Client-to-node encryption

Client-to-node encryption protects data in flight from client machines to a database cluster using SSL (Secure Sockets Layer).

Client-to-node encryption protects data in flight from client machines to a database cluster using SSL (Secure Sockets Layer). It establishes a secure channel between the client and the coordinator node.

Prerequisites

All nodes must have all the relevant SSL certificates on all nodes. See Preparing server certificates.

To enable client-to-node SSL, you must set the client_encryption_options in the cassandra.yaml file.

Procedure

On each node under client_encryption_options:

  • Enable encryption.
  • Set the appropriate paths to your .keystore and .truststore files.
  • Provide the required passwords. The passwords must match the passwords used when generating the keystore and truststore.
  • To enable client certificate authentication, set require_client_auth to true. (Available starting with Cassandra 1.2.3.)

Example

client_encryption_options:
enabled: true
keystore: conf/.keystore ## The path to your .keystore file
keystore_password: <keystore password> ## The password you used when generating the keystore.
truststore: conf/.truststore
truststore_password: <truststore password>
require_client_auth: <true or false>