Client-to-node encryption
Client-to-node encryption protects data in flight from client machines to a database cluster using SSL (Secure Sockets Layer).
Client-to-node encryption protects data in flight from client machines to a database cluster using SSL (Secure Sockets Layer). It establishes a secure channel between the client and the coordinator node.
Package installations | /etc/cassandra/cassandra.yaml |
Tarball installations | install_location/resources/cassandra/conf/cassandra.yaml |
Prerequisites
To enable client-to-node SSL, set the client_encryption_options in the cassandra.yaml file.
Procedure
- Enable encryption.
client_encryption_options
on each
node-
Modify the cassandra.yaml file with the following settings:
For production clusters:
client_encryption_options: enabled: true # If enabled and optional is set to true encrypted and unencrypted connections are handled. optional: false keystore: /usr/local/lib/cassandra/conf/server-keystore.jks keystore_password: myKeyPass require_client_auth: true # Set trustore and truststore_password if require_client_auth is true truststore: /usr/local/lib/cassandra/conf/server-truststore.jks truststore_password: truststorePass protocol: TLS algorithm: SunX509 store_type: JKS cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
This file uses the certificates prepared with a self-signed CA.For development clusters:
This file uses the certificates prepared for development.client_encryption_options: enabled: true # If enabled and optional is set to true encrypted and unencrypted connections are handled. optional: false keystore: conf/keystore.node0 keystore_password: cassandra require_client_auth: true # Set trustore and truststore_password if require_client_auth is true truststore: conf/truststore.node0 truststore_password: cassandra protocol: TLS algorithm: SunX509 store_type: JKS cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
Set appropriate paths to the
keystore
andtruststore
files. Set the passwords to the passwords set during keystore and truststore generation. If two-way certificate authentication is desired, setrequire_client_auth
totrue
. Enabling two-way certificate authentication allows tools to connect to a remote node. For local access to runcqlsh
on a local node with SSL encryption,require_client_auth
can be set tofalse
Enabling client encryption will encrypt all traffic on thenative_transport_port
(default: 9042). If both encrypted and unencrypted traffic is required, an additional cassandra.yaml setting must be enabled. Thenative_transport_port_ssl
(default: 9142) sets an additional dedicated port to carry encrypted transmissions, whilenative_transport_port
carries unencrypted transmissions.Note: It is beneficial to install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files if this option is enabled.
-
Restart cassandra to make changes effective.
kill -9 cassandra_pid $ cassandra