Using nodetool (JMX) with SSL encryption
Running nodetool over an encrypted JMX connection requires some JMX setup on every node: the SSL-related JVM options are added to cassandra-env.sh, and a client-side configuration file, ~/.cassandra/nodetool-ssl.properties, is created on the host from which nodetool is run.
Location of cassandra-env.sh:

Package installations | /etc/cassandra/cassandra-env.sh
Tarball installations | install_location/conf/cassandra-env.sh
Prerequisites
Procedure
- First, follow steps #1-8 in Enabling JMX authentication and authorization if authentication and authorization are required.
- To run nodetool with SSL encryption, some additional changes are required to cassandra-env.sh. Add the following settings to the file on each node in the cluster, using the file paths to the node's keystore and truststore and the passwords that were set when each file was generated.

  For production:

  JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
  JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
  JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
  #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.protocols=<enabled-protocols>"
  #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.cipher.suites=<enabled-cipher-suites>"
  JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=/usr/local/lib/cassandra/conf/server-keystore.jks"
  JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=myKeyPass"
  JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=/usr/local/lib/cassandra/conf/server-truststore.jks"
  JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=truststorePass"

  For development:

  JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
  JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
  JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
  #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.protocols=<enabled-protocols>"
  #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.cipher.suites=<enabled-cipher-suites>"
  JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=keystore.node0"
  JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=cassandra"
  JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=truststore.node0"
  JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=cassandra"

  Enable SSL for JMX by setting com.sun.management.jmxremote.ssl to true. If two-way certificate authentication is desired, set com.sun.management.jmxremote.ssl.need.client.auth to true. If com.sun.management.jmxremote.registry.ssl is set to true, an RMI registry protected by SSL is created and configured by the out-of-the-box management agent when the Java VM is started; with registry.ssl enabled, full security also requires com.sun.management.jmxremote.ssl.need.client.auth to be enabled, otherwise any client that can reach the port can still talk to the registry. Set the paths to the keystore and truststore files, and set the passwords to those chosen during keystore and truststore generation. The commented-out enabled.protocols and enabled.cipher.suites lines can be uncommented to pin the TLS versions and cipher suites the agent accepts. Because these values are passed to the JVM as -D options, the keystore and truststore passwords appear in the process command line (for example in ps output); restrict cassandra-env.sh and the store files to the user Cassandra runs as.

- Restart Cassandra.
- To run nodetool with SSL encryption, create a .cassandra/nodetool-ssl.properties file in your home or client program directory, with the following settings, on the host on which nodetool will run. The keystore named here is the client's: because the nodes require client authentication, the certificate it holds must be trusted by the nodes' truststore, and the truststore named here must trust the nodes' certificates. The file contains store passwords, so make it readable only by the user who runs nodetool.

  For production:

  -Dcom.sun.management.jmxremote.ssl=true
  -Dcom.sun.management.jmxremote.ssl.need.client.auth=true
  -Dcom.sun.management.jmxremote.registry.ssl=true
  -Djavax.net.ssl.keyStore=/usr/local/lib/cassandra/conf/server-keystore.jks
  -Djavax.net.ssl.keyStorePassword=myKeyPass
  -Djavax.net.ssl.trustStore=/usr/local/lib/cassandra/conf/server-truststore.jks
  -Djavax.net.ssl.trustStorePassword=truststorePass

  For development:

  -Djavax.net.ssl.keyStore=keystore.node0
  -Djavax.net.ssl.keyStorePassword=cassandra
  -Djavax.net.ssl.trustStore=truststore.node0
  -Djavax.net.ssl.trustStorePassword=cassandra
  -Dcom.sun.management.jmxremote.ssl.need.client.auth=true
  -Dcom.sun.management.jmxremote.registry.ssl=true
- Start nodetool with the --ssl option to use an encrypted connection for any nodetool operation. The option is --ssl (two dashes) for both installation types; without it nodetool ignores nodetool-ssl.properties and attempts a plaintext JMX connection, which the SSL-only agent rejects.

  $ nodetool --ssl info                        ## Package installations
  $ install_location/bin/nodetool --ssl info   ## Tarball installations
- If JMX authentication is enabled, start nodetool with the --ssl option for an encrypted connection and a username and password for authentication and authorization for any nodetool operation. Note that a password given with -pw is visible in the shell history and in process listings; nodetool also accepts -pwf to read it from a file instead.

  $ nodetool --ssl -u cassandra -pw cassandra status                        ## Package installations
  $ install_location/bin/nodetool --ssl -u cassandra -pw cassandra status   ## Tarball installations