Securing internal transactional node connections
Node-to-node (internode) encryption protects data transferred between nodes in a cluster using SSL (Secure Sockets Layer). For information about generating SSL certificates, see Setting up SSL certificates.
OpsCenter Lifecycle Manager can configure DataStax Enterprise clusters to use node-to-node encryption. It automates the preparation of server certificates with an internal certificate authority and deploys the resulting keystore and truststore to each node.
Procedure
To enable node-to-node SSL encryption:
- Set the server_encryption_options in the cassandra.yaml file on each node:
  - internode_encryption: Encrypts traffic between nodes. Options: none, all, dc, or rack.
  - keystore: Relative path from the DSE installation directory, or absolute path, to the keystore file.
  - keystore_password: Password to access the keystore.
  - truststore: Relative path from the DSE installation directory, or absolute path, to the truststore file.
  - truststore_password: Password to access the truststore.
  - require_client_auth: Enables two-way (mutual) certificate authentication. After enabling it, you must configure clients such as nodetool and cqlsh to use SSL.
  - require_endpoint_verification: Optional. Verifies that the connected node's IP address matches its certificate.
To encrypt the truststore and keystore passwords with KMIP, see Encrypting table data.
```yaml
server_encryption_options:
    internode_encryption: all
    keystore: resources/dse/conf/keystore.jks
    keystore_password: myPassKey
    truststore: resources/dse/conf/truststore.jks
    truststore_password: truststorePass
    require_client_auth: true
    require_endpoint_verification: true
```
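The settings above are easy to leave half-configured across a cluster, so a defender typically wants a quick audit of each node's cassandra.yaml. The following Python script is an added example, not DataStax or OpsCenter code: it extracts the server_encryption_options block with a small hand-written parser (so it needs no PyYAML) and flags the weak states described in this procedure, namely internode_encryption set to none, dc or rack, require_client_auth or require_endpoint_verification not enabled, and a missing store path or a placeholder password. Both sample configurations embedded in it are constructed for the example; the only assumption beyond the page is that the placeholder password "cassandra" shipped in the stock cassandra.yaml should never reach production.

```python
"""Audit the server_encryption_options block of a cassandra.yaml.

Added example (not DataStax code). The parser handles only the flat,
indented key: value mapping under server_encryption_options, which is
all this check needs, so the script runs offline without PyYAML.
"""
from typing import Dict, List

# Constructed sample: the hardened block from the procedure above.
HARDENED_YAML = """\
server_encryption_options:
    internode_encryption: all
    keystore: resources/dse/conf/keystore.jks
    keystore_password: myPassKey
    truststore: resources/dse/conf/truststore.jks
    truststore_password: truststorePass
    require_client_auth: true
    require_endpoint_verification: true
"""

# Constructed sample: a node that still carries stock defaults.
WEAK_YAML = """\
server_encryption_options:
    internode_encryption: none   # cleartext between nodes
    keystore: conf/.keystore
    keystore_password: cassandra
    truststore: conf/.truststore
    truststore_password: cassandra
    require_client_auth: false
"""

# Assumption: the placeholder password from the stock cassandra.yaml.
PLACEHOLDER_PASSWORDS = {"", "cassandra"}


def parse_server_encryption_options(text: str) -> Dict[str, str]:
    """Return the key: value pairs nested under server_encryption_options."""
    opts: Dict[str, str] = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            # A top-level key starts or ends the block we care about.
            in_block = line.strip() == "server_encryption_options:"
            continue
        if in_block and ":" in line:
            key, _, value = line.strip().partition(":")
            opts[key.strip()] = value.strip().strip("'\"")
    return opts


def audit(opts: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the block is hardened."""
    findings: List[str] = []
    mode = opts.get("internode_encryption", "none")
    if mode == "none":
        findings.append("internode_encryption is none: internode traffic is cleartext")
    elif mode in ("dc", "rack"):
        findings.append(f"internode_encryption is {mode}: traffic inside a single {mode} is not encrypted")
    elif mode != "all":
        findings.append(f"internode_encryption has unrecognised value {mode!r}")
    if opts.get("require_client_auth", "false").lower() != "true":
        findings.append("require_client_auth is not true: peer nodes are not authenticated by certificate")
    if opts.get("require_endpoint_verification", "false").lower() != "true":
        findings.append("require_endpoint_verification is not true: certificate is not matched to the peer address")
    for store in ("keystore", "truststore"):
        if not opts.get(store):
            findings.append(f"{store} path is not set")
        if opts.get(f"{store}_password", "") in PLACEHOLDER_PASSWORDS:
            findings.append(f"{store}_password is empty or the placeholder 'cassandra'")
    return findings


def audit_yaml(text: str) -> List[str]:
    """Convenience wrapper: parse then audit one cassandra.yaml's contents."""
    return audit(parse_server_encryption_options(text))


if __name__ == "__main__":
    for name, text in (("hardened", HARDENED_YAML), ("weak", WEAK_YAML)):
        result = audit_yaml(text)
        print(f"{name}: {'OK' if not result else ''}")
        for finding in result:
            print(f"  - {finding}")
```

Run it against the real file with `audit_yaml(open("/path/to/cassandra.yaml").read())` on each node; a non-empty result on any node means that node will still accept or send cleartext or unauthenticated internode traffic even if the rest of the cluster is configured correctly.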