Setting up SSL for nodetool, dsetool, and dse advrep

To set up nodetool, dsetool, and dse advrep for use with SSL, you must configure JMX SSL on the server side with changes on each node in the cluster, restart DSE, and then configure the client settings in your home or client program directory on the node on which the command will run.

Enabling client encryption will encrypt all traffic on the native_transport_port (default: 9042). If both encrypted and unencrypted traffic is required, an additional cassandra.yaml setting must be enabled. The native_transport_port_ssl (default: 9142) sets an additional dedicated port to carry encrypted transmissions, while native_transport_port carries unencrypted transmissions.

Prerequisites

Procedure

Configure JMX SSL on the server side:

Make these changes in the cassandra-env.sh file on each node in the cluster.

  1. If the $LOCAL_JMX setting is present, change it to no:

    "$LOCAL_JMX" = "no"

  2. Add the following settings:

    You can also use the jvm.options file as described in start-up parameters.

    For production:

    JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
  JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
  JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
  #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.protocols=<enabled-protocols>"
  #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.cipher.suites=<enabled-cipher-suites>"

  JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=/usr/local/lib/cassandra/conf/server-keystore.jks"
  JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=myKeyPass"
  JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=/usr/local/lib/cassandra/conf/server-truststore.jks"
  JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=truststorePass"

    For development:

    JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
  JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
  JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
  #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.protocols=<enabled-protocols>"
  #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.cipher.suites=<enabled-cipher-suites>"

  JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=keystore.node0"
  JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=cassandra"
  JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=truststore.node0"
  JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=cassandra"

    where:

    • com.sun.management.jmxremote.ssl=true enables SSL for JMX.

    • com.sun.management.jmxremote.ssl.need.client.auth=true enables two-way certificate authentication.

    • com.sun.management.jmxremote.registry.ssl=true creates an RMI registry protected by SSL and configures an out-of-the-box management agent when the Java VM is started.

    • com.sun.management.jmxremote.registry.ssl=true requires that com.sun.management.jmxremote.ssl.need.client.auth=true is also enabled. You must:

    • Set appropriate paths to the keystore and truststore files.

    • Set the passwords to the passwords set during keystore and truststore generation.

  3. Restart DSE.

  4. To configure the client settings, create a .cassandra/nodetool-ssl.properties file in your home or client program directory with the following settings on the node on which the command will run.

    For production:

    -Dcom.sun.management.jmxremote.ssl=true
-Dcom.sun.management.jmxremote.ssl.need.client.auth=false
-Dcom.sun.management.jmxremote.registry.ssl=true
-Djavax.net.ssl.keyStore=/usr/local/lib/dse/resources/dse/conf/.keystore
-Djavax.net.ssl.keyStorePassword=cassandra
-Djavax.net.ssl.trustStore=/usr/local/lib/cassandra/conf/.truststore
-Djavax.net.ssl.trustStorePassword=cassandra

    For development:

    -Djavax.net.ssl.keyStore=keystore.node0
-Djavax.net.ssl.keyStorePassword=cassandra
-Djavax.net.ssl.trustStore=truststore.node0
-Djavax.net.ssl.trustStorePassword=cassandra
-Dcom.sun.management.jmxremote.ssl.need.client.auth=true
-Dcom.sun.management.jmxremote.registry.ssl=true

To use nodetool, dsetool, and dse advrep with SSL for an encrypted connection for any operation:

  1. Start the command with the --ssl option.

    nodetool example:

    nodetool --ssl <command>

    dsetool example:

    dsetool --ssl <command>

    dse advrep example:

    dse advrep --ssl <command>

  2. Start the command with the --ssl option for an encrypted connection and specify the username and password for authentication and authorization for any operation. If you do not enter a password, you are prompted to enter one.

    nodetool example:

    nodetool --ssl -u <username> -pw <password> <command>

    dsetool example:

    dsetool --ssl -a <jmx_username> -b <jmxpassword> <command>

    dse advrep example:

    dse advrep --ssl -u <username> <command>

Was this helpful?

Give Feedback

How can we improve the documentation?

© Copyright IBM Corporation 2025 | Privacy policy | Terms of use Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: Contact IBM