Client-to-node encryption protects data in flight from client machines to a database
cluster. It establishes a secure channel between the client and the coordinator node.
node. Unlike Kerberos, SSL is fully distributed and does not require setting up a
shared authentication service. For information about generating SSL certificates,
see Preparing server certificates.
SSL settings for DataStax Enterprise client-to-node encryption
To enable client-to-node SSL, set the client encryption options. Where you set them
depends on the version.
Procedure
-
Set the client encryption options using one of the two following scenarios.
Configure the client_encryption_options only in the file. If necessary, remove them from the file.
The location of the dse.yaml file depends on the type of installation:
Installer-Services | /etc/dse/dse.yaml
Package installations | /etc/dse/dse.yaml
Installer-No Services | install_location/resources/dse/conf/dse.yaml
Tarball installations | install_location/resources/dse/conf/dse.yaml
The location of the cassandra.yaml file depends on the type of installation:
Package installations | /etc/cassandra/cassandra.yaml
Tarball installations | install_location/resources/cassandra/conf/cassandra.yaml
-
On each node, under client_encryption_options:
- To enable encryption, set enabled to true.
- Set the paths to your .keystore and .truststore files.
- Provide the passwords used when generating the keystore and truststore. Replace the placeholders shown below; never leave them in a production file.
- To enable client certificate authentication (the server verifies a certificate presented by each client against the truststore), set require_client_auth to true.
- Choose cipher_suites deliberately: the two suites in the example use static RSA key exchange and CBC mode, so they provide no forward secrecy; where the JVM supports them, prefer ECDHE suites with AES-GCM.
  client_encryption_options:
    enabled: true
    keystore: resources/dse/conf/.keystore ## Path to your .keystore file
    keystore_password: keystore password ## Password used to generate the keystore
    store_type: JKS
    truststore: resources/dse/conf/.truststore ## Path to your .truststore
    truststore_password: truststore password ## Password used to generate the truststore
    protocol: ssl
    require_client_auth: true
    cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA]
For information about using Kerberos with SSL, see Using Kerberos and SSL at the same time.
Note: Initializing Solr to support SSL encryption. When you enable SSL, DataStax Enterprise automatically enables the authentication/authorization filters in the Solr web.xml and configures an SSL connector in Tomcat. You do not have to change web.xml or server.xml yourself.
-
If you are not using the JCE Unlimited Strength Jurisdiction Policy, make sure that your ticket-granting principal does not use AES-256. Without the unlimited policy the JVM cannot negotiate AES-256 cipher suites, so any AES-256 suites listed in cipher_suites are silently dropped at startup.
If your ticket-granting principal uses AES-256, you might see a warning like this in the logs:
WARN [StreamConnectionEstablisher:18] 2015-06-22 14:12:18,589 SSLFactory.java (line 162) Filtering out TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA as it isnt supported by the socket
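The following script is an added example, not DataStax code, that audits the settings the procedure above asks for: it extracts the client_encryption_options section from dse.yaml and cassandra.yaml text (parsing only the flat key: value subset of YAML used there, so no PyYAML is needed), flags a block that is still present in both files, unset or placeholder passwords, encryption or client authentication left off, cipher suites without forward secrecy or AEAD, and the AES-256 suites that are filtered out when the JCE Unlimited Strength policy is not installed. The two sample files, the severity labels and the unlimited_jce flag are assumptions made for this example.

```python
"""Audit a DSE client_encryption_options block (added example, not DataStax code)."""
import re

# Constructed dse.yaml fragment modelled on the block shown on this page.
SAMPLE_DSE_YAML = """\
# dse.yaml (constructed sample)
client_encryption_options:
    enabled: true
    keystore: resources/dse/conf/.keystore ## Path to your .keystore file
    keystore_password: keystore password ## Password used to generate the keystore
    store_type: JKS
    truststore: resources/dse/conf/.truststore ## Path to your .truststore
    truststore_password: truststore password ## Password used to generate the truststore
    protocol: ssl
    require_client_auth: true
    cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA]
kerberos_options:
    service_principal: dse/_HOST@EXAMPLE.COM
"""

# Constructed cassandra.yaml fragment that still carries a stale copy of the block.
SAMPLE_CASSANDRA_YAML = """\
cluster_name: 'Test Cluster'
client_encryption_options:
    enabled: false
    keystore: conf/.keystore
"""

# Placeholder values copied from the documentation example.
PLACEHOLDERS = {"keystore password", "truststore password"}


def extract_section(yaml_text, section="client_encryption_options"):
    """Return the section's key/value pairs, or None if the section is absent.

    Handles only a flat block of indented ``key: value`` lines under one
    top-level key; trailing ``# comment`` text is stripped."""
    opts = None
    for raw in yaml_text.splitlines():
        line = re.split(r"\s+#", raw, maxsplit=1)[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():            # a new top-level key
            if opts is not None:
                break                        # our section has ended
            if line.split(":", 1)[0] == section:
                opts = {}
            continue
        if opts is not None:
            key, _, value = line.strip().partition(":")
            opts[key.strip()] = value.strip()
    return opts


def parse_suites(value):
    """'[A, B]' -> ['A', 'B']; a bare comma-separated list is accepted too."""
    return [s.strip() for s in value.strip("[]").split(",") if s.strip()]


def audit(dse_yaml, cassandra_yaml, unlimited_jce=False):
    """Return (severity, message) findings for the client-to-node SSL setup."""
    findings = []
    dse = extract_section(dse_yaml)
    cas = extract_section(cassandra_yaml)
    if dse is None:
        return [("HIGH", "client_encryption_options missing from dse.yaml")]
    if cas is not None:
        findings.append(("MEDIUM", "client_encryption_options also present in "
                         "cassandra.yaml; configure it in one file only"))
    if dse.get("enabled", "false").lower() != "true":
        findings.append(("HIGH", "client-to-node encryption is not enabled"))
    if dse.get("require_client_auth", "false").lower() != "true":
        findings.append(("MEDIUM", "require_client_auth is false: clients are "
                         "not authenticated by certificate"))
    for key in ("keystore_password", "truststore_password"):
        if not dse.get(key) or dse[key] in PLACEHOLDERS:
            findings.append(("HIGH", f"{key} is unset or still the placeholder"))
    for suite in parse_suites(dse.get("cipher_suites", "")):
        if suite.startswith("TLS_RSA_"):
            findings.append(("LOW", f"{suite}: static RSA key exchange, no forward secrecy"))
        if "_CBC_" in suite:
            findings.append(("LOW", f"{suite}: CBC mode; prefer an AEAD (GCM) suite"))
        if "AES_256" in suite and not unlimited_jce:
            findings.append(("INFO", f"{suite}: filtered out at startup without "
                             "the JCE Unlimited Strength policy"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_DSE_YAML, SAMPLE_CASSANDRA_YAML):
        print(f"[{severity}] {message}")
```

Run it against the real files with open(path).read() in place of the samples; on the documentation block it reports the stale copy in cassandra.yaml, the two placeholder passwords, the lack of forward secrecy and AEAD for both suites, and the AES-256 suite that the JVM will filter out unless the unlimited policy is installed.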