setting-master-password

      +

      Manages the Couchbase master password

      SYNOPSIS

      couchbase-cli setting-master-password [--cluster <url>] [--username <user>] [--password <password>]
          [--client-cert <path>] [--client-cert-password <password>] [--client-key <path>]
          [--client-key-password <password>] [--new-password <password>] [--rotate-password]

      DESCRIPTION

      Couchbase Server Enterprise Edition has a "Secret Management" feature, which allows users to securely encrypt passwords and other sensitive configuration information that is stored on disk. These secrets must be stored in a secure way; and access must be controlled, to reduce the risk of accidental exposure. By using Secret Management in Couchbase Server, secrets are written to disk in encrypted format. To decrypt these secrets, Couchbase requires entry of a "master password", which is supplied by the user during server startup. This master password can be passed to the server using the couchbase-cli master-password command.

      By default, the Secret Management feature is disabled. To enable the feature, you must first set the master password. Once a master password is set, the user is required to enter it when the server starts up. This can be done by setting the environment variable CB_MASTER_PASSWORD=<password> during server startup.

      OPTIONS

      -c
      --cluster

      Specifies the hostname of a node in the cluster. See the HOST FORMATS section for more information on specifying a hostname.

      -u
      --username <username>

      Specifies the username of the user executing the command. If you do not have a user account with permission to execute the command then it will fail with an unauthorized error.

      -p
      --password <password>

      Specifies the password of the user executing the command. If you do not have a user account with permission to execute the command then it will fail with an unauthorized error. If this argument is specified, but no password is given then the command will prompt the user for a password through non-echoed stdin. You may also specify your password by using the environment variable CB_REST_PASSWORD.

      --client-cert <path>

      The path to a client certificate used to authenticate when connecting to a cluster. May be supplied with --client-key as an alternative to the --username and --password flags. See the CERTIFICATE AUTHENTICATION section for more information.

      --client-cert-password <password>

      The password for the certificate provided to the --client-cert flag, when using this flag, the certificate/key pair is expected to be in the PKCS#12 format. See the CERTIFICATE AUTHENTICATION section for more information.

      --client-key <path>

      The path to the client private key whose public key is contained in the certificate provided to the --client-cert flag. May be supplied with --client-cert as an alternative to the --username and --password flags. See the CERTIFICATE AUTHENTICATION section for more information.

      --client-key-password <password>

      The password for the key provided to the --client-key flag, when using this flag, the key is expected to be in the PKCS#8 format. See the CERTIFICATE AUTHENTICATION section for more information.

      --rotate-data-key

      Secrets are encrypted using a data key file, which is a unique key that is stored on disk for each server. To open this file, the master password is used to generate a key which decrypts the contents of the data key file. The contents of the decrypted data key file can then be used to decrypt secrets. Some users may want to generate a new data key file periodically, to increase security. This option is used to generate a new data key file.

      --new-password

      Sets a new master password for the server specified. The user may specify this password on the command line, or through non-echoed stdin. To specify the password through non-echoed stdin, do not provide a value for this option. The user will then be prompted to enter the password.

      HOST FORMATS

      When specifying a host for the couchbase-cli command the following formats are expected:

      • couchbase://<addr> or couchbases://<addr>

      • http://<addr>:<port> or https://<addr>:<port>

      • <addr>:<port>

      It is recommended to use the couchbase://<addr> or couchbases://<addr> format for standard installations. The other formats allow an option to take a port number which is needed for non-default installations where the admin port has been set up on a port other that 8091 (or 18091 for https).

      CERTIFICATE AUTHENTICATION (MTLS AUTHENTICATION)

      This tool supports authenticating against a Couchbase Cluster by using certificate based authentication (mTLS authentication). To use certificate based authentication a certificate/key must be supplied, there a currently multiple ways this may be done.

      PEM ENCODED CERTIFICATE/KEY

      An unencrypted PEM encoded certificate/key may be supplied by using: - --client-cert <path> - --client-key <path>

      The file passed to --client-cert must contain the client certificate, and an optional chain required to authenticate the client certificate.

      The file passed to --client-key must contain at most one private key, the key can be in one of the following formats: - PKCS#1 - PKCS#8

      Currently, only the following key types are supported: - RSA - DSA

      PEM ENCODED CERTIFICATE/PEM OR DER ENCRYPTED PKCS#8 KEY

      An encrypted PKCS#8 formatted key may be provided using: - --client-cert <path> - --client-key <path> - --client-key-password <password>

      The file passed to --client-cert must contain the client certificate, and an optional chain required to authenticate the client certificate.

      Currently, only the following key types are supported: - RSA - DSA

      ENCRYPTED PKCS#12 CERTIFICATE/KEY

      An encrypted PKCS#12 certificate/key may be provided using: - --client-cert <path> - --client-cert-password <password>

      The file passed to --client-cert must contain the client certificate and exactly one private key. It may also contain the chain required to authenticate the client certificate.

      Currently, only the following key types are supported: - RSA - DSA

      EXAMPLES

      To use the Secret Management feature, the first thing you need to do is set a password on each node of the cluster. To do this, install and start Couchbase, but don’t go through the setup process or initialize the cluster. Once Couchbase has started, run the following command to set the master password for your server.

      $ couchbase-cli setting-master-password -c 127.0.0.1 -u Administrator \
        -p password --new-password password

      Once the master password is configured restart the server. Upon restarting the cluster you will notice that the server doesn’t fully start. This is because it is waiting for you to enter the master password. You can do this by running the command below. The master-password subcommand has to be run locally on the node that is waiting for the master password.

      $ couchbase-cli master-password --send-password password

      Note you can also use the CB_MASTER_PASSWORD=<password> environmental variable to pass the password to the node during startup.

      ENVIRONMENT AND CONFIGURATION VARIABLES

      CB_REST_USERNAME

      Specifies the username to use when executing the command. This environment variable allows you to specify a default argument for the -u/--username argument on the command line.

      CB_REST_PASSWORD

      Specifies the password of the user executing the command. This environment variable allows you to specify a default argument for the -p/--password argument on the command line. It also allows the user to ensure that their password are not cached in their command line history.

      CB_CLIENT_CERT

      The path to a client certificate used to authenticate when connecting to a cluster. May be supplied with CB_CLIENT_KEY as an alternative to the CB_USERNAME and CB_PASSWORD variables. See the CERTIFICATE AUTHENTICATION section for more information.

      CB_CLIENT_CERT_PASSWORD

      The password for the certificate provided to the CB_CLIENT_CERT variable, when using this variable, the certificate/key pair is expected to be in the PKCS#12 format. See the CERTIFICATE AUTHENTICATION section for more information.

      CB_CLIENT_KEY

      The path to the client private key whose public key is contained in the certificate provided to the CB_CLIENT_CERT variable. May be supplied with CB_CLIENT_CERT as an alternative to the CB_USERNAME and CB_PASSWORD variables. See the CERTIFICATE AUTHENTICATION section for more information.

      CB_CLIENT_KEY_PASSWORD

      The password for the key provided to the CB_CLIENT_KEY variable, when using this variable, the key is expected to be in the PKCS#8 format. See the CERTIFICATE AUTHENTICATION section for more information.

      COUCHBASE-CLI

      Part of the couchbase-cli suite