Using nodetool, dsetool, and dse advrep with SSL encryption

Using nodetool, dsetool, and dse advrep with SSL requires some JMX setup.

A high-level overview of the required configuration to set up nodetool, dsetool, and dse advrep for use with SSL:
- Configure JMX SSL on the server side with changes on each node in the cluster.
- Restart DSE.
- Configure the client settings in your home or client program directory on the node on which the command will run.
Procedure

Configure JMX SSL on the server side:
Important: Make these changes in the file on each node in the cluster.
- If the $LOCAL_JMX setting is present, change it to no.
- Add the following settings:
  For production:
    JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
    JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
    JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
    #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.protocols=<enabled-protocols>"
    #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.cipher.suites=<enabled-cipher-suites>"
    JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=/usr/local/lib/cassandra/conf/server-keystore.jks"
    JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=myKeyPass"
    JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=/usr/local/lib/cassandra/conf/server-truststore.jks"
    JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=truststorePass"
  For development:
    JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
    JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
    JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
    #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.protocols=<enabled-protocols>"
    #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.cipher.suites=<enabled-cipher-suites>"
    JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=keystore.node0"
    JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=cassandra"
    JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=truststore.node0"
    JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=cassandra"
  where:
  - com.sun.management.jmxremote.ssl=true enables SSL for JMX.
  - com.sun.management.jmxremote.ssl.need.client.auth=true enables two-way certificate authentication.
  - com.sun.management.jmxremote.registry.ssl=true creates an RMI registry protected by SSL and configures an out-of-the-box management agent when the Java VM is started. com.sun.management.jmxremote.registry.ssl=true requires that com.sun.management.jmxremote.ssl.need.client.auth=true is also enabled.
  You must:
  - Set appropriate paths to the keystore and truststore files.
  - Set the passwords to the passwords set during keystore and truststore generation.
- Restart DSE.
- To configure the client settings, create a .cassandra/nodetool-ssl.properties file in your home or client program directory on the node on which the command will run, with the following settings.
  For production:
    -Dcom.sun.management.jmxremote.ssl=true
    -Dcom.sun.management.jmxremote.ssl.need.client.auth=false
    -Dcom.sun.management.jmxremote.registry.ssl=true
    -Djavax.net.ssl.keyStore=/usr/local/lib/dse/resources/dse/conf/.keystore
    -Djavax.net.ssl.keyStorePassword=cassandra
    -Djavax.net.ssl.trustStore=/usr/local/lib/cassandra/conf/.truststore
    -Djavax.net.ssl.trustStorePassword=cassandra
  For development:
    -Djavax.net.ssl.keyStore=keystore.node0
    -Djavax.net.ssl.keyStorePassword=cassandra
    -Djavax.net.ssl.trustStore=truststore.node0
    -Djavax.net.ssl.trustStorePassword=cassandra
    -Dcom.sun.management.jmxremote.ssl.need.client.auth=true
    -Dcom.sun.management.jmxremote.registry.ssl=true
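A preflight check for the client-side properties file described above, added here as an example and not part of DSE or this documentation: it verifies that .cassandra/nodetool-ssl.properties sets registry SSL and both store passwords, that the keystore and truststore it names are readable, and warns when the file (which holds the store passwords in clear text) is world-readable. The function names, the constructed sample file, and the permission warning are assumptions of this example.

```shell
#!/bin/sh
# Added example (not DSE code): validate a nodetool-ssl.properties file
# before running nodetool/dsetool/dse advrep with --ssl.

# Print the value of one -Dkey=value line in FILE (empty if the key is absent).
jmx_prop() {
    sed -n "s/^-D$1=//p" "$2" | tail -n 1
}

# check_nodetool_ssl_props FILE -> 0 if usable, 1 otherwise (reasons on stderr).
check_nodetool_ssl_props() {
    f=$1
    [ -r "$f" ] || { echo "missing properties file: $f" >&2; return 1; }
    rc=0
    # Both the production and development client settings set registry.ssl=true.
    if [ "$(jmx_prop com.sun.management.jmxremote.registry.ssl "$f")" != "true" ]; then
        echo "com.sun.management.jmxremote.registry.ssl must be true" >&2; rc=1
    fi
    for key in javax.net.ssl.keyStorePassword javax.net.ssl.trustStorePassword; do
        [ -n "$(jmx_prop "$key" "$f")" ] || { echo "$key is not set" >&2; rc=1; }
    done
    for key in javax.net.ssl.keyStore javax.net.ssl.trustStore; do
        path=$(jmx_prop "$key" "$f")
        if [ -z "$path" ]; then
            echo "$key is not set" >&2; rc=1
        elif [ ! -r "$path" ]; then
            echo "$key points to an unreadable file: $path" >&2; rc=1
        fi
    done
    # Assumed caveat: the file carries store passwords, so flag world-readable copies.
    [ -z "$(find "$f" -perm -o+r 2>/dev/null)" ] || echo "warning: $f is world-readable" >&2
    return $rc
}

# Constructed sample (development-style settings); 'bad' omits the truststore file.
demo_check() {
    d=$(mktemp -d); touch "$d/keystore.node0"
    [ "$1" = bad ] || touch "$d/truststore.node0"
    cat > "$d/nodetool-ssl.properties" <<EOF
-Djavax.net.ssl.keyStore=$d/keystore.node0
-Djavax.net.ssl.keyStorePassword=cassandra
-Djavax.net.ssl.trustStore=$d/truststore.node0
-Djavax.net.ssl.trustStorePassword=cassandra
-Dcom.sun.management.jmxremote.ssl.need.client.auth=true
-Dcom.sun.management.jmxremote.registry.ssl=true
EOF
    chmod 600 "$d/nodetool-ssl.properties"
    if check_nodetool_ssl_props "$d/nodetool-ssl.properties"; then s=0; else s=1; fi
    rm -rf "$d"; return $s
}
```

Run check_nodetool_ssl_props "$HOME/.cassandra/nodetool-ssl.properties" on the node before the first --ssl command; demo_check good and demo_check bad exercise the passing and failing cases on the constructed sample.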
To use nodetool, dsetool, and dse advrep with SSL for an encrypted connection for any operation:
- Start the command with the --ssl option.
  nodetool example:
    nodetool --ssl command
  dsetool example:
    dsetool --ssl command
  dse advrep example:
    dse advrep --ssl command
- Start the command with the --ssl option for an encrypted connection and specify the username and password for authentication and authorization for any operation. If you do not enter a password, you are prompted to enter one.
  nodetool example:
    nodetool --ssl -u username -pw password command
  dsetool example:
    dsetool --ssl -a jmx_username -b jmxpassword command
  dse advrep example:
    dse advrep --ssl -u username command