Using nodetool (JMX) with SSL encryption

Using nodetool with SSL requires some JMX setup. Changes to cassandra-env.sh are required, and a configuration file, ~/.cassandra/nodetool-ssl.properties, is created.
Prerequisites
- Prepare SSL certificates with a self-signed CA for production, or prepare SSL certificates for development. Additionally, configure client-to-node encryption.
- Enable JMX authentication and authorization if authentication and authorization are required.
Procedure
1. To run nodetool with SSL encryption, additional changes are required to cassandra-env.sh. Add the following settings to the file. Use the file path to the keystore and truststore, and the appropriate password for each file. Make these changes on all nodes in the cluster.

   Production

       JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
       JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
       JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
       #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.protocols=<enabled-protocols>"
       #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.cipher.suites=<enabled-cipher-suites>"
       JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=/usr/local/lib/cassandra/conf/server-keystore.jks"
       JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=myKeyPass"
       JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=/usr/local/lib/cassandra/conf/server-truststore.jks"
       JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=truststorePass"

   Development

       JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
       JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
       JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
       #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.protocols=<enabled-protocols>"
       #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.cipher.suites=<enabled-cipher-suites>"
       JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=keystore.node0"
       JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=cassandra"
       JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=truststore.node0"
       JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=cassandra"

   The settings implement the following SSL options:
   - (Required) Enable SSL for JMX by setting com.sun.management.jmxremote.ssl to true.
   - Use two-way certificate authentication, that is, client authentication over SSL for full security, by setting com.sun.management.jmxremote.ssl.need.client.auth to true.
   - Create an RMI registry protected by SSL, which the out-of-the-box management agent creates and configures when the Java VM starts, by setting com.sun.management.jmxremote.registry.ssl to true.
   - (Optional) Restrict the protocol versions and cipher suites that the JMX connector accepts by uncommenting the com.sun.management.jmxremote.ssl.enabled.protocols and com.sun.management.jmxremote.ssl.enabled.cipher.suites lines and filling in the values.
   - (Required) Set appropriate paths to the keystore and truststore files.
   - (Required) Set the passwords to the passwords set during keystore and truststore generation.
2. Restart the database.
3. To run nodetool with SSL encryption, create a .cassandra/nodetool-ssl.properties file in your home or client program directory, with the following settings, on the same system that runs nodetool.

   Production

       -Dcom.sun.management.jmxremote.ssl=true
       -Dcom.sun.management.jmxremote.ssl.need.client.auth=true
       -Dcom.sun.management.jmxremote.registry.ssl=true
       -Djavax.net.ssl.keyStore=/usr/local/lib/cassandra/conf/server-keystore.jks
       -Djavax.net.ssl.keyStorePassword=myKeyPass
       -Djavax.net.ssl.trustStore=/usr/local/lib/cassandra/conf/server-truststore.jks
       -Djavax.net.ssl.trustStorePassword=truststorePass

   Development

       -Djavax.net.ssl.keyStore=keystore.node0
       -Djavax.net.ssl.keyStorePassword=cassandra
       -Djavax.net.ssl.trustStore=truststore.node0
       -Djavax.net.ssl.trustStorePassword=cassandra
       -Dcom.sun.management.jmxremote.ssl.need.client.auth=true
       -Dcom.sun.management.jmxremote.registry.ssl=true
4. Start nodetool with the --ssl option for an encrypted connection, for any nodetool operation:

       install_location/bin/nodetool --ssl info
5. Start nodetool with the --ssl option for an encrypted connection, plus a username and password for authentication and authorization, for any nodetool operation:

       install_location/bin/nodetool --ssl -u cassandra -pw cassandra status
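A pre-flight check for the two files configured in the steps above, added here as an example that is not part of this page or of DataStax/Cassandra: it parses the active JVM_OPTS lines of cassandra-env.sh (skipping lines commented out with #, as the shell does) and the -D tokens of nodetool-ssl.properties, then reports settings that contradict the procedure, such as a need.client.auth flag left commented out or a client file with no keystore to present. The file layouts and the sample values are assumed to follow the blocks shown above.

```python
import re
import shlex
D_OPT = re.compile(r"^-D([^=\s]+)=(.*)$")
ENV_LINE = re.compile(r'^JVM_OPTS="\$JVM_OPTS\s+(.*)"$')
# Server-side flags that the procedure above sets to true in cassandra-env.sh.
REQUIRED_TRUE = ("com.sun.management.jmxremote.ssl",
                 "com.sun.management.jmxremote.ssl.need.client.auth",
                 "com.sun.management.jmxremote.registry.ssl")
# Keystore/truststore settings that both the node and the nodetool client need.
STORE_KEYS = ("javax.net.ssl.keyStore", "javax.net.ssl.keyStorePassword",
              "javax.net.ssl.trustStore", "javax.net.ssl.trustStorePassword")

def parse_env(text):
    """-D properties from active JVM_OPTS lines; a line commented out with # never matches."""
    props = {}
    for line in text.splitlines():
        m = ENV_LINE.match(line.strip())
        if m:
            for tok in shlex.split(m.group(1)):
                if d := D_OPT.match(tok):
                    props[d.group(1)] = d.group(2)
    return props

def parse_nodetool_props(text):
    """-D tokens from nodetool-ssl.properties (one per line or space-separated)."""
    return {d.group(1): d.group(2) for d in map(D_OPT.match, text.split()) if d}

def check(server, client):
    """Findings for a cassandra-env.sh / nodetool-ssl.properties pair; an empty list means consistent."""
    findings = [f"server: {k} must be true" for k in REQUIRED_TRUE if server.get(k) != "true"]
    for k in STORE_KEYS:
        findings += [f"{s}: {k} is missing" for s, p in (("server", server), ("client", client)) if not p.get(k)]
    # Two-way auth means nodetool must present its own certificate; a truststore alone is not enough.
    if server.get(REQUIRED_TRUE[1]) == "true" and not client.get("javax.net.ssl.keyStore"):
        findings.append("client: need.client.auth is on but nodetool has no keyStore to present")
    return findings

# Constructed samples (values taken from the page): the production server settings with
# need.client.auth accidentally left commented out, and the development client properties.
SAMPLE_ENV = """JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
#JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=/usr/local/lib/cassandra/conf/server-keystore.jks"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=myKeyPass"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=/usr/local/lib/cassandra/conf/server-truststore.jks"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=truststorePass"
"""
SAMPLE_CLIENT = """-Djavax.net.ssl.keyStore=keystore.node0 -Djavax.net.ssl.keyStorePassword=cassandra
-Djavax.net.ssl.trustStore=truststore.node0 -Djavax.net.ssl.trustStorePassword=cassandra"""
```

Running check(parse_env(SAMPLE_ENV), parse_nodetool_props(SAMPLE_CLIENT)) on the constructed samples reports only the commented-out need.client.auth flag; point the two parsers at the real files to check a node and its nodetool client.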