Configuring client-to-node encryption

Check the client-to-node configuration between DSE and OpsCenter when troubleshooting SSL problems.

In all supported versions, OpsCenter SSL connections to DataStax Enterprise (DSE) clusters are validated automatically. OpsCenter uses a keystore/truststore model to connect to DSE, which requires stricter enforcement of SSL certificates. Therefore, there is no longer an option to disable SSL certificate validation using the ssl_validate option in cluster settings.

To ensure that OpsCenter is configured to work with your client-to-node encryption-enabled cluster, follow these steps:

Procedure

  1. Create a truststore file on the OpsCenter machine using each DSE node's certificates.
    1. Obtain the public key certificates from each DSE node you want to connect to OpsCenter.
    2. Import these public key certificates into the truststore file. For example:
      keytool -import -v -trustcacerts -alias node0 -file node0.cer -keystore .truststore
  2. Create a client certificate and keystore on the OpsCenter machine:
    keytool -genkey -alias opscenter -keyalg RSA -keystore keystore.jks
    keytool -export -alias opscenter -file opscenter.cer -keystore keystore.jks
  3. If your DSE cluster is set up to require client authentication (require_client_auth under client-to-node-encryption in cassandra.yaml) when using client-to-node encryption, you will need to import the public certificate generated in step 2 into every node's truststore so that DSE will trust connections coming from OpsCenter.
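
The truststore half of this procedure (step 1), as an added shell example that is not part of the original documentation: it imports every node certificate non-interactively and reports nodes whose current certificate the truststore does not hold, which covers both a missing alias and a certificate that was rotated after import. The directory layout (one <alias>.cer file per node), the TRUSTSTORE_PASS environment variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example. Assumes: node certificates saved as <cert-dir>/<alias>.cer
# (file names without spaces) and the truststore password exported as
# TRUSTSTORE_PASS. keytool's ":env" modifier reads the password from the
# environment so it does not show up in the process list.

# Alias for a certificate file: /path/node0.cer -> node0
alias_for_cert() {
    name=${1##*/}
    printf '%s\n' "${name%.*}"
}

# PEM form of the certificate stored under alias $2 in truststore $1.
# Prints nothing if the truststore or the alias does not exist.
stored_pem() {
    keytool -exportcert -rfc -alias "$2" -keystore "$1" \
        -storepass:env TRUSTSTORE_PASS 2>/dev/null || true
}

# Print the alias of every node certificate in directory $1 that truststore $2
# does not hold exactly: missing aliases and certificates replaced since import.
untrusted_nodes() {
    for cert in "$1"/*.cer; do
        [ -f "$cert" ] || continue
        alias=$(alias_for_cert "$cert")
        expected=$(keytool -printcert -rfc -file "$cert" 2>/dev/null) || expected=""
        if [ -z "$expected" ] || [ "$expected" != "$(stored_pem "$2" "$alias")" ]; then
            printf '%s\n' "$alias"
        fi
    done
}

# Import (or replace) each untrusted node certificate, as in step 1.2.
build_truststore() {
    for alias in $(untrusted_nodes "$1" "$2"); do
        keytool -delete -alias "$alias" -keystore "$2" \
            -storepass:env TRUSTSTORE_PASS >/dev/null 2>&1 || true
        keytool -import -noprompt -trustcacerts -alias "$alias" \
            -file "$1/$alias.cer" -keystore "$2" \
            -storepass:env TRUSTSTORE_PASS >/dev/null 2>&1 || return 1
    done
}

# Run as a script: TRUSTSTORE_PASS=... sh thisfile.sh <cert-dir> <truststore>
# Builds the truststore, then lists any node that is still untrusted.
if [ "$#" -eq 2 ]; then
    build_truststore "$1" "$2" && untrusted_nodes "$1" "$2"
fi
```

An empty result from untrusted_nodes means every node certificate in the directory matches what the truststore holds; any alias it prints is a node whose certificate must be re-imported.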