Client-to-node encryption

Client-to-node encryption protects data in flight from client machines to a database cluster using SSL (Secure Sockets Layer).

Client-to-node encryption protects data in flight from client machines to a database cluster using SSL (Secure Sockets Layer). It establishes a secure channel between the client and the coordinator node.

cassandra.yaml

The cassandra.yaml file is located in the installation_location/conf directory.

Prerequisites

Prepare SSL certificates with a self-signed CA for production, or prepare SSL certificates for development.

To enable client-to-node SSL, set the client_encryption_options in the cassandra.yaml file.

Procedure

On each node under client_encryption_options:

Enable encryption.
Modify the cassandra.yaml file with the following settings:
Production clusters
```
client_encryption_options:
    enabled: true
    # If enabled and optional is set to true encrypted and unencrypted connections are handled.
    optional: false
    keystore: /usr/local/lib/cassandra/conf/server-keystore.jks
    keystore_password: myKeyPass
    
    require_client_auth: true
    # Set trustore and truststore_password if require_client_auth is true
    truststore: /usr/local/lib/cassandra/conf/server-truststore.jks
    truststore_password: truststorePass
    protocol: TLS
    algorithm: SunX509
    store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
```
This file uses the certificates prepared with a self-signed CA.

Development clusters
```
client_encryption_options:
    enabled: true
    # If enabled and optional is set to true encrypted and unencrypted connections are handled.
    optional: false
    keystore: conf/keystore.node0 
    keystore_password: cassandra
    
    require_client_auth: true
    # Set trustore and truststore_password if require_client_auth is true
    truststore: conf/truststore.node0
    truststore_password: cassandra
    protocol: TLS
    algorithm: SunX509
    store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
```
This file uses the certificates prepared for development.

Set appropriate paths to the keystore and truststore files. Set the passwords to the passwords set during keystore and truststore generation. If two-way certificate authentication is required, set require_client_auth to true. Enabling two-way certificate authentication allows tools to connect to a remote node. For local access to run cqlsh on a local node with SSL encryption, set require_client_auth to false.

Enabling client encryption encrypts all traffic on the native_transport_port (default: 9042). If both encrypted and unencrypted traffic is required, in the cassandra.yaml set native_transport_port_ssl for encrypted traffic (default: 9142) and native_transport_port for traffic that is not encrypted to different ports.

Restart the database.

Restart the database to make changes effective.
```
kill -9 cassandra_pid
```
```
cassandra
```