Added secret mgmt related topics

couchbase · Dec 19, 2016 · 57c7560 · 57c7560
1 parent 88ab65f
commit 57c7560
Show file tree

Hide file tree

Showing 7 changed files with 167 additions and 0 deletions.
diff --git a/content/cli/cbcli/master-password.dita b/content/cli/cbcli/master-password.dita
@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DITA Reference//EN" "reference.dtd">
+<reference id="reference_b1h_jnt_gy">
+  <title><cmdname>master-password</cmdname></title>
+  <shortdesc>Sets and sends the master password.</shortdesc>
+  <refbody>
+    <section id="section_jxx_knt_gy">
+      <title>Syntax</title>
+      <p>The basic syntax is:</p>
+      <codeblock>ccouchbase-cli master-password -c [host]:8091 -u [admin] -p [password] [options]</codeblock>
+    </section>
+    <section id="section_kxx_knt_gy">
+      <title>Description</title>
+      <p>The <cmdname>master-password</cmdname> command sets and sends the master password.  </p>
+    </section>
+    <section id="section_lxx_knt_gy">
+      <title>Options</title>
+      <p>The following are the command options:</p>
+      <table id="table_mxx_knt_gy">
+        <title>node-init options</title>
+        <tgroup cols="2">
+          <colspec colname="col1" colwidth="1*"/>
+          <colspec colname="col2" colwidth="1.01*"/>
+          <thead>
+            <row>
+              <entry>Option</entry>
+              <entry>Description</entry>
+            </row>
+          </thead>
+          <tbody>
+            <row>
+              <entry><codeph>--new-password</codeph></entry>
+              <entry>Prompts user for a new master password on this node.</entry>
+            </row>
+            <row>
+              <entry><codeph>--rotate-data-key</codeph></entry>
+              <entry>Rotates the master password data key</entry>
+            </row>
+            <row>
+              <entry><codeph>--send-password</codeph></entry>
+              <entry>Prompts for the master password to start the server. </entry>
+            </row>
+          </tbody>
+        </tgroup>
+      </table>
+    </section>
+    <section id="section_nxx_knt_gy">
+      <title>Examples</title>
+      <p>To change the master password:</p>
+      <codeblock>couchbase-cli master-password -c 192.168.0.1:8091 -u Administrator -p password --new-password</codeblock>
+      <p>To rotate the data key:</p>
+      <codeblock>couchbase-cli master-password -c 192.168.0.1:8091 -u Administrator -p password --rotate-data-key</codeblock></section>
+  </refbody>
+</reference>
diff --git a/content/cli/cli.ditamap b/content/cli/cli.ditamap
@@ -28,6 +28,7 @@
 			<topicref href="cbcli/collect-logs-stop.dita"/>
 			<topicref href="cbcli/failover.dita"/>
 			<topicref href="cbcli/group-manage.dita"/>
+			<topicref href="cbcli/master-password.dita"/>
 			<topicref href="cbcli/node-init.dita"/>
 			<topicref href="cbcli/rebalance.dita"/>
 			<topicref href="cbcli/rebalance-status.dita"/>

diff --git a/content/rest-api/rest-api.ditamap b/content/rest-api/rest-api.ditamap
@@ -107,6 +107,7 @@
 				</topicref>
 
 				<topicref href="rest-encryption.dita"/>
+				<topicref href="rest-secret-mgmt.dita"/>
 
