Configure SSL for client-to-node in production environments

Set up SSL for client-to-node connections for a cluster in a production environment.

cassandra.yaml

The location of the cassandra.yaml file depends on the type of installation:
  • Package installations: /etc/dse/cassandra/cassandra.yaml
  • Tarball installations: installation_location/resources/cassandra/conf/cassandra.yaml

Procedure

Perform these steps on each node:

Note: DSE Search and Spark nodes require the truststore entries in cassandra.yaml.

  1. Enable SSL. In the client_encryption_options section, set enabled to true.
  2. Reject unencrypted connections. Set optional to false (the default). With optional: true the node accepts both encrypted and plaintext client connections, which defeats the purpose of this procedure.
  3. Require two-way (mutual) certificate validation. Set require_client_auth to true so that the node also verifies each client's certificate against its truststore; truststore and truststore_password must then be set as well.
  4. Configure the keystore and truststore. Use keystore_type and truststore_type to declare each store's format; do not also set the older single store_type key to a different format, since the two settings would disagree.
    • Local files - use the following settings:
      Example with local files:
      client_encryption_options:
          enabled: true
          keystore_type: PKCS12
          keystore: resources/dse/conf/.keystore
          keystore_password: cassandra
          require_client_auth: true
          truststore_type: PKCS12
          truststore: resources/dse/conf/.truststore
          truststore_password: cassandra
          protocol: ssl
          algorithm: SunX509
          cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA]
      The password cassandra shown here is the value DSE ships with; replace both passwords with your own before the node goes into production. TLS_RSA_WITH_AES_128_CBC_SHA uses static RSA key exchange and therefore provides no forward secrecy; prefer ECDHE suites (for example TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) if your clients support them.
    • Remote device using custom provider:
      Note: Requires installation of a provider. See Using a remote PKCS11 keystore provider.
      Example with remote:
      client_encryption_options:
          enabled: true
          keystore_type: PKCS12
          keystore: resources/dse/conf/.keystore
          keystore_password: cassandra
          require_client_auth: false
          protocol: ssl
          algorithm: SunX509
          cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA]
      As written, this example leaves require_client_auth at false and configures no truststore, so it does not yet satisfy step 3. For production, set require_client_auth to true and add truststore, truststore_type and truststore_password entries as in the local-file example; the same notes about the default password and the cipher suite apply here.
  5. Restart DataStax Enterprise.
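The following Python script is an added example, not DataStax code or part of the original page. It lints a client_encryption_options block against steps 1 to 3 above and adds two checks a security review would make: passwords still equal to the shipped default cassandra, and cipher suites that use static RSA key exchange or CBC mode. It embeds a constructed copy of the local-file example from step 4 and a constructed hardened variant; the hardened file paths and passwords are placeholders, and the ECDHE/GCM suite names are standard JSSE names that are assumed to be enabled in the node's JDK. The parser handles only the flat layout these examples use, not arbitrary YAML.

```python
import re

# The DSE-shipped placeholder password; anything equal to it is a finding.
DEFAULT_PASSWORDS = {"cassandra"}
# Static-RSA key exchange (no forward secrecy) or CBC-mode suites.
WEAK_SUITE = re.compile(r"^TLS_RSA_|_CBC_")

# Constructed copy of the page's local-file example (step 4).
PAGE_LOCAL_EXAMPLE = """\
client_encryption_options:
    enabled: true
    keystore_type: PKCS12
    keystore: resources/dse/conf/.keystore
    keystore_password: cassandra
    require_client_auth: true
    truststore_type: PKCS12
    truststore: resources/dse/conf/.truststore
    truststore_password: cassandra
    protocol: ssl
    algorithm: SunX509
    cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA]
"""

# Constructed hardened variant (assumption: paths and passwords are
# placeholders; suite names are standard JSSE names).
HARDENED_EXAMPLE = """\
client_encryption_options:
    enabled: true
    optional: false
    keystore_type: PKCS12
    keystore: /etc/dse/keys/node.p12
    keystore_password: example-keystore-secret
    require_client_auth: true
    truststore_type: PKCS12
    truststore: /etc/dse/keys/truststore.p12
    truststore_password: example-truststore-secret
    protocol: TLS
    algorithm: SunX509
    cipher_suites: [TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
"""


def parse_client_encryption_options(text):
    """Return the flat key/value mapping under client_encryption_options:.

    Handles only the layout the page's examples use: one `key: value` per
    line, true/false booleans, and `[a, b]` flow lists.  Not a YAML parser.
    """
    opts, section_indent = {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if stripped == "client_encryption_options:":
            section_indent = indent
            continue
        if section_indent is None:
            continue  # still before the section
        if indent <= section_indent:
            break  # a key at the section's own level ends it
        key, _, value = stripped.partition(":")
        value = value.strip()
        if value.startswith("[") and value.endswith("]"):
            value = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        elif value.lower() in ("true", "false"):
            value = value.lower() == "true"
        opts[key.strip()] = value
    return opts


def lint(opts):
    """Return a list of findings; an empty list means the block passes."""
    findings = []
    if opts.get("enabled") is not True:
        findings.append("enabled must be true (step 1)")
    if opts.get("optional", False) is not False:
        findings.append("optional must be false so plaintext connections are refused (step 2)")
    if opts.get("require_client_auth") is not True:
        findings.append("require_client_auth must be true for two-way validation (step 3)")
    elif not opts.get("truststore"):
        findings.append("require_client_auth is true but no truststore is configured")
    for key in ("keystore_password", "truststore_password"):
        if opts.get(key) in DEFAULT_PASSWORDS:
            findings.append(f"{key} is the shipped default value")
    weak = [s for s in opts.get("cipher_suites", []) if WEAK_SUITE.search(s)]
    if weak:
        findings.append("cipher suites without forward secrecy or using CBC: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for name, text in (("page example", PAGE_LOCAL_EXAMPLE), ("hardened", HARDENED_EXAMPLE)):
        print(name, lint(parse_client_encryption_options(text)) or ["OK"])
```

To check a real node, read its cassandra.yaml into parse_client_encryption_options and run lint on the result; the page's own local-file example produces three findings (both default passwords and the static-RSA suite), the hardened variant none. After the restart in step 5, also confirm the effect on the wire: a plaintext cqlsh connection (without --ssl) to port 9042 must be refused once optional is false, and with require_client_auth set to true a TLS client that presents no certificate must fail the handshake.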