Configure transitional mode for node-to-node connections

Transitional mode permits node-to-node communication within a cluster between nodes that use internode encryption and nodes that do not. Use this mode as a temporary measure to enable both types of nodes to communicate with each other. To complete the transition, enable node-to-node encryption gracefully on all nodes in the cluster.

Prerequisites

Create SSL certificates, keystores, and truststores. You can either create local keystore files or use a remote keystore provider.

Enable transitional mode

  1. Enable transitional mode.

    1. Locate the cassandra.yaml file. The location of this file depends on the type of installation:

      • Package installations: /etc/dse/cassandra/cassandra.yaml

      • Tarball installations: <installation_location>/resources/cassandra/conf/cassandra.yaml

    2. Edit the cassandra.yaml file to enable transitional mode. In the server_encryption_options section, set optional to true.

    3. Save and close the cassandra.yaml file.

    4. Restart the nodes.

  2. Enable node-to-node encryption.

    1. In the server_encryption_options section of the cassandra.yaml file, set internode_encryption to your choice of dc|rack|all.

    2. Set require_client_auth to true to require two-way host certificate validation.

    3. Set require_endpoint_verification to true to verify that the connected node’s IP address matches the certificate.

    4. Save and close the cassandra.yaml file.

    5. Restart the nodes.

  3. Disable transitional mode.

    1. In the server_encryption_options section of the cassandra.yaml file, set optional to false.

    2. Save and close the cassandra.yaml file.

    3. Restart the nodes.
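To confirm that a node has completed all three steps and is no longer in transitional mode, the following added example (not DataStax code) audits the server_encryption_options section of cassandra.yaml text. The sample configuration is constructed, the function names are hypothetical, and the checker assumes that a key missing from the file counts as not enforced.

```python
# Added example: audit server_encryption_options in cassandra.yaml text.
# SAMPLE is constructed; it models a node left in transitional mode.
SAMPLE = """\
cluster_name: 'demo'
server_encryption_options:
    internode_encryption: all
    optional: true    # step 3 was never done
    require_client_auth: true
    require_endpoint_verification: false
client_encryption_options:
    enabled: false
    optional: false
"""

# Final-state values from steps 2 and 3 of the procedure.
REQUIRED = {
    "optional": "false",
    "require_client_auth": "true",
    "require_endpoint_verification": "true",
}

def read_section(text, section="server_encryption_options"):
    """Return scalar key/value pairs nested under one top-level section."""
    opts, inside = {}, False
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()       # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():                # a new top-level key
            inside = line.startswith(section + ":")
        elif inside and ":" in line:
            key, _, val = line.strip().partition(":")
            opts[key.strip()] = val.strip().strip("'\"").lower()
    return opts

def audit(text):
    """List settings that differ from the fully enforced end state."""
    opts = read_section(text)
    findings = []
    # Assumption of this checker: an absent key counts as not enforced.
    if opts.get("internode_encryption") not in ("dc", "rack", "all"):
        findings.append("internode_encryption is not dc, rack or all")
    for key, want in REQUIRED.items():
        if opts.get(key) != want:
            findings.append(f"{key} is {opts.get(key, 'unset')}, expected {want}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

Only keys under server_encryption_options are read, so the optional setting in client_encryption_options does not mask a node that still accepts unencrypted internode connections.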

Transitional mode impacts the upgrade process for clusters with encryption enabled. To keep the encrypted cluster functioning during the upgrade, set enable_legacy_ssl_storage_port to true so that nodes listen on the original ssl_storage_port. After you upgrade the cluster, disable listening by setting enable_legacy_ssl_storage_port to false.
