Certificate changes for 7.6

modules/introduction/pages/whats-new.adoc

@@ -1,6 +1,7 @@
 = What's New in Version 7.6
 :description: Couchbase is the modern database for enterprise applications. Couchbase Server 7.6 combines the strengths of relational databases with the flexibility, performance, and scale of Couchbase.
 :page-aliases: security:security-watsnew
+:page-toclevels: 2
 
 [abstract]
 {description}

modules/introduction/partials/new-features-76.adoc

@@ -63,7 +63,7 @@ You can migrate buckets while the database continues running.
 To complete the migration you must trigger a swap rebalance or a graceful failover followed by a full recovery on each node that contains the bucket.
 See xref:manage:manage-buckets/migrate-bucket.adoc[].
 
-=== Security
+=== Security and Authentication
 
 * Security settings now provide additional parameters, for the configuration of Couchbase-Server user-password hashing.
 See xref:rest-api:rest-setting-security.adoc[Configure On-the-Wire Security].
@@ -86,6 +86,32 @@ See xref:learn:security/authentication-domains.adoc#saml-authentication[SAML Aut
 This setting controls low-level network communication options when Couchbase Server securely connects to an LDAP server through intermediate systems such as proxies and firewalls.
 See xref:manage:manage-security/configure-ldap.adoc#advanced-settings[Advanced Settings] on the xref:manage:manage-security/configure-ldap.adoc[] page for more information about this setting.
 
+* Couchbase Server now supports using Public-Key Cryptography Standard (PKCS) #12 format certificates for node certificates. 
+This format lets you bundle the node's private key, public key, and certificate chain into a single file.  
+See xref:learn:security/certificates.adoc#pkcs12[PKCS #12 Certificates for Nodes] for more information.
+
+* Couchbase Server now supports the X.509 Elliptic Curve Key cipher suites.
+Elliptic Curve Key ciphers are less resource-intensive than other cipher suites. 
+They're useful when communicating with resource-constrained devices such as IoT hardware.
+See xref:learn:security/certificates.adoc#private-key-formats[Private Keys] for more information.
+
+* Couchbase Server no longer supports TLS versions 1.0 and 1.1. 
+When upgrading to version 7.6 or later, the upgrade process automatically sets  `minTLSVersion` to `tlsv1.2` if it's set to `tlsv1` or `tlsv1.1`.
+Before you upgrade, be sure all the clients you use support TLS 1.2 or greater.
+See xref:learn:security/on-the-wire-security.adoc[] for more information.
+
+* To prevent https://en.wikipedia.org/wiki/Lucky_Thirteen_attack[LUCKY13 attacks^], Couchbase Server 7.6 removes the following ciphers from the default cipher list:
+** TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+** TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+** TLS_RSA_WITH_AES_256_CBC_SHA
+** TLS_RSA_WITH_AES_128_CBC_SHAa
+
+* You can now enable alerts for certificate expiration. 
+When enabled, Couchbase Server alerts you when server, node, or XDCR certificates are within 30 days of expiration. 
+You can change the alert period via the new `certExpirationDays` alert limit setting.
+Couchbase Server sends a second alert when certificates expire.
+See xref:learn:security/certificates.adoc#certificate-expiration[Certificate Expiration] for more information. 
+
 === Metrics
 
 * Couchbase Server has a new service discovery endpoint to help you configure the Prometheus event monitoring system.
@@ -95,6 +121,12 @@ See xref:manage:monitor/set-up-prometheus-for-monitoring.adoc[Configure Promethe
 
 * Disk usage statistics now  include transient files in progress, state files, and configuration files.
 
+=== Index Service
+
+* You can choose to have the rebalance process move an index's files between nodes instead of rebuilding them from scratch. 
+This setting improves rebalance performance as moving the files is faster than rebuilding them. 
+See xref:learn:clusters-and-availability/rebalance.adoc#index-rebalance-methods[Index Rebalance Methods]
+
 === Search Service
 
 * Couchbase Server 7.6 introduces Vector Search to enable AI integration, semantic search, and the RAG framework.
@@ -149,9 +181,9 @@ See xref:learn:data/expiration.adoc[] for more information.
 
 * `num_replica` configured for each index can now be found through {sqlpp} statement: `system:indexes`
 
-* The Query service adds cluster-level and node-level parameters to limit the size of explain plans in the completed requests catalog.
+* The Query Service adds cluster-level and node-level parameters to limit the size of explain plans in the completed requests catalog.
 
-* The Query service adds support for sequential scans, which enables querying without an index.
+* The Query Service adds support for sequential scans, which enables querying without an index.
 
 * The node-level and request-level N1QL Feature Control parameters now accept hexadecimal strings or decimal integers.
 
@@ -171,19 +203,13 @@ This integration simplifies Eventing code logic and lets Eventing benefit from t
 * The Sub-Document MUTATEIN operation allows you to modify only parts of a document instead of the entire document.
 This Sub-Document operation is faster and more efficient than a full-document operation like REPLACE or UPSERT.
 
-=== Index Service
-
-* You can choose to have the rebalance process move an index's files between nodes instead of rebuilding them from scratch. 
-This setting improves rebalance performance as moving the files is faster than rebuilding them. 
-See xref:learn:clusters-and-availability/rebalance.adoc#index-rebalance-methods[Index Rebalance Methods]
-
 === Install & Upgrade
 
 * Due to an Erlang compatibility issue, you cannot directly upgrade to Couchbase Server 7.6 from version 6.5 through 7.0.
 To upgrade a database running one of these earlier versions to 7.6, first upgrade it to Couchbase Server 7.1 or 7.2.
 See xref:install:upgrade.adoc[] for more information.
 
-=== Community Edition
+=== Couchbase Server Community Edition
 
 * You can no longer set the `sendStats` to `false` in Couchbase Server Community Edition clusters.  
 You can still set `sendStats` to `false` on Couchbase Server Enterprise Edition clusters.