Client-to-node encryption protects data in flight from client machines to a database
cluster. It establishes a secure channel between the client and the coordinator
node. Unlike Kerberos, SSL is fully distributed and does not require setting up a
shared authentication service. For information about generating SSL certificates,
see Preparing server certificates.
SSL settings for DataStax Enterprise client-to-node encryption
To enable client-to-node SSL, set the client encryption options. Where you set them
depends on the version.
Procedure
- Set the client encryption options using one of the two following scenarios.
  Configure the client_encryption_options only in the cassandra.yaml file. If necessary, remove them from the dse.yaml.
- On each node, under client_encryption_options:
  - Enable encryption.
  - Set the paths to your .keystore and .truststore files.
  - Provide the passwords used when generating the keystore and truststore.
client_encryption_options:
    enabled: true
    keystore: resources/dse/conf/.keystore
    keystore_password: keystore password
    store_type: JKS
    truststore: resources/dse/conf/.truststore
    truststore_password: truststore password
    protocol: ssl
    cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA]
For information about using Kerberos with SSL, see Using Kerberos and SSL at the same time.
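A per-node check of the two files named in the procedure, as an added example that is not part of the DataStax documentation: it confirms that client_encryption_options is enabled and complete in cassandra.yaml, that the passwords are not the sample values shown above, and that the block is absent from dse.yaml. The function names, sample file contents and passwords are constructed for illustration, and the reader handles only flat key/value blocks, not general YAML.

```python
REQUIRED = ("keystore", "keystore_password", "truststore", "truststore_password")
PLACEHOLDERS = {"keystore password", "truststore password"}  # sample values shown in the docs

def read_block(text, key="client_encryption_options"):
    """Settings nested under a top-level `key:` as a dict, or None if absent (flat blocks only)."""
    block, inside = None, False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                                   # skip blank and comment lines
        if not line[0].isspace():                      # any top-level key opens or closes the block
            inside = line.split(":", 1)[0] == key
            if inside:
                block = {}
        elif inside and ":" in line:
            name, value = line.split(":", 1)
            block[name.strip()] = value.strip().strip("'\"")
    return block

def audit_node(cassandra_yaml, dse_yaml=""):
    """Findings for one node's two files; an empty list means the node passes."""
    findings, opts = [], read_block(cassandra_yaml)
    if opts is None:
        findings.append("cassandra.yaml: client_encryption_options is missing")
    else:
        if opts.get("enabled", "").lower() != "true":
            findings.append("cassandra.yaml: enabled is not true")
        for name in REQUIRED:
            if not opts.get(name):
                findings.append(f"cassandra.yaml: {name} is not set")
            elif opts[name] in PLACEHOLDERS:
                findings.append(f"cassandra.yaml: {name} still holds the sample value")
    if read_block(dse_yaml) is not None:
        findings.append("dse.yaml: client_encryption_options should be removed")
    return findings

# Constructed sample files (not from a real cluster); NODE2 is a misconfigured copy of NODE1.
NODE1 = """cluster_name: 'demo'
client_encryption_options:
    enabled: true
    keystore: resources/dse/conf/.keystore
    keystore_password: s3cret-ks
    truststore: resources/dse/conf/.truststore
    truststore_password: s3cret-ts"""
NODE2 = NODE1.replace("enabled: true", "enabled: false").replace("s3cret-ks", "keystore password")
NODE2_DSE = "client_encryption_options:\n    enabled: true\n"

if __name__ == "__main__":
    print("node1:", audit_node(NODE1) or "OK")
    print("node2:", audit_node(NODE2, NODE2_DSE) or "OK")
```

Run it against the files collected from each node; a commented-out block counts as missing.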
Note: Initializing Solr to support SSL encryption
Enabling SSL automatically enables the authentication/authorization filters in the Solr web.xml and configures an SSL connector in Tomcat. This means that you don't have to change your web.xml or server.xml.