Using nodetool (JMX) with SSL encryption


Using nodetool with SSL requires some JMX setup: cassandra-env.sh must be changed on every node, and a configuration file, ~/.cassandra/nodetool-ssl.properties, is created on the system that runs nodetool.

Prerequisites

Configure the following options before setting up nodetool to run with SSL and authentication:

Procedure

  1. To run nodetool with SSL encryption, additional changes are required to cassandra-env.sh. Add the following settings to the file, using the file paths of your keystore and truststore and the password of each. Make these changes on all nodes in the cluster.

    Production

      JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
      JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
      JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
      #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.protocols=<enabled-protocols>"
      #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.cipher.suites=<enabled-cipher-suites>"

      JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=/usr/local/lib/cassandra/conf/server-keystore.jks"
      JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=myKeyPass"
      JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=/usr/local/lib/cassandra/conf/server-truststore.jks"
      JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=truststorePass"

    Development

      JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
      JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
      JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
      #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.protocols=<enabled-protocols>"
      #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.cipher.suites=<enabled-cipher-suites>"

      JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=keystore.node0"
      JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=cassandra"
      JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=truststore.node0"
      JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=cassandra"
    Where the settings implement the following SSL options:
    • (Required) Enable SSL for JMX by setting com.sun.management.jmxremote.ssl to true.
    • Require two-way (client certificate) authentication over SSL by setting com.sun.management.jmxremote.ssl.need.client.auth to true, so that the server also verifies the client's certificate rather than only the client verifying the server's.
    • Protect the RMI registry with SSL by setting com.sun.management.jmxremote.registry.ssl to true. This registry is created and configured by the out-of-the-box management agent when the Java VM starts.
    • (Optional) Restrict the TLS protocol versions and cipher suites that the JMX server accepts by uncommenting com.sun.management.jmxremote.ssl.enabled.protocols and com.sun.management.jmxremote.ssl.enabled.cipher.suites and filling in the values.
    • (Required) Set the paths to the keystore and truststore files.
    • (Required) Set the passwords to those chosen when the keystore and truststore were generated.
  2. Restart the database on each node.
  3. On the system that runs nodetool, create a .cassandra/nodetool-ssl.properties file in your home directory (or in the client program's directory) with the following settings.

    Production

    -Dcom.sun.management.jmxremote.ssl=true
    -Dcom.sun.management.jmxremote.ssl.need.client.auth=true
    -Dcom.sun.management.jmxremote.registry.ssl=true
    -Djavax.net.ssl.keyStore=/usr/local/lib/cassandra/conf/server-keystore.jks
    -Djavax.net.ssl.keyStorePassword=myKeyPass
    -Djavax.net.ssl.trustStore=/usr/local/lib/cassandra/conf/server-truststore.jks
    -Djavax.net.ssl.trustStorePassword=truststorePass

    Development

    -Djavax.net.ssl.keyStore=keystore.node0
    -Djavax.net.ssl.keyStorePassword=cassandra
    -Djavax.net.ssl.trustStore=truststore.node0
    -Djavax.net.ssl.trustStorePassword=cassandra
    -Dcom.sun.management.jmxremote.ssl.need.client.auth=true
    -Dcom.sun.management.jmxremote.registry.ssl=true
  4. Start nodetool with the --ssl option to use an encrypted connection for any nodetool operation:
    install_location/bin/nodetool -ssl info
  5. Start nodetool with the --ssl option to use an encrypted connection, plus a username and password for authentication and authorization, for any nodetool operation:
    install_location/bin/nodetool -ssl -u cassandra -pw cassandra status
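As an added check that is not part of the original page or of Cassandra itself, the following POSIX shell script lints a nodetool-ssl.properties file against the settings step 1 lists as required before nodetool is pointed at it. The helper names prop_value and check_nodetool_ssl, the temporary directory and the sample files are all constructed for this example; it assumes one -Dkey=value per line, as in the files above.

```shell
# Added example, not from the original page: lint a nodetool-ssl.properties file
# against the settings listed as required above. Assumes one -Dkey=value per line.
# prop_value FILE KEY: print the value of -DKEY=value (trailing blanks dropped)
prop_value() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')   # dots in the key are literal
    sed -n "s/^[[:space:]]*-D$pat=\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$1" | head -n 1
}
# check_nodetool_ssl FILE: 0 if every required setting is present and usable,
# 1 otherwise; each problem found is printed on its own line
check_nodetool_ssl() {
    f=$1; rc=0
    # SSL is required; the page's examples also set client-cert auth and an
    # SSL-protected RMI registry, so all three are expected to be true
    for key in com.sun.management.jmxremote.ssl \
        com.sun.management.jmxremote.ssl.need.client.auth com.sun.management.jmxremote.registry.ssl; do
        [ "$(prop_value "$f" "$key")" = true ] || { echo "$f: $key is not true"; rc=1; }
    done
    # keystore and truststore paths must point at files nodetool can read
    for key in javax.net.ssl.keyStore javax.net.ssl.trustStore; do
        path=$(prop_value "$f" "$key")
        [ -r "$path" ] || { echo "$f: $key='$path' is not a readable file"; rc=1; }
    done
    # both store passwords must be set
    for key in javax.net.ssl.keyStorePassword javax.net.ssl.trustStorePassword; do
        [ -n "$(prop_value "$f" "$key")" ] || { echo "$f: $key is missing"; rc=1; }
    done
    # the file holds those passwords in clear text: group/other mode bits
    # (columns 5-10 of ls -l output) should all be '-'; check added here
    case "$(ls -ld "$f" | cut -c5-10)" in *[rwx]*) echo "$f: readable by group/other, chmod 600 it"; rc=1 ;; esac
    return $rc
}
# Constructed sample mirroring the Production client settings above, in a temp
# directory with empty placeholder store files
tmp=$(mktemp -d); GOOD=$tmp/nodetool-ssl.properties
touch "$tmp/server-keystore.jks" "$tmp/server-truststore.jks"
cat > "$GOOD" <<EOF
-Dcom.sun.management.jmxremote.ssl=true
-Dcom.sun.management.jmxremote.ssl.need.client.auth=true
-Dcom.sun.management.jmxremote.registry.ssl=true
-Djavax.net.ssl.keyStore=$tmp/server-keystore.jks
-Djavax.net.ssl.keyStorePassword=myKeyPass
-Djavax.net.ssl.trustStore=$tmp/server-truststore.jks
-Djavax.net.ssl.trustStorePassword=truststorePass
EOF
chmod 600 "$GOOD"
# Constructed negative sample: SSL flag dropped and file left world-readable
BAD=$tmp/bad.properties; grep -vF 'jmxremote.ssl=true' "$GOOD" > "$BAD"; chmod 644 "$BAD"
check_nodetool_ssl "$GOOD" && echo "$GOOD: ok"
check_nodetool_ssl "$BAD" || echo "$BAD: rejected"
```

Run it against your real ~/.cassandra/nodetool-ssl.properties by calling check_nodetool_ssl on that path; a non-zero exit lists what to fix before step 4.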