Configuring SSL for node-to-node connections

Node-to-node (internode) encryption protects data in flight between database nodes in a cluster using SSL (Secure Sockets Layer).
Tip: For information about generating SSL certificates, see Using local SSL certificate and keystore files.

OpsCenter Lifecycle Manager can configure DataStax Enterprise clusters to use node-to-node encryption. It automates the preparation of server certificates using an internal certificate authority and deploys the resulting keystore and truststore to each node automatically.

cassandra.yaml

The location of the cassandra.yaml file depends on the type of installation:
  • Package installations: /etc/dse/cassandra/cassandra.yaml
  • Tarball installations: installation_location/resources/cassandra/conf/cassandra.yaml

Procedure

To enable node-to-node SSL encryption, set the server_encryption_options properties in the cassandra.yaml file on each node:

  1. Limit which traffic between nodes is encrypted. Set internode_encryption to one of the following options:
    • all - Encrypt all inter-node communications
    • none - No encryption
    • dc - Encrypt the traffic between the datacenters (server only)
    • rack - Encrypt the traffic between the racks (server only)
  2. Require client-to-node encryption. Set require_client_auth to true.
    Tip: After enabling this option, you must configure clients, such as nodetool and cqlsh, to use SSL.
  3. Verify that the connected hostname matches the certificate. Set require_endpoint_verification to true.
  4. Configure the keystore and truststore:
    • Local keystore and truststore files:
      • keystore_type: PKCS12
      • keystore: Relative path from DSE installation directory or absolute path to the keystore file.
      • keystore_password: Password to access the keystore.
      • truststore_type: PKCS12
      • truststore: Relative path from DSE installation directory or absolute path to truststore file.
      • truststore_password: Password to access truststore.
      Example with local files:
      server_encryption_options:
         internode_encryption: all
         keystore_type: PKCS12
         keystore: resources/dse/conf/keystore.jks
         keystore_password: myPassKey
         truststore_type: PKCS12
         truststore: resources/dse/conf/truststore.jks
         truststore_password: truststorePass
         require_client_auth: true
         require_endpoint_verification: true
      Tip: To encrypt the truststore and keystore passwords, see Encrypting configuration file properties (for either local encryption or KMIP).
    • Remote keystore and truststore:
      Note: Requires installation of a provider. See Using a remote PKCS11 keystore provider.
      Example with a remote keystore and truststore:
      server_encryption_options:
         internode_encryption: all
         keystore_type: PKCS11
         keystore: 
         keystore_password: 
         truststore_type: PKCS11
         truststore: 
         truststore_password: 
         require_client_auth: 
         require_endpoint_verification:
  5. Restart DSE.
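The procedure above leaves four settings that together decide whether internode traffic is actually encrypted and authenticated. The following script is an added example, not part of DataStax Enterprise or OpsCenter: it reads the server_encryption_options block out of a cassandra.yaml (with a small purpose-built parser, so no PyYAML dependency) and reports settings that would leave traffic in cleartext or peers unverified, plus the keystore_type/file-extension mismatch that is easy to miss. The two embedded cassandra.yaml fragments are constructed samples; the function names and severities are this example's own.

```python
"""Audit the server_encryption_options block of a cassandra.yaml.

Hypothetical helper, not part of DSE or OpsCenter. It understands only the
flat, one-level-indented key/value layout used by the *_encryption_options
blocks and reports settings that leave node-to-node traffic unencrypted or
unauthenticated.
"""
import re

# Constructed sample: the "local files" example from the procedure, but with
# weaker choices so the audit has something to report.
SAMPLE_YAML = """\
cluster_name: 'Test Cluster'
server_encryption_options:
   internode_encryption: dc
   keystore_type: PKCS12
   keystore: resources/dse/conf/keystore.jks
   keystore_password: myPassKey
   truststore_type: PKCS12
   truststore: resources/dse/conf/truststore.jks
   truststore_password: truststorePass
   require_client_auth: false
   require_endpoint_verification: true
client_encryption_options:
   enabled: false
"""

# Constructed sample: the same block with every setting at its strict value.
HARDENED_YAML = """\
server_encryption_options:
   internode_encryption: all
   keystore_type: PKCS12
   keystore: resources/dse/conf/keystore.p12
   keystore_password: myPassKey
   truststore_type: PKCS12
   truststore: resources/dse/conf/truststore.p12
   truststore_password: truststorePass
   require_client_auth: true
   require_endpoint_verification: true
"""

_TOP = re.compile(r"^(\S[^:]*):\s*(.*?)\s*$")
_CHILD = re.compile(r"^\s+([A-Za-z_]\w*):\s*(.*?)\s*$")


def parse_section(text, section):
    """Return the key/value pairs nested directly under `section`.

    Values keep their literal text with surrounding quotes stripped; a key
    with no value becomes "". A '#' preceded by whitespace starts a comment,
    so a '#' inside a password is left alone.
    """
    found = {}
    inside = False
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # a new top-level key ends the section
            m = _TOP.match(line)
            inside = bool(m) and m.group(1) == section
            continue
        if inside:
            m = _CHILD.match(line)
            if m:
                found[m.group(1)] = m.group(2).strip("'\"")
    return found


def _is_true(value):
    return value.strip().lower() == "true"


def audit(text):
    """Return a list of (severity, message) findings; an empty list is clean."""
    opts = parse_section(text, "server_encryption_options")
    findings = []

    mode = opts.get("internode_encryption", "none")  # Cassandra default is none
    if mode == "none":
        findings.append(("HIGH", "internode_encryption is 'none': node-to-node traffic is cleartext"))
    elif mode in ("dc", "rack"):
        scope = "datacenter" if mode == "dc" else "rack"
        findings.append(("MEDIUM", f"internode_encryption is '{mode}': traffic inside one {scope} stays unencrypted"))
    elif mode != "all":
        findings.append(("HIGH", f"internode_encryption has unexpected value '{mode}'"))

    if not _is_true(opts.get("require_client_auth", "false")):
        findings.append(("MEDIUM", "require_client_auth is not true: the connecting node need not present a certificate"))
    if not _is_true(opts.get("require_endpoint_verification", "false")):
        findings.append(("MEDIUM", "require_endpoint_verification is not true: peer hostname is not checked against its certificate"))

    for store in ("keystore", "truststore"):
        stype = opts.get(f"{store}_type", "JKS").upper()  # Cassandra default is JKS
        if stype == "PKCS11":
            continue  # remote provider: path and password live with the provider
        path = opts.get(store, "")
        if not path:
            findings.append(("HIGH", f"{store} path is empty"))
        elif stype == "PKCS12" and path.lower().endswith(".jks"):
            findings.append(("LOW", f"{store}_type is PKCS12 but {store} points at a .jks file; confirm the file format"))
        if not opts.get(f"{store}_password"):
            findings.append(("LOW", f"{store}_password is empty"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_YAML), ("hardened", HARDENED_YAML)):
        print(f"[{name}]")
        for sev, msg in audit(text) or [("OK", "no findings")]:
            print(f"  {sev}: {msg}")
```

Run it against a real file by passing `open("/etc/dse/cassandra/cassandra.yaml").read()` to `audit()`. Only the server_encryption_options block is inspected; the parser deliberately ignores every other section, so a cassandra.yaml that uses YAML features beyond simple `key: value` lines elsewhere does not confuse it.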