Securing client to cluster connections
Client-to-node encryption protects in-flight data from client machines to a database cluster using SSL (Secure Sockets Layer) and establishes a secure channel between the client and the coordinator node.
Unlike Kerberos, client-to-node encryption does not require setting up a shared authentication service.
If you are using DSE Search, enabling SSL automatically enables SSL in the DSE Search web.xml file and configures an SSL connector in Tomcat using the authentication/authorization filters. You do not have to change your web.xml or server.xml files.
If the TomcatSolrRunner doesn't find a connector in server.xml, it creates a default connector. The default connector binds to the rpc_address in cassandra.yaml.
Prerequisites
- DataStax recommends Enabling JCE Unlimited.
- Prepare an SSL certificate; see Setting up SSL certificates.
Procedure
- To enable encryption, perform these steps on each node. DSE Search and Spark nodes require the truststore entries in cassandra.yaml.
  - Production clusters: In the cassandra.yaml file, in the client_encryption_options section:
    - Set enabled to true.
    - Set the paths to your .keystore and .truststore files.
    - Provide the passwords that were used when generating the keystore and truststore.
    - To enable client certificate authentication, set require_client_auth to true.
    - Use an SSL production certificate.

    client_encryption_options:
        enabled: true
        keystore: resources/dse/conf/.keystore          ## Path to your .keystore file
        keystore_password: <keystore_password>          ## Password that you used to generate the keystore
        require_client_auth: true
        # Set truststore and truststore_password when require_client_auth: true
        truststore: resources/dse/conf/.truststore      ## Path to your .truststore
        truststore_password: <truststore_password>      ## Password that you used to generate the truststore
        protocol: ssl
        algorithm: SunX509
        store_type: JKS
        cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA]

For information about using Kerberos with SSL, see Using CQL shell (cqlsh) with SSL. To encrypt the truststore and keystore passwords with KMIP, see Encrypting table data.
  - Development clusters: In the cassandra.yaml file, in the client_encryption_options section:
    - Set enabled to true.
    - Provide the passwords that were used when generating the keystore and truststore.
    - Set the paths to your .keystore and .truststore files.
    - If two-way certificate authentication is desired, set require_client_auth to true. Enabling two-way certificate authentication allows tools to connect to a remote node.
    - Complete Setting up SSL certificates. For local access to run cqlsh on a local node with SSL encryption, require_client_auth can be set to false.

    client_encryption_options:
        enabled: true
        # If enabled and optional is set to true, encrypted and unencrypted connections are handled.
        optional: false
        keystore: conf/keystore.node0
        keystore_password: cassandra
        require_client_auth: true
        # Set truststore and truststore_password if require_client_auth is true
        truststore: conf/truststore.node0
        truststore_password: cassandra
        protocol: TLS
        algorithm: SunX509
        store_type: JKS
        cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]

- If the client_encryption_options are set in the dse.yaml file, remove them.
- If you are not using the JCE Unlimited Strength Jurisdiction Policy, make sure that your ticket granting principal does not use AES-256.
  If your ticket granting principal uses AES-256, you might see a warning like this in the logs:

  WARN [StreamConnectionEstablisher:18] 2015-06-22 14:12:18,589 SSLFactory.java (line 162) Filtering out TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA as it isnt supported by the socket

- Restart DataStax Enterprise.
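A small lint for the client_encryption_options block, added here as an example and not part of the DataStax documentation or product: it parses the flat key/value layout shown above and flags the mistakes the procedure warns about (encryption not enabled, optional: true accepting plaintext, require_client_auth without a truststore, placeholder passwords left in, and AES-256 suites on a node without JCE Unlimited). The sample YAML, the function names and the jce_unlimited flag are this example's own assumptions.

```python
import re

# Constructed sample mirroring the production snippet above, with the
# placeholder passwords left in on purpose so the lint flags them.
SAMPLE_YAML = """\
client_encryption_options:
  enabled: true
  keystore: resources/dse/conf/.keystore   ## Path to your .keystore file
  keystore_password: <keystore_password>
  require_client_auth: true
  truststore: resources/dse/conf/.truststore
  truststore_password: <truststore_password>
  protocol: ssl
  cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA]
"""

def parse_client_encryption_options(text):
    """Flat 'key: value' parser for the client_encryption_options block only."""
    opts, inside = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                  # a top-level key starts or ends the block
            inside = line.strip() == "client_encryption_options:"
            continue
        if inside:
            key, _, value = line.strip().partition(":")
            value = value.strip()
            if value.startswith("["):              # flow-style list, e.g. cipher_suites
                value = [v.strip() for v in value.strip("[]").split(",") if v.strip()]
            opts[key] = value
    return opts

def lint(opts, jce_unlimited=True):
    """Return findings for the checks the procedure above calls out; empty means consistent."""
    findings = []
    if opts.get("enabled") != "true":
        findings.append("enabled must be true")
    if opts.get("optional") == "true":
        findings.append("optional: true still accepts unencrypted connections")
    if opts.get("require_client_auth") == "true" and not opts.get("truststore"):
        findings.append("require_client_auth: true needs truststore set")
    for key in ("keystore_password", "truststore_password"):
        if re.fullmatch(r"<.*>", opts.get(key, "")):
            findings.append(f"{key} is still a placeholder")
    if not jce_unlimited and any("AES_256" in c for c in opts.get("cipher_suites", [])):
        findings.append("AES-256 suites need JCE Unlimited; they will be filtered out")
    return findings
```

Run it against each node's cassandra.yaml before the restart step; an empty list from lint() means the block matches the settings this page asks for.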