Using CQL shell (cqlsh) with SSL
To use cqlsh with Kerberos and SSL, use the sample files as a starting point and make changes as appropriate for your environment.
DataStax Enterprise provides a sample cqlshrc.sample.ssl file that you can use as a starting point.
[authentication]
username = fred
password = !!bang!!$

[connection]
hostname = 127.0.0.1
port = 9042

[ssl]
certfile = ~/keys/cassandra.cert
validate = false ;; Optional, true by default. See the paragraph below.

[certfiles]
;; Optional section, overrides the default certfile in the [ssl] section.
10.209.182.160 = /etc/dse/cassandra/conf/dsenode0.cer
10.68.65.199 = /etc/dse/cassandra/conf/dsenode1.cer
cqlsh does not work with the certfile in the format in which it was originally generated. When require_client_auth = true, use openssl to generate a PEM file of the certificate with no keys (<user>.cer.pem) and a PEM file of the key with no certificate (<user>.key.pem).
Add the following lines to [ssl] in ~/.cassandra/cqlshrc:

# The next 2 lines must be provided when require_client_auth = true in the cassandra.yaml file
userkey = ~/<user>.key.pem
usercert = ~/<user>.cer.pem
The keystore is imported in PKCS12 format to a destination keystore (<user>.p12):

keytool -importkeystore -srckeystore .keystore -destkeystore <user>.p12 -deststoretype PKCS12
Convert the PKCS12 keystore into the two PEM files. When validate is enabled, you must create a PEM key for use in the cqlshrc file:

openssl pkcs12 -in <user>.p12 -nokeys -out <user>.cer.pem -passin pass:cassandra
openssl pkcs12 -in <user>.p12 -nodes -nocerts -out <user>.key.pem -passin pass:cassandra

The value after pass: is the keystore password. Passing it on the command line exposes it in shell history and process listings, so outside a test setup prefer the file: or env: forms of -passin.
In cqlshrc.sample.ssl, ensure that userkey points to <user>.key.pem and usercert points to <user>.cer.pem. This PEM key is required because the host in the certificate is compared to the host of the machine that it is connected to.
The SSL certificate must be provided either in the configuration file or as an environment variable. The SSL environment variables (for example SSL_VALIDATE) override any options set in this file.
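As an added example (not code from DataStax or the cqlsh project), the following Python shows how the settings above combine: a per-host [certfiles] entry wins over the [ssl] certfile, validate defaults to true, and an environment variable overrides the file. The sample cqlshrc is constructed from the layout shown above; the SSL_CERTFILE variable name is assumed, and the parsing is a simplified stand-in for cqlsh's own.

```python
import configparser
import os
from typing import Optional

# Constructed sample in the cqlshrc.sample.ssl layout (not a real deployment file).
SAMPLE_CQLSHRC = """
[ssl]
certfile = ~/keys/cassandra.cert
validate = false ;; Optional, true by default.

[certfiles]
;; Optional section, overrides the default certfile in the [ssl] section.
10.209.182.160 = /etc/dse/cassandra/conf/dsenode0.cer
10.68.65.199 = /etc/dse/cassandra/conf/dsenode1.cer
"""


def load_cqlshrc(text: str) -> configparser.ConfigParser:
    # ';' starts an inline comment in cqlshrc, so "false ;; ..." parses as "false".
    cp = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=(";",))
    cp.read_string(text)
    return cp


def resolve_certfile(cp, host: str, env=None) -> Optional[str]:
    """Environment (SSL_CERTFILE, assumed name) > [certfiles] host entry > [ssl] certfile."""
    env = os.environ if env is None else env
    if env.get("SSL_CERTFILE"):
        return env["SSL_CERTFILE"]
    if cp.has_section("certfiles") and cp.has_option("certfiles", host):
        return cp.get("certfiles", host)
    return cp.get("ssl", "certfile", fallback=None)


def validation_enabled(cp, env=None) -> bool:
    """validate defaults to true; the SSL_VALIDATE variable overrides the file."""
    env = os.environ if env is None else env
    raw = env.get("SSL_VALIDATE") or cp.get("ssl", "validate", fallback="true")
    return raw.strip().lower() not in ("false", "0", "no")


def audit(cp, env=None) -> list:
    """Findings a defender would want before shipping this cqlshrc."""
    findings = []
    if not validation_enabled(cp, env):
        findings.append("validate=false: server certificate host is not checked")
    has_key = cp.has_option("ssl", "userkey")
    has_cert = cp.has_option("ssl", "usercert")
    if has_key != has_cert:
        findings.append("userkey and usercert must both be set for client auth")
    return findings
```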
DataStax Enterprise provides a sample cqlshrc.sample.kerberos_ssl file that you can use as a starting point.
For information about using Kerberos with SSL, see Using CQL shell (cqlsh) with SSL.
The settings for using both Kerberos and SSL are a combination of the Kerberos and SSL sections in these examples.
The supported environment variables are
Use the --debug option to troubleshoot authentication problems with cqlsh. Pass the --debug option to cqlsh to populate the debug log message with the type of authentication that