Client-to-node encryption

Client-to-node encryption protects data in flight from client machines to a database cluster.

Client-to-node encryption protects data in flight from client machines to a database cluster. It establishes a secure channel between the client and the coordinator node. Unlike Kerberos, SSL is fully distributed and does not require setting up a shared authentication service. For information about generating SSL certificates, see Preparing server certificates.

SSL settings for DataStax Enterprise client-to-node encryption 

To enable client-to-node SSL, set the client encryption options. Where you set them depends on the version.

Procedure

  1. Set the client encryption options using one of the two following scenarios.
    Configure the client_encryption_options only in the cassandra.yaml file. If necessary, remove them from the dse.yaml.
  2. On each node, under client_encryption_options:
    • Enable encryption.
    • Set the paths to your .keystore and .truststore files.
    • Provide the passwords used when generating the keystore and truststore.
    client_encryption_options:
    enabled: true
    keystore: resources/dse/conf/.keystore
    keystore_password: keystore password
    store_type: JKS
    truststore: resources/dse/conf/.truststore
    truststore_password: truststore password
    protocol: ssl
    cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA]
    For information about using Kerberos with SSL, see Using Kerberos and SSL at the same time.
    Note: Initializing Solr to support SSL encryption

    When you enable SSL, it automatically enables the authentication/authorization filters in Solr web.xml and configures an SSL connector in Tomcat. This means that you don't have to change your web.xml or server.xml.