Node-to-node encryption
Node-to-node (internode) encryption protects data transferred between nodes in a cluster, including gossip communications, using SSL (Secure Sockets Layer).
Node-to-node encryption protects data transferred between nodes in a cluster, including gossip communications, using SSL (Secure Sockets Layer).
Prerequisites
To enable node-to-node SSL, you must set the server_encryption_options in the cassandra.yaml file.
The location of the cassandra.yaml file depends on the type of
installation:
Package installations | /etc/cassandra/cassandra.yaml |
Tarball installations | install_location/resources/cassandra/conf/cassandra.yaml |
Procedure
Enable
server_encryption_options
on each
node-
Modify the cassandra.yaml file with the following settings:
For production clusters:
This file uses the certificates prepared with a self-signed CA.server_encryption_options: internode_encryption: all keystore: /usr/local/lib/cassandra/conf/server-keystore.jks keystore_password: myKeyPass truststore: /usr/local/lib/cassandra/conf/server-truststore.jks truststore_password: truststorePass # More advanced defaults below: protocol: TLS algorithm: SunX509 store_type: JKS cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA] require_client_auth: true
For development clusters:
This file uses the certificates prepared for development.server_encryption_options: internode_encryption: all keystore: /conf/keystore.node0 keystore_password: cassandra truststore: /conf/truststore.node0 truststore_password: cassandra # More advanced defaults below: protocol: TLS algorithm: SunX509 store_type: JKS cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA] require_client_auth: true
Internode encryption can be set to four different choices:- all
- All traffic is encrypted.
- none
- No traffic is encrypted.
- dc
- Traffic between datacenters is encrypted.
- rack
- Traffic between racks is encrypted.
keystore
andtruststore
files. Set the passwords to the passwords set during keystore and truststore generation. If two-way certificate authentication is desired, setrequire_client_auth
totrue
.
Restart cassandra
-
Restart cassandra to make changes effective.
kill -9 cassandra_pid $ cassandra
-
Check the logs to discover if SSL encryption has been started. On Linux, use
the
grep
command:grep SSL install_location/logs/system.log
grep SSL %CASSANDRA_HOME%\logs\system.log
The resulting line will be similar to this example:
INFO [main] 2016-09-12 18:34:14,478 MessagingService.java:511 - Starting Encrypted Messaging Service on SSL port 7001