Securing internal transactional node connections

Node-to-node (internode) encryption protects data transferred between nodes in a cluster using SSL (Secure Sockets Layer). For information about generating SSL certificates, see Setting up SSL certificates.

OpsCenter Lifecycle Manager can configure DataStax Enterprise clusters to use node-to-node encryption: it automates preparing server certificates with an internal certificate authority and deploys the resulting keystore and truststore to each node automatically.

Procedure

To enable node-to-node SSL encryption:

  1. Set the server_encryption_options in the cassandra.yaml file on each node:

    • internode_encryption: Encrypts traffic between nodes. Options: none, all, dc, or rack.

    • keystore: Relative path from the DSE installation directory or absolute path to the keystore file.

    • keystore_password: Password to access the keystore.

    • truststore: Relative path from the DSE installation directory or absolute path to the truststore file.

    • truststore_password: Password to access the truststore.

    • require_client_auth: Enables two-way encryption. After enabling it, you must configure clients, such as nodetool and cqlsh, to use SSL.

    • require_endpoint_verification: Optional; verifies that the connected node's IP address matches the certificate.

    To encrypt the truststore and keystore passwords with KMIP, see Encrypting table data.

    server_encryption_options:
       internode_encryption: all
       keystore: resources/dse/conf/keystore.jks
       keystore_password: myPassKey
       truststore: resources/dse/conf/truststore.jks
       truststore_password: truststorePass
       require_client_auth: true
       require_endpoint_verification: true
  2. Restart DSE.


© 2024 DataStax | Privacy policy | Terms of use
