Using a cqlshrc file with SSL encryption.
Using a cqlshrc file means you don't have to override the
SSL_CERTFILE environment variable every time.
Procedure
-
To run cqlsh with SSL encryption, create a
.cassandra/cqlshrc file in your home or client program
directory. Add the following settings to the file. When validate is
enabled, the host name in the server certificate is compared with the host name of the
machine being connected to, and the certificate is trusted only if they match.
[authentication]
username = fred
password = !!bang!!$
[connection]
hostname = 127.0.0.1
port = 9042
factory = cqlshlib.ssl.ssl_transport_factory
[ssl]
certfile = ~/keys/node0.cer.pem
# Optional, true by default
validate = true
# The next 2 lines must be provided when require_client_auth = true in the cassandra.yaml file
userkey = ~/node0.key.pem
usercert = ~/node0.cer.pem
[certfiles]
# Optional section, overrides the default certfile in the [ssl] section for 2 way SSL
172.31.10.22 = ~/keys/node0.cer.pem
172.31.8.141 = ~/keys/node1.cer.pem
Note: The IP addresses in the [certfiles] section must be the same as those
used to generate the dname of the certificates; this is required for 2 way SSL
encryption. Each node must have a line in the [certfiles]
section for client-to-remote-node or node-to-node. The SSL certificate must
be provided either in the configuration file or as an environment variable.
The environment variables (SSL_CERTFILE and
SSL_VALIDATE) override any options set in this
file.
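The following is an added example, not part of this page and not cqlsh code. It parses a cqlshrc file with Python's standard configparser, resolves the effective certfile and validate settings using the precedence the note describes (environment variables override the [ssl] section, validate is true unless set to false), and flags the things worth checking before trusting the file: validate disabled, missing certificate files, and a stored password in a file readable by group or other. The sample cqlshrc text is constructed from the settings shown above; the check wording, the case-insensitive "false" comparison and the lint_cqlshrc/lint_file function names are this example's own assumptions.

```python
"""Added example: lint a cqlshrc file before using it with cqlsh --ssl.

Assumptions (not from the page): the file is INI-style as shown on the
page and is parsed with the standard library configparser; the checks
and their wording are this example's own, not cqlsh behaviour.
"""
import configparser
import os
import stat
from typing import Callable, Dict, List, Optional

# Constructed sample cqlshrc, following the layout shown on the page.
SAMPLE_CQLSHRC = """
[authentication]
username = fred
password = !!bang!!$

[connection]
hostname = 127.0.0.1
port = 9042
factory = cqlshlib.ssl.ssl_transport_factory

[ssl]
certfile = ~/keys/node0.cer.pem
validate = true
userkey = ~/node0.key.pem
usercert = ~/node0.cer.pem

[certfiles]
172.31.10.22 = ~/keys/node0.cer.pem
172.31.8.141 = ~/keys/node1.cer.pem
"""


def parse_cqlshrc(text: str) -> configparser.ConfigParser:
    # interpolation=None so a '%' in a password is not treated as a variable
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def effective_ssl_settings(cfg: configparser.ConfigParser,
                           env: Dict[str, str]) -> Dict[str, object]:
    """Resolve certfile and validate with environment variables taking
    precedence over the [ssl] section; validate is true unless it is
    explicitly 'false' (assumption: compared case-insensitively)."""
    certfile = env.get("SSL_CERTFILE") or cfg.get("ssl", "certfile", fallback=None)
    raw_validate = env.get("SSL_VALIDATE")
    if raw_validate is None:
        raw_validate = cfg.get("ssl", "validate", fallback=None)
    validate = raw_validate is None or raw_validate.strip().lower() != "false"
    return {"certfile": certfile, "validate": validate}


def lint_cqlshrc(cfg: configparser.ConfigParser, env: Dict[str, str],
                 file_mode: Optional[int] = None,
                 path_exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return a list of findings; an empty list means nothing to report.
    path_exists is injectable so the checks can run offline in a test."""
    findings: List[str] = []
    ssl = effective_ssl_settings(cfg, env)
    if ssl["certfile"] is None:
        findings.append("no certfile: set [ssl] certfile or SSL_CERTFILE")
    elif not path_exists(os.path.expanduser(str(ssl["certfile"]))):
        findings.append(f"certfile not found: {ssl['certfile']}")
    if not ssl["validate"]:
        findings.append("validate is false: server certificate host name is not checked")
    # A stored password makes file permissions matter: only the owner should read it.
    if cfg.has_option("authentication", "password") and file_mode is not None:
        if file_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("file stores a password but is readable by group/other; chmod 600")
    # Every [certfiles] entry must point at a certificate that actually exists.
    if cfg.has_section("certfiles"):
        for host, path in cfg.items("certfiles"):
            if not path_exists(os.path.expanduser(path)):
                findings.append(f"[certfiles] {host}: certificate not found: {path}")
    return findings


def lint_file(path: str) -> List[str]:
    """Lint a real cqlshrc on disk using the current environment and file mode."""
    with open(path) as fh:
        cfg = parse_cqlshrc(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return lint_cqlshrc(cfg, dict(os.environ), file_mode=mode)


if __name__ == "__main__":
    # Demonstrate on the constructed sample with a deliberately loose file mode.
    sample = parse_cqlshrc(SAMPLE_CQLSHRC)
    for line in lint_cqlshrc(sample, {}, file_mode=0o644, path_exists=lambda p: True) or ["ok"]:
        print(line)
```

Run lint_file("~/.cassandra/cqlshrc") (after expanding the path) against your own file; a clean result is an empty list. The checks are deliberately conservative: they report the effective settings after the environment variables are applied, so an SSL_VALIDATE=false left in a shell profile is reported even when the file itself says validate = true.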
-
Start cqlsh with the --ssl option for an encrypted connection to the local node.
$ cqlsh --ssl ## Package installations
$ install_location/bin/cqlsh --ssl ## Tarball installations
-
Start cqlsh with the --ssl option and the IP address of a remote node for an encrypted
connection to that node.
$ cqlsh --ssl 172.31.10.22 ## Package installations
$ install_location/bin/cqlsh --ssl 172.31.10.22 ## Tarball installations