Troubleshooting SSL connections to Cassandra

Troubleshooting tips for typical SSL issues with connections from OpsCenter to Cassandra.

In OpsCenter 6.0, all OpsCenter SSL connections to DataStax Enterprise clusters are validated automatically. Since moving to the JVM, OpsCenter uses a keystore/truststore model to connect to Cassandra and therefore enforces SSL certificate validation more strictly than earlier versions of OpsCenter did. As a result, the ssl_validate option in cluster settings can no longer be used to disable SSL certificate validation.

To ensure that OpsCenter is set up to work with your client-to-node encryption-enabled cluster, follow these steps:
  1. Create a truststore file on the OpsCenter machine using each Cassandra node's certificates.
    1. Obtain the public key certificates from each Cassandra node you want to connect to OpsCenter.
    2. Import these public key certificates into the truststore file. For example:
      keytool -import -v -trustcacerts -alias node0 -file node0.cer -keystore .truststore
  2. Create a client certificate and keystore on the OpsCenter machine:
    keytool -genkey -alias opscenter -keystore keystore.jks
    keytool -export -alias opscenter -file opscenter.cer -keystore keystore.jks
  3. If your DataStax Enterprise cluster is set up to require client auth (require_client_auth under client-to-node-encryption in cassandra.yaml) when using client-to-node encryption, you will need to import the public certificate generated in step 2 into every node's truststore so that Cassandra will trust connections coming from OpsCenter.

Troubleshooting Connections with OpsCenter to Cassandra with SSL

OpsCenter shuts down due to invalid property in cluster config: ssl_validate

This error occurs when the cluster_name.conf configuration file for your cluster contains the deprecated ssl_validate option. Remove the ssl_validate option and restart OpsCenter.

OpsCenter cannot connect to the cluster with No Cassandra connection available error in logs

While this error can be due to a number of issues with the cluster connection, when working with SSL, it can be an indicator that the keystore/truststore setup needs tweaking. You might see errors similar to these in the logs:
2016-02-04 16:06:53,255 [] DEBUG: Node 127.0.0.1 seems to be down, trying next contact point (MainThread)
2016-02-04 16:06:53,255 [] DEBUG: Unable to connect to any seed nodes, tried ['127.0.0.1'] (MainThread)
2016-02-04 16:06:53,256 []  WARN: No cassandra connection available for hostlist ['127.0.0.1'] .  Retrying. (MainThread)
These errors indicate that OpsCenter cannot make a connection with the DataStax Enterprise cluster. To ensure that your SSL setup is correct, check the following:
  • The certificates in the keystore and truststore are valid (hostnames match and certificates are not expired).
  • The public certificate of every node is in the truststore for OpsCenter.
  • The certificate for OpsCenter is in each node's truststore if require_client_auth is enabled.
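
The following Python script is an added example, not part of the original documentation. It runs the first two checks above against the text printed by keytool -list -v -keystore .truststore. The sample listing, aliases and hostnames are constructed; comparing only the certificate CN to the hostname and ignoring the time zone abbreviation are simplifying assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `keytool -list -v -keystore .truststore` output.
SAMPLE = """\
Alias name: node0
Owner: CN=node0.example.com, OU=DB, O=Example, C=US
Valid from: Thu Feb 04 16:06:53 UTC 2016 until: Sun Feb 01 16:06:53 UTC 2026

Alias name: node1
Owner: CN=node1.example.com, OU=DB, O=Example, C=US
Valid from: Thu Feb 04 16:06:53 UTC 2016 until: Wed May 04 16:06:53 UTC 2016
"""
VALID_RE = re.compile(r"Valid from: (.+?) until: (.+)")

def _java_date(text):
    # keytool prints Java's Date.toString(), e.g. "Thu Feb 04 16:06:53 UTC 2016".
    # Assumption: the zone token is dropped and the value is treated as UTC.
    p = text.split()
    return datetime.strptime(" ".join(p[1:4] + p[5:6]), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def parse_entries(listing):
    """Return {alias: {"cn", "not_before", "not_after"}}; first certificate per alias."""
    entries, current = {}, None
    for line in map(str.strip, listing.splitlines()):
        if line.startswith("Alias name:"):
            current = entries.setdefault(line.split(":", 1)[1].strip(), {})
        elif current is None:
            continue  # keystore header lines before the first alias
        elif line.startswith("Owner:") and "cn" not in current:
            m = re.search(r"CN=([^,]+)", line)
            current["cn"] = m.group(1).strip() if m else None
        elif "not_after" not in current and (m := VALID_RE.match(line)):
            current["not_before"], current["not_after"] = map(_java_date, m.groups())
    return entries

def check_truststore(listing, expected, now=None):
    """expected maps truststore alias -> node hostname; returns one problem per bad alias."""
    now = now or datetime.now(timezone.utc)
    entries, problems = parse_entries(listing), []
    for alias, host in expected.items():
        e = entries.get(alias)
        if e is None:
            problems.append(f"{alias}: no certificate in truststore")
        elif "not_after" not in e or not e["not_before"] <= now <= e["not_after"]:
            problems.append(f"{alias}: missing or outside validity window")
        elif e.get("cn") != host:  # assumption: CN only, subject alternative names not checked
            problems.append(f"{alias}: CN {e.get('cn')!r} does not match {host!r}")
    return problems
```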

cluster_name.conf 

The location of the cluster_name.conf file depends on the type of installation:

  • Package installations: /etc/opscenter/clusters/cluster_name.conf
  • Tarball installations: install_location/conf/clusters/cluster_name.conf