Client-to-node encryption

Client-to-node encryption protects data in flight from client machines to a database cluster using SSL (Secure Sockets Layer). It establishes a secure channel between the client and the coordinator node.

The location of the cassandra.yaml file depends on the type of installation:
  • Package installations: /etc/cassandra/cassandra.yaml
  • Tarball installations: install_location/resources/cassandra/conf/cassandra.yaml

Prerequisites

All nodes must have the relevant SSL certificates installed. See Preparing server certificates.

To enable client-to-node SSL, you must set the client_encryption_options in the cassandra.yaml file.

Procedure

On each node under client_encryption_options:
  • Enable encryption.
  • Set the appropriate paths to your .keystore and .truststore files.
  • Provide the required passwords. The passwords must match the passwords used when generating the keystore and truststore.
  • To enable client certificate authentication for two-way SSL encryption, set require_client_auth to true. Enabling this option allows tools like cqlsh to connect to a remote node. If only local access is required, such as running cqlsh on a local node with SSL encryption, this option is not required. If the option is set to true, the truststore and truststore password must also be included. The password used for both the keystore and the truststore in this example is cassandra.

Example

This example uses the password cassandra for both the keystore and the truststore. The options must be indented beneath client_encryption_options; otherwise YAML treats them as unrelated top-level keys and the block has no effect.

client_encryption_options:
    enabled: true
    # The path to your keystore file; ex: conf/keystore.node0
    keystore: conf/keystore.node0
    # The password for your keystore file
    keystore_password: cassandra
    # The next 3 settings are included if 2-way SSL is desired
    require_client_auth: true
    # The path to your truststore file; ex: conf/truststore.node0
    truststore: conf/truststore.node0
    # The password for your truststore file
    truststore_password: cassandra
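
The following lint script is an added example and is not part of the Cassandra documentation or code base. It reads the client_encryption_options block of a cassandra.yaml file with a small hand-written parser (so it needs no third-party YAML library; it assumes the simple two-level key: value layout shown above and values that contain no '#') and applies the consistency rules the procedure states: encryption enabled, keystore path and password present, and, when require_client_auth is true, truststore and truststore_password present as well. It also reports the common mistake of leaving the option keys unindented, which makes the block empty. The two sample configurations are constructed for the example.

```python
"""Added example, not Cassandra project code: lint the
client_encryption_options block of cassandra.yaml against the rules
given in the client-to-node encryption procedure."""
from typing import Dict, List

# Constructed sample: the documented example, correctly indented.
SAMPLE_OK = """\
client_encryption_options:
    enabled: true
    keystore: conf/keystore.node0
    keystore_password: cassandra
    require_client_auth: true
    truststore: conf/truststore.node0
    truststore_password: cassandra
"""

# Constructed sample with defects: two-way SSL requested without a
# truststore, and an empty keystore password.
SAMPLE_BAD = """\
client_encryption_options:
    enabled: true
    keystore: conf/keystore.node0
    keystore_password:
    require_client_auth: true
"""

BLOCK_KEY = "client_encryption_options:"


def parse_client_encryption_options(text: str) -> Dict[str, str]:
    """Return the key/value pairs indented beneath client_encryption_options.

    Comments and blank lines are skipped. Any unindented line starts a new
    top-level key, so unindented options are (correctly) not attributed to
    the block, which mirrors how YAML would read them. Assumes no '#' inside
    values (a '#' in a password would be cut off here).
    """
    opts: Dict[str, str] = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):
            in_block = line.strip() == BLOCK_KEY
            continue
        if in_block and ":" in line:
            key, _, value = line.strip().partition(":")
            opts[key.strip()] = value.strip()
    return opts


def lint_client_encryption(opts: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the block is consistent."""
    problems: List[str] = []
    if not opts:
        return ["client_encryption_options block is empty; check that its "
                "keys are indented beneath it"]
    if opts.get("enabled", "false").lower() != "true":
        problems.append("enabled is not true; client-to-node traffic is unencrypted")
    if not opts.get("keystore"):
        problems.append("keystore path is missing")
    if not opts.get("keystore_password"):
        problems.append("keystore_password is missing or empty")
    if opts.get("require_client_auth", "false").lower() == "true":
        # Two-way SSL: the node must be able to verify client certificates.
        if not opts.get("truststore"):
            problems.append("require_client_auth is true but truststore is missing")
        if not opts.get("truststore_password"):
            problems.append("require_client_auth is true but "
                            "truststore_password is missing or empty")
    return problems


def lint_file(path: str) -> List[str]:
    """Convenience wrapper: lint a cassandra.yaml on disk."""
    with open(path, encoding="utf-8") as fh:
        return lint_client_encryption(parse_client_encryption_options(fh.read()))


if __name__ == "__main__":
    for name, sample in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        findings = lint_client_encryption(parse_client_encryption_options(sample))
        print(name, "->", findings or "no problems")
```

Run it against a real node with lint_file("/etc/cassandra/cassandra.yaml") before restarting Cassandra; an empty result means the block is at least internally consistent, though it does not prove the keystore and truststore files exist or that their passwords are right.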

What's next

Cassandra must be restarted after making changes to the cassandra.yaml file.