Configuring SSL for nodetool, nodesync, dsetool, and Advanced Replication

Complete the following procedure to configure JMX for using nodetool, nodesync, dsetool, and DataStax Enterprise (DSE) Advanced Replication with SSL.

Make these changes in the file on each node in the cluster.


For production environments, secure an entire cluster using JKS files. For a single-node development environment, you can use a simpler single-node, local keystore file and truststore file.


  1. Locate the file. The location of this file depends on the type of installation:

    • Package installations: /etc/dse/cassandra/

    • Tarball installations: <installation_location>/resources/cassandra/conf/

  2. Open the file.

  3. Restart DSE.

  4. nodetool: To configure the client settings for nodetool, create a .cassandra/ file in your home or client program directory on the node where you will run the command. Add the following settings, depending on whether you are running the command in a production or development environment.

    touch ~/.cassandra/

    Production environment:<path_to_keystore><keystore-password><path_to_truststore><truststore-password>

    Development environment:<path_to_keystore><keystore-password><path_to_truststore><truststore-password>
  5. nodesync: To configure the client settings for nodesync, create a .cassandra/ file in your home or client program directory on the node where you will run the command. Add the following settings to the file.

    The file for nodesync is equivalent to the .cassandra/ file used by nodetool, except that it defines properties shared by JMX and CQL.

    touch ~/.cassandra/<path_to_keystore><keystore-password><path_to_truststore><truststore-password>

    The JVM properties for nodesync should be the same as those set for nodetool, but defined in a separate file, such as nodesync-jvm.options. DataStax recommends maintaining separate option files for nodetool and nodesync. For example, you might need SSL only in the CQL connection, but not in JMX. In this case, nodetool would not require the JVM properties, while nodesync would need them defined.

  6. Start the appropriate tool using the following options to establish an encrypted connection with username and password credentials, or an auth provider class (for CQL). If you provide a username option but not a password, you are prompted to enter one.


    nodetool --ssl -u <jmx_username> -pw <jmx_password> <command>

    nodesync (JMX, CQL, or both)

    nodesync --jmx-ssl --jmx-username <jmx_username> --jmx-password <jmx_password> <command>
    nodesync --cql-ssl --cql-username <cql_username> --cql-password <cql_password> <command>
    nodesync --cql-ssl --cql-auth-provider <cql-auth-provider-ClassName> <command>
    nodesync --jmx-ssl --jmx-username <jmx_username> --jmx-password <jmx_password>
               --cql-ssl --cql-username <cql_username> --cql-password <cql_password> <command>
    nodesync --jmx-ssl --jmx-username <jmx_username> --jmx-password <jmx_password>
               --cql-ssl --cql-auth-provider <cql-auth-provider-ClassName> <command>


    dsetool --ssl -a <jmx_username> -b <jmx_password> <command>

    dse advrep

    dse advrep --ssl -u <jmx_username> <command>

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000,