Client-to-node encryption using SSL

Client-to-node encryption protects data in flight from client machines to a database cluster using SSL (Secure Sockets Layer). It establishes a secure channel between the client and the coordinator node.

DSE Search

When you enable SSL, the authentication/authorization filters are automatically enabled in the Solr web.xml file and an SSL connector in Tomcat is configured. You do not have to change your web.xml or server.xml files.

Note: If the TomcatSolrRunner doesn't find a connector in server.xml, it creates a default connector. The default connector binds to the rpc_address in cassandra.yaml. You can change Tomcat web server settings.

Procedure

Perform these steps on each node.

DSE Search nodes and DSE Analytics nodes with Spark require the truststore entries in cassandra.yaml.

  1. In the cassandra.yaml file, in the client_encryption_options section:
    • To enable encryption, set enabled to true.
    • Set the paths to your .keystore and .truststore files.
    • Provide the passwords that were used when generating the keystore and truststore.
    • To enable client certificate authentication, set require_client_auth to true.
    client_encryption_options:
        enabled: true
        keystore: resources/dse/conf/.keystore  ## Path to your .keystore file
        keystore_password: keystore password  ## Password that you used to generate the keystore
        store_type: JKS
        truststore: resources/dse/conf/.truststore  ## Path to your .truststore
        truststore_password: truststore password  ## Password that you used to generate the truststore
        protocol: ssl
        require_client_auth: true
        cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA]
    For information about using Kerberos with SSL, see Using Kerberos and SSL at the same time. To encrypt the truststore and keystore passwords with KMIP, see Encrypting using off-server encryption keys.
    The location of the cassandra.yaml file depends on the type of installation:
    Installer-Services: /etc/dse/cassandra/cassandra.yaml
    Package installations: /etc/dse/cassandra/cassandra.yaml
    Installer-No Services: install_location/resources/cassandra/conf/cassandra.yaml
    Tarball installations: install_location/resources/cassandra/conf/cassandra.yaml
    The location of the dse.yaml file depends on the type of installation:
    Installer-Services: /etc/dse/dse.yaml
    Package installations: /etc/dse/dse.yaml
    Installer-No Services: install_location/resources/dse/conf/dse.yaml
    Tarball installations: install_location/resources/dse/conf/dse.yaml
    The default location of the Tomcat server.xml file is the same for all installation types:
    Installer-Services and Package installations: /etc/dse/resources/tomcat/conf/server.xml
    Installer-No Services and Tarball installations: /etc/dse/tomcat/conf/server.xml
  2. If the client_encryption_options are set in the dse.yaml file, remove them.
  3. If you are not using the JCE Unlimited Strength Jurisdiction Policy, make sure that your ticket granting principal does not use AES-256.
    If your ticket granting principal uses AES-256, you might see a warning like this in the logs:
    WARN [StreamConnectionEstablisher:18] 2015-06-22 14:12:18,589 SSLFactory.java (line 162) Filtering out TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA as it isnt supported by the socket
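
A pre-deployment check for the settings in steps 1 and 3, added here as an example (it is not DataStax code): it reads the client_encryption_options section and reports settings that leave client traffic unprotected, plus any AES-256 cipher suite of the kind named in the warning above. The function names parse_section and audit, the jce_unlimited parameter, and the sample text are assumptions made for this example; the parser handles only this flat section, not YAML in general.

```python
import re

# Constructed sample: the section from step 1, followed by an unrelated section.
SAMPLE = """\
client_encryption_options:
    enabled: true
    keystore: resources/dse/conf/.keystore  ## Path to your .keystore file
    keystore_password: keystore password
    truststore: resources/dse/conf/.truststore
    truststore_password: truststore password
    require_client_auth: true
    cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA]
other_section:
    enabled: false
"""

def parse_section(text, name="client_encryption_options"):
    """Return the flat key/value pairs indented under `name:`."""
    opts, inside = {}, False
    for raw in text.splitlines():
        line = re.sub(r"\s+#.*$", "", raw).rstrip()      # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue                                     # blank or comment-only line
        if not line[0].isspace():                        # a top-level key opens or closes the section
            inside = line.strip() == name + ":"
            continue
        if inside and ":" in line:
            key, value = line.strip().split(":", 1)
            opts[key.strip()] = value.strip()
    return opts

def audit(opts, jce_unlimited=False):
    """List findings; jce_unlimited says whether the JVM has the unlimited-strength policy."""
    findings = []
    if opts.get("enabled", "false").lower() != "true":
        findings.append("enabled is not true: client connections are unencrypted")
    if opts.get("require_client_auth", "false").lower() != "true":
        findings.append("require_client_auth is not true: client certificates are not checked")
    for key in ("keystore", "keystore_password", "truststore", "truststore_password"):
        if not opts.get(key):
            findings.append(f"{key} is not set")
    suites = [s.strip() for s in opts.get("cipher_suites", "").strip("[]").split(",") if s.strip()]
    for suite in suites:
        if "_AES_256_" in suite and not jce_unlimited:
            findings.append(f"{suite} needs the JCE Unlimited Strength policy and will be filtered out")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_section(SAMPLE)):
        print(finding)
```

Run it against the real cassandra.yaml on each node by passing the file's text to parse_section.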