Node-to-node encryption

Node-to-node encryption protects data transferred between nodes in a cluster using SSL (Secure Sockets Layer). For information about generating SSL certificates, see Preparing server certificates.

SSL settings for node-to-node encryption

To enable node-to-node SSL, you must set the encryption options in the cassandra.yaml file.

The location of the cassandra.yaml file depends on the type of installation:

  • Package installations: /etc/dse/cassandra/cassandra.yaml
  • Tarball installations: install_location/resources/cassandra/conf/cassandra.yaml

On each node, under encryption_options:

  • Set internode_encryption to one of the options described below.
  • Set the appropriate paths to your .keystore and .truststore files.
  • Provide the required passwords. The passwords must match the passwords used when generating the keystore and truststore.
  • To enable peer certificate authentication, set require_client_auth to true.

The available inter-node options are:

  • all
  • none
  • dc - Cassandra encrypts the traffic between the data centers.
  • rack - Cassandra encrypts the traffic between the racks.

   internode_encryption: internode_option
   keystore: resources/dse/conf/.keystore
   keystore_password: keystore password
   truststore: resources/dse/conf/.truststore
   truststore_password: truststore password
   require_client_auth: true or false

To encrypt the truststore and keystore passwords with KMIP, see Configuring encryption using off-server encryption keys.
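
A pre-deployment check for the settings listed above, as an added example that is not part of the original page or of DataStax tooling: it reads the inter-node block of a cassandra.yaml and reports options that leave traffic unencrypted or peer certificates unauthenticated. The function names, sample files and placeholder passwords are constructed; the block name defaults to encryption_options as written on this page, and a file that names its inter-node block server_encryption_options needs that name passed as `block`.

```python
# Added example: audit the inter-node SSL block of a cassandra.yaml (stdlib only).
MODES = {"all", "none", "dc", "rack"}
REQUIRED = ("keystore", "keystore_password", "truststore", "truststore_password")

def parse_block(text, block="encryption_options"):
    """Return the indented 'key: value' pairs found under the top-level `block`."""
    opts, inside = {}, False
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        key, sep, value = raw.strip().partition(":")
        if not raw[0].isspace():          # a top-level key opens or closes the block
            inside = key == block
        elif inside and sep:
            opts[key.strip()] = value.strip().strip("'\"")
    return opts

def audit(opts):
    """List the settings that weaken inter-node encryption or peer authentication."""
    findings = []
    mode = opts.get("internode_encryption", "").lower()
    if mode not in MODES:
        findings.append(f"internode_encryption: missing or unknown value {mode!r}")
    elif mode == "none":
        findings.append("internode_encryption: none, no inter-node traffic is encrypted")
    elif mode in ("dc", "rack"):
        findings.append(f"internode_encryption: {mode}, traffic inside one {mode} is not encrypted")
    if mode != "none":
        findings += [f"{k}: not set" for k in REQUIRED if not opts.get(k)]
        if opts.get("require_client_auth", "").lower() != "true":
            findings.append("require_client_auth: peer certificate authentication is off")
    return findings

# Constructed sample files; paths follow the page's template, passwords are placeholders.
WEAK = """
encryption_options:
    internode_encryption: dc
    keystore: resources/dse/conf/.keystore
    keystore_password: example-only-password
    truststore: resources/dse/conf/.truststore
    truststore_password:
    require_client_auth: false
client_encryption_options:
    enabled: false
"""
HARDENED = (WEAK.replace(": dc", ": all").replace("auth: false", "auth: true")
            .replace("truststore_password:", "truststore_password: example-only-password"))

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(parse_block(text)) or "no findings")
```

Run it on each node's file, since the settings are applied per node and a single node left at a weaker mode exchanges unencrypted traffic with its peers.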