Node-to-node encryption

Node-to-node (internode) encryption protects data transferred between nodes in a cluster, including gossip communications, using SSL (Secure Sockets Layer).

Prerequisites

Prepare SSL certificates with a self-signed CA for production, or prepare SSL certificates for development.

To enable node-to-node SSL, you must set the server_encryption_options in the cassandra.yaml file.

The location of the cassandra.yaml file depends on the type of installation:
  Cassandra package installations: /etc/cassandra/cassandra.yaml
  Cassandra tarball installations: install_location/cassandra/conf/cassandra.yaml

Procedure

Enable server_encryption_options on each node
  1. Modify the cassandra.yaml file with the following settings:
    For production clusters:
    server_encryption_options:
        internode_encryption: all
        keystore: /usr/local/lib/cassandra/conf/server-keystore.jks
        keystore_password: myKeyPass
        truststore: /usr/local/lib/cassandra/conf/server-truststore.jks
        truststore_password: truststorePass
        # More advanced defaults below:
        protocol: TLS
        algorithm: SunX509
        store_type: JKS
        cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
        require_client_auth: true
    This file uses the certificates prepared with a self-signed CA.
    Note: cipher_suites can be configured for FIPS-140 compliance if required.
    For development clusters:
    server_encryption_options:
        internode_encryption: all
        keystore: /conf/keystore.node0
        keystore_password: cassandra
        truststore: /conf/truststore.node0
        truststore_password: cassandra
        # More advanced defaults below:
        protocol: TLS
        algorithm: SunX509
        store_type: JKS
        cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
        require_client_auth: true
    This file uses the certificates prepared for development.
    internode_encryption accepts one of four values:
    all
      All internode traffic is encrypted.
    none
      No internode traffic is encrypted.
    dc
      Only traffic between datacenters is encrypted.
    rack
      Only traffic between racks is encrypted.
    Set the keystore and truststore paths to the files on each node, and set the passwords to those used when the keystore and truststore were generated. If two-way certificate authentication is desired, set require_client_auth to true so that each peer must present a certificate signed by a CA in the truststore.
Restart Cassandra
  1. Restart Cassandra to make the changes effective:
    $ kill -9 cassandra_pid
    $ cassandra
  2. Check the logs to confirm that encrypted internode messaging has started. On Linux, use the grep command:
    $ grep SSL install_location/logs/system.log

    The resulting line will be similar to this example:

    INFO  [main] 2016-09-12 18:34:14,478 MessagingService.java:511 - Starting Encrypted Messaging Service on SSL port 7001
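The following script is an added example, not part of the original page or of the Cassandra project. It turns the two checks above into code: it reads the server_encryption_options block out of a cassandra.yaml (only the flat key/value shape shown on this page, not general YAML), compares it with the production guidance (internode_encryption all, require_client_auth true, non-default store passwords, store paths present), and parses system.log for the "Starting Encrypted Messaging Service" line instead of eyeballing grep output. The two YAML blocks and the log lines are constructed samples modelled on this page; the DEFAULT_STORE_PASSWORD value "cassandra" is the password the page's development keystores use, and the forward-secrecy note on TLS_RSA_ suites is an informational check added here.

```python
"""Audit server_encryption_options in cassandra.yaml and confirm from
system.log that the encrypted messaging service started (added example)."""
import os
import re

# Constructed sample: the production block from this page.
PROD_YAML = """\
server_encryption_options:
    internode_encryption: all
    keystore: /usr/local/lib/cassandra/conf/server-keystore.jks
    keystore_password: myKeyPass
    truststore: /usr/local/lib/cassandra/conf/server-truststore.jks
    truststore_password: truststorePass
    # More advanced defaults below:
    protocol: TLS
    algorithm: SunX509
    store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
    require_client_auth: true
"""

# Constructed sample: the development block from this page, which reuses
# the password "cassandra" for both stores.
DEV_YAML = """\
server_encryption_options:
    internode_encryption: all
    keystore: /conf/keystore.node0
    keystore_password: cassandra
    truststore: /conf/truststore.node0
    truststore_password: cassandra
    cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
    require_client_auth: true
"""

BLOCK_KEY = "server_encryption_options:"
DEFAULT_STORE_PASSWORD = "cassandra"  # password of the page's development keystores (assumption: treated as a known default)


def parse_server_encryption_options(text):
    """Pull the key/value pairs out of the server_encryption_options block.
    Handles scalars and single-line [a, b] lists, which is all this block
    uses on the page; it is not a general YAML parser."""
    opts = {}
    in_block = False
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not raw[0].isspace():  # an unindented key starts or ends the block
            in_block = stripped == BLOCK_KEY
            continue
        if not in_block:
            continue
        key, _, value = stripped.partition(":")
        value = value.strip()
        if value.startswith("[") and value.endswith("]"):
            value = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        opts[key.strip()] = value
    return opts


def audit(opts, check_files=False):
    """Compare a parsed block with the production guidance on this page.
    Returns (severity, message) tuples; an empty list means nothing to report.
    check_files=True additionally verifies the store paths exist on this node."""
    findings = []
    mode = opts.get("internode_encryption", "none")
    if mode != "all":
        findings.append(("high", f"internode_encryption is '{mode}': only 'all' encrypts every internode link"))
    if str(opts.get("require_client_auth", "false")).lower() != "true":
        findings.append(("high", "require_client_auth is not true: peers need not present a certificate"))
    for key in ("keystore_password", "truststore_password"):
        if opts.get(key) == DEFAULT_STORE_PASSWORD:
            findings.append(("high", f"{key} is the default value '{DEFAULT_STORE_PASSWORD}'"))
    for key in ("keystore", "truststore"):
        path = opts.get(key)
        if not path:
            findings.append(("high", f"{key} is not set"))
        elif check_files and not os.path.isfile(path):
            findings.append(("high", f"{key} path {path} not found on this node"))
    suites = opts.get("cipher_suites", [])
    suites = [suites] if isinstance(suites, str) else suites
    for suite in suites:
        if suite.startswith("TLS_RSA_"):  # static RSA key exchange: no forward secrecy
            findings.append(("info", f"{suite} uses static RSA key exchange, so it has no forward secrecy"))
    return findings


START_LINE = re.compile(r"Starting Encrypted Messaging Service on SSL port (\d+)")


def encrypted_messaging_port(log_lines):
    """The grep check from this page in code: return the SSL port announced by
    MessagingService, or None if encrypted messaging never started."""
    for line in log_lines:
        match = START_LINE.search(line)
        if match:
            return int(match.group(1))
    return None


SAMPLE_LOG = [  # constructed lines modelled on the page's example
    "INFO  [main] 2016-09-12 18:34:12,100 CassandraDaemon.java:471 - Hostname: node0",
    "INFO  [main] 2016-09-12 18:34:14,478 MessagingService.java:511 - Starting Encrypted Messaging Service on SSL port 7001",
]

if __name__ == "__main__":
    for name, text in (("production", PROD_YAML), ("development", DEV_YAML)):
        print(name)
        for severity, message in audit(parse_server_encryption_options(text)):
            print(f"  [{severity}] {message}")
    print("encrypted messaging port:", encrypted_messaging_port(SAMPLE_LOG))
```

To run it against a real node, read the cassandra.yaml and system.log paths from the installation-type table above into `parse_server_encryption_options` and `encrypted_messaging_port`, and pass `check_files=True` to `audit` so a typo in a keystore path is caught before the restart rather than in the startup log.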