Node-to-node encryption

Node-to-node (internode) encryption protects data transferred between nodes in a cluster, including gossip communications, using SSL (Secure Sockets Layer).

Node-to-node encryption protects data transferred between nodes in a cluster, including gossip communications, using SSL (Secure Sockets Layer).

cassandra.yaml

  • The cassandra.yaml file is located in the installation_location/conf directory.

Prerequisites

Prepare SSL certificates with a self-signed CA for production, or prepare SSL certificates for development.

To enable node-to-node SSL, you must set the server_encryption_options in the cassandra.yaml file.

Procedure

Enable server_encryption_options on each node
  1. Modify the cassandra.yaml file with the following settings:

    Production clusters

    server_encryption_options:
    internode_encryption: all
    keystore: /usr/local/lib/cassandra/conf/server-keystore.jks
    keystore_password: myKeyPass
    truststore: /usr/local/lib/cassandra/conf/server-truststore.jks
    truststore_password: truststorePass
    # More advanced defaults below:
    protocol: TLS
    algorithm: SunX509
    store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
    require_client_auth: true
    This file uses the certificates prepared with a self-signed CA.
    Note: cipher_suites can be configured for FIPS-140 compliance if required.
    Development clusters
    server_encryption_options:
    internode_encryption: all
    keystore: /conf/keystore.node0
    keystore_password: cassandra
    truststore: /conf/truststore.node0
    truststore_password: cassandra
    # More advanced defaults below:
    protocol: TLS
    algorithm: SunX509
    store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
    require_client_auth: true
    This file uses the certificates prepared for development.
    Internode encryption can be set to four different choices:
    all
    All traffic is encrypted.
    none
    No traffic is encrypted.
    dc
    Traffic between datacenters is encrypted.
    rack
    Traffic between racks is encrypted.
    Set appropriate paths to the keystore and truststore files. Set the passwords to the passwords set during keystore and truststore generation. If two-way certificate authentication is desired, set require_client_auth to true.
Restart the database.
  1. Restart the database to make changes effective: 
    kill -9 cassandra_pid
    cassandra
  2. Check the logs to discover if SSL encryption has been started. Use the grep command: 
    grep SSL install_location/logs/system.log

    The resulting line is similar to this example:

    INFO  [main] 2016-09-12 18:34:14,478 MessagingService.java:511 - Starting Encrypted Messaging Service on SSL port 7001