Client-to-node encryption

Client-to-node encryption protects data in flight from client machines to a database cluster using SSL (Secure Sockets Layer), in practice its successor TLS, which is the protocol negotiated by the settings below. It establishes a secure channel between the client and the coordinator node, so that queries, results and credentials cannot be read or altered on the network.

The location of the cassandra.yaml file depends on the type of installation:
  DataStax Enterprise 5.0 Installer-Services and package installations: /etc/dse/cassandra/cassandra.yaml
  DataStax Enterprise 5.0 Installer-No Services and tarball installations: install_location/resources/cassandra/conf/cassandra.yaml
  Cassandra package installations: /etc/cassandra/cassandra.yaml
  Cassandra tarball installations: install_location/resources/cassandra/conf/cassandra.yaml

Prerequisites

Prepare SSL certificates with a self-signed CA for production clusters, or prepare SSL certificates for development clusters. Each node needs a keystore holding its own private key and certificate, and, when clients are to be authenticated, a truststore holding the CA certificate that signed the client certificates it should accept.

To enable client-to-node SSL, set the client_encryption_options in the cassandra.yaml file on every node in the cluster.

Procedure

Enable client_encryption_options on each node

  1. On each node, modify the client_encryption_options section of the cassandra.yaml file with the following settings:
    For production clusters:
    client_encryption_options:
        enabled: true
        # If enabled and optional are both true, the port accepts encrypted and unencrypted connections.
        optional: false
        keystore: /usr/local/lib/cassandra/conf/server-keystore.jks
        keystore_password: myKeyPass
        require_client_auth: true
        # Set truststore and truststore_password if require_client_auth is true
        truststore: /usr/local/lib/cassandra/conf/server-truststore.jks
        truststore_password: truststorePass
        protocol: TLS
        algorithm: SunX509
        store_type: JKS
        cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
    This file uses the certificates prepared with a self-signed CA.
    For development clusters:
    client_encryption_options:
        enabled: true
        # If enabled and optional are both true, the port accepts encrypted and unencrypted connections.
        optional: false
        keystore: conf/keystore.node0
        keystore_password: cassandra
        require_client_auth: true
        # Set truststore and truststore_password if require_client_auth is true
        truststore: conf/truststore.node0
        truststore_password: cassandra
        protocol: TLS
        algorithm: SunX509
        store_type: JKS
        cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
    This file uses the certificates prepared for development.

    Set appropriate paths to the keystore and truststore files, and set the passwords to the ones chosen when the keystore and truststore were generated. The passwords in the examples above are placeholders; because cassandra.yaml holds them in cleartext, the file must be readable only by the account that runs Cassandra. If two-way certificate authentication is desired, set require_client_auth to true: the node then rejects any client that does not present a certificate chaining to a CA in its truststore, so tools that connect to a remote node (cqlsh, drivers) must carry their own client certificate. For local access, to run cqlsh on a local node with SSL encryption, require_client_auth can be set to false. The cipher suite shown, TLS_RSA_WITH_AES_256_CBC_SHA, uses RSA key transport and therefore offers no forward secrecy; where the clients support them, prefer ECDHE suites with AES-GCM.

    Enabling client encryption encrypts all traffic on the native_transport_port (default: 9042). If both encrypted and unencrypted traffic are required, set the additional cassandra.yaml option native_transport_port_ssl (default: 9142) to a port different from native_transport_port: the SSL port then carries only encrypted connections, while native_transport_port carries only unencrypted ones. Restrict the unencrypted port at the firewall to the clients that actually need it, since credentials and data cross it in cleartext. With a single port, optional: true makes that port accept both kinds of connection, which lets a misconfigured client silently fall back to cleartext; keep it false in production.
    Note: With AES-256 cipher suites such as the one above, Java 8 releases before 8u161 need the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files installed; later releases enable unlimited-strength cryptography by default.

Restart cassandra

  1. Restart cassandra to make the changes effective. Drain the node first so that memtables are flushed and it stops accepting requests before it goes down, then stop the process with a plain kill (kill -9 skips the shutdown hooks) and start it again:
    $ nodetool drain
    $ kill cassandra_pid
    $ cassandra
    Once the node is back, a cqlsh session without --ssl should be refused on the encrypted port, and cqlsh --ssl with the client certificates configured in cqlshrc should connect.
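The following script is an added example, not DataStax or Cassandra code. It reads the client_encryption_options block with a minimal parser (enough for the flat structure shown above; it is not a general YAML parser), flags the settings a reviewer checks on each node, and compares the development block from this page with a hardened variant. The sample YAML strings, the placeholder passphrase and the ECDHE cipher suites in the hardened variant are constructed for the example.

```python
# Default or empty store passwords that should never reach production.
WEAK_PASSWORDS = {"", "cassandra", "changeit"}
# Protocol names that pin a legacy (or SSLv3) handshake instead of negotiating TLS.
LEGACY_PROTOCOLS = {"SSL", "SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def _coerce(value):
    """Turn a scalar from the YAML subset into a Python value."""
    if value.startswith("[") and value.endswith("]"):
        return [v.strip() for v in value[1:-1].split(",") if v.strip()]
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    return int(value) if value.isdigit() else value


def parse_cassandra_yaml(text):
    """Parse the flat subset of cassandra.yaml used on this page: top-level
    'key: value' scalars plus one level of indented mappings. A '#' starts a
    comment, so a store password containing '#' needs real YAML quoting and
    a real YAML parser; this helper is only for the audit below."""
    doc, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if line[0] not in " \t":           # top-level key
            if value == "":                 # 'section:' opens a nested mapping
                current = doc[key] = {}
            else:
                current, doc[key] = None, _coerce(value)
        elif current is not None:           # indented key inside the open mapping
            current[key] = _coerce(value)
    return doc


def audit(doc):
    """Return (setting, problem) pairs; an empty list means nothing to flag."""
    opts = doc.get("client_encryption_options", {})
    findings = []
    if not opts.get("enabled", False):
        findings.append(("enabled", "client-to-node traffic is cleartext"))
    if opts.get("optional", False):
        findings.append(("optional", "port accepts cleartext too; clients can silently fall back"))
    if not opts.get("require_client_auth", False):
        findings.append(("require_client_auth", "one-way TLS only; clients are not authenticated by certificate"))
    elif not opts.get("truststore"):
        findings.append(("truststore", "required when require_client_auth is true"))
    for field in ("keystore_password", "truststore_password"):
        if opts.get(field, "") in WEAK_PASSWORDS:
            findings.append((field, "default or empty password"))
    if opts.get("protocol", "TLS") in LEGACY_PROTOCOLS:
        findings.append(("protocol", "legacy protocol pinned; use TLS"))
    for suite in opts.get("cipher_suites", []):
        if suite.startswith("TLS_RSA_"):
            findings.append(("cipher_suites", suite + ": RSA key transport, no forward secrecy"))
        elif "_CBC_" in suite or suite.endswith("_SHA"):
            findings.append(("cipher_suites", suite + ": CBC mode or SHA-1 MAC"))
    ssl_port = doc.get("native_transport_port_ssl")
    if ssl_port and ssl_port != doc.get("native_transport_port", 9042):
        findings.append(("native_transport_port_ssl", "cleartext port stays open; restrict it at the firewall"))
    return findings


# Constructed sample: the development block from this page, passwords and all.
DEV_YAML = """
native_transport_port: 9042
client_encryption_options:
    enabled: true
    optional: false
    keystore: conf/keystore.node0
    keystore_password: cassandra
    require_client_auth: true
    truststore: conf/truststore.node0
    truststore_password: cassandra
    protocol: TLS
    algorithm: SunX509
    store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
"""

# Constructed hardened variant: placeholder passphrase, ECDHE + AES-GCM suites.
HARDENED_YAML = DEV_YAML.replace("cassandra\n", "example-passphrase-change-me\n").replace(
    "[TLS_RSA_WITH_AES_256_CBC_SHA]",
    "[TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]")

if __name__ == "__main__":
    for name, text in (("development", DEV_YAML), ("hardened", HARDENED_YAML)):
        print(name + ":")
        for setting, problem in audit(parse_cassandra_yaml(text)) or [("-", "no findings")]:
            print("  " + setting + ": " + problem)
```

To audit a real node, pass the contents of its cassandra.yaml to parse_cassandra_yaml and print the findings. After the restart, openssl s_client -connect node:9042 should print the node's certificate chain, and with require_client_auth set to true the handshake should fail unless -cert and -key are supplied.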