Using cqlsh with Kerberos/SSL 

Sample files are provided to help configure authentication for Kerberos, SSL, and Kerberos and SSL.

To run cqlsh with Kerberos, SSL, or Kerberos and SSL, use the sample files and make changes as appropriate for your environment. The default location of the sample files depends on the type of installation:
  • Package installations: /etc/dse/cassandra
  • Installer-Services installations: /usr/share/dse/resources/cassandra/conf
  • Installer-No Services and Tarball installations: install_location/resources/cassandra/conf

Use the sample cqlshrc.sample.kerberos file as a starting point.

Kerberos example

Required settings for Kerberos authentication:

[connection]
hostname =
port = 9042
factory = cqlshlib.kerberos.kerberos_transport_factory ;; Mandatory

[kerberos]
hostname = ;; Mandatory
service = cassandra ;; Mandatory
principal = bill/ ;; Optional.
qops = auth-conf ;; Optional, see the paragraph below.
The Kerberos hostname and service are mandatory settings and must match the values in the dse.yaml configuration file or in environment variables.
  • In the kerberos_options section of the dse.yaml file, set service_principal. The service_principal must be consistent everywhere: in the dse.yaml file, present in the keytab, and in the cqlshrc file (where service_principal is separated into service/hostname).
  • The environment variables (KRB_HOST, KRB_SERVICE, and KRB_PRINCIPAL) override the options that are set in dse.yaml.
The default (auth) is used when qops is not specified. On the client side, the qops option is a comma-delimited list of the quality of protection (QOP) values that are allowed by the client for the connection.
  • The client (cqlsh) value list must contain at least one of the QOP values that are specified on the server.
  • The client can have multiple QOP values, while the server can only have a single QOP value that is specified in the dse.yaml file.

SSL example

DataStax Enterprise provides a sample cqlshrc.sample.ssl file that you can use as a starting point.

[authentication]
username = fred
password = !!bang!!$

[connection]
hostname =
port = 9042

[ssl]
certfile = ~/keys/cassandra.cert
validate = false ;; Optional, true by default. See the paragraph below.

[certfiles] ;; Optional section, overrides the default certfile in the [ssl] section.
= /etc/dse/cassandra/conf/dsenode0.cer
= /etc/dse/cassandra/conf/dsenode1.cer
  • When validate = false there is no server authentication, only data encryption.
  • When validate = true, cqlsh validates the server's certificate against the certfile.
When validate is enabled, you must create a PEM key, which is used in the cqlshrc file. For example:
$ keytool -importkeystore -srckeystore .keystore -destkeystore user.p12 -deststoretype PKCS12
$ openssl pkcs12 -in user.p12 -out user.pem -nodes
Note: When generating the certificate, be sure to set the CN to the hostname of the node.

This PEM key is required because the host in the certificate is compared to the host of the machine that it is connected to. The SSL certificate must be provided either in the configuration file or as an environment variable. The environment variables (SSL_CERTFILE and SSL_VALIDATE) override any options set in this file.

Kerberos and SSL

For information about using Kerberos with SSL, see Using Kerberos and SSL at the same time.

The settings for using both Kerberos and SSL are a combination of the Kerberos and SSL sections in these examples.

The supported environment variables are KRB_HOST, KRB_SERVICE, KRB_PRINCIPAL, SSL_CERTFILE, and SSL_VALIDATE.
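
The rules described above (mandatory Kerberos settings, the qops list having to contain the server's QOP, and validate = false disabling server authentication) can be checked before connecting. The following is an added example, not part of the DataStax sample files. The function name audit_cqlshrc, the sample host name, and the treatment of KRB_HOST and KRB_SERVICE as able to supply the mandatory values are assumptions. It reads the standard cqlshrc sections [connection], [kerberos], [ssl] and [certfiles].

```python
import configparser

# Constructed sample; the host name is a placeholder, not from the page.
SAMPLE = """\
[connection]
hostname = node0.example.test
port = 9042
factory = cqlshlib.kerberos.kerberos_transport_factory ;; Mandatory
[kerberos]
hostname = ;; Mandatory
service = cassandra
qops = auth, auth-int
[ssl]
certfile = ~/keys/cassandra.cert
validate = false
"""

def audit_cqlshrc(text, env=None, server_qop="auth"):
    """List problems in a cqlshrc; server_qop is the single value from dse.yaml."""
    env = env or {}
    cfg = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=(";",))
    cfg.read_string(text)
    findings = []
    if cfg.has_section("ssl") or "SSL_CERTFILE" in env:
        # SSL_CERTFILE and SSL_VALIDATE override the options set in the file.
        certfile = env.get("SSL_CERTFILE") or cfg.get("ssl", "certfile", fallback="")
        validate = env.get("SSL_VALIDATE") or cfg.get("ssl", "validate", fallback="true")
        if validate.strip().lower() == "false":
            findings.append("ssl: validate = false, server is not authenticated")
        elif not certfile.strip() and not cfg.has_section("certfiles"):
            findings.append("ssl: validate is on but no certfile is configured")
    if cfg.has_section("kerberos"):
        # Assumption: KRB_HOST / KRB_SERVICE can supply the mandatory values.
        for key, var in (("hostname", "KRB_HOST"), ("service", "KRB_SERVICE")):
            if not (env.get(var) or cfg.get("kerberos", key, fallback="")).strip():
                findings.append(f"kerberos: mandatory setting {key} is empty")
        if "kerberos_transport_factory" not in cfg.get("connection", "factory", fallback=""):
            findings.append("connection: Kerberos transport factory is not set")
        # qops defaults to auth; the client list must contain the server's QOP.
        qops = cfg.get("kerberos", "qops", fallback="auth")
        allowed = {q.strip() for q in qops.split(",") if q.strip()}
        if server_qop not in allowed:
            findings.append(f"kerberos: qops {sorted(allowed)} lacks server QOP {server_qop}")
    return findings

if __name__ == "__main__":
    for finding in audit_cqlshrc(SAMPLE, server_qop="auth-conf"):
        print(finding)
```
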

The location of the dse.yaml file depends on the type of installation:
  • Installer-Services: /etc/dse/dse.yaml
  • Package installations: /etc/dse/dse.yaml
  • Installer-No Services: install_location/resources/dse/conf/dse.yaml
  • Tarball installations: install_location/resources/dse/conf/dse.yaml