
Configuring IPsec for a Couchbase Cluster


Want to get your Couchbase cluster in line with IPsec? This guide shows you how to do it.


Some Couchbase deployments require secure communications between nodes across the network, for example because of data governance policies or regulatory compliance. Internet Protocol Security (IPsec) is a protocol suite that secures Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec can be used to protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). The goal of this article is to give Couchbase administrators a quick start on how to configure IPsec across the nodes of a Couchbase cluster.

IPsec Modes

IPsec has two modes: tunnel mode and transport mode. The most widely used is tunnel mode, which is typically used for VPN setups (creating a tunnel network device in the process). Tunnel mode is not practical for a Couchbase cluster, as it would require creating and maintaining tunnels between all pairs of nodes.

Transport mode is needed when securing communication across nodes in the same network. It allows the use of IPsec on a per-packet basis — completely transparently for applications.

IPsec can provide authentication of packets (i.e. ensure that all packets received are from trusted nodes) and encryption of packets. Transport mode and the associated Security Policy Database entries allow setting up the behavior required for a Couchbase cluster:

  • specific kinds of incoming packets are only accepted if encapsulated in IPsec and valid (dropped otherwise)

  • specific kinds of outgoing packets are required to be encapsulated in IPsec

Usually “specific kind” is going to be something like: all packets from/to a Couchbase cluster network segment. Or it can be something like: all packets to/from Couchbase service ports.

Requirements

  • Linux Distribution (Debian is used for this blog). Windows does support IPsec, though this was not tested.
  • Linux Openswan U2.6.32/K2.6.32-573.el6.x86_64 (netkey) or higher.
  • Couchbase 4.1 or higher.
  • Sudo/root user access to the system.

Installation and Configuration of OpenSwan

From the command line using sudo, the following commands were run on each node. For other Linux distros, use the appropriate package manager.

# sudo apt-get update

# sudo apt-get install openswan

The installer may prompt the user to create an X.509 certificate; do not create one, since this setup uses a pre-shared key. IPsec needs to be configured for transport mode. In the demonstration environment created for this blog, we have two nodes: 10.0.2.4 and 10.0.2.5.

Steps

  1. On each node, add a line to the /etc/ipsec.secrets file: ipaddress_node1 ipaddress_node2: PSK "some_key".

  2. Modify the /etc/ipsec.conf file to include the *.conf files located in the ipsec.d subdirectory. This allows for easy automation if you need to add nodes to the cluster. Each pair of nodes needs its own entry.

  3. Create a configuration file in the /etc/ipsec.d/ directory with the following information:

    conn couchbase
        type=transport
        authby=secret
        left=<ip address of node 1>
        right=<ip address of node 2>
        pfs=yes
        auto=start

    • conn couchbase: Arbitrary label for your connection. This can be anything you'd like.
    • type=transport: We want to use transport mode for this connection.
    • authby=secret: We'll be using a pre-shared key (PSK) for this connection.
    • left=10.0.2.4: This and the next line denote the IP addresses involved in this IPsec association. It does not matter which IP is "left" and which is "right."
    • right=10.0.2.5: See the bullet above.
    • pfs=yes: We want to enable Perfect Forward Secrecy for this connection. In short, this drastically improves security.
    • auto=start: We want to pro-actively initiate the IPsec association immediately. This can also be set to auto=add, in which case it waits for the other end of the connection to initiate traffic.

  4. Enable IPsec to use the new configuration on both nodes: #sudo service ipsec restart.
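Because every pair of nodes needs its own conn and its own PSK line, hand-editing becomes error-prone as the cluster grows. The script below is an added example, not part of the original article: it emits one transport-mode conn block and one freshly generated PSK line for every unordered pair in a node list, mirroring the settings shown above. Function names, the conn naming scheme and the output file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): generate Openswan
# transport-mode conn blocks and PSK lines for every pair of cluster nodes.

# Turn "10.0.2.4" into "10_0_2_4" so it can be used inside a conn label.
ip_label() {
    printf '%s' "$1" | tr '.' '_'
}

# Print an /etc/ipsec.d/*.conf fragment for one pair of nodes, using the
# same settings as the article (transport, PSK auth, PFS, auto=start).
conn_block() {
    printf 'conn couchbase_%s_%s\n' "$(ip_label "$1")" "$(ip_label "$2")"
    printf '    type=transport\n    authby=secret\n'
    printf '    left=%s\n    right=%s\n' "$1" "$2"
    printf '    pfs=yes\n    auto=start\n\n'
}

# Print one ipsec.secrets line for a pair. Each pair gets its own random
# 256-bit key from /dev/urandom, so one leaked key exposes only that pair.
secret_line() {
    key=$(od -An -N32 -tx1 /dev/urandom | tr -d ' \n')
    printf '%s %s: PSK "%s"\n' "$1" "$2" "$key"
}

# gen_pairs conf|secrets "ip1 ip2 ip3 ..." visits each unordered pair once
# (i < j) and prints the conf fragments or the secrets lines for all of them.
gen_pairs() {
    mode=$1; shift
    set -- $1
    i=1
    for a in "$@"; do
        j=1
        for b in "$@"; do
            if [ "$j" -gt "$i" ]; then
                case $mode in
                    conf)    conn_block "$a" "$b" ;;
                    secrets) secret_line "$a" "$b" ;;
                esac
            fi
            j=$((j + 1))
        done
        i=$((i + 1))
    done
}

# Usage with the article's two nodes plus a constructed third address:
# gen_pairs conf    "10.0.2.4 10.0.2.5 10.0.2.6" > /etc/ipsec.d/couchbase.conf
# gen_pairs secrets "10.0.2.4 10.0.2.5 10.0.2.6" > /etc/ipsec.d/couchbase.secrets
```

Run it once on a management host and distribute the two generated files to every node (the secrets file with mode 0600), then restart the ipsec service as in step 4.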

Testing the Setup

From a command line on one node, type the following command:

#ping <other node>

From the other node, use the command line and type:

#sudo tcpdump esp

If tcpdump shows ESP packets for the ping traffic, the setup is working (desired result). If you get no messages, you will need to debug your setup (please refer to the IPsec guides listed below).

Note: ESP = Encapsulating Security Payload

Couchbase Configuration

Install Couchbase on each node in a simple two-node configuration, then set up the cluster. All communication between the two nodes can be traced using the tcpdump esp command; the screenshot below documents communication between two Couchbase nodes.

[Screenshot: Couchbase Test Cluster]

[Screenshot: #sudo tcpdump esp]

References

IPsec Overview

Implementing IPsec Transport Mode 

Sample Configuration Files Used for this Test

/etc/ipsec.conf

# /etc/ipsec.conf - Openswan IPsec configuration file
# Manual:     ipsec.conf.5
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0   # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Debug-logging controls:  "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey
    nat_traversal=yes
    virtual_private=
    oe=off
    # Enable this if you see "failed to find any available worker"
    # nhelpers=0

# You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf

/etc/ipsec.secrets

include /etc/ipsec.d/*.secrets

# use IP addresses from your own environment
# replace "sharedkey" with a long random value of your own
10.0.2.4 10.0.2.5: PSK "sharedkey"

/etc/ipsec.d/couchbase.conf

conn couchbase
    type=transport
    authby=secret
    left=10.0.2.4
    right=10.0.2.5
    pfs=yes
    auto=start



Published at DZone with permission of Tim Wong. See the original article here.

Opinions expressed by DZone contributors are their own.
