Editing OpsCenter cluster connections for authentication or encryption

Cluster connection settings define how OpsCenter connects to a DSE cluster. Edit the cluster connection settings if authentication or encryption has been enabled on a DSE cluster.

For example, if Kerberos authentication or client-to-node encryption was enabled on a cluster, you need to specify that information in the cluster connection settings.

address.yaml

The location of the address.yaml file depends on the type of installation:
  • Package installations: /var/lib/datastax-agent/conf/address.yaml
  • Tarball installations: install_location/conf/address.yaml

cluster_name.conf

The location of the cluster_name.conf file depends on the type of installation:
  • Package installations: /etc/opscenter/clusters/cluster_name.conf
  • Tarball installations: install_location/conf/clusters/cluster_name.conf

Procedure

  1. Select the cluster to edit from the Cluster menu in OpsCenter Monitoring.
  2. Click Settings > Cluster Connections.
    The Edit Cluster Connection Settings dialog appears.

    Figure: Collapsed view of the Edit Cluster Connections Settings dialog in OpsCenter Monitoring

    Tip: Select other clusters to edit connection settings for from the Cluster list.
  3. If applicable, change the IP addresses of cluster nodes.
  4. Optional: If applicable, change the JMX Port and Native Transport Port listen port numbers if you are not using the defaults.
  5. Optional: If applicable, click JMX is enabled on my cluster to add or edit user credentials (username and password) if the JMX port requires authentication.
  6. Optional: If applicable, click Native transport security is enabled on my cluster to add or edit user credentials (username and password) if the Native Transport port requires authentication.
  7. Optional: If applicable to your environment, select DSE security (kerberos) is enabled on my cluster and complete the fields.

    Figure: DSE security (Kerberos) enabled configuration settings for OpsCenter connections

    1. Enter the Service Name. For example, if the server principal on your nodes is dse/nodeX.example.com@EXAMPLE.COM, this field should be dse.
    2. Enter the Opscenterd Client Principal for the OpsCenter process/machine to use. Example: opscenterd/opscenterd.EXAMPLE.COM.
    3. Enter the location of the keytab on the OpsCenter machine in Opscenterd Keytab Location, which contains credentials for the opscenter_client_principal. Example: /etc/opscenter/security/krb5_opsc.keytab.
    4. Enter the client principal for the DataStax Agent process/machine to use in DataStax Agent Client Principal. Example: dxagent/_HOST.
      Important: Because each datastax-agent has a different principal name, the DataStax Agent Client Principal entered in this field is a placeholder. The kerberos_client_principal property must be set in the address.yaml file for each datastax-agent. For example:
      kerberos_client_principal: datastax-agent@dsenode1/dsenode2/dsenode3
    5. Enter the location of the keytab on the DataStax Agent machines in DataStax Agent Keytab Location, which contains credentials for the agent_client_principal. Example: /usr/agent/conf/krb5_agent.keytab.

    For more information, see Setting up Kerberos and the Kerberos tutorial.

  8. If configuring client-to-node settings, select Client-to-node encryption is enabled on my cluster. Indicate the following paths for OpsCenter and each agent to use for connecting directly to the monitored DSE cluster.
    When client-to-node encryption is enabled for a cluster using Lifecycle Manager (LCM), the ssl_truststore and ssl_truststore_password fields in cluster_name.conf are populated automatically from the corresponding ssl_keystore and ssl_keystore_password values, for both opscenterd and the agent: LCM propagates the ssl_keystore value into ssl_keystore and ssl_truststore, and the ssl_keystore_password value into ssl_keystore_password and ssl_truststore_password.

    Figure: Client-to-node encryption enabled connection settings for OpsCenter and Agents

    Note: For information about creating keystores and truststores, see Enabling client-to-node encryption in OpsCenter.
    1. Enter the OpsCenter Keystore Path, which is the SSL keystore location for OpsCenter (opscenterd) to use for connecting to the monitored DSE cluster. The value entered in the UI populates the [cassandra] ssl_keystore property in the OpsCenter cluster configuration file (cluster_name.conf).
    2. Enter the Password for the OpsCenter Keystore Path. The value entered in the UI populates the [cassandra] ssl_keystore_password property in cluster_name.conf.
    3. Enter the OpsCenter Truststore Path, which is the SSL truststore location for OpsCenter (opscenterd) to use for connecting to the monitored DSE cluster. This value should be the same as OpsCenter Keystore Path if the same file is used as both the keystore and the truststore (that is, there is not a separate truststore). The value entered in the UI populates the [cassandra] ssl_truststore property in cluster_name.conf.
    4. Enter the Password for the OpsCenter Truststore Path. This value should be the same as the password for the OpsCenter Keystore Path if the same file is used as both the keystore and the truststore (that is, there is not a separate truststore). The value entered in the UI populates the [cassandra] ssl_truststore_password property in cluster_name.conf.
    5. Enter the Agent Keystore Path, which is the SSL keystore location for each agent to use for connecting to the monitored DSE cluster. The value entered in the UI populates the [agents] ssl_keystore property in cluster_name.conf.
    6. Enter the Password for the Agent Keystore Path. The value entered in the UI populates the [agents] ssl_keystore_password property in cluster_name.conf.
    7. Enter the Agent Truststore Path, which is the SSL truststore location for each agent to use for connecting to the monitored DSE cluster. This value should be the same as the Agent Keystore Path if the same file is used as both the keystore and the truststore (that is, there is not a separate truststore). The value entered in the UI populates the [agents] ssl_truststore property in cluster_name.conf.
    8. Enter the Password for the Agent Truststore Path. This value should be the same as the password for the Agent Keystore Path if the same file is used as both the keystore and the truststore (that is, there is not a separate truststore). The value entered in the UI populates the [agents] ssl_truststore_password property in cluster_name.conf.
  9. Click Save Cluster.
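
The client-to-node properties from step 8 can be checked after saving. The following is an added example, not DataStax code: a Python check that parses the contents of a cluster_name.conf and reports which [cassandra] and [agents] SSL properties are unset, and where one file serves as both keystore and truststore but the two passwords differ. The sample file contents, paths and passwords are constructed, and the function name is hypothetical.

```python
import configparser

# Properties the page says the UI writes into cluster_name.conf.
SSL_KEYS = ("ssl_keystore", "ssl_keystore_password",
            "ssl_truststore", "ssl_truststore_password")
SECTIONS = ("cassandra", "agents")  # opscenterd side, agent side

# Constructed sample; paths and passwords are placeholders.
SAMPLE_CONF = """\
[cassandra]
ssl_keystore = /etc/opscenter/security/opsc.keystore
ssl_keystore_password = example-pass
ssl_truststore = /etc/opscenter/security/opsc.keystore
ssl_truststore_password = example-pass

[agents]
ssl_keystore = /var/lib/datastax-agent/ssl/agent.keystore
ssl_keystore_password = example-pass
ssl_truststore = /var/lib/datastax-agent/ssl/agent.truststore
"""


def audit_ssl_settings(conf_text):
    """Return (section, message) findings; password values are never echoed."""
    # interpolation=None so a '%' inside a password is read literally.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for section in SECTIONS:
        if not cp.has_section(section):
            findings.append((section, "section missing"))
            continue
        opts = cp[section]
        for key in SSL_KEYS:
            if not opts.get(key):  # absent or empty
                findings.append((section, f"{key} not set"))
        keystore = opts.get("ssl_keystore")
        same_file = bool(keystore) and keystore == opts.get("ssl_truststore")
        pw_match = opts.get("ssl_keystore_password") == opts.get("ssl_truststore_password")
        if same_file and not pw_match:
            findings.append((section, "keystore and truststore are the same "
                                      "file but their passwords differ"))
    return findings


if __name__ == "__main__":
    for section, message in audit_ssl_settings(SAMPLE_CONF):
        print(f"[{section}] {message}")
```
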