Using nodetool and dsetool with SSL encryption.
Using nodetool and dsetool with SSL requires some JMX setup.
A high-level overview of the required configuration to set up nodetool and dsetool
for use with SSL:
- Configure JMX SSL on the server side with changes on each node in the cluster.
- Restart DSE.
- Configure the client settings in your home or client program directory on the
node on which the command will run.
Procedure
Configure JMX SSL on the server side:
Important: Make these changes in the file on each node in the cluster.
- If the LOCAL_JMX setting is present, change it to no so that the JMX agent accepts remote connections instead of binding only to localhost:
LOCAL_JMX=no
- Add the following settings for the server.
For production:
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
#JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.protocols=<enabled-protocols>"
#JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.cipher.suites=<enabled-cipher-suites>"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=/usr/local/lib/cassandra/conf/server-keystore.jks"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=myKeyPass"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=/usr/local/lib/cassandra/conf/server-truststore.jks"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=truststorePass"
For development:
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
#JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.protocols=<enabled-protocols>"
#JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.cipher.suites=<enabled-cipher-suites>"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=keystore.node0"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=cassandra"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=truststore.node0"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=cassandra"
where:
com.sun.management.jmxremote.ssl=true enables SSL for JMX.
com.sun.management.jmxremote.ssl.need.client.auth=true enables two-way certificate authentication: the node presents the certificate from its keystore and accepts only clients that present a certificate its truststore trusts.
com.sun.management.jmxremote.registry.ssl=true also protects the RMI registry, which the out-of-the-box management agent creates when the Java VM starts, with SSL. Setting com.sun.management.jmxremote.registry.ssl=true requires that com.sun.management.jmxremote.ssl.need.client.auth=true is also enabled.
The commented-out com.sun.management.jmxremote.ssl.enabled.protocols and com.sun.management.jmxremote.ssl.enabled.cipher.suites lines restrict the TLS protocol versions and cipher suites the agent accepts; uncomment them and set explicit values to keep legacy protocol versions and weak suites off the JMX port.
You must:
- Set appropriate paths to the keystore and truststore files.
- Set the passwords to the passwords set during keystore and truststore generation. The development values use the default password cassandra and relative keystore paths; do not carry them into production.
Because these values are passed as -D options, they appear in the JVM command line, where any user who can list processes on the node can read the keystore and truststore passwords; restrict shell access to the node accordingly.
- Restart DSE.
- To configure the client settings, create a .cassandra/nodetool-ssl.properties file in your home or client program directory on the node on which the command will run, with the following settings.
For production:
-Dcom.sun.management.jmxremote.ssl=true
-Dcom.sun.management.jmxremote.ssl.need.client.auth=false
-Dcom.sun.management.jmxremote.registry.ssl=true
-Djavax.net.ssl.keyStore=/usr/local/lib/dse/resources/dse/conf/.keystore
-Djavax.net.ssl.keyStorePassword=cassandra
-Djavax.net.ssl.trustStore=/usr/local/lib/cassandra/conf/.truststore
-Djavax.net.ssl.trustStorePassword=cassandra
For development:
-Djavax.net.ssl.keyStore=keystore.node0
-Djavax.net.ssl.keyStorePassword=cassandra
-Djavax.net.ssl.trustStore=truststore.node0
-Djavax.net.ssl.trustStorePassword=cassandra
-Dcom.sun.management.jmxremote.ssl.need.client.auth=true
-Dcom.sun.management.jmxremote.registry.ssl=true
The client builds its SSL connection from the javax.net.ssl.* entries: the keystore supplies the certificate the client presents, and the truststore decides which node certificates it accepts. The com.sun.management.jmxremote.* entries are settings of the server-side agent and have no effect in this file, which is why the two variants can differ in them. Whether the client must present a certificate is decided by com.sun.management.jmxremote.ssl.need.client.auth on the server; with the server settings above, the client keystore must hold a certificate that the node truststore trusts. The file contains both passwords in clear text, so make it readable only by the user who runs the command (mode 0600).
To use nodetool or dsetool with SSL for an encrypted connection for any operation:
- Start the command with the --ssl option.
nodetool example:
nodetool --ssl info ## Package installations
installation_location/bin/nodetool --ssl command ## Tarball installations
dsetool example:
dsetool --ssl command ## Package installations
installation_location/bin/dsetool --ssl command ## Tarball installations
- When the cluster also requires JMX authentication, start the command with the --ssl option for an encrypted connection and specify the username and password for authentication and authorization. Note that nodetool and dsetool use different option names for the credentials.
nodetool example:
nodetool --ssl -u username -pw password command ## Package installations
installation_location/bin/nodetool --ssl -u username -pw password command ## Tarball installations
dsetool example:
dsetool --ssl -l username -p password command ## Package installations
installation_location/bin/dsetool --ssl -l username -p password command ## Tarball installations
A password given on the command line is visible in the process list and in shell history; nodetool can read it from a file instead with -pwf path, and that file should be readable only by the invoking user.
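The server-side step and the client-side step of this procedure, as an added shell example that is not part of the DataStax page or of DSE itself. It audits a file that sets JVM_OPTS the way the fragments above do, checking the LOCAL_JMX setting, the three com.sun.management.jmxremote.* properties, the keystore and truststore paths, and whether the sample password cassandra was left in place, and it writes the client-side nodetool-ssl.properties with mode 0600 so the passwords it holds stay private. The function names, the constructed sample files, and the temporary paths are assumptions of this example, and the sample files are constructed for it, not real DSE configuration.

```shell
#!/usr/bin/env bash
# Added example, not from the DataStax page or from DSE: audit an env file that
# builds JVM_OPTS for the JMX SSL settings this procedure requires, and write the
# client-side nodetool-ssl.properties so only the invoking user can read it.
# Function names, the constructed sample files and temp paths are assumptions.

# Print the value of a -Dname=value JVM property from an env file, skipping
# commented-out lines. The last occurrence wins, as it does when JVM_OPTS is
# built up line by line. Prints nothing if the property is absent.
jvm_prop() {  # usage: jvm_prop <env-file> <property-name>
    grep -v '^[[:space:]]*#' "$1" | grep -o -- "-D$2=[^\" ]*" | tail -n 1 | cut -d= -f2-
}

# Check one server-side env file against the procedure. Prints one line per
# problem; returns 1 if anything required is missing or wrong, 0 when clean.
audit_jmx_ssl() {  # usage: audit_jmx_ssl <env-file>
    local f=$1 rc=0 p v
    # LOCAL_JMX=yes keeps the agent bound to localhost, so remote nodetool never connects.
    if grep -Eq '^[[:space:]]*LOCAL_JMX=yes' "$f"; then
        echo "FAIL: LOCAL_JMX=yes; set LOCAL_JMX=no for remote JMX"; rc=1
    fi
    # All three must be true; registry.ssl=true requires need.client.auth=true.
    for p in com.sun.management.jmxremote.ssl \
             com.sun.management.jmxremote.ssl.need.client.auth \
             com.sun.management.jmxremote.registry.ssl; do
        v=$(jvm_prop "$f" "$p")
        [ "$v" = true ] || { echo "FAIL: -D$p is '${v:-unset}', expected true"; rc=1; }
    done
    for p in javax.net.ssl.keyStore javax.net.ssl.trustStore; do
        v=$(jvm_prop "$f" "$p")
        [ -n "$v" ] || { echo "FAIL: -D$p is not set"; rc=1; }
    done
    # The sample password from the development settings must not reach production.
    for p in javax.net.ssl.keyStorePassword javax.net.ssl.trustStorePassword; do
        v=$(jvm_prop "$f" "$p")
        case "$v" in
            ''|cassandra) echo "FAIL: -D$p is '${v:-unset}' (unset or sample password)"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Write the client properties file with mode 0600; it carries both keystore
# passwords in clear text and is read from the invoking user's home directory.
write_client_props() {  # usage: write_client_props <dest> <keystore> <ks-pass> <truststore> <ts-pass>
    local dest=$1
    mkdir -p "$(dirname "$dest")"
    (
        umask 077   # create the file without group/other permissions from the start
        cat > "$dest" <<EOF
-Djavax.net.ssl.keyStore=$2
-Djavax.net.ssl.keyStorePassword=$3
-Djavax.net.ssl.trustStore=$4
-Djavax.net.ssl.trustStorePassword=$5
EOF
    )
    chmod 600 "$dest"
}

# Permission string of a file, e.g. "-rw-------" for mode 0600 (portable across ls variants).
file_mode() { ls -ld "$1" | cut -c1-10; }

# Constructed sample env files for this example (not real DSE configuration).
# "good" mirrors the page's production settings; "bad" has the usual slips:
# LOCAL_JMX left on, the SSL line commented out, no truststore, sample password kept.
write_sample_env() {  # usage: write_sample_env good|bad <dest>
    if [ "$1" = good ]; then
        cat > "$2" <<'EOF'
LOCAL_JMX=no
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=/usr/local/lib/cassandra/conf/server-keystore.jks"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=myKeyPass"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=/usr/local/lib/cassandra/conf/server-truststore.jks"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=truststorePass"
EOF
    else
        cat > "$2" <<'EOF'
LOCAL_JMX=yes
#JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=keystore.node0"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=cassandra"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=cassandra"
EOF
    fi
}

# Run the audit on both constructed samples and write a client file.
demo_dir=$(mktemp -d)
write_sample_env good "$demo_dir/good-env.sh"
write_sample_env bad "$demo_dir/bad-env.sh"
audit_jmx_ssl "$demo_dir/good-env.sh" && echo "good sample: accepted"
audit_jmx_ssl "$demo_dir/bad-env.sh" || echo "bad sample: rejected"
write_client_props "$demo_dir/.cassandra/nodetool-ssl.properties" keystore.node0 cassandra truststore.node0 cassandra
echo "client file mode: $(file_mode "$demo_dir/.cassandra/nodetool-ssl.properties")"
```

Run it against the real file on each node by calling audit_jmx_ssl with that path before restarting DSE; a zero exit status means the JMX agent will come up with SSL, client certificates required, and an SSL-protected registry. The audit treats the last occurrence of each property as authoritative, which matches how repeated JVM_OPTS lines override one another.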