Configuring SSL for nodetool, nodesync, dsetool, and Advanced Replication
Complete the following procedure to configure JMX for using nodetool, nodesync, dsetool, and DataStax Enterprise (DSE) Advanced Replication with SSL.
|
Make these changes in the |
Prerequisites
|
For production environments, secure an entire cluster using |
Procedure
-
Locate the
cassandra-env.shfile. The location of this file depends on the type of installation:-
Package installations:
/etc/dse/cassandra/cassandra-env.sh -
Tarball installations:
<installation_location>/resources/cassandra/conf/cassandra-env.sh
-
-
Open the
cassandra-env.shfile. -
nodetool: To configure the client settings for nodetool, create a .
cassandra/nodetool-ssl.propertiesfile in your home or client program directory on the node where you will run the command. Add the following settings, depending on whether you are running the command in a production or development environment.touch ~/.cassandra/nodetool-ssl.propertiesProduction environment:
-Dcom.sun.management.jmxremote.ssl=true -Dcom.sun.management.jmxremote.ssl.need.client.auth=false -Dcom.sun.management.jmxremote.registry.ssl=true -Djavax.net.ssl.keyStore=<path_to_keystore> -Djavax.net.ssl.keyStorePassword=<keystore-password> -Djavax.net.ssl.trustStore=<path_to_truststore> -Djavax.net.ssl.trustStorePassword=<truststore-password>Development environment:
-Dcom.sun.management.jmxremote.ssl.need.client.auth=true -Dcom.sun.management.jmxremote.registry.ssl=true -Djavax.net.ssl.keyStore=<path_to_keystore> -Djavax.net.ssl.keyStorePassword=<keystore-password> -Djavax.net.ssl.trustStore=<path_to_truststore> -Djavax.net.ssl.trustStorePassword=<truststore-password> -
nodesync: To configure the client settings for nodesync, create a
.cassandra/nodesync-ssl.propertiesfile in your home or client program directory on the node where you will run the command. Add the following settings to the file.The file for nodesync is equivalent to the
.cassandra/nodetool-ssl.propertiesfile used by nodetool, except that it defines properties shared byJMXandCQL.touch ~/.cassandra/nodesync-ssl.properties-Dcom.sun.management.jmxremote.ssl=true -Dcom.sun.management.jmxremote.ssl.need.client.auth=true -Djavax.net.ssl.keyStore=<path_to_keystore> -Djavax.net.ssl.keyStorePassword=<keystore-password> -Djavax.net.ssl.trustStore=<path_to_truststore> -Djavax.net.ssl.trustStorePassword=<truststore-password>The JVM properties for nodesync should be the same as those set for nodetool, but defined in a separate file, such as
nodesync-jvm.options. DataStax recommends maintaining separate option files for nodetool and nodesync. For example, you might need SSL only in theCQLconnection, but not inJMX. In this case, nodetool would not require theJVMproperties, while nodesync would need them defined. -
Start the appropriate tool using the following options to establish an encrypted connection with username and password credentials, or an auth provider class (for
CQL). If you provide a username option but not a password, you are prompted to enter one.nodetool
nodetool --ssl -u <jmx_username> -pw <jmx_password> <command>nodesync (JMX, CQL, or both)
nodesync --jmx-ssl --jmx-username <jmx_username> --jmx-password <jmx_password> <command>nodesync --cql-ssl --cql-username <cql_username> --cql-password <cql_password> <command>nodesync --cql-ssl --cql-auth-provider <cql-auth-provider-ClassName> <command>nodesync --jmx-ssl --jmx-username <jmx_username> --jmx-password <jmx_password> --cql-ssl --cql-username <cql_username> --cql-password <cql_password> <command>nodesync --jmx-ssl --jmx-username <jmx_username> --jmx-password <jmx_password> --cql-ssl --cql-auth-provider <cql-auth-provider-ClassName> <command>dsetool
dsetool --ssl -a <jmx_username> -b <jmx_password> <command>dse advrep
dse advrep --ssl -u <jmx_username> <command>
