Using nodetool (JMX) with SSL

Using nodetool with SSL encryption.

Using nodetool with SSL requires some JMX setup. Changes to cassandra-env.sh are required, and a configuration file, ~/.cassandra/nodetool-ssl.properties, is created.

The location of the cassandra-env.sh file depends on the type of installation:
Package installations /etc/cassandra/cassandra-env.sh
Tarball installations install_location/conf/cassandra-env.sh

Procedure

  1. First, follow steps #1-8 in Enabling JMX authentication.
  2. To run nodetool with SSL encryption, some additional changes are required to cassandra-env.sh. The following settings must be added to the file. Use the file path to the keystore and truststore, and appropriate passwords for each file.
      JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=/home/automaton/keystore.node0"
      JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=cassandra"
      JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=/home/automaton/truststore.node0"
      JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=cassandra"
      JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
      JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
  3. Restart Cassandra.
  4. To run nodetool with SSL encryption, create a .cassandra/nodetool-ssl.properties file in your home or client program directory with the following settings.
    -Djavax.net.ssl.keyStore=/home/automaton/keystore.node0
    -Djavax.net.ssl.keyStorePassword=cassandra
    -Djavax.net.ssl.trustStore=/home/automaton/truststore.node0
    -Djavax.net.ssl.trustStorePassword=cassandra
    -Dcom.sun.management.jmxremote.ssl.need.client.auth=true
    -Dcom.sun.management.jmxremote.registry.ssl=true
  5. Start nodetool with the --ssl option for encrypted connection for any nodetool operation.
    nodetool --ssl info ## Package installations
    $ install_location/bin/nodetool -ssl info ## Tarball installations