Configure transitional mode for node-to-node connections
In DataStax Enterprise (DSE) 6.9.7 or later, transitional mode permits node-to-node communication within a cluster between nodes that use internode encryption and nodes that do not. Use this mode as a temporary measure to enable both types of nodes to communicate with each other. To complete the transition, enable node-to-node encryption gracefully on all nodes in the cluster.
Prerequisites
Create SSL certificates, keystores, and truststores. You can either create local keystore files or use a remote keystore provider.
Enable transitional mode
- Enable transitional mode.
  - Locate the cassandra.yaml file. The location of this file depends on the type of installation:
    - Package installations: /etc/dse/cassandra/cassandra.yaml
    - Tarball installations: <installation_location>/resources/cassandra/conf/cassandra.yaml
  - Edit the cassandra.yaml file to enable transitional mode. In the server_encryption_options section, set optional to true.
  - Save and close the cassandra.yaml file.
- Enable node-to-node encryption.
  - In the server_encryption_options section of the cassandra.yaml file, set internode_encryption to your choice of dc|rack|all.
  - Set require_client_auth to true to require two-way host certificate validation.
  - Set require_endpoint_verification to true to verify that the connected node’s IP address matches the certificate.
  - Save and close the cassandra.yaml file.
- Disable transitional mode.
  - In the server_encryption_options section of the cassandra.yaml file, set optional to false.
  - Save and close the cassandra.yaml file.
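An added example, not DataStax code: a Python check that a node's cassandra.yaml has reached the end state of the procedure above (internode_encryption set to dc, rack or all, both verification settings true, and optional back to false). The sample file content is constructed, the function names are hypothetical, and an unset key is reported rather than assumed to have a safe default.

```python
import re

# End state of the procedure above; "optional: true" is the transitional state.
REQUIRED = {"optional": "false", "require_client_auth": "true",
            "require_endpoint_verification": "true"}
ENCRYPTED_SCOPES = {"dc", "rack", "all"}

def read_server_encryption_options(yaml_text):
    """Return the flat key/value pairs under server_encryption_options."""
    options, inside = {}, False
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop trailing comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # top-level key: section starts or ends
            inside = line.startswith("server_encryption_options:")
            continue
        match = re.match(r"\s+([A-Za-z_]+):\s*(\S.*)?$", line)
        if inside and match:
            options[match.group(1)] = (match.group(2) or "").strip("'\" ").lower()
    return options

def audit(yaml_text):
    """List findings that mean the node has not finished the transition."""
    opts = read_server_encryption_options(yaml_text)
    findings = []
    scope = opts.get("internode_encryption", "<unset>")
    if scope not in ENCRYPTED_SCOPES:
        findings.append(f"internode_encryption is {scope}, expected dc, rack or all")
    for key, wanted in REQUIRED.items():
        actual = opts.get(key, "<unset>")
        if actual != wanted:
            note = " (still in transitional mode)" if (key, actual) == ("optional", "true") else ""
            findings.append(f"{key} is {actual}, expected {wanted}{note}")
    return findings

# Constructed sample: a node left as it was after "Enable node-to-node encryption".
SAMPLE = """\
cluster_name: 'demo'
server_encryption_options:
    internode_encryption: all   # encryption on, but plaintext peers still accepted
    optional: true
    require_client_auth: true
    require_endpoint_verification: true
client_encryption_options:
    optional: false
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "transition complete")
```

Running the check against every node's file after the last step shows any node that was missed and is still accepting unencrypted internode connections.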
You need to modify the upgrade process if your cluster uses any form of internode encryption, including when you enable transitional mode to permit an internode encryption-based cluster to interact with unencrypted nodes.
In DSE 6.9.7 or later, the To enable the cluster to continue to function during an upgrade to DSE 6.9.7 or later, do the following: