Using a remote keystore provider
Implement additional providers such as PKCS12.
cassandra.yaml
The location of the cassandra.yaml file depends on the type of installation:
Package installations: /etc/dse/cassandra/cassandra.yaml
Tarball installations: installation_location/resources/cassandra/conf/cassandra.yaml
DataStax Enterprise (DSE) database uses the Java Cryptography Architecture (JCA) to implement SSL
providers. The JCA is a pluggable architecture that separates the algorithm being requested from the
cryptographic implementation that supplies it. To allow implementations to be swapped out, DSE
database requests algorithms by name, for example Cipher.getInstance("AES"), and the JCA selects the
highest-precedence installed provider that implements the requested algorithm.
A PKCS12 truststore created directly with OpenSSL does not work with DSE:
openssl pkcs12 -export -nokeys -out truststore.pfx -in intermediate.chain.pem
Java's PKCS12 implementation only treats a certificate as a trusted entry when it carries the Oracle
trustedKeyUsage bag attribute, which keytool sets and openssl does not, so such a store loads with
no trusted entries. However, truststores generated via Java's keytool and then converted to PKCS12
work with DSE. Example:
keytool -importcert -alias rootca -file rootca.pem -keystore truststore.jks
keytool -importcert -alias intermediate -file intermediate.pem -keystore truststore.jks
keytool -importkeystore -srckeystore truststore.jks -destkeystore truststore.pfx -deststoretype pkcs12
PKCS12 is typically used to store private key and certificate information in files. The default
keystore type in Java is JKS, though you can specify PKCS12 with the -storetype option when creating a
keystore with keytool.
The keystore_type and truststore_type parameters in cassandra.yaml determine which KeyStore SPI DSE
database requests from the JCA, and therefore which installed provider serves it; the type given there
must match the format of the file on disk. See related information about PKCS12 as a truststore_type.
Installing additional providers
Install providers by editing the java.security configuration file that ships with the JRE, located at
$JAVA_HOME/lib/security/java.security (in JDK 9 and later, $JAVA_HOME/conf/security/java.security).
Each security.provider.N entry registers one provider; N sets its precedence, so choose a number that
does not collide with an existing entry. Providers that take a configuration file accept its path as a
second argument. For an environment where PKCS12 is the keystore type and a Cassandra-only workload,
use:
security.provider.10=sun.security.pkcs12.SunPKCS12 path-to-pkcs12-provider-config-file
Example:
security.provider.10=sun.security.pkcs12.SunPKCS12 /opt/bar/cfg/pkcs12.cfg
For details, see the Oracle Java Secure Socket Extension (JSSE) Reference Guide.
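The following is an added example, not code from DSE or the DataStax documentation, that checks both of the points above: that the provider registered in java.security is the one the JCA actually selects for the PKCS12 KeyStore SPI, and that a truststore referenced from cassandra.yaml with truststore_type: PKCS12 loads with real trusted entries (an OpenSSL-generated store loads without error but lists none). The default file name truststore.pfx, the store type argument, and the interactive password prompt are assumptions for illustration; run it with the JVM and java.security that DSE uses.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Added example (not DSE code): lists the installed JCA providers in
 * precedence order, loads a truststore with the type configured in
 * cassandra.yaml, reports which provider served the KeyStore SPI, and
 * fails if the store contains no trusted certificate entries.
 */
public class TruststoreProviderCheck {

    /** Prints the providers in the order java.security registered them. */
    static void listProviders() {
        int n = 1;
        for (Provider p : Security.getProviders()) {
            System.out.printf("security.provider.%d = %s (%s)%n",
                    n++, p.getName(), p.getClass().getName());
        }
    }

    /**
     * Loads the store with the requested type and reports the provider that
     * supplied the SPI. A null password skips the PKCS12 integrity check,
     * which is sufficient for inspecting entries.
     */
    static KeyStore loadTruststore(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        System.out.printf("%s loaded as %s via provider %s%n",
                path, ks.getType(), ks.getProvider().getName());
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults; pass the real path and truststore_type from cassandra.yaml.
        String path = args.length > 0 ? args[0] : "truststore.pfx";
        String type = args.length > 1 ? args[1] : "PKCS12";
        char[] password = System.console() != null
                ? System.console().readPassword("Truststore password (empty to skip integrity check): ")
                : null;
        if (password != null && password.length == 0) {
            password = null;
        }

        listProviders();
        KeyStore ks = loadTruststore(path, type, password);

        // A store that loads but has no trusted entries is the symptom of a
        // PKCS12 built by openssl: certificates without the trustedKeyUsage
        // attribute are silently dropped, and TLS validation will fail.
        int trusted = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
                System.out.printf("  trusted entry %s: %s%n", alias, cert.getSubjectX500Principal());
                trusted++;
            }
        }
        if (trusted == 0) {
            System.err.println("No trusted certificate entries found; rebuild the truststore with keytool.");
            System.exit(1);
        }
    }
}
```

Compile and run it as `java TruststoreProviderCheck /path/to/truststore.pfx PKCS12` under the same JVM that runs DSE, so that the java.security file it reads is the one you edited. The provider printed by loadTruststore is the one DSE will use for that store type; if it is not the provider you registered, check the security.provider.N numbering for a collision with an existing entry.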