Using cqlsh with SSL

Using a cqlshrc file with SSL encryption using a self-signed CA.

Using a cqlshrc file is the easiest way to supply cqlsh settings. The cqlshrc.sample provides an example that can be copied as a starting point.
Prerequisites
Procedure
- To run cqlsh with SSL encryption, create a ~/.cassandra/cqlshrc file with the following settings:

    [authentication]
    username = fred
    password = !!bang!!$

    [connection]
    hostname = 127.0.0.1
    port = 9042

    [ssl]
    certfile = ~/keys/cassandra.cert
    validate = false ;; Optional, true by default. See the paragraph below.

    [certfiles]
    ;; Optional section, overrides the default certfile in the [ssl] section.
    10.209.182.160 = /etc/dse/cassandra/conf/dsenode0.cer
    10.68.65.199 = /etc/dse/cassandra/conf/dsenode1.cer
  When validate is enabled, the host named in the certificate is compared to the host of the machine being connected to in order to verify that the certificate is trusted. Note that the rootCa certificate and key are supplied to access the trust chain. The SSL certificate must be provided either in the configuration file or as an environment variable. The environment variables (SSL_CERTFILE and SSL_VALIDATE) override any options set in this file.

  cqlsh does not work with the certfile in the format in which it was originally generated. If require_client_auth = true, use openssl to generate a PEM file of the certificate with no keys (user.cer.pem) and a PEM file of the key with no certificate (user.key.pem). Add the following lines to [ssl] in ~/.cassandra/cqlshrc:

    # The next 2 lines must be provided when require_client_auth = true in the cassandra.yaml file
    userkey = ~/user.key.pem
    usercert = ~/user.cer.pem

  An optional section, [certfiles], overrides the default certfile in the [ssl] section. The IP addresses used in the [certfiles] section must be the same ones used to generate the dname of the certificates; this is required for two-way SSL encryption. Each node must have a line in the [certfiles] section for client-to-remote-node or node-to-node connections. Using [certfiles] is more common for development clusters.

- Start cqlsh with the --ssl option for an encrypted connection to the local node:

    install_location/bin/cqlsh --ssl
- A username and password can also be supplied at cqlsh startup. This example provides the username cassandra with password cassandra:

    install_location/bin/cqlsh --ssl -u cassandra -p cassandra

  Tip: cqlsh can read the username and password from the cqlshrc file at startup.

- For an encrypted connection to a remote node, start cqlsh with the --ssl option and an IP address:

    install_location/bin/cqlsh --ssl 172.31.10.22
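The precedence rules described in the procedure (SSL_CERTFILE and SSL_VALIDATE override the file, validate defaults to true, [certfiles] overrides certfile per host) can be checked before connecting. The following is an added example, not cqlsh code or anything from the original page: it parses a constructed cqlshrc modelled on the sample above and reports the effective SSL settings together with the weak spots a reviewer would flag, such as validate = false or a password stored in the file. The section and option names are those from the page; the finding messages are this example's own.

```python
import configparser
import os

# Constructed sample modelled on the cqlshrc shown above (not a real deployment)
SAMPLE_CQLSHRC = """
[authentication]
username = fred
password = !!bang!!$

[ssl]
certfile = ~/keys/cassandra.cert
validate = false ;; Optional, true by default.

[certfiles]
10.209.182.160 = /etc/dse/cassandra/conf/dsenode0.cer
10.68.65.199 = /etc/dse/cassandra/conf/dsenode1.cer
"""

def parse_cqlshrc(text):
    # The sample uses ';;' inline comments, so enable ';' and '#' as inline
    # comment prefixes; disable interpolation so '$' in a password stays literal.
    cp = configparser.ConfigParser(inline_comment_prefixes=(";", "#"),
                                   interpolation=None)
    cp.read_string(text)
    return cp

def effective_ssl_settings(cp, env):
    """Apply the documented precedence: environment variables win over the file."""
    certfile = env.get("SSL_CERTFILE") or cp.get("ssl", "certfile", fallback=None)
    validate_raw = env.get("SSL_VALIDATE") or cp.get("ssl", "validate", fallback="true")
    validate = validate_raw.strip().lower() in ("true", "1", "yes")
    per_host = dict(cp.items("certfiles")) if cp.has_section("certfiles") else {}
    return {"certfile": certfile, "validate": validate, "certfiles": per_host}

def audit_cqlshrc(text, env=None):
    """Return (effective settings, list of findings) for a cqlshrc body."""
    env = os.environ if env is None else env
    cp = parse_cqlshrc(text)
    eff = effective_ssl_settings(cp, env)
    findings = []
    if not eff["validate"]:
        findings.append("validate is off: server certificate and host are not checked")
    if not eff["certfile"] and not eff["certfiles"]:
        findings.append("no CA certfile configured in [ssl] or [certfiles]")
    if cp.has_option("authentication", "password"):
        findings.append("plaintext password stored in [authentication]")
    # require_client_auth needs both halves of the split PEM pair
    if cp.has_option("ssl", "userkey") != cp.has_option("ssl", "usercert"):
        findings.append("client auth needs both userkey and usercert in [ssl]")
    return eff, findings
```

Pass `env={}` to audit the file in isolation, or the real `os.environ` to see what cqlsh would actually use on this shell.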