Using nodetool (JMX) with SSL encryption

Using nodetool with SSL encryption.

Using nodetool with SSL requires some JMX setup. Changes to cassandra-env.sh are required, and a configuration file, ~/.cassandra/nodetool-ssl.properties, is created.

Prerequisites

Prepare SSL certificates with a self-signed CA for production, or prepare SSL certificates for development. Additionally, configure client-to-node encryption.

Procedure

  1. First, follow steps #1-8 in Enabling JMX authentication and authorization if authentication and authorization are required.
  2. To run nodetool with SSL encryption, some additional changes are required to cassandra-env.sh. The following settings must be added to the file. Use the file path to the keystore and truststore, and appropriate passwords for each file. These changes must be made on each node in the cluster.
    For production:
      JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
      JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
      JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
      #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.protocols=<enabled-protocols>"
      #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.cipher.suites=<enabled-cipher-suites>"

      JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=%USERPROFILE%\server-keystore.jks"
      JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=myKeyPass"
      JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=%USERPROFILE%\server-truststore.jks"
      JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=truststorePass"
    For development:
      JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
      JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
      JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
      #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.protocols=<enabled-protocols>"
      #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.cipher.suites=<enabled-cipher-suites>"

      JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=%USERPROFILE%\keystore.node0"
      JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=cassandra"
      JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=%USERPROFILE%\truststore.node0"
      JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=cassandra"

    Setting com.sun.management.jmxremote.ssl to true enables SSL for JMX. Setting com.sun.management.jmxremote.ssl.need.client.auth to true requires two-way certificate authentication, so the nodetool client must present a certificate the node trusts. Setting com.sun.management.jmxremote.registry.ssl to true makes the out-of-the-box management agent create an SSL-protected RMI registry when the Java VM starts; when this property is true, com.sun.management.jmxremote.ssl.need.client.auth must also be true to get full security, because otherwise the registry still accepts unauthenticated clients. Set the keystore and truststore paths to the files you prepared, and set the passwords to the ones chosen when the keystore and truststore were generated.

  3. Restart Cassandra.
  4. To run nodetool with SSL encryption, create a .cassandra/nodetool-ssl.properties file in your home or client program directory with the following settings on the node on which nodetool will run.
    For production:
    -Dcom.sun.management.jmxremote.ssl=true
    -Dcom.sun.management.jmxremote.ssl.need.client.auth=true
    -Dcom.sun.management.jmxremote.registry.ssl=true
    -Djavax.net.ssl.keyStore=%USERPROFILE%\server-keystore.jks
    -Djavax.net.ssl.keyStorePassword=myKeyPass
    -Djavax.net.ssl.trustStore=%USERPROFILE%\server-truststore.jks
    -Djavax.net.ssl.trustStorePassword=truststorePass

    For development:
    -Djavax.net.ssl.keyStore=%USERPROFILE%\keystore.node0
    -Djavax.net.ssl.keyStorePassword=cassandra
    -Djavax.net.ssl.trustStore=%USERPROFILE%\truststore.node0
    -Djavax.net.ssl.trustStorePassword=cassandra
    -Dcom.sun.management.jmxremote.ssl.need.client.auth=true
    -Dcom.sun.management.jmxremote.registry.ssl=true
  5. Start nodetool with the --ssl option to get an encrypted connection for any nodetool operation.
    C:\> %CASSANDRA_HOME%\bin\nodetool.bat --ssl ring

    Where CASSANDRA_HOME is:
      Windows 3.0 installations: C:\Program Files\Datastax Community\apache-cassandra\
      Windows 3.x installations: C:\Program Files\Datastax-DDC\apache-cassandra\
    On a standard Windows installation, the installation wizard creates %CASSANDRA_HOME% as an environment variable.
  6. If JMX authentication and authorization are enabled, start nodetool with the --ssl option for an encrypted connection together with a username (-u) and password (-pw) for any nodetool operation.
    C:\> %CASSANDRA_HOME%\bin\nodetool.bat --ssl -u cassandra -pw cassandra status
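As an added check that is not part of the DataStax procedure, the following POSIX shell script lints either a cassandra-env.sh fragment from step 2 or a nodetool-ssl.properties file from step 4 before the node is restarted or nodetool is run: it confirms that the three jmxremote SSL flags are set to true on uncommented lines and flags the "cassandra" development password from the examples above. The function names, the sample file contents and the keystore paths are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the DataStax page: lint the JMX-over-SSL settings in a
# cassandra-env.sh fragment (JVM_OPTS="... -D..." lines) or a nodetool-ssl.properties
# file (bare -D... lines) before restarting the node or running nodetool.
# Checks: the three jmxremote SSL flags are true on uncommented lines, and the
# keystore/truststore passwords are not the "cassandra" development default.

# has_flag FILE PROPERTY: true if an uncommented line sets -DPROPERTY=true.
# The delimiter after "true" keeps "=true" from matching "=trueish" or longer values.
has_flag() {
  grep -v '^[[:space:]]*#' "$1" | grep -Eq -e "-D$2=true(\"|[[:space:]]|\$)"
}

# check_jmx_ssl_conf FILE: prints findings, returns 0 if production-ready, 1 otherwise.
check_jmx_ssl_conf() {
  rc=0
  for prop in com.sun.management.jmxremote.ssl \
              com.sun.management.jmxremote.ssl.need.client.auth \
              com.sun.management.jmxremote.registry.ssl; do
    if ! has_flag "$1" "$prop"; then
      echo "MISSING: -D$prop=true"
      rc=1
    fi
  done
  for store in keyStore trustStore; do
    if grep -v '^[[:space:]]*#' "$1" \
       | grep -Eq -e "-Djavax.net.ssl.${store}Password=cassandra(\"|[[:space:]]|\$)"; then
      echo "WEAK: javax.net.ssl.${store}Password is the development default"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample: a cassandra-env.sh fragment with registry.ssl commented
# out and development passwords; expected findings: 1 MISSING, 2 WEAK.
sample=$(mktemp)
cat > "$sample" <<'EOF'
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
#JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=/var/lib/cassandra/keystore.node0"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=cassandra"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=/var/lib/cassandra/truststore.node0"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=cassandra"
EOF
if check_jmx_ssl_conf "$sample"; then echo "OK: production-ready"; else echo "NOT production-ready"; fi
rm -f "$sample"
```

Run it against each node's cassandra-env.sh and against the nodetool-ssl.properties on the client host; a MISSING line on any of the three flags means that node will still accept an unencrypted or unauthenticated JMX connection.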