Node-to-node encryption using SSL
Node-to-node (internode) encryption uses SSL to protect data transferred between nodes in a cluster, so that cluster traffic (gossip, streaming, replication) cannot be read or modified on the network. For information about generating SSL certificates, see Preparing server certificates.
The location of the cassandra.yaml file depends on the type of installation:
Installer-Services        /etc/dse/cassandra/cassandra.yaml
Package installations     /etc/dse/cassandra/cassandra.yaml
Installer-No Services     install_location/resources/cassandra/conf/cassandra.yaml
Tarball installations     install_location/resources/cassandra/conf/cassandra.yaml
Tip: OpsCenter Lifecycle Manager can configure DataStax Enterprise clusters to use node-to-node encryption. It automates preparing the server certificates using an internal certificate authority and deploys the resulting keystore and truststore to each node.
To encrypt the truststore and keystore passwords with KMIP, see Encrypting using off-server encryption keys.

Procedure
To enable node-to-node SSL encryption:
Set the server_encryption_options in the cassandra.yaml file on each node:
    server_encryption_options:
        internode_encryption: internode_option
        keystore: resources/dse/conf/.keystore
        keystore_password: keystore_password
        truststore: resources/dse/conf/.truststore
        truststore_password: truststore_password
        require_client_auth: true|false
- Set internode_encryption to one of: all (encrypt all internode traffic), dc (encrypt only traffic between datacenters; traffic within a datacenter stays in plaintext), rack (encrypt only traffic between racks; traffic within a rack stays in plaintext), or none (no internode encryption). Use all unless you have measured a reason not to.
- Set the paths to your .keystore and .truststore files. Relative paths are resolved from the DSE installation directory.
- Provide the required passwords. They must match the passwords that were used when generating the keystore and truststore; replace the stock default before the node goes into service.
- To enable peer certificate authentication, set require_client_auth to true. Each peer must then present a certificate that chains to a certificate in the truststore, otherwise the connection is refused; roll this out only after every node has its keystore in place.
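As an added example (not the documentation's or DataStax Enterprise's own tooling), the following Python script reads the server_encryption_options block of a cassandra.yaml, reports the settings this procedure tells you to change (internode_encryption not set to all, stock passwords, missing store files, require_client_auth left false), and, where keytool is on PATH, confirms that the configured passwords actually open the keystore and truststore. The extractor handles only the flat key/value block shown above, not general YAML. The sample configurations, file paths and passwords are constructed for the example.

```python
"""Audit the server_encryption_options block of a cassandra.yaml.

Added example, not part of the DataStax documentation or the Cassandra
project. Only the flat block shown on the page is parsed, so a small
line-based extractor is used instead of a YAML library.
"""
import os
import re
import shutil
import subprocess

VALID_INTERNODE = {"none", "dc", "rack", "all"}
PLAINTEXT_SCOPE = {"dc": "the same datacenter", "rack": "the same rack"}
STOCK_PASSWORD = "cassandra"  # password shipped in the stock cassandra.yaml


def extract_server_encryption_options(yaml_text):
    """Return the key/value pairs indented under server_encryption_options.

    The block ends at the next unindented (top-level) key. Comments and
    surrounding quotes are stripped from values.
    """
    opts = {}
    in_block = False
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # top-level key: (re)decide whether we are in the block
            in_block = line.strip() == "server_encryption_options:"
            continue
        if not in_block:
            continue
        m = re.match(r"\s+([A-Za-z_]+)\s*:\s*(.*)$", line)
        if m:
            opts[m.group(1)] = m.group(2).strip().strip("'\"")
    return opts


def audit_server_encryption_options(opts, base_dir=".", file_exists=os.path.isfile):
    """Return a list of findings; an empty list means the block looks sound."""
    findings = []
    mode = opts.get("internode_encryption", "none")
    if mode not in VALID_INTERNODE:
        findings.append("internode_encryption: unknown value %r" % mode)
    elif mode == "none":
        findings.append("internode_encryption: none (all internode traffic is plaintext)")
    elif mode != "all":
        findings.append("internode_encryption: %s (traffic between nodes in %s is plaintext)"
                        % (mode, PLAINTEXT_SCOPE[mode]))
    for store in ("keystore", "truststore"):
        path = opts.get(store)
        if not path:
            findings.append("%s: not set" % store)
        elif not file_exists(os.path.join(base_dir, path)):  # absolute paths are kept as-is
            findings.append("%s: %s does not exist" % (store, path))
        password = opts.get(store + "_password")
        if not password:
            findings.append("%s_password: not set" % store)
        elif password == STOCK_PASSWORD:
            findings.append("%s_password: still the stock default" % store)
    if opts.get("require_client_auth", "false").lower() != "true":
        findings.append("require_client_auth: false (peers are not required to present a certificate)")
    return findings


def store_password_opens(path, password, store_type="JKS"):
    """Check a store password with keytool; None when keytool is not on PATH.

    keytool -list exits non-zero when the store password is wrong, which is
    exactly the 'passwords must match' condition in the procedure.
    """
    keytool = shutil.which("keytool")
    if keytool is None:
        return None
    result = subprocess.run(
        [keytool, "-list", "-keystore", path, "-storepass", password, "-storetype", store_type],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


# Constructed sample: the block as it ships in the stock cassandra.yaml.
WEAK_YAML = """\
server_encryption_options:
    internode_encryption: none
    keystore: conf/.keystore
    keystore_password: cassandra
    truststore: conf/.truststore
    truststore_password: cassandra
    require_client_auth: false
"""

# Constructed sample: the settings this procedure asks for (placeholder passwords).
HARDENED_YAML = """\
server_encryption_options:
    internode_encryption: all
    keystore: resources/dse/conf/.keystore
    keystore_password: k3yst0re-s3cret      # placeholder, not a real password
    truststore: resources/dse/conf/.truststore
    truststore_password: trusts0re-s3cret   # placeholder
    require_client_auth: true
client_encryption_options:
    enabled: false
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_YAML), ("hardened", HARDENED_YAML)):
        opts = extract_server_encryption_options(text)
        # file_exists is stubbed so the sample runs without the store files present
        for finding in audit_server_encryption_options(opts, file_exists=lambda p: True):
            print("%s: %s" % (name, finding))
```

Run it against the real file with extract_server_encryption_options(open("/etc/dse/cassandra/cassandra.yaml").read()) and base_dir set to the DSE installation directory, then call store_password_opens on each store path with the password from the block before restarting the node; a False there means the node will fail to bring up its internode listener after the restart.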