Setting up SSL for nodetool, dsetool, and dse advrep

Using nodetool, dsetool, and dse advrep with SSL encryption.

Using nodetool, dsetool, and dse advrep with SSL requires some JMX setup.

The location of the cassandra-env.sh file depends on the type of installation:
Package installations /etc/dse/cassandra/cassandra-env.sh
Tarball installations install_location/resources/cassandra/conf/cassandra-env.sh

Prerequisites

Complete Preparing server certificates for SSL encryption. Additionally, configure client-to-node encryption.
A high-level overview of the required configuration to set up nodetool, dsetool, and dse advrep for use with SSL:
  1. Configure JMX SSL on the server side with changes on each node in the cluster.
  2. Restart DSE.
  3. Configure the client settings in your home or client program directory on the node on which the command will run.

Procedure

Configure JMX SSL on the server side:

Important: Make these changes in the cassandra-env.sh file on each node in the cluster.

  1. If the $LOCAL_JMX setting is present, change it to no: 
    "$LOCAL_JMX" = "no"
  2. Add the following settings:
    For production:
    JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
  JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
  JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
  #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.protocols=<enabled-protocols>"
  #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.cipher.suites=<enabled-cipher-suites>"
  
  JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=/usr/local/lib/cassandra/conf/server-keystore.jks"
  JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=myKeyPass"
  JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=/usr/local/lib/cassandra/conf/server-truststore.jks"
  JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=truststorePass"
    For development:
    JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
  JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
  JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
  #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.protocols=<enabled-protocols>"
  #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.cipher.suites=<enabled-cipher-suites>"

  JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=keystore.node0"
  JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=cassandra"
  JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=truststore.node0"
  JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=cassandra"
    where:
    • com.sun.management.jmxremote.ssl=true enables SSL for JMX.
    • com.sun.management.jmxremote.ssl.need.client.auth=true enables two-way certificate authentication.
    • com.sun.management.jmxremote.registry.ssl=true creates an RMI registry protected by SSL and configures an out-of-the-box management agent when the Java VM is started.
    • com.sun.management.jmxremote.registry.ssl=true requires that com.sun.management.jmxremote.ssl.need.client.auth=true is also enabled.
    You must:
    • Set appropriate paths to the keystore and truststore files.
    • Set the passwords to the passwords set during keystore and truststore generation.
  3. Restart DSE.
  4. To configure the client settings, create a .cassandra/nodetool-ssl.properties file in your home or client program directory with the following settings on the node on which the command will run.
    For production:
    -Dcom.sun.management.jmxremote.ssl=true
-Dcom.sun.management.jmxremote.ssl.need.client.auth=false
-Dcom.sun.management.jmxremote.registry.ssl=true  
-Djavax.net.ssl.keyStore=/usr/local/lib/dse/resources/dse/conf/.keystore
-Djavax.net.ssl.keyStorePassword=cassandra
-Djavax.net.ssl.trustStore=/usr/local/lib/cassandra/conf/.truststore
-Djavax.net.ssl.trustStorePassword=cassandra

    For development:

    -Djavax.net.ssl.keyStore=keystore.node0
-Djavax.net.ssl.keyStorePassword=cassandra
-Djavax.net.ssl.trustStore=truststore.node0
-Djavax.net.ssl.trustStorePassword=cassandra
-Dcom.sun.management.jmxremote.ssl.need.client.auth=true
-Dcom.sun.management.jmxremote.registry.ssl=true

To use nodetool, dsetool, and dse advrep with SSL for an encrypted connection for any operation:

  1. Start the command with the --ssl option.
    nodetool example:
    nodetool --ssl command
    dsetool example:
    dsetool --ssl command
    dse advrep example:
    dse advrep --ssl command
  2. Start the command with the --ssl option for an encrypted connection and specify the username and password for authentication and authorization for any operation. If you do not enter a password, you are prompted to enter one.
    nodetool example:
    nodetool --ssl -u username -pw password command
    dsetool example:
    dsetool --ssl -a jmx_username -b jmxpassword command
    dse advrep example:
    dse advrep --ssl -u username command