Running cqlsh
Sample files for Kerberos, SSL, and Kerberos and SSL are available in the following locations:
- Packaged installs: /usr/share/doc/dse-libcassandra
- Tarball installs: install_location/resources/cassandra/conf
Kerberos example
[connection]
hostname = 192.168.1.2
port = 9160
factory = cqlshlib.kerberos.kerberos_transport_factory

[kerberos]
hostname = cassandra01.example.com
service = cassandra
principal = bill/cassandra-admin@example.com ;; Optional.
qops = auth-conf ;; Optional, see the following paragraph.

[kerberos-hostnames] ;; Optional section, overrides default hostname in [kerberos] section.
192.168.1.3 = cassandra01.example.com
192.168.1.4 = cassandra02.example.com
If qops is not specified the default (auth) is used. On the client side, the qops option is a comma-delimited list of the QOP values allowed by the client for the connection. The client (cqlsh) value list must contain at least one of the QOP values specified on the server. To clarify, the client can have multiple QOP values, while the server can have only a single QOP value (specified in the dse.yaml).
The Kerberos hostname and service are mandatory settings and must be provided either in the configuration file or as environment variables. The environment variables (KRB_HOST, KRB_SERVICE, and KRB_PRINCIPAL) override any options set in this file. For more information about these settings, see Securing DataStax Enterprise nodes. The hostname and service must match the values set in the dse.yaml.
SSL example
[connection]
hostname = 127.0.0.1
port = 9160
factory = cqlshlib.ssl.ssl_transport_factory

[ssl]
certfile = ~/keys/cassandra.cert
validate = true ;; Optional, true by default.

[certfiles] ;; Optional section, overrides the default certfile in the [ssl] section.
192.168.1.3 = ~/keys/cassandra01.cert
192.168.1.4 = ~/keys/cassandra02.cert

You must create a PEM key, which is used in the cqlshrc file.

keytool -importkeystore -srckeystore .keystore -destkeystore user.p12 -deststoretype PKCS12
openssl pkcs12 -in user.p12 -out user.pem -nodes
The pem key is required because the host in the certificate is compared to the host of the machine that it is connected to. The SSL certificate must be provided either in the configuration file or as an environment variable. The environment variables (SSL_CERTFILE and SSL_VALIDATE) override any options set in this file.
Kerberos and SSL
For information about using Kerberos with SSL, see Using Kerberos and SSL at the same time.
The settings for using both Kerberos and SSL are a combination of the Kerberos and SSL sections in the above examples, except the factory setting:
factory = cqlshlib.kerberos_ssl.kerberos_ssl_transport_factory
The supported environment variables are KRB_HOST, KRB_SERVICE, KRB_PRINCIPAL, SSL_CERTFILE, and SSL_VALIDATE.
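The following added example (not DataStax code) ties together the Kerberos, SSL and combined-factory passages above: it parses a cqlshrc, applies the environment overrides, and reports missing mandatory Kerberos settings, a client qops list that excludes the server's QOP, and disabled SSL validation. The function names, the server_qop parameter (the single value you read from dse.yaml) and the sample file are assumptions made for illustration; the per-host [kerberos-hostnames] and [certfiles] sections are not resolved.

```python
import configparser

# Environment variables that override the file, mapped to (section, option).
ENV_OVERRIDES = {
    "KRB_HOST": ("kerberos", "hostname"), "KRB_SERVICE": ("kerberos", "service"),
    "KRB_PRINCIPAL": ("kerberos", "principal"),
    "SSL_CERTFILE": ("ssl", "certfile"), "SSL_VALIDATE": ("ssl", "validate")}
# Constructed sample cqlshrc: no service, qops without auth-conf, validate off.
SAMPLE = """\
[connection]
hostname = 192.168.1.2
factory = cqlshlib.kerberos_ssl.kerberos_ssl_transport_factory
[kerberos]
hostname = cassandra01.example.com
qops = auth, auth-int ;; client-side list
[ssl]
certfile = ~/keys/cassandra.cert
validate = false
"""

def effective_settings(text, env):
    """Parse cqlshrc text, then apply environment overrides on top of it."""
    cp = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=(";",))
    cp.read_string(text)
    settings = {s: dict(cp.items(s)) for s in cp.sections()}
    for var, (section, option) in ENV_OVERRIDES.items():
        if env.get(var):
            settings.setdefault(section, {})[option] = env[var]
    return settings

def audit(settings, server_qop):
    """Return findings; server_qop is the single QOP value set in dse.yaml."""
    findings = []
    factory = settings.get("connection", {}).get("factory", "")
    if "kerberos" in factory:
        krb = settings.get("kerberos", {})  # hostname and service are mandatory
        findings += [f"kerberos {k} not set" for k in ("hostname", "service") if not krb.get(k)]
        # qops defaults to auth; the client list must contain the server value.
        client = {q.strip() for q in krb.get("qops", "auth").split(",")}
        if server_qop not in client:
            findings.append(f"qops mismatch: server requires {server_qop}")
    if "ssl" in factory:
        ssl = settings.get("ssl", {})
        if not ssl.get("certfile"):
            findings.append("ssl certfile not set")
        # Assumption: any value other than "true" is treated as validation off.
        if ssl.get("validate", "true").strip().lower() != "true":
            findings.append("ssl validate is off")
    return findings
```

Call audit(effective_settings(SAMPLE, dict(os.environ)), "auth-conf") to check a file against the environment of the shell that will launch cqlsh.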