Using SSL connections

Connecting DevCenter to an SSL-enabled Apache Cassandra or DataStax Enterprise cluster.

DataStax DevCenter is compatible with DataStax Enterprise (DSE) versions up to 5.0.

Prerequisites

  • SSL must be configured and working on your cluster.
  • Install the Java Cryptography Extension (JCE) on your client system.

    Download the same version of Java as Apache Cassandra™ or DataStax Enterprise uses:

    Installation directory (jre lib/security):

    • Linux: /usr/lib/jvm/jdk1.major.minor_update/jre/lib/security
    • Mac OS X: /Library/Java/JavaVirtualMachines/jdk1.major.minor_update/Contents/Home/jre/lib/security
    • Windows: C:\Program Files\Java\jre7\lib\security

    Extract the downloaded file and copy the contents of the UnlimitedJCEPolicy directory to the jre/lib/security directory.

  • The keytool command must be available to manage encryption keys.
    Note: If you cannot find the keytool command on a Windows system, read these instructions.

Procedure

Server verification

  1. To perform server verification, the client needs the public key certificate of each node in the cluster stored in a local truststore file. This file is password protected (keytool prompts you to create a password). The truststore file and password are entered in the DevCenter Connection Manager dialog box (see below).
    1. Using keytool, create a truststore file on your client by importing the public key certificates from each node in your cluster.
       $ keytool -import -v -trustcacerts -alias node0 -file node0.cer -keystore .truststore
       $ keytool -import -v -trustcacerts -alias node1 -file node1.cer -keystore .truststore
       $ keytool -import -v -trustcacerts -alias node2 -file node2.cer -keystore .truststore
       
    2. In DevCenter, select File > New > Connection to open the Connection Manager.
    3. Add the IP addresses of the nodes in your cluster.
    4. Select Next.
    5. Select the This cluster requires SSL option and enter the full path to (or navigate to) the truststore file on your machine.
    6. Enter the truststore password.
    7. Select the Try to establish a connection link to verify that you can successfully connect to the Cassandra nodes.
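
The truststore built in step 1 is the only reference DevCenter has for verifying the servers, so every certificate imported into it becomes a trust anchor. The following added example (not part of the DataStax documentation) wraps the keytool import in a fingerprint check; the function names, the TRUSTSTORE_PASS environment variable, and the expected fingerprints (obtained out-of-band from your cluster administrator) are assumptions.

```bash
#!/bin/sh
# Added example, not DataStax code. Pin each node certificate to a SHA-256
# fingerprint obtained out-of-band before it becomes a trust anchor.
# Assumption: the truststore password is exported as TRUSTSTORE_PASS so it
# never appears in the process list (keytool's -storepass:env modifier).

# cert_sha256 CERT_FILE -> prints the SHA-256 fingerprint keytool reports.
cert_sha256() {
  keytool -printcert -file "$1" |
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# import_verified ALIAS CERT_FILE EXPECTED_SHA256 TRUSTSTORE
# Returns 0 if imported, 1 on fingerprint mismatch, 2 if unreadable.
# The body runs in a subshell ( ... ) so its variables stay local.
import_verified() (
  alias_name=$1 cert=$2 expected=$3 store=$4
  actual=$(cert_sha256 "$cert")
  if [ -z "$actual" ]; then
    echo "ERROR $alias_name: no SHA-256 fingerprint read from $cert" >&2
    exit 2
  fi
  # Compare case-insensitively; keytool prints upper-case hex with colons.
  want=$(printf '%s' "$expected" | tr 'a-f' 'A-F')
  have=$(printf '%s' "$actual" | tr 'a-f' 'A-F')
  if [ "$have" != "$want" ]; then
    echo "REFUSED $alias_name: $cert has fingerprint $have" >&2
    exit 1
  fi
  # -noprompt is safe here only because the fingerprint was checked above.
  keytool -import -v -noprompt -alias "$alias_name" -file "$cert" \
    -keystore "$store" -storepass:env TRUSTSTORE_PASS
)
```

Call import_verified once per node (alias, certificate file, expected fingerprint, truststore path) after exporting TRUSTSTORE_PASS; a mismatch leaves the truststore unchanged.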

Client verification

  1. If your cluster requires client verification, you need to perform the following additional steps:
    1. Create an SSL certificate for the client host (that is, the system on which DevCenter is installed).
      $ keytool -genkey -alias client-host -keystore .keystore
    2. Export the client certificate.
      $ keytool -export -alias client-host -file client-host.cer -keystore .keystore
      The public certificate is stored in the client-host.cer file.
    3. Copy the public certificate and import it into the truststore on every node of the Cassandra cluster that you want DevCenter to connect to.
      $ keytool -import -v -trustcacerts -alias client-host -file /tmp/client-host.cer -keystore /var/tmp/.truststore
      Note: You may have to ask your cluster administrator if you do not have the proper permissions to modify the truststore file on the cluster nodes.
    4. In DevCenter, right-click your connection and select Properties to edit the connection in the Connection Manager.
    5. In Advanced Settings (under Basic Settings), select the Client authentication required option and enter the location of the keystore file and the keystore password.
      The Connection manager displays an error if the keystore filepath or password is incorrect.
    6. Click the Try to establish a connection link to verify your configuration.
    7. Click OK at the bottom of the Connection Manager dialog to create or update the connection.
      You can now have DevCenter communicate with your SSL-enabled cluster.