Using cqlsh with SSL encryption

Using a cqlshrc file with SSL encryption.

Using a cqlshrc file is the easiest way to configure cqlsh. The cqlshrc.sample file provides an example that can be copied as a starting point.

The location of the cqlshrc.sample file depends on the type of installation:
Package installations /etc/cassandra/cqlshrc.sample
Tarball installations install_location/conf/cqlshrc.sample

Procedure

  1. To run cqlsh with SSL encryption, create a .cassandra/cqlshrc file in your home directory or in the client program directory and add the following settings. When validate is enabled, the hostname in the server certificate is compared with the host that cqlsh connects to, so a certificate issued for a different host is rejected. Because the [authentication] section stores the password in plaintext, make the file readable only by its owner (for example, chmod 600).
    [authentication]
    username = fred
    password = !!bang!!$

    [connection]
    hostname = 127.0.0.1
    port = 9042
    factory = cqlshlib.ssl.ssl_transport_factory

    [ssl]
    certfile = ~/keys/node0.cer.pem
    # Optional, true by default
    validate = true
    # The next 2 lines are required when require_client_auth = true in the cassandra.yaml file
    userkey = ~/node0.key.pem
    usercert = ~/node0.cer.pem

    [certfiles]
    # Optional section, overrides the default certfile in the [ssl] section per host for 2 way SSL
    172.31.10.22 = ~/keys/node0.cer.pem
    172.31.8.141 = ~/keys/node1.cer.pem
    Note: The IP addresses used as keys in the [certfiles] section must be the same ones used to generate the dname of the certificates; otherwise hostname validation fails, so this is required for 2 way SSL encryption. Each remote node that cqlsh connects to needs its own line in the [certfiles] section. The SSL certificate must be provided either in the configuration file or as an environment variable. The environment variables SSL_CERTFILE and SSL_VALIDATE override the corresponding options set in this file.
  2. Start cqlsh with the --ssl option to open an encrypted connection to the local node.
    cqlsh --ssl                          ## Package installations
    install_location/bin/cqlsh --ssl     ## Tarball installations
  3. Start cqlsh with the --ssl option and the IP address of a remote node to open an encrypted connection to that node.
    cqlsh --ssl 172.31.10.22                          ## Package installations
    install_location/bin/cqlsh --ssl 172.31.10.22     ## Tarball installations
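The following Python script is an added example, not code from cqlsh or from this page. It writes a copy of the cqlshrc shown in the procedure to a temporary directory, parses it with configparser (the standard-library parser cqlsh itself is written against), resolves certfile and validate with the precedence described in the Note (SSL_CERTFILE and SSL_VALIDATE override the file; a [certfiles] entry for the connected host overrides the [ssl] certfile) and flags the settings that weaken the connection: a group- or world-readable file holding the plaintext password, validate turned off, a missing certfile, and a missing userkey/usercert pair when the server sets require_client_auth. The helper names, the finding texts and the sample scenarios are this example's own.

```python
"""Audit a cqlshrc for the SSL settings described in the procedure.
Added example, not cqlsh's own code; it models the override precedence the
page describes and reports settings that weaken the client connection."""
import configparser
import os
import stat
import tempfile

# Constructed sample mirroring the cqlshrc shown in the procedure.
SAMPLE_CQLSHRC = """\
[authentication]
username = fred
password = !!bang!!$

[connection]
hostname = 127.0.0.1
port = 9042
factory = cqlshlib.ssl.ssl_transport_factory

[ssl]
certfile = ~/keys/node0.cer.pem
validate = true
userkey = ~/node0.key.pem
usercert = ~/node0.cer.pem

[certfiles]
172.31.10.22 = ~/keys/node0.cer.pem
172.31.8.141 = ~/keys/node1.cer.pem
"""

def write_cqlshrc(directory, text=SAMPLE_CQLSHRC, mode=0o600):
    """Write text as <directory>/.cassandra/cqlshrc with an explicit mode; return its path."""
    cass_dir = os.path.join(directory, ".cassandra")
    os.makedirs(cass_dir, exist_ok=True)
    path = os.path.join(cass_dir, "cqlshrc")
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path

def resolve_ssl(path, host=None, env=None):
    """Return (certfile, validate, userkey, usercert) after applying the overrides."""
    env = os.environ if env is None else env
    # interpolation=None so a '%' in the password is taken literally, not as a format directive.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(path)

    def opt(section, option):
        return cfg.get(section, option, fallback=None)

    # validate: environment wins, then [ssl] validate; only the literal string
    # "false" turns verification off, matching the "true by default" comment.
    raw_validate = env.get("SSL_VALIDATE")
    if raw_validate is None:
        raw_validate = opt("ssl", "validate")
    validate = raw_validate is None or raw_validate.strip().lower() != "false"

    # certfile: environment, then the per-host [certfiles] entry, then [ssl] certfile.
    certfile = env.get("SSL_CERTFILE")
    if certfile is None and host:
        certfile = opt("certfiles", host)
    if certfile is None:
        certfile = opt("ssl", "certfile")
    if certfile is not None:
        certfile = os.path.expanduser(certfile)
    return certfile, validate, opt("ssl", "userkey"), opt("ssl", "usercert")

def audit_cqlshrc(path, host=None, env=None, require_client_auth=False):
    """Return a list of findings; an empty list means the file is configured safely."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o}: cqlshrc holds the plaintext password and "
                        "must not be group- or world-readable (use 0600)")
    certfile, validate, userkey, usercert = resolve_ssl(path, host, env)
    if not validate:
        findings.append("validate is off: the server certificate and hostname are not "
                        "checked, so the session can be intercepted")
    if certfile is None:
        findings.append("no certfile: nothing to verify the server certificate against")
    if require_client_auth and not (userkey and usercert):
        findings.append("require_client_auth is set on the server but userkey and "
                        "usercert are not both present; the handshake will fail")
    return findings

def demo():
    """Audit constructed scenarios; returns a dict keyed by scenario name."""
    base = tempfile.mkdtemp()
    good = write_cqlshrc(os.path.join(base, "good"))
    loose = write_cqlshrc(os.path.join(base, "loose"), mode=0o644)
    host = "172.31.8.141"
    return {
        "good": audit_cqlshrc(good, host, env={}, require_client_auth=True),
        "world_readable": audit_cqlshrc(loose, host, env={}),
        "env_disables_validate": audit_cqlshrc(good, host, env={"SSL_VALIDATE": "false"}),
        "per_host_certfile": os.path.basename(resolve_ssl(good, host, env={})[0]),
        "env_certfile_wins": resolve_ssl(good, host, env={"SSL_CERTFILE": "/etc/ssl/ca.pem"})[0],
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it before connecting to a new cluster: the per-host lookup shows which certificate cqlsh will actually trust for the node you pass on the command line, and the SSL_VALIDATE scenario shows that a stray environment variable silently disables verification even when the file says validate = true.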