To enable SSL for package installations, edit the configuration file and run a script
to generate the keys used by OpsCenter and the agents.
opscenterd.conf
The location of the opscenterd.conf file depends on the type of
installation:
| Location | Package | Installer (GUI or text mode): Service | Installer (GUI or text mode): No-service | Tarball |
|---|---|---|---|---|
| /etc/opscenter/opscenterd.conf | X | X | | |
| install_location/conf/opscenterd.conf | | | X | X |
address.yaml
The location of the address.yaml file depends on the type of installation:
- Package installations:
/var/lib/datastax-agent/conf/address.yaml
- Tarball installations:
install_location/conf/address.yaml
Prerequisites
- The Python interface for the OpenSSL library (pyOpenSSL).
With package installs (rpm or deb) of OpsCenter, the
python-openssl package is installed as a dependency.
However, this is not the case with CentOS 5.x installs.
Procedure
- Ensure that a version of pyOpenSSL compatible with the installed version of libssl is installed. This is a requirement for any secure communications in OpsCenter.
- If you are using libssl 1.x, ensure that pyOpenSSL 0.10+ is installed and compiled properly.
- Optional: Determine the version of pyOpenSSL installed.
$ python -c "import OpenSSL; print(OpenSSL.__version__)"
- Optional: Manually install pyOpenSSL.
$ sudo easy_install pyOpenSSL
- Run the OpsCenter setup.py script:
$ sudo /usr/share/opscenter/bin/setup.py
The script generates the SSL keys and certificates (used by the OpsCenter daemon and the agents to communicate with one another) in the following directory:
/var/lib/opscenter
- Open opscenterd.conf in an editor and add the following lines to enable SSL:
$ sudo vi /etc/opscenter/opscenterd.conf
[agents]
use_ssl = true
- Restart the OpsCenter daemon.
If you want to connect to a cluster in which agents have already been deployed, log in to each of the nodes and reconfigure the address.yaml file (see steps below).
- Reconfigure the agents on all nodes.
- Copy /var/lib/opscenter/ssl/agentKeyStore from the OpsCenter machine to /var/lib/datastax-agent/ssl/agentKeyStore on each node in the cluster.
$ scp /var/lib/opscenter/ssl/agentKeyStore user@node:/var/lib/datastax-agent/ssl/
Where node is either the host name of the node or its IP address and user is the user ID on the node.
- Log in to each node in the cluster using ssh.
- Edit the address.yaml file, changing the value of use_ssl to 1.
$ sudo vi /var/lib/datastax-agent/conf/address.yaml
use_ssl: 1
- Restart the agent.
$ sudo service datastax-agent restart
If you do not want to manually edit all of the node configuration files, follow the agent installation procedure.
- After opscenterd and all agents have been configured and restarted, verify proper connection through the dashboard.
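A quick way to confirm the result of the steps above on each host, as an added example that is not part of the DataStax documentation or tooling. The function names are hypothetical, the default paths are the package-install paths from this page, and sha256sum is assumed to be available.

```shell
#!/bin/sh
# Added example (not DataStax code): checks for the SSL settings described above.
# Function names are hypothetical; default paths are the package-install paths.

# True if "use_ssl = true" appears inside the [agents] section of opscenterd.conf.
# A use_ssl line in another section, or a commented-out line, does not count.
opscenterd_ssl_enabled() {
    sed -n '/^\[agents\]/,/^\[/p' "$1" |
        grep -Eq '^[[:space:]]*use_ssl[[:space:]]*=[[:space:]]*true[[:space:]]*$'
}

# True if address.yaml sets the top-level key use_ssl to 1.
agent_ssl_enabled() {
    grep -Eq '^use_ssl:[[:space:]]*1[[:space:]]*$' "$1"
}

# Print the SHA-256 digest of a keystore file. Run this on the OpsCenter
# machine against /var/lib/opscenter/ssl/agentKeyStore before copying it.
keystore_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# Run on a node: confirm the copied keystore is byte-identical to the one on
# the OpsCenter machine and that the agent is configured for SSL.
# Usage: check_agent_node EXPECTED_DIGEST [KEYSTORE] [ADDRESS_YAML]
check_agent_node() {
    expected=$1
    keystore=${2:-/var/lib/datastax-agent/ssl/agentKeyStore}
    address_yaml=${3:-/var/lib/datastax-agent/conf/address.yaml}
    rc=0
    if [ ! -r "$keystore" ]; then
        echo "FAIL: $keystore missing or unreadable"; rc=1
    elif [ "$(keystore_digest "$keystore")" != "$expected" ]; then
        echo "FAIL: $keystore differs from the OpsCenter copy"; rc=1
    fi
    if ! agent_ssl_enabled "$address_yaml"; then
        echo "FAIL: use_ssl is not 1 in $address_yaml"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: keystore matches and use_ssl is 1"
    return "$rc"
}
```

A node that still has a stale or truncated keystore, or an address.yaml that was never switched to use_ssl: 1, fails the check before you go looking for the cause in the dashboard.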
What's next
If you are upgrading an existing cluster to SSL, see adding an existing cluster for instructions on generating an OpenSSL
certificate for the cluster to be reconfigured for SSL communications with
OpsCenter.