Troubleshooting SSL connections to Cassandra
Troubleshooting tips for typical SSL issues with connections from OpsCenter to Cassandra.
In OpsCenter 6.0, all OpsCenter SSL connections to DataStax Enterprise clusters are
validated automatically. Since moving to the JVM, OpsCenter uses a keystore/truststore model
to connect to Cassandra, and as such, requires stricter enforcement of SSL certificates than
in earlier versions of OpsCenter. Therefore there is no longer an option to disable SSL
certificate validation using the ssl_validate option in cluster settings.
1. Create a truststore file on the OpsCenter machine using each Cassandra node's certificates.
   - Obtain the public key certificates from each Cassandra node you want to connect to OpsCenter.
   - Import these public key certificates into the truststore file. For example:
     keytool -import -v -trustcacerts -alias node0 -file node0.cer -keystore .truststore
2. Create a client certificate and keystore on the OpsCenter machine:
   keytool -genkey -alias opscenter -keystore keystore.jks
   keytool -export -alias opscenter -file opscenter.cer -keystore keystore.jks
3. If your DataStax Enterprise cluster is set up to require client auth (require_client_auth under client-to-node-encryption in cassandra.yaml) when using client-to-node encryption, you will need to import the public certificate generated in step 2 into every node's truststore so that Cassandra will trust connections coming from OpsCenter.
Troubleshooting Connections with OpsCenter to Cassandra with SSL
OpsCenter shuts down due to invalid property in cluster config: ssl_validate
This error occurs when your cluster_name.conf configuration file contains the deprecated
ssl_validate configuration value. Remove the ssl_validate option and restart OpsCenter.
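A pre-restart check for this failure, as an added example (not part of the original documentation or of OpsCenter itself): it reports every active ssl_validate line in the given cluster configuration files. It assumes the files are INI-style; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: locate the deprecated ssl_validate option in OpsCenter
# cluster configuration files before restarting OpsCenter 6.0.
# Assumption: files are INI-style ([section] headers, "key = value" lines,
# comment lines starting with # or ;).

# Print "file:line: [section] original line" for every active ssl_validate
# setting. Returns 1 if any were found, 0 if the files are clean.
find_ssl_validate() {
    awk '
        FNR == 1           { section = "(none)" }   # reset for each file
        /^[ \t]*[#;]/      { next }                 # skip commented-out lines
        /^[ \t]*\[[^]]*\]/ { section = $0
                             gsub(/^[ \t]*\[|\].*$/, "", section)
                             next }
        /^[ \t]*ssl_validate[ \t]*[=:]/ {
            printf "%s:%d: [%s] %s\n", FILENAME, FNR, section, $0
            found = 1
        }
        END { exit found ? 1 : 0 }
    ' "$@"
}

# Print a copy of one file with the active ssl_validate lines removed.
# The original file is left untouched so the change can be reviewed first.
strip_ssl_validate() {
    awk '!/^[ \t]*ssl_validate[ \t]*[=:]/' "$1"
}

# Constructed sample of a cluster configuration file (not a real cluster).
sample_conf() {
    cat <<'EOF'
[cassandra]
seed_hosts = 127.0.0.1
ssl_validate = False
# ssl_validate = True
EOF
}

# Usage on a package installation:
#   find_ssl_validate /etc/opscenter/clusters/*.conf
```

Review the output of strip_ssl_validate before replacing the live file, then restart OpsCenter.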
OpsCenter cannot connect to the cluster with No Cassandra connection available error in logs
2016-02-04 16:06:53,255 [] DEBUG: Node 127.0.0.1 seems to be down, trying next contact point (MainThread)
2016-02-04 16:06:53,255 [] DEBUG: Unable to connect to any seed nodes, tried ['127.0.0.1'] (MainThread)
2016-02-04 16:06:53,256 [] WARN: No cassandra connection available for hostlist ['127.0.0.1'] . Retrying. (MainThread)
- Ensure that the certificates in the keystore/truststore are valid (hostnames match and certificates are not expired).
- Ensure that all public certificates for each node are in the truststore for OpsCenter.
- Ensure that the certificate for OpsCenter is in each node's truststore if require_client_auth is enabled.
cluster_name.conf
The location of the cluster_name.conf file depends on the type of installation:
- Package installations: /etc/opscenter/clusters/cluster_name.conf
- Tarball installations: install_location/conf/clusters/cluster_name.conf