Node-to-node encryption
Node-to-node encryption protects data transferred between nodes in a cluster using SSL (Secure Sockets Layer). For information about generating SSL certificates, see Preparing server certificates.
SSL settings for node-to-node encryption
To enable node-to-node SSL, you must set the encryption options in the cassandra.yaml file.
The location of the cassandra.yaml file depends on the type of installation:
    Package installations: /etc/dse/cassandra/cassandra.yaml
    Tarball installations:  install_location/resources/cassandra/conf/cassandra.yaml
On each node, under encryption_options:
- Set internode_encryption to one of the options described below.
- Set the paths to the .keystore and .truststore files on that node.
- Provide the keystore and truststore passwords. They must match the passwords used when the keystore and truststore were generated; with a mismatch the node cannot open them.
- To require peer certificate authentication, so that each node must present a certificate trusted by the other side's truststore rather than only the accepting node proving its identity, set require_client_auth to true.
The available internode_encryption options are:
- all - Cassandra encrypts all node-to-node traffic.
- none - No node-to-node traffic is encrypted.
- dc - Cassandra encrypts only the traffic between data centers; traffic between nodes in the same data center is sent in clear text.
- rack - Cassandra encrypts only the traffic between racks; traffic between nodes in the same rack is sent in clear text.
Because dc and rack leave intra-data-center or intra-rack traffic unencrypted, use all unless that network segment is trusted.
encryption_options:
    internode_encryption: internode_option
    keystore: resources/dse/conf/.keystore
    keystore_password: keystore password
    truststore: resources/dse/conf/.truststore
    truststore_password: truststore password
    require_client_auth: true or false
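The following is an added example, not DataStax or Apache Cassandra code, that audits the encryption_options stanza of a cassandra.yaml before a node is restarted. It reads only the flat stanza shown above with a small hand-written reader (so it does not need PyYAML) and flags the settings that leave node-to-node traffic unprotected: a mode other than all, the documentation's placeholder passwords left in place, and require_client_auth not set to true. The two embedded cassandra.yaml fragments are constructed samples, and their paths and passwords are hypothetical.

```python
"""Audit the node-to-node encryption stanza of a cassandra.yaml.

Added example, not DataStax or Apache Cassandra code. Only the flat
``encryption_options:`` block described on this page is parsed; the
reader below is deliberately minimal (scalar values one indent level
below the section header) so it runs without PyYAML.
"""
import os
import re

VALID_MODES = {"all", "none", "dc", "rack"}
# Placeholder strings from the documentation template; they must not
# survive into a real cassandra.yaml.
PLACEHOLDERS = {"keystore password", "truststore password",
                "internode_option", "true or false"}


def parse_encryption_options(yaml_text):
    """Return the key/value pairs nested under ``encryption_options:``."""
    opts = {}
    in_section = False
    for raw in yaml_text.splitlines():
        # A YAML comment starts at " #"; a bare "#" inside a password is data.
        line = re.split(r"\s#", raw, maxsplit=1)[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            # Top-level key: we are in the section only while it is ours.
            in_section = line.strip() == "encryption_options:"
            continue
        if in_section:
            key, _, value = line.strip().partition(":")
            opts[key.strip()] = value.strip().strip("'\"")
    return opts


def audit(opts, check_files=False):
    """Return a list of findings; an empty list means the stanza passes.

    check_files=True additionally verifies that the keystore and truststore
    paths exist on this host (left off by default so the sample runs anywhere).
    """
    findings = []
    mode = opts.get("internode_encryption")
    if mode not in VALID_MODES:
        findings.append("internode_encryption must be one of all/none/dc/rack, "
                        "got %r" % mode)
    elif mode == "none":
        findings.append("internode_encryption is none: node-to-node traffic "
                        "is sent in clear text")
    elif mode in ("dc", "rack"):
        scope = "data center" if mode == "dc" else "rack"
        findings.append("internode_encryption is %s: traffic inside the same "
                        "%s is not encrypted" % (mode, scope))
    for key in ("keystore", "truststore"):
        path = opts.get(key)
        if not path:
            findings.append("%s path is not set" % key)
        elif check_files and not os.path.isfile(path):
            findings.append("%s file not found: %s" % (key, path))
        password = opts.get(key + "_password")
        if not password or password in PLACEHOLDERS:
            findings.append("%s_password is missing or still a placeholder" % key)
    if opts.get("require_client_auth", "").lower() != "true":
        findings.append("require_client_auth is not true: peers are not "
                        "required to present a certificate")
    return findings


# Constructed sample: the page's template with the documented placeholders
# left in and only inter-data-center traffic encrypted.
WEAK_YAML = """\
cluster_name: 'Test Cluster'
encryption_options:
    internode_encryption: dc
    keystore: resources/dse/conf/.keystore
    keystore_password: keystore password
    truststore: resources/dse/conf/.truststore
    truststore_password: truststore password
    require_client_auth: false
"""

# Constructed sample: every internode connection encrypted and mutually
# authenticated. Paths and passwords are hypothetical.
HARDENED_YAML = """\
cluster_name: 'Test Cluster'
encryption_options:
    internode_encryption: all
    keystore: /etc/dse/cassandra/conf/.keystore
    keystore_password: 'Wq9#kLm2pZ'
    truststore: /etc/dse/cassandra/conf/.truststore
    truststore_password: 'Tr7$vNx4bQ'
    require_client_auth: true
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_YAML), ("hardened", HARDENED_YAML)):
        print("%s config:" % name)
        for finding in audit(parse_encryption_options(text)) or ["no findings"]:
            print("  -", finding)
```

To check a real node, read the file from the path in the installation table above and call audit with check_files=True; the audit cannot open the keystore to test the passwords themselves, so a mismatch there still only shows up when the node starts.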
To encrypt the truststore and keystore passwords with KMIP, see Configuring encryption using off-server encryption keys.