Client-to-node encryption
Client-to-node encryption protects data in flight from client machines to a database cluster using SSL (Secure Sockets Layer). It establishes a secure channel between the client and the coordinator node.
The location of the cassandra.yaml file depends on the type of installation:

| Installation type | Location |
|---|---|
| Package installations | /etc/cassandra/cassandra.yaml |
| Tarball installations | install_location/resources/cassandra/conf/cassandra.yaml |
Prerequisites
To enable client-to-node SSL, you must set the client_encryption_options in the cassandra.yaml file.
Procedure
On each node, under client_encryption_options:

- Enable encryption.
- Set the appropriate paths to your .keystore and .truststore files.
- Provide the required passwords. The passwords must match the passwords used when generating the keystore and truststore.
- To enable client certificate authentication for two-way SSL encryption, set require_client_auth to true. Enabling this option allows tools like cqlsh to connect to a remote node. If only local access is required, such as running cqlsh on a local node with SSL encryption, this option is not required. If the option is set to true, then the truststore and truststore password must also be included. The password used for both the keystore and the truststore in this example is cassandra.
Example
This example uses the password cassandra.

```yaml
client_encryption_options:
    enabled: true
    # The path to your keystore file; ex: conf/keystore.node0
    keystore: conf/keystore.node0
    # The password for your keystore file
    keystore_password: cassandra
    # The next 3 lines are included if 2-way SSL is desired
    require_client_auth: true
    # The path to your truststore file; ex: conf/truststore.node0
    truststore: conf/truststore.node0
    # The password for your truststore file
    truststore_password: cassandra
```
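A pre-deployment consistency check for such a block, written as an added example that is not Cassandra's own code. The sample blocks and their passwords are constructed for the demonstration, and the tiny parser only understands the flat key: value layout shown above; it flags the two-way SSL case in which require_client_auth is true but the truststore lines were left out.

```python
"""Consistency check for a client_encryption_options block (added example, not Cassandra's own code)."""
from typing import Dict, List

# Constructed sample: two-way SSL requested, but the truststore lines were left out.
INCOMPLETE_BLOCK = """\
client_encryption_options:
    enabled: true
    keystore: conf/keystore.node0      # The path to your keystore file
    keystore_password: s3cretKeystore
    require_client_auth: true          # two-way SSL, so a truststore is mandatory
"""

# Constructed sample: the same block with the truststore lines present.
COMPLETE_BLOCK = INCOMPLETE_BLOCK + """\
    truststore: conf/truststore.node0
    truststore_password: s3cretTruststore
"""


def parse_block(text: str) -> Dict[str, str]:
    """Minimal parser for a flat 'key: value' block; strips comments and the section header."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith(":"):  # blank line or 'client_encryption_options:'
            continue
        key, _, value = line.partition(":")
        opts[key.strip()] = value.strip()
    return opts


def check_client_encryption(opts: Dict[str, str]) -> List[str]:
    """Return the problems found; an empty list means the block is self-consistent."""
    problems: List[str] = []
    if opts.get("enabled", "false").lower() != "true":
        return ["enabled is not true: client-to-node traffic stays in cleartext"]
    for key in ("keystore", "keystore_password"):
        if not opts.get(key):
            problems.append(f"{key} missing: the node needs its own certificate to offer SSL")
    if opts.get("require_client_auth", "false").lower() == "true":
        for key in ("truststore", "truststore_password"):
            if not opts.get(key):
                problems.append(f"{key} missing: required when require_client_auth is true")
    for key in ("keystore_password", "truststore_password"):
        if opts.get(key) == "cassandra":
            problems.append(f"{key} is the documentation's example value 'cassandra'")
    return problems


if __name__ == "__main__":
    for name, block in (("incomplete", INCOMPLETE_BLOCK), ("complete", COMPLETE_BLOCK)):
        print(name, check_client_encryption(parse_block(block)) or "OK")
```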