Using nodetool (JMX) with SSL
Using nodetool with SSL encryption.
Using nodetool with SSL requires some JMX setup. Changes to cassandra-env.sh are required, and a configuration file, ~/.cassandra/nodetool-ssl.properties, is created.
The location of the cassandra-env.sh file depends on
the type of installation:
Package installations | /etc/cassandra/cassandra-env.sh |
Tarball installations | install_location/conf/cassandra-env.sh |
Procedure
- First, follow steps #1-5 in Enabling JMX authentication.
- To run nodetool with SSL encryption, some additional changes are required to cassandra-env.sh. The following settings must be added to the file. Use the file path to the keystore and truststore, and appropriate passwords for each file.

    JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=/home/automaton/keystore.node0"
    JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=cassandra"
    JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=/home/automaton/truststore.node0"
    JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=cassandra"
    JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
    JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"

- Restart Cassandra.
- To run nodetool with SSL encryption, create a .cassandra/nodetool-ssl.properties file in your home or client program directory with the following settings.

    -Djavax.net.ssl.keyStore=/home/automaton/keystore.node0
    -Djavax.net.ssl.keyStorePassword=cassandra
    -Djavax.net.ssl.trustStore=/home/automaton/truststore.node0
    -Djavax.net.ssl.trustStorePassword=cassandra
    -Dcom.sun.management.jmxremote.ssl.need.client.auth=true
    -Dcom.sun.management.jmxremote.registry.ssl=true

- Start nodetool with the --ssl option for an encrypted connection for any nodetool operation.

    $ nodetool --ssl info ## Package installations
    $ install_location/bin/nodetool --ssl info ## Tarball installations
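
The properties file created in the procedure above holds the keystore and truststore passwords in clear text, so it is worth linting before use. The following is an added example, not part of Cassandra or the original page: the function names check_nodetool_ssl and prop_value are hypothetical, the sample file is constructed in a temporary directory, and the password it flags is the sample value "cassandra" shown in the settings above.

```shell
#!/bin/sh
# Added example, not part of Cassandra: lint a nodetool-ssl.properties file.

# prop_value FILE KEY -> value of the first -DKEY=... entry (empty if absent).
# This example accepts entries separated by newlines or spaces.
prop_value() {
    tr ' ' '\n' < "$1" | sed -n "s|^-D$2=||p" | head -n 1
}

# check_nodetool_ssl FILE -> prints findings; exit status = number of findings.
check_nodetool_ssl() {
    f=$1; problems=0
    [ -f "$f" ] || { echo "missing file: $f"; return 1; }

    # Store passwords sit here in clear text: allow the owner only (chmod 600).
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "permissions: group/other can access $f"; problems=$((problems + 1))
    fi
    # Every setting from the procedure must be present with a value.
    for key in javax.net.ssl.keyStore javax.net.ssl.keyStorePassword \
               javax.net.ssl.trustStore javax.net.ssl.trustStorePassword \
               com.sun.management.jmxremote.ssl.need.client.auth \
               com.sun.management.jmxremote.registry.ssl; do
        if [ -z "$(prop_value "$f" "$key")" ]; then
            echo "missing setting: -D$key"; problems=$((problems + 1))
        fi
    done
    # Keystore and truststore paths must point at readable files.
    for key in javax.net.ssl.keyStore javax.net.ssl.trustStore; do
        path=$(prop_value "$f" "$key")
        if [ -n "$path" ] && [ ! -r "$path" ]; then
            echo "store not readable: $path"; problems=$((problems + 1))
        fi
    done
    # The documentation's sample password must not survive into a deployment.
    for key in javax.net.ssl.keyStorePassword javax.net.ssl.trustStorePassword; do
        if [ "$(prop_value "$f" "$key")" = "cassandra" ]; then
            echo "sample password in use: -D$key"; problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Constructed sample: the page's example values in a world-readable file.
demo=$(mktemp -d)
printf '%s\n' "-Djavax.net.ssl.keyStore=$demo/keystore.node0" \
    "-Djavax.net.ssl.keyStorePassword=cassandra" \
    "-Djavax.net.ssl.trustStore=$demo/truststore.node0" \
    "-Djavax.net.ssl.trustStorePassword=cassandra" \
    "-Dcom.sun.management.jmxremote.ssl.need.client.auth=true" > "$demo/bad.properties"
chmod 644 "$demo/bad.properties"
check_nodetool_ssl "$demo/bad.properties" || echo "findings: $?"
```

Run the same check against the real ~/.cassandra/nodetool-ssl.properties; an exit status of 0 means no findings.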