Secure Sync Gateway Access
Couchbase Sync Gateway TLS encryption and verification
Related Security topics: User Authentication | TLS Certificate Authentication
Overview
TLS is required by default for all communications with Couchbase Server [1]. TLS v1.3 is supported as the default protocol.
We strongly recommend always having TLS enabled, although this can be over-ridden for development and testing only.
Additionally, the Admin and Metrics REST API security is also enhanced by the use of Couchbase Server RBAC user credentials to authenticate and authorize access — see: REST API Access
Couchbase Server Connection
By default Sync Gateway requires TLS encryption and the server scheme is specified as couchbases://
.
You can set the bootstrap.server_tls_skip_verify flag true
to connect to 'default CBS'.
But, this must only be done for testing or development purposes.
The content in Table 1 shows the TLS configuration options for sync gateway-Couchbase Server communication. The options include flags that will allow you to override the requirement to use TLS — for use in testing and-or development environments only.
Bootstrap Configuration / Command-line flag |
Default Behavior | Opt-out |
---|---|---|
|
TLS enabled |
Set this |
|
TLS enabled unless |
|
|
Provides the path to the root CA certificate to verify the certificate chain and hostname of the Couchbase Server cluster |
Omit if not required |
|
Omit if not required |
|
|
Omit if not required |
Behavior
Required Configuration | Default Behavior | Opt-Out Trigger |
---|---|---|
Use |
|
|
For more on creating and installing certificates, see: TLS Certificate Authentication.
Client Connection
Couchbase Lite client applications must be updated to use TLS when connecting to sync gateway nodes running in default mode.
Bootstrap Configuration | Command-line flag | Default | Purpose |
---|---|---|---|
|
|
nil |
|
|
|
- |
Provide the path to the TLS certificate file. |
Omit both options to use plaintext — for development and-or testing only — see the Bootstrap Configuration.
Configuration Properties |
Default Behavior |
Opt-Out Trigger |
---|---|---|
TLS verification and encryption is enabled by default, unless the opt-out is triggered |
Omit from configuration |
Running Sync Gateway
As a Service
The serviceconfig.json
file uses the couchbases:
scheme, with server_skip_tls_verify=true
by default, to facilitate testing and development; no TLS validation is done.
Use the following settings to configure TLS:
For more on configuration options, see: Bootstrap Configuration.
Command Line
Use the following command line flags to configure TLS:
-
-bootstrap.ca_cert_path
-
-bootstrap.x509_cert_path
-
-bootstrap.x509_key_path
-
-bootstrap.server_skip_tls_verify
Sync Gateway will error non-secure server schemes (couchbase:
or ws:
) unless the opt-out option is true.
Note that you can no longer start sync gateway without providing at least one parameter, as with no configuration file specified, you need to either provide a TLS Cert/Key, or disable TLS.
For more on command line options, see: Command Line Options.