Configuring client-to-node encryption
Check the client-to-node configuration between DSE and OpsCenter when troubleshooting SSL problems.
In all supported versions, OpsCenter SSL connections to DataStax Enterprise (DSE) clusters are validated automatically. OpsCenter uses a keystore/truststore model to connect to DSE, which requires stricter enforcement of SSL certificates. Therefore, there is no longer an option to disable SSL certificate validation using the ssl_validate option in cluster settings.
To ensure that OpsCenter is configured to work with your client-to-node encryption-enabled cluster, follow these steps:
Procedure
1. Create a truststore file on the OpsCenter machine using each DSE node's certificates.
2. Create a client certificate and keystore on the OpsCenter machine:
    keytool -genkey -alias opscenter -keystore keystore.jks
    keytool -export -alias opscenter -file opscenter.cer -keystore keystore.jks
3. If your DSE cluster is set up to require client authentication (require_client_auth under client-to-node-encryption in cassandra.yaml) when using client-to-node encryption, you will need to import the public certificate generated in step 2 into every node's truststore so that DSE will trust connections coming from OpsCenter.
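The truststore work in steps 1 and 3 can be scripted as below. This is an added example, not DataStax's own tooling: the file names, the alias taken from each certificate's file name, the STOREPASS environment variable, the DRY_RUN switch and the two subcommand names are all assumptions.

```shell
#!/bin/sh
# Added example (not DataStax's script). File names, aliases, STOREPASS
# and DRY_RUN are assumptions. Export STOREPASS before a real run;
# DRY_RUN=1 prints the keytool commands instead of running them.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# import_cert STORE ALIAS CERT: add one trusted certificate to a JKS store.
# -storepass:env makes keytool read the password from $STOREPASS, so it
# does not show up in the process list.
import_cert() {
    [ -r "$3" ] || { echo "cannot read certificate: $3" >&2; return 1; }
    run keytool -importcert -noprompt -alias "$2" -file "$3" \
        -keystore "$1" -storepass:env STOREPASS
}

# Step 1 (on the OpsCenter machine): one truststore entry per DSE node.
# The alias is the file name without .cer; keytool rejects a duplicate
# alias, so each node certificate needs its own file name.
build_truststore() {
    store=$1; shift
    [ "$#" -gt 0 ] || { echo "no node certificates given" >&2; return 1; }
    for cert in "$@"; do
        import_cert "$store" "$(basename "$cert" .cer)" "$cert" || return 1
    done
    # List the entries so a missing node is noticed here, not at connect time.
    run keytool -list -keystore "$store" -storepass:env STOREPASS
}

# Step 3 (on every DSE node, only when require_client_auth is set): trust
# the certificate exported from the OpsCenter keystore in step 2.
trust_opscenter() {
    import_cert "$1" opscenter "$2"
}

# Command-line use:
#   script truststore truststore.jks node1.cer node2.cer
#   script trust-opscenter node-truststore.jks opscenter.cer
case ${1:-} in
    truststore)      shift; build_truststore "$@" ;;
    trust-opscenter) shift; trust_opscenter "$@" ;;
esac
```

Run it once with DRY_RUN=1 to review the exact keytool invocations before touching a live truststore.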