 
 			</topicref>

diff --git a/content/rest-api/rest-secret-mgmt.dita b/content/rest-api/rest-secret-mgmt.dita
@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE topic PUBLIC "-//OASIS//DTD DITA Topic//EN" "topic.dtd">
+<topic id="topic_jdz_bd3_hy">
+  <title>Secret Management API</title><shortdesc>An Administrator can change the master password and data key. Resetting the password
+    requires authentication.</shortdesc>
+  <body>
+    <section>
+      <title>POST  /node/contorller/changeMasterPassword</title>
+      <p><b>Description</b></p>
+      <p>This command retrieves changes the master password. </p>
+      <p><b>Parameters</b></p>
+      <p>
+        <ul id="ul_bs2_gsd_3y">
+          <li>newPassword - Specifies a new password. Required.</li>
+        </ul>
+      </p>
+      <p><b>Syntax:</b>
+      </p>
+      <codeblock>$ curl -v -X POST -d 'newPassword=blah’ http://Administrator:password@127.0.0.1:8091 \
+/node/controller/changeMasterPassword      </codeblock>
+
+     </section> <section>
+        <title>POST /node/contorller/rotateDataKey</title>
+          <p><b>Description</b></p>
+          <p>This command changes the data key.  </p>
+          <p><b>Parameters</b></p>
+          <p>
+        <ul id="ul_vfy_lsd_3y">
+          <li>None.</li>
+        </ul>
+      </p>
+          <p><b>Syntax:</b>
+          </p>
+          <codeblock>$ curl -v -X POST http://Administrator:password@127.0.0.1:8091 \
+            /node/controller/rotateDataKey      </codeblock>
+      </section> 
+
+  </body>
+</topic>
diff --git a/content/security/pict/secret-mgmt.png b/content/security/pict/secret-mgmt.png
diff --git a/content/security/secret-mgmt.dita b/content/security/secret-mgmt.dita
@@ -0,0 +1,71 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE topic PUBLIC "-//OASIS//DTD DITA Topic//EN" "topic.dtd">
+<topic id="topic_s2r_2yt_gy">
+  <title>Secret Management and Hardening</title>
+  <shortdesc>Using the Secret Management functionality Couchbase Server provides you a way to
+    securely manage server secrets which helps hardening of Couchbase Server. This feature allows
+    businesses to fulfill important requirements around their server secrets needed for
+    compliance.</shortdesc>
+  <body>
+    <p>Secrets must be stored in a secure way and access to these secrets must be controlled to
+      reduce the risk of accidental exposure. With secret management in Couchbase Server, secrets
+      are written to disk in encrypted format. Couchbase uses an AES 256-bit algorithm in GCM mode
+      to encrypt secrets using an encryption hierarchy as shown in the following illustration. </p>
+    <p>
+      <image href="pict/secret-mgmt.png" width="570" id="image_secret_mgmt"/></p><p>The master password is at the top of the encryption hierarchy. The master password is either user
+      specified or can be inserted into the system using a system environment variable
+        <codeph>CB_MASTER_PASSWORD</codeph> or using the prompt. If the environment variable is not
+      set, Couchbase Server waits until the master password is specified using the prompt. Couchbase
+      recommends that you use a strong master password. </p>
+    <p>When you specify a master password, Couchbase derives a master key from that password. This
+      zero-knowledge password design hardens the Couchbase system. </p>
+    <p>To bootstrap the system, the master key is used to open the encrypted data key. The decrypted
+      data key is then used to open the encrypted secrets, and the secrets are used to start
+      Couchbase Server. </p>
+
+
+    <section id="section_password_rotation">
+      <title>Password Rotation</title>
+      <p>With the Secret Management in 4.6, you can rotate your secrets at different levels of the
+        key hierarchy periodically or in the event of a breach. </p>
+      <p>
+        <ul id="ul_kdl_mzt_gy">
+          <li>Master password rotation - This first level of rotation can be achieved by setting a
+            new password using the CLI or REST API. Couchbase allows the flexibility of setting one
+            master password per node. </li>
+          <li>Data key rotation - This second level of rotation can done rotation by changing the
+            data key using the CLI or REST API. </li>
+          <li>Secret rotation - This third level of rotation can be done by changing the values of
+            the secrets. For example, to reset the administrator password secrets use the <xref
+              href="../cli/cbreset_password-tool.dita#cbreset_password_tool">cbreset_password</xref>
+            tool. </li>
+        </ul>
+      </p><p>For better security, you can rotate your password anytime without any application downtime, and
+        all rotation requests are audited by Couchbase Server if the <xref
+          href="security-auditing.dita#topic_a5p_npm_lq">auditing</xref> option is enabled. </p>
+    </section>
+    <section id="section_configure_master_password">
+      <title>Configuring the Master Password</title>
+      <p>You can set the master password by using the environment variable or during the initial
+        startup using the prompt.</p>
+      <p>To set the master password using the environment variable:<ol id="ol_xv4_1md_3y">
+        <li>Run the following command to set the environment variables, for example, on Ubuntu
+          bash shell terminal:<p><codeph>export
+            CB_MASTER_PASSWORD=p@$$wor4</codeph></p></li>
+      </ol></p>
+      <p>To set the master password using the prompt: <ol id="ol_rkj_wmd_3y">
+          <li>Unset the environment variable by running the following command:<p><codeph>unset
+                CB_MASTER_PASSWORD</codeph></p></li>
+          <li>Run the following command to pass the environment variable on a
+                server:<p><codeph>couchbase-cli master-password -c 192.168.0.1:8091
+                --send-password</codeph></p></li>
+        </ol></p><p>To rotate your server secrets using the CLI command, see <xref
+          href="../cli/cbcli/master-password.dita#reference_b1h_jnt_gy">master-password</xref> for
+        details. </p>
+      <p>To rotate your server secrets using the REST API, see <xref
+          href="../rest-api/rest-secret-mgmt.dita#topic_jdz_bd3_hy">Secret Management API</xref> for
+        details.</p>
+    </section>  
+  </body>
+
+</topic>
diff --git a/content/security/security.ditamap b/content/security/security.ditamap
@@ -31,6 +31,7 @@
     <topicref href="security-x509certsintro.dita"/>
    </topicref>
    <topicref href="security-in-applications.dita"/>
+   <topicref href="secret-mgmt.dita"/>
   </topicref>
   <topicref href="security-best-practices.dita">
    <topicref href="security-passwords.dita"/>