Using cqlsh with SSL

This page describes how to use a cqlshrc file to connect cqlsh with SSL encryption using a self-signed CA.

Using a cqlshrc file is the easiest method of supplying settings to cqlsh. The cqlshrc.sample file provides an example that can be copied as a starting point.

The location of the cqlshrc.sample file depends on the type of installation:
  Cassandra package installations: /etc/cassandra/cqlshrc.sample
  Cassandra tarball installations: install_location/conf/cqlshrc.sample

Prerequisites

Prepare SSL certificates with a self-signed CA for production, or prepare SSL certificates for development. Additionally, configure client-to-node encryption.

Procedure

  1. To run cqlsh with SSL encryption, create a .cassandra/cqlshrc file in your home directory with the following settings:
    [authentication]
    username = fred
    password = !!bang!!$

    [connection]
    hostname = 127.0.0.1
    port = 9042

    [ssl]
    certfile = ~/keys/cassandra.cert
    validate = false ;; Optional, true by default. See the paragraph below.

    [certfiles] ;; Optional section, overrides the default certfile in the [ssl] section.
    10.209.182.160 = /etc/cassandra/conf/node0.cer
    10.68.65.199 = /etc/cassandra/conf/node1.cer

    When validate is enabled, the host name in the certificate is compared to the host of the machine being connected to, to verify that the certificate is trusted. Note that the rootCa certificate and key are supplied to access the trust chain. The SSL certificate must be provided either in the configuration file or as an environment variable. The environment variables (SSL_CERTFILE and SSL_VALIDATE) override any options set in this file.

    Note: Additional settings in the cqlshrc file are described in Creating and using the cqlshrc file.

    An optional section, [certfiles], overrides the default certfile in the [ssl] section. For two-way SSL encryption, the IP addresses used in the [certfiles] section must be the same ones used to generate the dname of the certificates. Each node must have a line in the [certfiles] section for client-to-remote-node or node-to-node encryption. Using [certfiles] is more common for development clusters.

  2. Start cqlsh with the --ssl option for an encrypted connection from cqlsh to the local node:
    $ cqlsh --ssl ## Package installations
    $ install_location/bin/cqlsh --ssl ## Tarball installations
  3. A username and password can also be supplied at cqlsh startup. This example provides the username cassandra with password cassandra.
    $ cqlsh --ssl -u cassandra -p cassandra ## Package installations
    $ install_location/bin/cqlsh --ssl -u cassandra -p cassandra ## Tarball installations

    Note that a username and password can be entered in the cqlshrc file so that they are read automatically each time cqlsh is started.

  4. For a remote node encrypted connection, start cqlsh with the --ssl option and an IP address:
    $ cqlsh --ssl 172.31.10.22 ## Package installations
    $ install_location/bin/cqlsh --ssl 172.31.10.22 ## Tarball installations
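The precedence rules in step 1 (environment variables over [certfiles], [certfiles] over the [ssl] certfile, validate defaulting to true) are easy to get wrong when reviewing a cqlshrc before it is deployed. The following is an added example, not code from the Cassandra documentation or from cqlsh itself: it parses a cqlshrc file with Python's configparser (cqlshrc is INI-style, with ";" and "#" comments), resolves which certfile and validate setting apply to a given host, and reports findings such as validation being disabled. The function names, the finding texts and the sample file contents are this example's own; the sample mirrors the layout shown in step 1 with placeholder paths and addresses.

```python
"""Resolve and audit the SSL settings cqlsh takes from a cqlshrc file.

Added example; not part of the Cassandra docs or of cqlsh. It models the
precedence the docs describe: a [certfiles] entry for the host overrides the
[ssl] certfile, and SSL_CERTFILE / SSL_VALIDATE override both.
"""
import configparser
import os
from typing import Dict, List, Mapping, Optional

# Constructed sample cqlshrc mirroring the documented layout (placeholder values).
SAMPLE_CQLSHRC = """\
[authentication]
username = fred
password = !!bang!!$

[connection]
hostname = 127.0.0.1
port = 9042

[ssl]
certfile = ~/keys/cassandra.cert
validate = false ;; Optional, true by default.

[certfiles] ;; Optional section, overrides the default certfile in [ssl].
10.209.182.160 = /etc/cassandra/conf/node0.cer
10.68.65.199 = /etc/cassandra/conf/node1.cer
"""


def load_cqlshrc(text: str) -> configparser.ConfigParser:
    """Parse cqlshrc text; ';' and '#' start (inline) comments."""
    parser = configparser.ConfigParser(
        interpolation=None,  # passwords may contain '%' or '$'
        inline_comment_prefixes=(";", "#"),
    )
    parser.read_string(text)
    return parser


def _to_bool(value: str) -> bool:
    return value.strip().lower() in ("1", "true", "yes", "on")


def resolve_ssl(cfg: configparser.ConfigParser, host: str,
                env: Optional[Mapping[str, str]] = None) -> Dict[str, object]:
    """Return the certfile and validate flag that apply to `host`.

    Precedence, highest first: environment variables, the [certfiles] entry
    for the host, then the [ssl] defaults. The *_source fields record which
    layer supplied each value.
    """
    env = os.environ if env is None else env
    certfile = cfg.get("ssl", "certfile", fallback=None)
    cert_source = "ssl.certfile" if certfile else "none"
    if cfg.has_section("certfiles") and cfg.has_option("certfiles", host):
        certfile = cfg.get("certfiles", host)
        cert_source = "certfiles"
    if env.get("SSL_CERTFILE"):
        certfile = env["SSL_CERTFILE"]
        cert_source = "env:SSL_CERTFILE"

    validate = True  # documented default when the option is absent
    validate_source = "default"
    if cfg.has_option("ssl", "validate"):
        validate = cfg.getboolean("ssl", "validate")
        validate_source = "ssl.validate"
    if "SSL_VALIDATE" in env:
        validate = _to_bool(env["SSL_VALIDATE"])
        validate_source = "env:SSL_VALIDATE"
    return {"host": host, "certfile": certfile, "cert_source": cert_source,
            "validate": validate, "validate_source": validate_source}


def audit(cfg: configparser.ConfigParser, hosts: List[str],
          env: Optional[Mapping[str, str]] = None) -> List[str]:
    """List the settings a reviewer would want to see before the file ships."""
    findings = []
    for host in hosts:
        r = resolve_ssl(cfg, host, env)
        if r["certfile"] is None:
            findings.append(f"{host}: no certfile in [ssl], [certfiles] or SSL_CERTFILE")
        if not r["validate"]:
            findings.append(f"{host}: certificate validation disabled via {r['validate_source']}")
    if cfg.has_option("authentication", "password"):
        findings.append("authentication: cleartext password stored in cqlshrc")
    return findings


if __name__ == "__main__":
    config = load_cqlshrc(SAMPLE_CQLSHRC)
    for line in audit(config, ["127.0.0.1", "10.68.65.199"], env={}):
        print(line)
```

Passing an explicit `env` mapping makes the resolution reproducible in a review, independent of whatever SSL_CERTFILE or SSL_VALIDATE happens to be exported in the reviewer's shell; run with `env=None` to see what cqlsh would pick up on the current machine.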