Securing internal transactional node connections

Node-to-node (internode) encryption protects data transferred between nodes in a cluster using SSL (Secure Sockets Layer). For information about generating SSL certificates, see Setting up SSL certificates.

cassandra.yaml

The location of the cassandra.yaml file depends on the type of installation:

  • Package installations and Installer-Services installations: /etc/dse/cassandra/cassandra.yaml
  • Tarball installations and Installer-No Services installations: installation_location/resources/cassandra/conf/cassandra.yaml

OpsCenter Lifecycle Manager can configure DataStax Enterprise clusters to use node-to-node encryption. It automates preparing server certificates with an internal certificate authority and deploys the resulting keystore and truststore to each node automatically.

Procedure

To enable node-to-node SSL encryption:

  1. Set the server_encryption_options in the cassandra.yaml file on each node:
    • internode_encryption: Encrypts traffic between nodes. Options: none, all, dc, or rack.
    • keystore: Relative path from the DSE installation directory, or absolute path, to the keystore file.
    • keystore_password: Password to access the keystore.
    • truststore: Relative path from the DSE installation directory, or absolute path, to the truststore file.
    • truststore_password: Password to access the truststore.
    • require_client_auth: Enable two-way (mutual) certificate authentication between nodes. After enabling it, you must configure clients, such as nodetool and cqlsh, to use SSL.
    • require_endpoint_verification: Optional. Verify that the connected host matches the host name in its certificate.
    Note: To encrypt the truststore and keystore passwords with KMIP, see Encrypting table data.
    server_encryption_options:
       internode_encryption: all
       keystore: resources/dse/conf/keystore.jks
       keystore_password: myPassKey
       truststore: resources/dse/conf/truststore.jks
       truststore_password: truststorePass
       require_client_auth: true
       require_endpoint_verification: true
  2. Restart DSE.
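As an added example (not DataStax code), the following Python script reads the server_encryption_options block out of a cassandra.yaml and flags settings weaker than the block shown above: a mode other than all, missing mutual authentication or endpoint verification, and keystore or truststore paths that do not resolve. The sample YAML, the dse_home default and the function names are constructed for this example.

```python
import os
import re

# Constructed sample (not from a real cluster); deliberately weaker than the block above.
SAMPLE_YAML = """\
server_encryption_options:
   internode_encryption: dc
   keystore: resources/dse/conf/keystore.jks
   keystore_password: myPassKey
   truststore: resources/dse/conf/truststore.jks
   truststore_password: truststorePass
   require_client_auth: false
client_encryption_options:
   enabled: false
"""
VALID_MODES = {"none", "all", "dc", "rack"}

def parse_server_encryption_options(text):
    """Extract the flat key: value block under server_encryption_options (no PyYAML needed)."""
    opts, inside = {}, False
    for line in text.splitlines():
        if line.startswith("server_encryption_options:"):
            inside = True
        elif inside and line and not line[0].isspace():
            break  # the next top-level key ends the block
        elif inside:
            m = re.match(r"\s+(\w+):\s*(.*?)\s*$", line)
            if m:
                opts[m.group(1)] = m.group(2)
    return opts

def audit(opts, dse_home="/opt/dse", check_files=True):
    """Return findings for settings weaker than the recommended block; an empty list means none."""
    findings = []
    mode = opts.get("internode_encryption", "none")
    if mode not in VALID_MODES:
        findings.append(f"internode_encryption: unknown value '{mode}'")
    elif mode != "all":
        findings.append(f"internode_encryption: '{mode}' does not encrypt all internode traffic")
    if opts.get("require_client_auth", "false").lower() != "true":
        findings.append("require_client_auth: peers are not required to present a certificate")
    if opts.get("require_endpoint_verification", "false").lower() != "true":
        findings.append("require_endpoint_verification: certificate host name is not checked")
    for key in ("keystore", "truststore"):
        path = opts.get(key, "")
        # A relative path is resolved from the DSE installation directory (dse_home is an assumption).
        resolved = path if os.path.isabs(path) else os.path.join(dse_home, path)
        if not path or (check_files and not os.path.exists(resolved)):
            findings.append(f"{key}: not set or not found at {resolved}")
    return findings
```

Run it against each node's cassandra.yaml after step 1 and before restarting; pass check_files=False when auditing a copy of the file on a host that does not have the keystores.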