Node-to-node encryption

Node-to-node (internode) encryption protects data transferred between nodes in a cluster, including gossip communications, using SSL (Secure Sockets Layer).

cassandra.yaml

  • The cassandra.yaml file is located in the installation_location/conf directory.

Prerequisites

Prepare SSL certificates with a self-signed CA for production, or prepare SSL certificates for development.

To enable node-to-node SSL, you must set the server_encryption_options in the cassandra.yaml file.

Procedure

Enable server_encryption_options on each node

  1. Modify the cassandra.yaml file with the following settings:

    Production clusters

    server_encryption_options:
        internode_encryption: all
        keystore: /usr/local/lib/cassandra/conf/server-keystore.jks
        keystore_password: myKeyPass
        truststore: /usr/local/lib/cassandra/conf/server-truststore.jks
        truststore_password: truststorePass
        # More advanced defaults below:
        protocol: TLS
        algorithm: SunX509
        store_type: JKS
        cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
        require_client_auth: true

    This file uses the certificates prepared with a self-signed CA.

    Note: cipher_suites can be configured for FIPS-140 compliance if required.

    Development clusters

    server_encryption_options:
        internode_encryption: all
        keystore: /conf/keystore.node0
        keystore_password: cassandra
        truststore: /conf/truststore.node0
        truststore_password: cassandra
        # More advanced defaults below:
        protocol: TLS
        algorithm: SunX509
        store_type: JKS
        cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
        require_client_auth: true

    This file uses the certificates prepared for development.

    internode_encryption can be set to one of four values:

    all
        All traffic is encrypted.
    none
        No traffic is encrypted.
    dc
        Traffic between datacenters is encrypted.
    rack
        Traffic between racks is encrypted.

    Set keystore and truststore to the paths of those files on each node, and set keystore_password and truststore_password to the passwords chosen when the keystore and truststore were generated. If two-way (mutual) certificate authentication is desired, set require_client_auth to true.
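The following is an added example, not part of the DataStax documentation or the Cassandra code base: a small lint that reads the server_encryption_options block out of a cassandra.yaml and reports settings that weaken internode encryption (an invalid or partial internode_encryption mode, a missing store path, an empty or well-known default password, or require_client_auth left off). It parses only the flat "key: value" subset of YAML that this block uses, so it runs without PyYAML. The sample YAML is constructed from the page's production settings with two values deliberately changed so the lint has something to report; the WEAK_PASSWORDS set is an assumption of this example.

```python
import re

# The four values the page lists for internode_encryption.
VALID_INTERNODE = {"all", "none", "dc", "rack"}
# Assumption of this example: the development default "cassandra" and a few
# common placeholders are treated as non-production secrets.
WEAK_PASSWORDS = {"", "cassandra", "changeit", "password"}

# A YAML comment starts with '#' at line start or after whitespace.
_COMMENT = re.compile(r"(^|\s)#.*$")


def parse_server_encryption_options(yaml_text):
    """Return the server_encryption_options block as a dict.

    Reads only the indented "key: value" lines directly under the block;
    comments and blank lines are skipped, inline lists such as [A, B] become
    Python lists, and true/false become booleans.
    """
    opts = {}
    in_block = False
    for raw in yaml_text.splitlines():
        line = _COMMENT.sub("", raw).rstrip()
        if not line.strip():
            continue
        if not in_block:
            in_block = line.strip() == "server_encryption_options:"
            continue
        if not line[0].isspace():
            break  # first top-level key after the block ends it
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if value.startswith("[") and value.endswith("]"):
            opts[key] = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        elif value.lower() in ("true", "false"):
            opts[key] = value.lower() == "true"
        else:
            opts[key] = value
    return opts


def lint_server_encryption_options(opts):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    mode = opts.get("internode_encryption")
    if mode not in VALID_INTERNODE:
        findings.append(f"internode_encryption must be one of {sorted(VALID_INTERNODE)}, got {mode!r}")
    elif mode == "none":
        findings.append("internode_encryption is 'none': gossip and data between nodes are sent in clear text")
    elif mode == "dc":
        findings.append("internode_encryption is 'dc': only traffic between datacenters is encrypted")
    elif mode == "rack":
        findings.append("internode_encryption is 'rack': only traffic between racks is encrypted")
    for store in ("keystore", "truststore"):
        if not opts.get(store):
            findings.append(f"{store} path is missing")
        if opts.get(f"{store}_password", "") in WEAK_PASSWORDS:
            findings.append(f"{store}_password is empty or a well-known default")
    if opts.get("require_client_auth") is not True:
        findings.append("require_client_auth is not true: peers are not required to present a certificate")
    return findings


# Constructed sample: the page's production block with internode_encryption
# set to dc, the development password, and require_client_auth turned off.
SAMPLE_YAML = """\
cluster_name: 'Test Cluster'
server_encryption_options:
    internode_encryption: dc
    keystore: /usr/local/lib/cassandra/conf/server-keystore.jks
    keystore_password: cassandra
    truststore: /usr/local/lib/cassandra/conf/server-truststore.jks
    truststore_password: truststorePass
    # More advanced defaults below:
    protocol: TLS
    algorithm: SunX509
    store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
    require_client_auth: false
client_encryption_options:
    enabled: false
"""

if __name__ == "__main__":
    for finding in lint_server_encryption_options(parse_server_encryption_options(SAMPLE_YAML)):
        print("WARN:", finding)
```

Run it against each node's cassandra.yaml before the restart; a clean result means the block at least names a full encryption mode, both stores, non-default passwords and mutual authentication, which is what the production example above does.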

Restart the database.

  1. Restart the database to make changes effective:

    kill -9 cassandra_pid
    cassandra

  2. Check the logs to discover if SSL encryption has been started. Use the grep command:

    grep SSL install_location/logs/system.log

    The resulting line is similar to this example:

    INFO  [main] 2016-09-12 18:34:14,478 MessagingService.java:511 - Starting Encrypted Messaging Service on SSL port 7001
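As an added example (not part of the original page or of Cassandra), the same check automated across a cluster: each node's system.log is scanned for the "Starting Encrypted Messaging Service" line shown above, and any node that instead came up without encryption, or never logged a start line, is reported. The node0 log line is the one from the page; the node1 and node2 lines are constructed, and the wording of the unencrypted start message is an assumption to adapt to your version.

```python
import re

# The message the page shows once internode SSL is active.
_ENCRYPTED = re.compile(r"Starting Encrypted Messaging Service on SSL port (\d+)")
# Assumed wording of the start line when the service comes up WITHOUT
# encryption (hypothetical pattern, not taken from the page).
_PLAINTEXT = re.compile(r"Starting Messaging Service on port (\d+)")


def encrypted_messaging_port(log_text):
    """Return the SSL port from the encrypted-messaging start line, or None."""
    for line in log_text.splitlines():
        match = _ENCRYPTED.search(line)
        if match:
            return int(match.group(1))
    return None


def verify_cluster(node_logs, expected_port=7001):
    """Map each node name to None (healthy) or a short description of the problem."""
    report = {}
    for node, text in node_logs.items():
        port = encrypted_messaging_port(text)
        if port is None:
            if _PLAINTEXT.search(text):
                report[node] = "messaging service started without encryption"
            else:
                report[node] = "no messaging service start line found"
        elif port != expected_port:
            report[node] = f"encrypted messaging on unexpected port {port}"
        else:
            report[node] = None
    return report


# Constructed sample logs: node0 is the page's line, node1 and node2 are made up.
SAMPLE_LOGS = {
    "node0": "INFO  [main] 2016-09-12 18:34:14,478 MessagingService.java:511 - "
             "Starting Encrypted Messaging Service on SSL port 7001\n",
    "node1": "INFO  [main] 2016-09-12 18:34:20,001 MessagingService.java:511 - "
             "Starting Messaging Service on port 7000\n",
    "node2": "INFO  [main] 2016-09-12 18:34:25,113 CassandraDaemon.java:471 - "
             "Hostname: node2\n",
}

if __name__ == "__main__":
    for node, problem in verify_cluster(SAMPLE_LOGS).items():
        print(node, "OK" if problem is None else f"PROBLEM: {problem}")
```

In practice node_logs would be filled by collecting install_location/logs/system.log from each host after the restart; a node that still shows a plaintext start line has not picked up the new server_encryption_options.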