Securing internal transactional node connections

Node-to-node (internode) encryption protects data in-flight between nodes in a cluster using SSL (Secure Sockets Layer).
Tip: For information about generating SSL certificates, see Setting up SSL certificates.

OpsCenter Lifecycle Manager can configure DataStax Enterprise clusters to use node-to-node encryption. It automates the process of preparing server certificates using an internal certificate authority and deploys the resulting keystore and truststore to each node.

cassandra.yaml

The location of the cassandra.yaml file depends on the type of installation:
  • Package installations: /etc/dse/cassandra/cassandra.yaml
  • Tarball installations: installation_location/resources/cassandra/conf/cassandra.yaml

Procedure

To enable node-to-node SSL encryption:

  1. Set the server_encryption_options in the cassandra.yaml file on each node:
    server_encryption_options:
       internode_encryption: all
       keystore: resources/dse/conf/keystore.jks
       keystore_password: myPassKey
       truststore: resources/dse/conf/truststore.jks
       truststore_password: truststorePass
       require_client_auth: true
       require_endpoint_verification: true
    Required settings:
    • internode_encryption: To enable encryption, choose one of the following:
      • all
      • dc
      • rack
    • keystore: Relative path from the DSE installation directory, or absolute path, to the keystore file.
    • keystore_password: Password to access the keystore.
    • truststore: Relative path from the DSE installation directory, or absolute path, to the truststore file.
    • truststore_password: Password to access the truststore.
    • require_client_auth: Enables two-way encryption. After enabling it, you must configure clients, such as nodetool and cqlsh, to use SSL.
    • require_endpoint_verification: Optional. Verifies that the connected host and the host name in the certificate match.
  2. Restart DSE.
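
The following check is an added example, not part of the DataStax documentation or tooling. It reads the server_encryption_options block from cassandra.yaml text and reports settings that differ from the procedure above. The function names, the sample file and the choice to report the optional require_endpoint_verification setting are assumptions made for illustration.

```python
import re

# Passwords shown in the procedure's sample block; they should never be deployed.
DOC_EXAMPLE_PASSWORDS = {"myPassKey", "truststorePass"}
REQUIRED_KEYS = ("keystore", "keystore_password", "truststore", "truststore_password")

def parse_server_encryption_options(yaml_text):
    """Return the key/value pairs nested under server_encryption_options (stdlib only)."""
    options, block_indent = {}, None
    for raw in yaml_text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()          # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if block_indent is None:                       # still looking for the block
            if line.strip() == "server_encryption_options:":
                block_indent = indent
            continue
        if indent <= block_indent:                     # dedent: the block has ended
            break
        match = re.match(r"\s*([A-Za-z_]+)\s*:\s*(.*)$", line)
        if match:
            options[match.group(1)] = match.group(2).strip().strip("'\"")
    return options

def audit(options):
    """Return a list of findings; an empty list means the block matches the procedure."""
    findings = []
    if options.get("internode_encryption", "none") not in ("all", "dc", "rack"):
        findings.append("internode_encryption is not all, dc or rack")
    for key in REQUIRED_KEYS:
        if not options.get(key):
            findings.append(f"{key} is not set")
        elif options[key] in DOC_EXAMPLE_PASSWORDS:
            findings.append(f"{key} uses the documentation example value")
    for key in ("require_client_auth", "require_endpoint_verification"):
        if options.get(key, "false").lower() != "true":
            findings.append(f"{key} is not true")
    return findings

# Constructed sample: a node whose internode traffic is not encrypted.
SAMPLE = """\
server_encryption_options:
    internode_encryption: none
    keystore: resources/dse/conf/keystore.jks
    keystore_password: myPassKey
    require_client_auth: false
cluster_name: demo
"""
print("\n".join(audit(parse_server_encryption_options(SAMPLE))))
```

Run it against the cassandra.yaml of every node before the restart in step 2, since all nodes must carry the same settings.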