Client-to-node encryption
Client-to-node encryption protects data in flight from client machines to a database cluster using SSL (Secure Sockets Layer). It establishes a secure channel between the client and the coordinator node.
The cassandra.yaml file is located in the installation_location/conf directory.
Prerequisites
To enable client-to-node SSL, set the client_encryption_options in the cassandra.yaml file.
Procedure
- Enable encryption. Modify the client_encryption_options section of the cassandra.yaml file with the following settings:
Production clusters
    client_encryption_options:
        enabled: true
        # If enabled and optional are both set to true, encrypted and unencrypted connections are handled.
        optional: false
        keystore: /usr/local/lib/cassandra/conf/server-keystore.jks
        keystore_password: myKeyPass
        require_client_auth: true
        # Set truststore and truststore_password if require_client_auth is true
        truststore: /usr/local/lib/cassandra/conf/server-truststore.jks
        truststore_password: truststorePass
        protocol: TLS
        algorithm: SunX509
        store_type: JKS
        cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
This file uses the certificates prepared with a self-signed CA.
Development clusters
    client_encryption_options:
        enabled: true
        # If enabled and optional are both set to true, encrypted and unencrypted connections are handled.
        optional: false
        keystore: conf/keystore.node0
        keystore_password: cassandra
        require_client_auth: true
        # Set truststore and truststore_password if require_client_auth is true
        truststore: conf/truststore.node0
        truststore_password: cassandra
        protocol: TLS
        algorithm: SunX509
        store_type: JKS
        cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
This file uses the certificates prepared for development.
Set appropriate paths to the keystore and truststore files. Set the passwords to the passwords chosen during keystore and truststore generation. If two-way certificate authentication is required, set require_client_auth to true. Enabling two-way certificate authentication allows tools to connect to a remote node. For local access, to run cqlsh on a local node with SSL encryption, set require_client_auth to false.

Enabling client encryption encrypts all traffic on the native_transport_port (default: 9042). If both encrypted and unencrypted traffic is required, set native_transport_port_ssl (default: 9142) for encrypted traffic and native_transport_port for unencrypted traffic to different ports in cassandra.yaml.
- Restart the database to make the changes effective.
kill -9 cassandra_pid
cassandra
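As an added example, not part of the Cassandra documentation or code base, the following Python script reads the client_encryption_options block from a cassandra.yaml and flags the settings that weaken the protection described above: optional: true (unencrypted client connections are still accepted), require_client_auth not set to true, empty or default store passwords, and cipher suites without forward secrecy. It uses a minimal hand-written parser for the flat key/value layout shown on this page rather than a full YAML library, and the embedded sample configuration is constructed from the development settings above.

```python
import re
# Constructed sample: the development settings from this page as a YAML fragment.
SAMPLE_YAML = """\
client_encryption_options:
    enabled: true
    optional: false
    keystore: conf/keystore.node0
    keystore_password: cassandra
    require_client_auth: true
    truststore: conf/truststore.node0
    truststore_password: cassandra
    protocol: TLS
    cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
native_transport_port: 9042
"""

def parse_client_encryption_options(text):
    """Collect the keys indented under client_encryption_options (flat layout only)."""
    opts, inside = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments (assumes no '#' in values)
        if not line.strip():
            continue
        if not line[0].isspace():                 # a top-level key starts or ends the block
            inside = line.startswith("client_encryption_options:")
            continue
        if inside:
            key, _, value = line.strip().partition(":")
            value = value.strip()
            if value.startswith("[") and value.endswith("]"):   # flow-style list
                value = [v.strip() for v in value[1:-1].split(",") if v.strip()]
            opts[key.strip()] = value
    return opts

def audit(opts):
    """Return findings that weaken client-to-node encryption; an empty list means clean."""
    findings = []
    if opts.get("optional") == "true":
        findings.append("optional: true also accepts unencrypted client connections")
    if opts.get("require_client_auth") != "true":
        findings.append("require_client_auth is not true: clients present no certificate")
    for key in ("keystore_password", "truststore_password"):
        if opts.get(key, "") in ("", "cassandra"):            # empty or the shipped default
            findings.append(f"{key} is empty or the default value")
    for suite in opts.get("cipher_suites", []):
        # TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) always use ephemeral key exchange;
        # in TLS 1.2 only (EC)DHE suites give forward secrecy, static RSA does not.
        if not re.match(r"TLS_(ECDHE|DHE|AES|CHACHA20)_", suite):
            findings.append(f"{suite}: no forward secrecy (static key exchange)")
    return findings
```

Run against the development settings it reports the two default passwords and the static-RSA cipher suite; the production block above passes the password check but is flagged for the same cipher suite.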