Node-to-node encryption

Node-to-node encryption protects data transferred between nodes in a cluster, including gossip communications, using SSL (Secure Sockets Layer).

Node-to-node encryption protects data transferred between nodes in a cluster, including gossip communications, using SSL (Secure Sockets Layer).

Prerequisites

All nodes must have all the relevant SSL certificates on all nodes. See Preparing server certificates.

To enable node-to-node SSL, you must set the server_encryption_options in the cassandra.yaml file.

The location of the cassandra.yaml file depends on the type of installation:
Package installations /etc/cassandra/cassandra.yaml
Tarball installations install_location/resources/cassandra/conf/cassandra.yaml

Procedure

On each node under server_encryption_options:

  • Enable internode_encryption.
    The available options are:
    • all
    • none
    • dc: Cassandra encrypts the traffic between the data centers.
    • rack: Cassandra encrypts the traffic between the racks.
  • Set the appropriate paths to your keystore and truststore files.
  • Provide the required passwords. The passwords must match the passwords used when generating the keystore and truststore.
  • To enable 2 way certificate authentication, set require_client_auth to true.

Example

server_encryption_options:
   internode_encryption: all
   keystore: /conf/keystore.node0
   keystore_password: cassandra
   truststore: /conf/truststore.node0
   truststore_password: cassandra
   require_client_auth: true

What's next

Cassandra must be restarted after making changes to the cassandra.yaml file. Use the nodetool utility to check of all nodes are up after making the changes.
$ cqlsh --ssl ## Package installations
$ install_location/bin/nodetool ring ## Tarball installations