Using cqlsh with SSL
Using a cqlshrc file with SSL encryption using a self-signed CA.
Using a cqlshrc file is the easiest method of getting
cqlshrc
settings. The
cqlshrc.sample provides an example that can be
copied as a starting point.
Package installations | /etc/cassandra/cqlshrc.sample |
Tarball installations | install_location/conf/cqlshrc.sample |
Prerequisites
Procedure
-
To run cqlsh with SSL encryption, create a .cassandra/cqlshrc file in your
home or client program directory with the following settings:
For production clusters:
This file uses the certificates prepared with a self-signed CA.[authentication] username = fred password = !!bang!!$ [connection] hostname = 127.0.0.1 port = 9042 factory = cqlshlib.ssl.ssl_transport_factory [ssl] certfile = ~/.cassandra/rootCa.crt ;; Optional, true by default validate = true ;; To be provided when require_client_auth=true userkey = ~/.cassandra/rootCa.key ;; To be provided when require_client_auth=true usercert = ~/.cassandra/rootCa.crt
For development clusters:
This file uses the certificates prepared for development. The use of the same IP addresses in the[authentication] username = fred password = !!bang!!$ [connection] hostname = 127.0.0.1 port = 9042 factory = cqlshlib.ssl.ssl_transport_factory [ssl] certfile = ~/keys/node0.cer.pem # Optional, true by default validate = true # The next 2 lines must be provided when require_client_auth = true in the cassandra.yaml file userkey = ~/node0.key.pem usercert = ~/node0.cer.pem [certfiles] # Optional section, overrides the default certfile in the [ssl] section for 2 way SSL 172.31.10.22 = ~/keys/node0.cer.pem 172.31.8.141 = ~/keys/node1.cer.pem
[certfiles]
section, as is used to generate the dname of the certificates, is required for two-way SSL encryption. Each node must have a line in the[certfiles]
section for client-to-remote-node or node-to-node.When
validate
is enabled, to verify that the certificate is trusted the host in the certificate is compared to the host of the machine to which it is connected. Note that the rootCa certificate and key are supplied to access the trustchain. The SSL certificate must be provided either in the configuration file or as an environment variable. The environment variables (SSL_CERTFILE and SSL_VALIDATE) override any options set in this file.An optional section,
[certfiles]
, will override the defaultcertfile
in the[ssl]
section. The use of the same IP addresses in the[certfiles]
section, as is used to generate thedname
of the certificates, is required for two-way SSL encryption. Each node must have a line in the[certfiles]
section for client-to-remote-node or node-to-node. Usingcertfiles]
is more common for development clusters. -
Start cqlsh with the --ssl option for
cqlsh
to local node encrypted connection.$ cqlsh --ssl ## Package installations $ install_location/bin/cqlsh --ssl ## Tarball installations
-
A username and password can also be supplied at cqlsh startup. This example provides the username
cassandra with password cassandra.
$ cqlsh --ssl ## Package installations $ install_location/bin/cqlsh --ssl -u cassandra -p cassandra ## Tarball installations
Note that a username and password can be entered in the cqlshrc file so that it will be automatically read each time
cqlsh
is started. -
For a remote node encrypted connection, start cqlsh with the --ssl option and an
IP address:
$ cqlsh --ssl ## Package installations $ install_location/bin/cqlsh --ssl 172.31.10.22 ## Tarball installations