Configuring SSL for node-to-node connections

Node-to-node (internode) encryption protects data in-flight between database nodes in a cluster.

Node-to-node (internode) encryption protects data in-flight between nodes in a cluster using SSL.

cassandra.yaml

The location of the cassandra.yaml file depends on the type of installation:
Package installations /etc/dse/cassandra/cassandra.yaml
Tarball installations installation_location/resources/cassandra/conf/cassandra.yaml

Prerequisites

Create SSL certificates, keystores, and truststores. You can either create local keystore files or use a remote keystore provider.

OpsCenter Lifecycle Manager can configure DataStax Enterprise clusters to use node-to-node encryption and automates the process of preparing server certificates using an internal certificate authority and deploys the resulting keystore and truststore to each node automatically.

Procedure

  1. Edit cassandra.yaml and make the following changes to the server_encryption_options section to enable SSL:
    1. Set internode_encryption to one of the following options to limit which traffic between nodes is encrypted:
      • all - Encrypt all inter-node communications
      • none - No encryption
      • dc - Encrypt the traffic between the datacenters
      • rack - Encrypt the traffic between the racks
    2. Set require_client_auth to true to require two-way host certificate validation.
    3. Set require_endpoint_verification to true to verify that the connected node's IP address matches the certificate.
  2. Configure the keystore and truststore. All settings are configured in the server_encryption_options section of cassandra.yaml:
    • Local files: use the following settings.
      server_encryption_options:
    internode_encryption: all
    store_type: JKS
    keystore: path_to_keystore.jks
    keystore_password: keystore_password
    require_client_auth: true
    require_endpoint_verification: true
    truststore_type: JKS
    truststore: path_to_truststore.jks
    truststore_password: truststore_password
      Tip: To encrypt the truststore and keystore passwords for local encryption, see Encrypting configuration file properties or for KMIP see Encrypting configuration file properties.
    internode_encryption
    Encryption options for of inter-node communication using the TLS_RSA_WITH_AES_128_CBC_SHA cipher suite for authentication, key exchange, and encryption of data transfers. Use the DHE/ECDHE ciphers, such as TLS_DHE_RSA_WITH_AES_128_CBC_SHA if running in (Federal Information Processing Standard) FIPS 140 compliant mode.
    store_type
    Valid types are JKS, JCEKS, and PKCS12.
    Note: PKCS11 is not supported.

    Default: commented out (JKS)

    keystore
    Relative path from DSE installation directory or absolute path to the Java keystore (JKS) suitable for use with Java Secure Socket Extension (JSSE), which is the Java version of the Secure Sockets Layer (SSL), and Transport Layer Security (TLS) protocols. The keystore contains the private key used to encrypt outgoing messages.

    Default: resources/dse/conf/.keystore

    keystore_password
    Password for the keystore. This must match the password used when generating the keystore and truststore.

    Default: cassandra

    require_client_auth
    Whether to enable certificate authentication for node-to-node (internode) encryption. When not set, the default is false.

    Default: commented out (false)

    require_endpoint_verification
    Whether to verify the connected host and the host IP address in the certificate match. If set to true, the endpoint that you specify when generating the certificate key must be an IP address. Do not specify a DNS hostname. Example with a correctly specified IP address:
    keytool -genkeypair -keyalg RSA \
    -alias node0 \
    -keystore my_keystore.jks \
    -storepass cassandra \
    -keypass cassandra \
    -validity 730 \
    -keysize 2048 \
    -dname "CN=node0, OU=lacerda-ssl, O=Datastax, C=CC" \
    -ext "san=ip:10.101.35.236"

    Default: false

    truststore_type
    Valid types are JKS, JCEKS, and PKCS12.
    Attention: PKCS11 is not supported. Also, due to an OpenSSL issue, you cannot use a PKCS12 truststore that was generated via OpenSSL. For example, a truststore generated via the following command will not work with DSE:
    openssl pkcs12 -export -nokeys -out truststore.pfx -in intermediate.chain.pem
    However, truststores generated via Java's keytool and then converted to PKCS12 work with DSE. Example:
    keytool -importcert -alias rootca -file rootca.pem -keystore truststore.jks
    keytool -importcert -alias intermediate -file intermediate.pem -keystore truststore.jks
    keytool -importkeystore -srckeystore truststore.jks -destkeystore truststore.pfx -deststoretype pkcs12

    Default: commented out (JKS)

    truststore
    Relative path from DSE installation directory or absolute path to truststore containing the trusted certificate for authenticating remote servers.

    Default: resources/dse/conf/.truststore

    truststore_password
    Password for the truststore.

    Default: cassandra

  3. Save and close the cassandra.yaml file.
  4. Restart DSE.