Client-to-node encryption

Client-to-node encryption protects data in flight from client machines to a database cluster using SSL (Secure Sockets Layer). It establishes a secure channel between the client and the coordinator node.

Prerequisites

Prepare SSL certificates with a self-signed CA for production, or prepare SSL certificates for development.

To enable client-to-node SSL, set the client_encryption_options in the cassandra.yaml file.

Procedure

On each node under client_encryption_options:

  1. Enable encryption.
  2. Modify the cassandra.yaml file with the following settings:

    Production clusters

    client_encryption_options:
        enabled: true
        # If enabled and optional are both true, both encrypted and unencrypted connections are accepted.
        optional: false
        keystore: /usr/local/lib/cassandra/conf/server-keystore.jks
        keystore_password: myKeyPass

        require_client_auth: true
        # Set truststore and truststore_password if require_client_auth is true
        truststore: /usr/local/lib/cassandra/conf/server-truststore.jks
        truststore_password: truststorePass
        protocol: TLS
        algorithm: SunX509
        store_type: JKS
        # TLS_RSA_* suites use static RSA key exchange and provide no forward secrecy
        cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]

    This file uses the certificates prepared with a self-signed CA.

    Development clusters

    client_encryption_options:
        enabled: true
        # If enabled and optional are both true, both encrypted and unencrypted connections are accepted.
        optional: false
        keystore: conf/keystore.node0
        keystore_password: cassandra

        require_client_auth: true
        # Set truststore and truststore_password if require_client_auth is true
        truststore: conf/truststore.node0
        truststore_password: cassandra
        protocol: TLS
        algorithm: SunX509
        store_type: JKS
        # TLS_RSA_* suites use static RSA key exchange and provide no forward secrecy
        cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]

    This file uses the certificates prepared for development.

    Set the paths to the keystore and truststore files, and set the passwords to those chosen when the keystore and truststore were generated. If two-way certificate authentication is required, set require_client_auth to true; enabling two-way certificate authentication allows tools to connect to a remote node. For local access, to run cqlsh on a local node with SSL encryption, set require_client_auth to false.

    Enabling client encryption encrypts all traffic on the native_transport_port (default: 9042). If both encrypted and unencrypted traffic are required, set native_transport_port_ssl (default: 9142) in cassandra.yaml for encrypted traffic and native_transport_port for unencrypted traffic, using two different ports.
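    As an added example (not part of the Cassandra project or its documentation), the following Python script checks the client_encryption_options block of a cassandra.yaml against the points made in the steps above: encryption enabled, no plaintext fallback through optional, a truststore present when require_client_auth is true, absolute store paths and non-placeholder passwords for production, cipher suites that offer forward secrecy, and distinct ports when both encrypted and unencrypted traffic are served. The minimal YAML-subset parser, the legacy-cipher-suite patterns and the placeholder-password list are this example's own assumptions, not Cassandra behaviour; the two embedded configurations are constructed from the settings shown on this page.

```python
"""Lint the client_encryption_options block of a cassandra.yaml (added example)."""
import re

SECTION = "client_encryption_options"

# Assumption of this example: suites with static RSA key exchange (no forward
# secrecy) or CBC mode are reported as findings.
LEGACY_SUITE_PATTERNS = (re.compile(r"^TLS_RSA_WITH_"), re.compile(r"_CBC_"))

# Assumption of this example: passwords that must never reach production.
PLACEHOLDER_PASSWORDS = {"cassandra", "changeit", "password"}


def parse_subset(text):
    """Parse top-level scalars plus one level of nested mappings.

    Handles only what this page's configuration uses: comments, blank lines,
    `key: value`, a top-level `key:` introducing an indented mapping, and flow
    sequences such as `[A, B]`. It is not a general YAML parser.
    """
    root, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing blanks
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, sep, value = line.strip().partition(":")
        if not sep:
            raise ValueError(f"unparseable line: {raw!r}")
        value = value.strip()
        if value.startswith("[") and value.endswith("]"):
            value = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        target = root if indent == 0 else current
        if target is None:
            raise ValueError(f"indented key without a parent mapping: {raw!r}")
        if value == "":
            target[key] = {}
            if indent == 0:
                current = target[key]
        else:
            target[key] = value
    return root


def lint_client_encryption(text, production=True):
    """Return a list of findings; an empty list means the block passed every check."""
    cfg = parse_subset(text)
    opts = cfg.get(SECTION)
    if not isinstance(opts, dict):
        return [f"{SECTION} block is missing"]
    findings = []
    if opts.get("enabled") != "true":
        return ["enabled is not true: native transport traffic is unencrypted"]
    if opts.get("optional") == "true":
        findings.append("optional: true lets clients fall back to plaintext")
    if opts.get("require_client_auth") == "true":
        for k in ("truststore", "truststore_password"):
            if not opts.get(k):
                findings.append(f"{k} must be set when require_client_auth is true")
    for k in ("keystore", "truststore"):
        path = opts.get(k)
        if production and isinstance(path, str) and not path.startswith("/"):
            findings.append(f"{k} is a relative path: {path}")
    for k in ("keystore_password", "truststore_password"):
        pw = opts.get(k)
        if production and isinstance(pw, str) and pw in PLACEHOLDER_PASSWORDS:
            findings.append(f"{k} is a development/placeholder value")
    suites = opts.get("cipher_suites") or []
    for s in [suites] if isinstance(suites, str) else suites:
        if any(p.search(s) for p in LEGACY_SUITE_PATTERNS):
            findings.append(f"cipher suite {s}: static RSA key exchange or CBC mode, no forward secrecy")
    ssl_port, plain_port = cfg.get("native_transport_port_ssl"), cfg.get("native_transport_port")
    if ssl_port and plain_port and ssl_port == plain_port:
        findings.append("native_transport_port_ssl equals native_transport_port; dual-port mode needs distinct ports")
    return findings


# Constructed from the production settings on this page.
PRODUCTION_YAML = """
client_encryption_options:
    enabled: true
    optional: false
    keystore: /usr/local/lib/cassandra/conf/server-keystore.jks
    keystore_password: myKeyPass
    require_client_auth: true
    truststore: /usr/local/lib/cassandra/conf/server-truststore.jks
    truststore_password: truststorePass
    protocol: TLS
    algorithm: SunX509
    store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
"""

# Constructed from the development settings on this page, with the two native
# transport ports deliberately set equal to show the dual-port check firing.
DEVELOPMENT_YAML = """
native_transport_port: 9042
native_transport_port_ssl: 9042
client_encryption_options:
    enabled: true
    optional: false
    keystore: conf/keystore.node0
    keystore_password: cassandra
    require_client_auth: true
    truststore: conf/truststore.node0
    truststore_password: cassandra
    protocol: TLS
    cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
"""

if __name__ == "__main__":
    for name, text in (("production", PRODUCTION_YAML), ("development", DEVELOPMENT_YAML)):
        print(f"== {name} ==")
        for finding in lint_client_encryption(text) or ["no findings"]:
            print(" -", finding)
```

    Run it against a real cassandra.yaml by reading the file into lint_client_encryption; pass production=False for a development node so that relative store paths and the development passwords are not reported. The production block from this page yields exactly one finding, the cipher suite, which is the point of the legacy-suite check: the configuration is encrypted and authenticated, but the listed suite gives no forward secrecy.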

Restart the database.

  1. Restart the database to make the changes effective. Replace cassandra_pid with the process ID of the running Cassandra process:
    kill -9 cassandra_pid
    cassandra