Node-to-node encryption
Node-to-node encryption protects data transferred between nodes in a cluster, including gossip communications, using SSL (Secure Sockets Layer).
Node-to-node encryption protects data transferred between nodes in a cluster, including gossip communications, using SSL (Secure Sockets Layer).
Prerequisites
To enable node-to-node SSL, you must set the server_encryption_options in the cassandra.yaml file.
The location of the cassandra.yaml file depends on
the type of installation:
Package installations | /etc/cassandra/cassandra.yaml |
Tarball installations | install_location/resources/cassandra/conf/cassandra.yaml |
Procedure
On each node under sever_encryption_options:
-
Enable internode_encryption.
The available options are:
- all
- none
- dc: Cassandra encrypts the traffic between the datacenters.
- rack: Cassandra encrypts the traffic between the racks.
- Set the appropriate paths to your keystore and truststore files.
- Provide the required passwords. The passwords must match the passwords used when generating the keystore and truststore.
- To enable 2 way certificate authentication, set require_client_auth to true.
Example
server_encryption_options:
internode_encryption: all
keystore: /conf/keystore.node0
keystore_password: cassandra
truststore: /conf/truststore.node0
truststore_password: cassandra
require_client_auth: true
What's next
cqlsh --ssl ## Package installations $ install_location/bin/nodetool ring ## Tarball installations