Client-to-node encryption protects data in flight from client machines to a database cluster using SSL (Secure Sockets Layer). It establishes a secure channel between the client and the coordinator node.

DSE Search
When you enable SSL, the authentication/authorization filters are automatically enabled in the Solr web.xml file and an SSL connector in Tomcat is configured. You do not have to change your web.xml or server.xml files.
Note: If the TomcatSolrRunner doesn't find a connector in
it creates a default connector.
The default connector binds to the rpc_address in cassandra.yaml. You can change Tomcat web server settings.

Procedure
Perform these steps on each node. DSE Search nodes and DSE Analytics nodes with Spark require the truststore entries in .

- In the file, in the client_encryption_options section:
  - To enable encryption, set enabled to true.
  - Set the paths to your .keystore and .truststore files.
  - Provide the passwords that were used when generating the keystore and truststore.
  - To enable client certificate authentication, set require_client_auth to true.

  client_encryption_options:
    enabled: true
    keystore: resources/dse/conf/.keystore ## Path to your .keystore file
    keystore_password: keystore password ## Password that you used to generate the keystore
    store_type: JKS
    truststore: resources/dse/conf/.truststore ## Path to your .truststore
    truststore_password: truststore password ## Password that you used to generate the truststore
    protocol: ssl
    require_client_auth: true
    cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA]

  For information about using Kerberos with SSL, see Using Kerberos and SSL at the same time. To encrypt the truststore and keystore passwords with KMIP, see Encrypting using off-server encryption keys.

  The location of the cassandra.yaml file depends on the type of installation:

  Installer-Services    | /etc/dse/cassandra/cassandra.yaml
  Package installations | /etc/dse/cassandra/cassandra.yaml
  Installer-No Services | install_location/resources/cassandra/conf/cassandra.yaml
  Tarball installations | install_location/resources/cassandra/conf/cassandra.yaml

  The location of the dse.yaml file depends on the type of installation:

  Installer-Services    | /etc/dse/dse.yaml
  Package installations | /etc/dse/dse.yaml
  Installer-No Services | install_location/resources/dse/conf/dse.yaml
  Tarball installations | install_location/resources/dse/conf/dse.yaml

  The default location of the Tomcat server.xml file is the same for all installation types:

  Installer-Services and Package installations    | /etc/dse/resources/tomcat/conf/server.xml
  Installer-No Services and Tarball installations | /etc/dse/tomcat/conf/server.xml

- If the client_encryption_options are set in the file, remove them.
- If you are not using the JCE Unlimited Strength Jurisdiction Policy, make sure that your ticket granting principal does not use AES-256. If your ticket granting principal uses AES-256, you might see a warning like this in the logs:
WARN [StreamConnectionEstablisher:18] 2015-06-22 14:12:18,589 SSLFactory.java (line 162) Filtering out
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA as it isnt supported by the socket
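A small audit of the client_encryption_options block from step 1, added here as an example (it is not DataStax code): it reads the block out of a cassandra.yaml without needing PyYAML and reports settings that contradict the procedure, treating the unedited "keystore password" / "truststore password" values as placeholders that were never replaced. The sample file content and the rpc_address value are constructed for the example.

```python
import re

# Constructed sample (not a real node's file): the block from step 1, as nested in cassandra.yaml.
SAMPLE_YAML = """\
client_encryption_options:
  enabled: true
  keystore: resources/dse/conf/.keystore ## Path to your .keystore file
  keystore_password: keystore password ## Password that you used to generate the keystore
  store_type: JKS
  truststore: resources/dse/conf/.truststore ## Path to your .truststore
  truststore_password: truststore password ## Password that you used to generate the truststore
  protocol: ssl
  require_client_auth: true
  cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA]
rpc_address: 10.0.0.1
"""

def parse_block(text, section="client_encryption_options"):
    """Collect the 'key: value' lines nested under `section` into a dict; only the flat
    scalars and inline [a, b] lists used in this block are handled, comments are stripped."""
    opts, in_block = {}, False
    for line in text.splitlines():
        if re.match(rf"^{section}:\s*$", line):
            in_block = True
            continue
        if not in_block or not line.strip():
            continue
        if not line.startswith((" ", "\t")):   # back at top level: the block is over
            break
        key, _, value = line.strip().partition(":")
        value = re.split(r"\s+#", value, 1)[0].strip()   # drop trailing '#'/'##' comment
        if value.startswith("[") and value.endswith("]"):
            value = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        opts[key.strip()] = value
    return opts

def audit(opts):
    """Return findings for settings that contradict the procedure; an empty list means clean."""
    findings = []
    if opts.get("enabled") != "true":
        findings.append("enabled is not true: client traffic is not encrypted")
    for store in ("keystore", "truststore"):
        if not opts.get(store):
            findings.append(f"{store} path is missing")
        pw = opts.get(f"{store}_password", "")
        if not pw or pw == f"{store} password":   # assumed placeholder text from the sample
            findings.append(f"{store}_password is missing or still the placeholder")
    if opts.get("require_client_auth") != "true":
        findings.append("require_client_auth is not true: client certificates are not required")
    return findings
```

Running audit(parse_block(SAMPLE_YAML)) on the sample above flags only the two placeholder passwords; pointing it at a real file (open(path).read()) after step 1 should return an empty list.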