW-Authenticate to unauthenticated requests. By default this is enabled which may result in browsers prompting the user for username/password and then caching the information.

      --cluster-encryption-level <all|control|strict>

      Specifies the cluster encryption level. The level is used when cluster encryption is turned on. If the level is "all" then both data and control messages between the nodes in the cluster will be sent over encrypted connections. If the level is "control" only control messages will be sent encrypted. If the level is "strict" it is the same as having the level "all" but all non-TLS ports on non-loopback interfaces will be closed. By default when cluster encryption is turned on, the level will be "control".

      --tls-min-version <tlsv1|tlsv1.1|tlsv1.2>

      Specify the minimum TLS protocol version to be used across all of the Couchbase services.

      --tls-honor-cipher-order <1|0>

      Specifies whether the cipher-order must be followed across all of the services. When set to 1, this allows weaker ciphers to be included in the cipher list for backwards compatibility of older clients/browsers while still forcing the newer clients to use stronger ciphers.

      --cipher-suites <cipher>

      Specify the cipher suite to be used across all of the couchbase services. The ciphers have to be a comma separated list such as: TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA. If an empty string is given ("") then the cipher list will be reset to its default.

      --hsts-max-age <seconds>

      Specifies the max-ages directive in seconds the server uses in the Strict-Transport-Security header.

      --hsts-preload-enabled <1|0>

      Specifies whether the preload directive for the Strict-Transport-Security header the server uses should be set.

      --hsts-include-sub-domains-enabled <1|0>

      Specifies whether the includeSubDomains directive for the Strict-Transport-Security header the server uses should be set.

      HOST FORMATS

      When specifying a host for the couchbase-cli command the following formats are expected:

      • couchbase://<addr>

      • <addr>:<port>

      • http://<addr>:<port>

      It is recommended to use the couchbase://<addr> format for standard installations. The other two formats allow an option to take a port number which is needed for non-default installations where the admin port has been set up on a port other that 8091.

      EXAMPLES

      To disable the Couchbase Administration Console over HTTP run the following command.

      $ couchbase-cli setting-security -c localhost -u Administrator \
       -p password --set --disable-http-ui 1

      To change the encryption level to "all" run the following command.

      $ couchbase-cli setting-security -c localhost -u Administrator \
       -p password --set --cluster-encryption-level all

      To change max-ages directive for Strict-Transport-Security header to 10 seconds.

      $ couchbase-cli setting-security -c localhost -u Administrator \
       -p password --set --hsts-max-age 10

      ENVIRONMENT AND CONFIGURATION VARIABLES

      CB_REST_USERNAME

      Specifies the username to use when executing the command. This environment variable allows you to specify a default argument for the -u/--username argument on the command line.

      CB_REST_PASSWORD

      Specifies the password of the user executing the command. This environment variable allows you to specify a default argument for the -p/--password argument on the command line. It also allows the user to ensure that their password are not cached in their command line history.

      COUCHBASE-CLI

      Part of the couchbase-cli suite