Configure transitional mode for node-to-node connections

In DataStax Enterprise (DSE) 6.9.7 or later, transitional mode permits node-to-node communication within a cluster between nodes that use internode encryption and nodes that do not. Use this mode as a temporary measure to enable both types of nodes to communicate with each other. To complete the transition, enable node-to-node encryption gracefully on all nodes in the cluster.

Prerequisites

Create SSL certificates, keystores, and truststores. You can either create local keystore files or use a remote keystore provider.

Enable transitional mode

  1. Enable transitional mode.

    1. Locate the cassandra.yaml file. The location of this file depends on the type of installation:

      • Package installations: /etc/dse/cassandra/cassandra.yaml

      • Tarball installations: <installation_location>/resources/cassandra/conf/cassandra.yaml

    2. Edit the cassandra.yaml file to enable transitional mode. In the server_encryption_options section, set optional to true.

    3. Save and close the cassandra.yaml file.

    4. Restart the nodes.

  2. Enable node-to-node encryption.

    1. In the server_encryption_options section of the cassandra.yaml file, set internode_encryption to your choice of dc|rack|all.

    2. Set require_client_auth to true to require two-way host certificate validation.

    3. Set require_endpoint_verification to true to verify that the connected node’s IP address matches the certificate.

    4. Save and close the cassandra.yaml file.

    5. Restart the nodes.

  3. Disable transitional mode.

    1. In the server_encryption_options section of the cassandra.yaml file, set optional to false.

    2. Save and close the cassandra.yaml file.

    3. Restart the nodes.

You need to modify the upgrade process if your cluster uses any form of internode encryption, including when you enable transitional mode to permit an internode encryption-based cluster to interact with unencrypted nodes. In DSE 6.9.7 or later, the ssl_storage_port is deprecated and the storage_port permits encrypted, unencrypted, and mixed encryption node-to-node communication.

To enable the cluster to continue to function during an upgrade to DSE 6.9.7 or later, do the following:

  1. Edit the cassandra.yaml file.

  2. In the server_encryption_options section, set the enable_legacy_ssl_storage_port option to true. This configuration enables listening on the deprecated ssl_storage_port.

  3. When you complete the upgrade for the cluster, set the enable_legacy_ssl_storage_port option to false. This configuration disables listening on the deprecated ssl_storage_port.

Was this helpful?

Give Feedback

How can we improve the documentation?

© Copyright IBM Corporation 2025 | Privacy policy | Terms of use Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: Contact IBM