Setting up SSL for nodetool and dsetool

Using nodetool and dsetool with SSL encryption.

Using nodetool and dsetool with SSL requires some JMX setup.

The location of the cassandra-env.sh file depends on the type of installation:
Package installations: /etc/dse/cassandra/cassandra-env.sh
Tarball installations: install_location/resources/cassandra/conf/cassandra-env.sh

Prerequisites

Complete Preparing server certificates. Additionally, configure Client-to-node encryption.
A high-level overview of the required configuration to set up nodetool and dsetool for use with SSL:
  1. Configure JMX SSL on the server side with changes on each node in the cluster.
  2. Restart DSE.
  3. Configure the client settings in your home or client program directory on the node on which the command will run.

Procedure

Configure JMX SSL on the server side:

Important: Make these changes in the cassandra-env.sh file on each node in the cluster.

  1. If the LOCAL_JMX setting is present, change it to no so that the JMX agent accepts remote connections instead of binding to localhost only (the remote JMX options below are skipped while it is yes):
    LOCAL_JMX=no
  2. Add the following settings for the server:
    For production:
      JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
      JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
      JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
      #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.protocols=<enabled-protocols>"
      #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.cipher.suites=<enabled-cipher-suites>"

      JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=/usr/local/lib/cassandra/conf/server-keystore.jks"
      JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=myKeyPass"
      JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=/usr/local/lib/cassandra/conf/server-truststore.jks"
      JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=truststorePass"
    For development:
      JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
      JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
      JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
      #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.protocols=<enabled-protocols>"
      #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.cipher.suites=<enabled-cipher-suites>"

      JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=keystore.node0"
      JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=cassandra"
      JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=truststore.node0"
      JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=cassandra"
    where:
    • com.sun.management.jmxremote.ssl=true enables SSL for the JMX connector.
    • com.sun.management.jmxremote.ssl.need.client.auth=true enables two-way certificate authentication: the client must present a certificate that the server's truststore trusts, so a client with only a truststore cannot connect.
    • com.sun.management.jmxremote.registry.ssl=true creates an RMI registry protected by SSL and configures an out-of-the-box management agent when the Java VM is started. Without it, the initial registry lookup on the JMX port is unencrypted even though the connector itself uses SSL.
    • com.sun.management.jmxremote.registry.ssl=true requires that com.sun.management.jmxremote.ssl.need.client.auth=true is also enabled.
    • The commented-out enabled.protocols and enabled.cipher.suites lines restrict which TLS versions and cipher suites the JMX agent accepts; uncomment them and supply a comma-separated list when legacy protocols or weak suites must be ruled out.
    You must:
    • Set the paths to the keystore and truststore files on each node (the development values keystore.node0 and truststore.node0 are relative paths and resolve against the working directory of the DSE process).
    • Set the passwords to the ones chosen when the keystore and truststore were generated. They are stored in cleartext in cassandra-env.sh, so restrict read access to that file and to the keystore, which holds the node's private key, to the DSE user.
    • Use the development values only on test clusters: cassandra is the well-known example password and must not be reused in production.
  3. Restart DSE.
  4. To configure the client settings, create a .cassandra/nodetool-ssl.properties file in your home directory (or the client program directory) on the node from which the command runs, with the following settings. The entries are JVM system properties passed to the nodetool or dsetool process: the truststore must contain the certificate (or the CA) that signed the server's JMX certificate, and because the server sets need.client.auth=true, the keystore must hold a client certificate that the server's truststore trusts. The need.client.auth property is evaluated by the server, so its value in this file does not change whether a client certificate is required.
    For production:
    -Dcom.sun.management.jmxremote.ssl=true
    -Dcom.sun.management.jmxremote.ssl.need.client.auth=false
    -Dcom.sun.management.jmxremote.registry.ssl=true
    -Djavax.net.ssl.keyStore=/usr/local/lib/dse/resources/dse/conf/.keystore
    -Djavax.net.ssl.keyStorePassword=cassandra
    -Djavax.net.ssl.trustStore=/usr/local/lib/cassandra/conf/.truststore
    -Djavax.net.ssl.trustStorePassword=cassandra

    For development:

    -Djavax.net.ssl.keyStore=keystore.node0
    -Djavax.net.ssl.keyStorePassword=cassandra
    -Djavax.net.ssl.trustStore=truststore.node0
    -Djavax.net.ssl.trustStorePassword=cassandra
    -Dcom.sun.management.jmxremote.ssl.need.client.auth=true
    -Dcom.sun.management.jmxremote.registry.ssl=true

    Replace the password values with the ones chosen when the client keystore and truststore were generated; cassandra is the example default and should not be reused in production. Keep the file readable only by the user who runs nodetool and dsetool, since it holds the keystore password.
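The following script is an added example, not DataStax tooling: it audits a cassandra-env.sh and a nodetool-ssl.properties against the settings in steps 1 to 4 above, so that a half-finished edit (LOCAL_JMX left at yes, an SSL flag still commented out, the example password cassandra, a world-readable keystore) is caught before DSE is restarted. The two input files, the empty placeholder keystore and truststore files, and the passwords clientKeyPass and clientTrustPass are constructed here so the script runs stand-alone; in practice point check_server_env and check_client_props at the real files.

```shell
#!/bin/sh
# Added example (not DataStax tooling): audit JMX SSL settings before a restart.
# Input files are constructed below so the script runs stand-alone.

# Print the value of -Dname=value for a JVM property in a file. Handles both
# JVM_OPTS="... -Dname=value" lines and bare -Dname=value lines; lines
# commented out with # are skipped. Prints nothing if the property is absent.
jvm_prop() {
    _esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -v '^[[:space:]]*#' "$1" | sed -n "s/.*-D$_esc=\([^\" ]*\).*/\1/p" | tail -n 1
}

# One keystore/truststore entry: path set and existing, password set and not the
# example default "cassandra", and a keystore (private key) not world-readable.
check_store() {   # $1 file  $2 path property  $3 password property  $4 label
    st_path=$(jvm_prop "$1" "$2"); st_pw=$(jvm_prop "$1" "$3"); st_rc=0
    if [ -z "$st_path" ]; then echo "$4: $2 is not set"; st_rc=1
    elif [ ! -f "$st_path" ]; then echo "$4: $2=$st_path does not exist"; st_rc=1
    else
        case "$2" in *keyStore)
            [ -z "$(find "$st_path" -prune -perm -004)" ] ||
                { echo "$4: keystore $st_path is world-readable"; st_rc=1; } ;;
        esac
    fi
    case "$st_pw" in
        "")        echo "$4: $3 is not set"; st_rc=1 ;;
        cassandra) echo "$4: $3 is the example default 'cassandra'"; st_rc=1 ;;
    esac
    return $st_rc
}

# Server side: LOCAL_JMX=no, the three jmxremote SSL flags true, usable stores.
check_server_env() {
    srv_rc=0
    grep -Eq '^[[:space:]]*LOCAL_JMX=no' "$1" ||
        { echo "server: LOCAL_JMX is not set to no"; srv_rc=1; }
    for srv_p in com.sun.management.jmxremote.ssl \
                 com.sun.management.jmxremote.ssl.need.client.auth \
                 com.sun.management.jmxremote.registry.ssl; do
        srv_v=$(jvm_prop "$1" "$srv_p")
        [ "$srv_v" = true ] || { echo "server: $srv_p is '$srv_v', expected true"; srv_rc=1; }
    done
    check_store "$1" javax.net.ssl.keyStore javax.net.ssl.keyStorePassword server || srv_rc=1
    check_store "$1" javax.net.ssl.trustStore javax.net.ssl.trustStorePassword server || srv_rc=1
    return $srv_rc
}

# Client side: the server demands a client certificate (need.client.auth=true),
# so a keystore is mandatory, not only the truststore holding the server CA.
check_client_props() {
    cl_rc=0
    check_store "$1" javax.net.ssl.keyStore javax.net.ssl.keyStorePassword client || cl_rc=1
    check_store "$1" javax.net.ssl.trustStore javax.net.ssl.trustStorePassword client || cl_rc=1
    return $cl_rc
}

# ---- constructed sample input (empty placeholder store files) -----------------
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
touch "$WORK/server-keystore.jks" "$WORK/server-truststore.jks" \
      "$WORK/client.keystore" "$WORK/client.truststore"
chmod 600 "$WORK/server-keystore.jks" "$WORK/client.keystore"

GOOD_ENV=$WORK/cassandra-env.sh      # the production settings from step 2
cat > "$GOOD_ENV" <<EOF
LOCAL_JMX=no
JVM_OPTS="\$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
JVM_OPTS="\$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
JVM_OPTS="\$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
#JVM_OPTS="\$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.protocols=<enabled-protocols>"
JVM_OPTS="\$JVM_OPTS -Djavax.net.ssl.keyStore=$WORK/server-keystore.jks"
JVM_OPTS="\$JVM_OPTS -Djavax.net.ssl.keyStorePassword=myKeyPass"
JVM_OPTS="\$JVM_OPTS -Djavax.net.ssl.trustStore=$WORK/server-truststore.jks"
JVM_OPTS="\$JVM_OPTS -Djavax.net.ssl.trustStorePassword=truststorePass"
EOF

BAD_ENV=$WORK/cassandra-env.bad.sh   # LOCAL_JMX untouched, ssl flag still commented out
cat > "$BAD_ENV" <<EOF
LOCAL_JMX=yes
#JVM_OPTS="\$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
JVM_OPTS="\$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
JVM_OPTS="\$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
JVM_OPTS="\$JVM_OPTS -Djavax.net.ssl.keyStore=$WORK/server-keystore.jks"
JVM_OPTS="\$JVM_OPTS -Djavax.net.ssl.keyStorePassword=cassandra"
JVM_OPTS="\$JVM_OPTS -Djavax.net.ssl.trustStore=$WORK/server-truststore.jks"
JVM_OPTS="\$JVM_OPTS -Djavax.net.ssl.trustStorePassword=truststorePass"
EOF

CLIENT_PROPS=$WORK/nodetool-ssl.properties
cat > "$CLIENT_PROPS" <<EOF
-Dcom.sun.management.jmxremote.ssl=true
-Dcom.sun.management.jmxremote.registry.ssl=true
-Djavax.net.ssl.keyStore=$WORK/client.keystore
-Djavax.net.ssl.keyStorePassword=clientKeyPass
-Djavax.net.ssl.trustStore=$WORK/client.truststore
-Djavax.net.ssl.trustStorePassword=clientTrustPass
EOF

for f in "$GOOD_ENV" "$BAD_ENV"; do
    if check_server_env "$f"; then echo "$f: OK"; else echo "$f: fix before restarting DSE"; fi
done
if check_client_props "$CLIENT_PROPS"; then echo "$CLIENT_PROPS: OK"; fi
```

The script only checks what the procedure lists. It does not verify that the client certificate actually chains to the server truststore; use keytool -list -v on both stores for that. After the restart, openssl s_client -connect node:7199 is a quick confirmation that the RMI registry port now answers with a TLS handshake and the expected server certificate.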

To use nodetool or dsetool with SSL for an encrypted connection for any operation:

  1. Start the command with the --ssl option:
    nodetool example:
    nodetool --ssl info ## Package installations
    installation_location/bin/nodetool --ssl info ## Tarball installations
    dsetool example:
    dsetool --ssl command ## Package installations
    installation_location/bin/dsetool --ssl command ## Tarball installations
  2. If JMX authentication is enabled, also pass the username and password for authentication and authorization. Note that nodetool takes -u and -pw, while dsetool takes -l and -p:
    nodetool example:
    nodetool --ssl -u username -pw password command ## Package installations
    installation_location/bin/nodetool --ssl -u username -pw password command ## Tarball installations
    dsetool example:
    dsetool --ssl -l username -p password command ## Package installations
    installation_location/bin/dsetool --ssl -l username -p password command ## Tarball installations
    A password given on the command line is visible to other users in the process list and in shell history; nodetool can read it from a file with -pwf path instead.