Using CQL shell (cqlsh) with SSL

To use cqlsh with Kerberos and SSL, use the sample files as a starting point and make changes as appropriate for your environment.

Example files

DataStax Enterprise provides sample files and examples to help configure authentication for Kerberos, SSL, and Kerberos and SSL:

Make changes as appropriate for your environment.

See the cqlshrc.sample.

SSL example

DataStax Enterprise provides a sample cqlshrc.sample.ssl file that you can use as a starting point.

username = fred
password = !!bang!!$

hostname =
port = 9042

certfile = ~/keys/cassandra.cert
validate = false ;; Optional, true by default. See the paragraph below.

[certfiles] ;; Optional section, overrides the default certfile in the [ssl] section. = /etc/dse/cassandra/conf/dsenode0.cer = /etc/dse/cassandra/conf/dsenode1.cer

cqlsh does not work with the certfile in the original format generated. If require_client_auth = true, use openssl to generate a PEM file of the certificate with no keys (<user>.cer.pem) and a PEM file of the key with no certificate (<user>.key.pem). Add the following lines to [ssl] in ~/.cassandra/cqlshrc

# The next 2 lines must be provided when require_client_auth = true in the cassandra.yaml file
userkey = ~/<user>.key.pem
usercert = ~/<user>.cer.pem

The keystore is imported in PKCS12 format to a destination keystore (<user>.p12).

keytool -importkeystore -srckeystore .keystore -destkeystore <user>.p12 -deststoretype PKCS12

Convert the two PEM files. When validate is enabled, you must create a PEM key to be used in the cqlshrc file.

openssl pkcs12 -in <user>.p12 -nokeys -out <user>.cer.pem -passin pass:cassandra
openssl pkcs12 -in <user>.p12 -nodes -nocerts -out <user>.key.pem -passin pass:cassandra

In cqlshrc.sample.ssl, ensure the userkey points to <user>.key.pem and the usercert points to <user>.cer.pem.

This PEM key is required because the host in the certificate is compared to the host of the machine that it is connected to. The SSL certificate must be provided either in the configuration file or as an environment variable. The environment variables (SSL_CERTFILE and SSL_VALIDATE) override any options set in this file.

Kerberos and SSL

DataStax Enterprise provides a sample cqlshrc.sample.kerberos_ssl file that you can use as a starting point.

For information about using Kerberos with SSL, see Using CQL shell (cqlsh) with SSL.

The settings for using both Kerberos and SSL are a combination of the Kerberos and SSL sections in these examples.

The supported environmental variables are KRB_SERVICE, SSL_CERTFILE, and SSL_VALIDATE variables.

Debugging cqlsh authentication

Use the --debug option to troubleshoot authentication problems with cqlsh. Pass the --debug option to cqlsh to populate the debug log message with the type of authentication that cqlsh is attempting.

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000,