Node-to-node encryption

Node-to-node (internode) encryption protects data transferred between nodes in a cluster, including gossip communications, using SSL (Secure Sockets Layer).

Node-to-node encryption protects data transferred between nodes in a cluster, including gossip communications, using SSL (Secure Sockets Layer).

Prerequisites

Prepare SSL certificates with a self-signed CA for production, or prepare SSL certificates for development.

To enable node-to-node SSL, you must set the server_encryption_options in the cassandra.yaml file.

The location of the cassandra.yaml file depends on the type of installation:
Cassandra package installations /etc/cassandra/cassandra.yaml
Cassandra tarball installations install_location/cassandra/conf/cassandra.yaml

Procedure

Enable server_encryption_options on each node
  1. Modify the cassandra.yaml file with the following settings:
    For production clusters:
    server_encryption_options:
    internode_encryption: all
    keystore: /usr/local/lib/cassandra/conf/server-keystore.jks
    keystore_password: myKeyPass
    truststore: /usr/local/lib/cassandra/conf/server-truststore.jks
    truststore_password: truststorePass
    # More advanced defaults below:
    protocol: TLS
    algorithm: SunX509
    store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
    require_client_auth: true
    This file uses the certificates prepared with a self-signed CA.
    Note: cipher_suites can be configured for FIPS-140 compliance if required.
    For development clusters:
    server_encryption_options:
    internode_encryption: all
    keystore: /conf/keystore.node0
    keystore_password: cassandra
    truststore: /conf/truststore.node0
    truststore_password: cassandra
    # More advanced defaults below:
    protocol: TLS
    algorithm: SunX509
    store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
    require_client_auth: true
    This file uses the certificates prepared for development.
    Internode encryption can be set to four different choices:
    all
    All traffic is encrypted.
    none
    No traffic is encrypted.
    dc
    Traffic between datacenters is encrypted.
    rack
    Traffic between racks is encrypted.
    Set appropriate paths to the keystore and truststore files. Set the passwords to the passwords set during keystore and truststore generation. If two-way certificate authentication is desired, set require_client_auth to true.
Restart cassandra
  1. Restart cassandra to make changes effective. 
    kill -9 cassandra_pid
$ cassandra
  2. Check the logs to discover if SSL encryption has been started. On Linux, use the grep command: 
    grep SSL install_location/logs/system.log

    The resulting line will be similar to this example:

    INFO  [main] 2016-09-12 18:34:14,478 MessagingService.java:511 - Starting Encrypted Messaging Service on SSL port 7001