couchbase · rao-shwe · Aug 6, 2025 · Jul 30, 2025 · Aug 1, 2025 · Aug 4, 2025
diff --git a/modules/introduction/partials/new-features-80.adoc b/modules/introduction/partials/new-features-80.adoc
@@ -125,6 +125,23 @@ XDCR UI supports network type for connecting to the target cluster.
 The options are Auto, Force using alternate address, and Force using internal address.
 For more information, see xref:manage:manage-xdcr/create-xdcr-reference.adoc#create-an-xdcr-reference-with-the-ui[Create an XDCR Reference with the UI].
 
+[#section-new-features-800-security-authentication]
+=== Security and Authentication
+https://jira.issues.couchbase.com/browse/MB-50939[MB-50939]::
+Added support for the Hybrid authentication mode in the certificate-based client authentication.
+When Hybrid is selected:
++
+--
+* Clients can authenticate using either certificates or username/password credentials.
+* All nodes must use mutual TLS (mTLS) for inter-node communication.
+* The prerequisite is that the property `clusterEncryptionLevel` be set to `all` or `strict`.
+--
++
+This mode enhances flexibility for clients while enforcing strict security for node-to-node communication.
++
+For more information, see xref:manage:manage-security/enable-client-certificate-handling.adoc[Enable Client Certificate Handling].
+=======
+
 [#section-new-feature-800-query-service]
 === Query Service
 

diff --git a/modules/manage/assets/images/manage-security/clientCertificatesDisplay71.png b/modules/manage/assets/images/manage-security/clientCertificatesDisplay71.png
diff --git a/modules/manage/pages/manage-security/configure-client-certificates.adoc b/modules/manage/pages/manage-security/configure-client-certificates.adoc
@@ -47,7 +47,7 @@ For information on sample buckets and how to install them, see xref:manage:manag
 * Has a defined, locally authenticated user named `clientuser`, who has been assigned a role that permits reading and writing to the `travel-sample` bucket.
 For information on creating users and roles, see xref:manage:manage-security/manage-users-and-roles.adoc[Manage Users and Roles].
 
-* Has client-certificate handling configured as either _enabled_ or _mandatory_.
+* Has client-certificate handling configured as either _enabled_ or _hybrid_ or _mandatory_.
 For details, see xref:manage:manage-security/enable-client-certificate-handling.adoc[Enable Client-Certificate Handling].
 
 Note that additional information on file-types can be found in the procedures for _server_-certificate generation; in xref:manage:manage-security/configure-server-certificates.adoc[Configure Server Certificates].

diff --git a/modules/manage/pages/manage-security/enable-client-certificate-handling.adoc b/modules/manage/pages/manage-security/enable-client-certificate-handling.adoc
@@ -37,24 +37,38 @@ On the right-hand side of the display, the options for client certificates are s
 +
 image::manage-security/clientCertificatesDisplay71.png[,400,align=left]
 
-. Specify whether certificates are enabled, and if so, whether manadatory. The *Require Client Certificate* panel provides three options, as radio buttons.
-These are:
+. Specify whether certificates are enabled or disabled. The *Require Client Certificate* panel provides the following options.
 
-* *Disable*:  Disables client certificate-based authentication.
-This is the default value.
+* *Disable*: Disables client certificate-based authentication.
+The client can authenticate using only username and password.
+**Disable** is the default value.
 
 * *Enable*: Enables client certificate-based authentication.
-When enabled, if the client presents a certificate, Couchbase Server attempts to extract a username from the certificate, and then to authenticate based on the extracted username.
-If the client does not present a certificate, the certificate-based authentication-process is not triggered; and the client is expected to authenticate by some other means.
+When enabled, the client can authenticate using either a certificate, or a username and password.
 
-* *Mandatory*: Specifies that all clients _must_ present a certificate, in order to authenticate.
-No other form of client-authentication is handled over the secure connection.
-Note that imposing this level of security likely requires the additional measure of disabling non-secure console access: see xref:manage:manage-security/manage-console-access.adoc[Manage Console Access].
+** When the client presents a certificate, the certificate-based authentication process is triggered.
+Couchbase Server attempts to extract a username from the certificate and authenticate based on the extracted username.
+
+** When the client does not present a certificate, the certificate-based authentication process is not triggered.
+The client is expected to authenticate by some other means.
+
+* *Hybrid*: Enables the client to authenticate using either a certificate, or a username and password.
+Enforces that all nodes must authenticate only through mutual TLS (mTLS) for inter-node communication.
+The prerequisite is that the `clusterEncryptionLevel` setting is configured to `all` or `strict`.
 +
-A current limitation is that client certificate authentication cannot be set to mandatory if node-to-node encryption is set to _all_.
 See xref:learn:clusters-and-availability/node-to-node-encryption.adoc[Node-to-Node Encryption].
 
-. If *Require Client Certificate* has been set to either *Enable* or *Mandatory*, establish how the username within each client certificate is to be determined.
+* *Mandatory*: Enables and enforces that the clients must authenticate using certificates only.
+Enables and enforces that all nodes must authenticate through certificates only when communicating with each other.
+The prerequisite is that the `clusterEncryptionLevel` setting is configured to `all` or `strict`.
++
+See xref:learn:clusters-and-availability/node-to-node-encryption.adoc[Node-to-Node Encryption].
++
+No other form of client-authentication is handled over the secure connection.
++
+NOTE: Imposing this level of security may require the additional measure of disabling non-secure console access. See xref:manage:manage-security/manage-console-access.adoc[Manage Console Access].
+
+. When *Require Client Certificate* is set to *Enable* or *Hybrid* or *Mandatory*, then establish how the username within each client certificate must be determined.
 +
 Each certificate is expected to provide a _username_ as part of its content.
 Frequently, the username is specified as the certificate's _Subject Common Name_; but it may also be expressed as a _Subject Alternative Name_.
@@ -98,7 +112,7 @@ The document may appear as follows:
 }
 ----
 
-The value of `state` can be `enable`, `disable`, or `mandatory`.
+The value of `state` can be `enable`, `disable`, `hybrid`, or `mandatory`.
 See the xref:manage:manage-security/enable-client-certificate-handling.adoc#client-certificate-enablement-values[definitions] provided above.
 Each of the elements specified in the `prefixes` array must be a tuple of three key-value pairs, whose respective keys are `path`, `prefix`, and `delimiter`.
 Each tuple thus specifies an element in the client certificate that is to be extracted and used as a username for authentication: