Client-to-node encryption

Client-to-node encryption protects data in flight from client machines to a database cluster. It establishes a secure channel between the client and the coordinator node. Unlike Kerberos, SSL is fully distributed and does not require setting up a shared authentication service. For information about generating SSL certificates, see Preparing server certificates.

SSL settings for DataStax Enterprise client-to-node encryption 

To enable client-to-node SSL, set the client encryption options. Where you set them depends on the version.

Procedure

  1. Set the client encryption options using one of the two following scenarios.
    Configure the client_encryption_options only in the cassandra.yaml file. If necessary, remove them from the dse.yaml file.
    The location of the dse.yaml file depends on the type of installation:
      Installer-Services: /etc/dse/dse.yaml
      Package installations: /etc/dse/dse.yaml
      Installer-No Services: install_location/resources/dse/conf/dse.yaml
      Tarball installations: install_location/resources/dse/conf/dse.yaml
    The location of the cassandra.yaml file depends on the type of installation:
      Package installations: /etc/cassandra/cassandra.yaml
      Tarball installations: install_location/resources/cassandra/conf/cassandra.yaml
  2. On each node, under client_encryption_options:
    • To enable encryption, set enabled to true.
    • Set the paths to your .keystore and .truststore files.
    • Provide the passwords used when generating the keystore and truststore.
    • To enable client certificate authentication, set require_client_auth to true.
    client_encryption_options:
        keystore: resources/dse/conf/.keystore  ## Path to your .keystore file
        keystore_password: keystore password    ## Password used to generate the keystore
        store_type: JKS
        truststore: resources/dse/conf/.truststore  ## Path to your .truststore
        truststore_password: truststore password    ## Password used to generate the truststore
        protocol: ssl
        require_client_auth: true
        cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA]
    For information about using Kerberos with SSL, see Using Kerberos and SSL at the same time.
    Note: Initializing Solr to support SSL encryption

    When you enable SSL, it automatically enables the authentication/authorization filters in Solr web.xml and configures an SSL connector in Tomcat. This means that you don't have to change your web.xml or server.xml.

  3. If you are not using the JCE Unlimited Strength Jurisdiction Policy, make sure that your ticket granting principal does not use AES-256.
    If your ticket granting principal uses AES-256, you might see a warning like this in the logs:
    WARN [StreamConnectionEstablisher:18] 2015-06-22 14:12:18,589 SSLFactory.java (line 162) Filtering out TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA as it isnt supported by the socket
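As an added example (not part of the DataStax documentation), the following Python audit checks a parsed client_encryption_options block against the settings steps 2 and 3 call for, and cross-references the SSLFactory WARN line so you can see which configured cipher suites the JVM actually filtered out. The options dict and the log line are constructed samples mirroring the values shown above; in practice you would load the block with yaml.safe_load and read the node's system log.

```python
import re

# Constructed sample: client_encryption_options as parsed from cassandra.yaml,
# with the placeholder values the page shows left in place.
SAMPLE_OPTIONS = {
    "enabled": True,
    "keystore": "resources/dse/conf/.keystore",
    "keystore_password": "keystore password",
    "truststore": "resources/dse/conf/.truststore",
    "truststore_password": "truststore password",
    "protocol": "ssl",
    "require_client_auth": True,
    "cipher_suites": ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"],
}

# Constructed sample log line in the SSLFactory format quoted in step 3.
SAMPLE_LOG = (
    "WARN [StreamConnectionEstablisher:18] 2015-06-22 14:12:18,589 SSLFactory.java "
    "(line 162) Filtering out TLS_DHE_RSA_WITH_AES_256_CBC_SHA,"
    "TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA "
    "as it isnt supported by the socket"
)

# Matches the comma-separated suite list in "Filtering out ... as it isnt supported".
FILTER_RE = re.compile(r"SSLFactory\.java.*?Filtering out (\S+) as it isnt supported")
PLACEHOLDERS = {"keystore password", "truststore password", "", None}

def filtered_suites(log_lines):
    """Return the cipher suites the JVM dropped, as reported by SSLFactory WARN lines."""
    dropped = []
    for line in log_lines:
        m = FILTER_RE.search(line)
        if m:
            dropped.extend(s for s in m.group(1).split(",") if s)
    return dropped

def audit(options, log_lines):
    """Return human-readable findings; an empty list means the block passes."""
    findings = []
    if not options.get("enabled"):
        findings.append("encryption disabled: set enabled: true")
    if not options.get("require_client_auth"):
        findings.append("require_client_auth is false: clients are not certificate-authenticated")
    for key in ("keystore_password", "truststore_password"):
        if options.get(key) in PLACEHOLDERS:
            findings.append(f"{key} is empty or still the placeholder text")
    dropped = set(filtered_suites(log_lines))
    for suite in options.get("cipher_suites", []):
        if suite in dropped:
            findings.append(f"{suite} is configured but filtered by the JVM (AES-256 without JCE unlimited policy)")
    return findings
```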