All nodes require the relevant SSL certificates. These steps generate SSL certificates for
client-to-node encryption or node-to-node encryption.
Tip: OpsCenter Lifecycle Manager can configure DataStax Enterprise
clusters to use node-to-node encryption and automates the process of preparing
server certificates.
Follow these steps to generate SSL certificates for
client-to-node encryption or
node-to-node encryption. If you generate
the certificates for one type of encryption, you do not need to generate them again:
the same certificates are used for both types of encryption.
All nodes must have all the relevant SSL certificates. Each node needs a keystore and a truststore. The keystore holds the
node's own private key and certificate. The truststore holds the public certificates of every node in the cluster, so
each node can verify the identity of the others. The certificates are self-signed and do not require signing by a
trusted and recognized public certification authority.
Procedure
To prepare server certificates:
-
When using SSL client-to-node encryption, the common name (CN) in each node's
certificate must be the hostname or IP address that clients use to reach that node.
Ensure that the CN that is used to generate the SSL certificate matches the DNS-resolvable
host name of the node.
A mismatch between the CN and the node hostname causes an exception during the
SSL handshake, and the connection is refused.
-
Generate the private and public key pair for the node. Keep the key password
the same as the keystore password; DataStax Enterprise expects both to match:
$ keytool -genkey -alias dse_node0 -keyalg RSA -keystore .keystore
At the prompt "What is your first and last name?", enter the hostname or the
fully qualified domain name (FQDN) of the Cassandra node for which you are
generating the keys. The value that you enter for the first and last name is
used to set the certificate CN (Common Name), which the client uses to
authenticate the server.
-
Repeat the previous step on each node, using a different alias for each
node.
-
Export the public part of the certificate to a separate file and copy these
certificates to all other nodes.
$ keytool -export -alias dse_node0 -file dse_node0.cer -keystore .keystore
-
Add the certificate of each node to the truststore of each node, so the nodes
can verify the identity of other nodes.
A prompt for setting a password for the newly created truststore
appears.
$ keytool -import -v -trustcacerts -alias dse_node0 -file dse_node0.cer -keystore .truststore
$ keytool -import -v -trustcacerts -alias dse_node1 -file dse_node1.cer -keystore .truststore
. . .
$ keytool -import -v -trustcacerts -alias dse_nodeN -file dse_nodeN.cer -keystore .truststore
-
Make sure .keystore is readable only by the account that the DataStax
Enterprise daemon runs as, and not by other users of the system, because it
contains the node's private key.
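The procedure above, carried out non-interactively for a whole cluster, as an added example script that is not part of the original page or of DataStax's tooling. It generates one keystore per node with the CN set to the node's FQDN and the key password equal to the keystore password, exports each certificate, builds a single truststore that contains every node's certificate, checks that each certificate CN matches the hostname, and restricts the keystore permissions. The output directory ssl/<host>/, the KEYSTORE_PASS environment variable, the dse_<host> alias scheme and the hostnames in the usage note are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not DataStax code): prepare per-node keystores and a shared
# truststore with keytool, non-interactively, for the hostnames given as arguments.
# Assumed layout (hypothetical): ssl/<host>/.keystore, ssl/<host>/<host>.cer,
# ssl/.truststore; the single password is taken from $KEYSTORE_PASS.
set -e

OUT_DIR="${OUT_DIR:-ssl}"
# The key password must equal the keystore password, so one value is used
# for both -storepass and -keypass.
KEYSTORE_PASS="${KEYSTORE_PASS:-changeit}"
VALIDITY_DAYS="${VALIDITY_DAYS:-365}"

# One alias per node: aliases must be unique inside the shared truststore.
alias_for() { printf 'dse_%s\n' "$1"; }

# Extract the CN from the "Owner:" line of `keytool -list -v` output read on stdin.
cn_from_listing() {
    sed -n 's/^Owner: *CN=\([^,]*\).*/\1/p' | head -n 1
}

# Succeed when the certificate CN equals the hostname clients resolve; a
# mismatch is what makes client-to-node SSL fail at the handshake.
check_cn() { # check_cn <keystore> <alias> <expected-host>
    cn=$(keytool -list -v -keystore "$1" -alias "$2" -storepass "$KEYSTORE_PASS" | cn_from_listing)
    [ "$cn" = "$3" ]
}

# Generate the node's key pair with the CN set to its FQDN, export the public
# certificate for distribution, and lock down the private key material.
gen_node_keystore() { # gen_node_keystore <host>
    host=$1; dir="$OUT_DIR/$host"
    mkdir -p "$dir"
    keytool -genkeypair -alias "$(alias_for "$host")" -keyalg RSA -keysize 2048 \
        -validity "$VALIDITY_DAYS" -dname "CN=$host" \
        -keystore "$dir/.keystore" -storepass "$KEYSTORE_PASS" -keypass "$KEYSTORE_PASS"
    keytool -exportcert -alias "$(alias_for "$host")" -file "$dir/$host.cer" \
        -keystore "$dir/.keystore" -storepass "$KEYSTORE_PASS"
    # Readable only by the account the DSE daemon runs as (copy with this mode kept).
    chmod 600 "$dir/.keystore"
}

# One truststore holding every node's certificate; copy it to all nodes.
build_truststore() { # build_truststore <host>...
    ts="$OUT_DIR/.truststore"
    rm -f "$ts"
    for host in "$@"; do
        keytool -importcert -noprompt -trustcacerts -alias "$(alias_for "$host")" \
            -file "$OUT_DIR/$host/$host.cer" -keystore "$ts" -storepass "$KEYSTORE_PASS"
    done
}

main() {
    for host in "$@"; do
        gen_node_keystore "$host"
        check_cn "$OUT_DIR/$host/.keystore" "$(alias_for "$host")" "$host" \
            || { echo "CN mismatch for $host" >&2; exit 1; }
    done
    build_truststore "$@"
    echo "keystores: $OUT_DIR/<host>/.keystore  truststore: $OUT_DIR/.truststore"
}

# Run only when hostnames are supplied, so the functions can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `KEYSTORE_PASS='…' sh prepare_dse_certs.sh node0.example.com node1.example.com` with the DNS-resolvable FQDN of every node (the hostnames and script name here are placeholders). Each node then receives its own ssl/<host>/.keystore plus the shared ssl/.truststore; the alias check in check_cn is the same test the client performs when it compares the server certificate's CN against the hostname it connected to.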