Managing XDCR data encryption
XDCR data encryption provides SSL encryption for data replication. Enterprise Edition only.
Description
The process for configuring XDCR with data encryption involves configuring the XDCR cluster reference with data encryption enabled, providing the SSL certificate, and configuring replication.
HTTP method and URI
The following summarizes the HTTP methods used for defining XDCR data encryption:
HTTP method | URI path | Description |
---|---|---|
GET | /pools/default/remoteClusters | Gets the destination cluster reference |
POST | /pools/default/remoteClusters | Creates a reference to the destination cluster |
PUT | /pools/default/remoteClusters/UUID | Modifies the destination cluster reference |
DELETE | /pools/default/remoteClusters/UUID | Deletes the reference to the destination cluster. |
Retrieving certificates
To retrieve the destination cluster's SSL certificate for use on the source cluster, use the following HTTP method and URI:
HTTP method and URI
GET /pools/default/certificate
Syntax
curl http://[remoteHost]:[port]/pools/default/certificate
Example
curl http://remoteHost:8091/pools/default/certificate > ./remoteCert.pem
Regenerating certificates
To regenerate a certificate on a destination cluster, use the following HTTP method and URI:
HTTP method and URI
POST /controller/regenerateCertificate
Example
curl -X POST http://Administrator:asdasd@remoteHost:8091/controller/regenerateCertificate
Configuring XDCR with data encryption
A POST to /pools/default/remoteClusters creates the XDCR cluster reference from the source cluster to the destination cluster. Setting the demandEncryption parameter to one (1) and providing the certificate name and location enables data encryption.
HTTP method and URI
The following HTTP method and URI modifies the destination cluster reference.
PUT /pools/default/remoteClusters
Syntax
# name: remote cluster name
# hostname: FQDN of the remote host
# username: remote cluster Admin name
# password: remote cluster Admin password
curl -X POST -u Admin:myPassword \
  http://localHost:port/pools/default/remoteClusters \
  -d name=<clusterName> \
  -d hostname=<host>:<port> \
  -d username=<adminName> \
  -d password=<adminPassword> \
  -d demandEncryption=[0|1] --data-urlencode "certificate=$(cat remoteCert.pem)"
Example
curl -X POST \
  -d name=remoteName \
  -d hostname=10.3.4.187:8091 \
  -d username=remoteAdmin -d password=remotePassword \
  -d demandEncryption=1 --data-urlencode "certificate=$(cat remoteCert.pem)" \
  http://Administrator:[email protected]:8091/pools/default/remoteClusters/
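The retrieval example above fetches remoteCert.pem over plain HTTP, so the file is only as trustworthy as that connection. The following added example (not from the Couchbase documentation) compares the file with a SHA-256 fingerprint obtained out of band before it is submitted with demandEncryption=1. The function names, the SRC_*/REMOTE_* environment variables and the pinned value are assumptions.

```shell
#!/bin/sh
# Added example, not Couchbase tooling. Function names and the SRC_*/REMOTE_*
# environment variables are assumptions made for this example.

# Print the lowercase hex SHA-256 of the DER bytes of the first certificate in a
# PEM file: the value `openssl x509 -noout -fingerprint -sha256` shows, minus colons.
pem_sha256() {
    body=$(awk '/-----END CERTIFICATE-----/ { exit }
                inside { printf "%s", $0 }
                /-----BEGIN CERTIFICATE-----/ { inside = 1 }' "$1" | tr -d ' \t\r')
    [ -n "$body" ] || return 1     # no certificate block: never hash empty input
    printf '%s' "$body" | base64 -d >/dev/null 2>&1 || return 1   # not valid base64
    printf '%s' "$body" | base64 -d | sha256sum | cut -d' ' -f1
}

# Succeed only when FILE's fingerprint equals PIN (colons, spaces and case ignored).
cert_matches_pin() {
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    got=$(pem_sha256 "$1") || return 1
    [ "${#want}" -eq 64 ] && [ "$got" = "$want" ]
}

# POST the reference with demandEncryption=1 only after the pin check passes.
# usage: create_encrypted_ref CERT PIN SOURCE_URL NAME REMOTE_HOST:PORT
create_encrypted_ref() {
    cert_matches_pin "$1" "$2" || {
        echo "fingerprint mismatch, $1 was not submitted" >&2
        return 1
    }
    curl -sS -X POST -u "$SRC_ADMIN:$SRC_PASSWORD" \
        "$3/pools/default/remoteClusters" \
        -d "name=$4" -d "hostname=$5" \
        --data-urlencode "username=$REMOTE_ADMIN" \
        --data-urlencode "password=$REMOTE_PASSWORD" \
        -d demandEncryption=1 --data-urlencode "certificate=$(cat "$1")"
}

# Typical call, with PIN supplied by the destination cluster's operator:
#   create_encrypted_ref ./remoteCert.pem "$PIN" http://localhost:8091 remoteName 10.3.4.187:8091
```

The pin has to reach the source side through a channel other than the HTTP request that delivered the certificate, for example the same hash computed on the destination node itself.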
Disabling data encryption
To modify the XDCR configuration so that SSL data encryption is disabled, execute a PUT from the source cluster to the destination cluster with demandEncryption=0.
HTTP method and URI
PUT /pools/default/remoteClusters
Example
curl -X PUT -u Admin:myPassword \
  http://192.168.0.1:8091/pools/default/remoteClusters/ \
  -d name=remoteName \
  -d hostname=10.3.4.187:8091 \
  -d username=remoteAdmin -d password=remotePassword \
  -d demandEncryption=0