Enabling SSL encryption for DSEFS

DSEFS can use SSL encryption.

There are two parts to enabling SSL encryption for DSEFS: node-to-node encryption, and client-to-node encryption. Enabling node-to-node encryption in DSE automatically enables encrypted communication between DSEFS nodes. DSE nodes with client-to-node encryption enabled allow SSL connections from the DSEFS shell.

Configuring the DSEFS shell to use SSL encryption

In most cases, you do not need to add any DSEFS shell settings to connect using SSL. If no ~/.dse/dsefs-shell.yaml configuration file is found, the DSEFS shell attempts to load the server-side configuration and SSL settings from the DSE configuration files.

To manually configure SSL, create and edit the DSEFS shell configuration file. The DSEFS shell is configured in the ~/.dse/dsefs-shell.yaml configuration file. Add the following settings to enable SSL encryption:

encryption_options:
  # set to true to enable a secure client-server connection
  enabled: true
  # if optional is true and enabled is true, SSL is used if possible,
  # but the connection falls back to non-SSL if it is not
  optional: true
  # path to truststore
  truststore_path: path
  # optional truststore type; default value: JKS
  truststore_type:
  # optional, prompted for if not given
  truststore_password:
  # path to keystore
  keystore_path: path
  # optional keystore type; default value: JKS
  keystore_type:
  # optional, prompted for if not given
  keystore_password:
  # optional protocol name; default value: TLSv1.2
  protocol:
  # optional keymanager and trustmanager algorithm; default value: SunX509
  algorithm:
  # optional list of ciphers
  cipher_suites:
  # set to true to enable checking that the certificate matches the endpoint address
  require_endpoint_verification: false

The same settings can be given as dse fs command-line options, except keystore_password, truststore_password, and cipher_suites. If the passwords are not given in the configuration file, they are prompted for at DSEFS shell startup. Command-line options override settings read from the configuration file.

Note: If a non-optional secure connection is established, a [secure] flag appears in the DSEFS shell prompt.
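As an added example (not part of DataStax's documentation or of the DSEFS shell itself), a small Python audit that reads the encryption_options block of a dsefs-shell.yaml and flags the settings that weaken the shell-to-node connection: optional fall-back to non-SSL, endpoint verification left off, a protocol below the documented TLSv1.2 default, or an empty truststore_path. The two configuration samples and their paths are constructed placeholders, and the minimal parser only handles the flat block shown above.

```python
# Constructed sample: SSL enabled, but optional fall-back to plaintext and no endpoint verification.
SAMPLE_WEAK = """\
encryption_options:
  enabled: true
  optional: true
  truststore_path: /path/to/truststore   # placeholder path
  require_endpoint_verification: false
"""

# Constructed sample: same file with the hardened values.
SAMPLE_HARDENED = """\
encryption_options:
  enabled: true
  optional: false
  truststore_path: /path/to/truststore   # placeholder path
  protocol: TLSv1.2
  require_endpoint_verification: true
"""

def parse_encryption_options(text):
    """Minimal parser for the flat block shown above; '' for keys left blank."""
    opts, in_block = {}, False
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line.startswith(' '):              # top-level key
            in_block = line.strip() == 'encryption_options:'
            continue
        if in_block:
            key, _, value = line.strip().partition(':')
            opts[key.strip()] = value.strip()
    return opts

def audit(opts):
    """Return findings for settings that weaken the shell-to-node connection."""
    findings = []
    if opts.get('enabled', '').lower() != 'true':
        return ['enabled is not true: the shell connects without SSL']
    if opts.get('optional', '').lower() == 'true':
        findings.append('optional: true lets the shell fall back to a non-SSL connection')
    if opts.get('require_endpoint_verification', '').lower() != 'true':
        findings.append('require_endpoint_verification is not true: certificate not matched to node address')
    protocol = opts.get('protocol') or 'TLSv1.2'  # TLSv1.2 is the documented default
    if protocol in ('SSLv3', 'TLSv1', 'TLSv1.1'):
        findings.append(f'protocol {protocol} is weaker than the TLSv1.2 default')
    if not opts.get('truststore_path'):
        findings.append('truststore_path is empty: node certificate cannot be validated')
    return findings
```

Run audit(parse_encryption_options(open('~/.dse/dsefs-shell.yaml').read())) against a real file; an empty list means none of the checked settings is weakened.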