Enabling SSL Encryption for DSEFS

There are two parts to enabling SSL encryption for the DSE File System (DSEFS):

  • Node-to-node encryption

  • Client-to-node encryption

Enabling node-to-node encryption in DSE automatically enables encrypted communication between DSEFS nodes. DSE nodes with client-to-node encryption enabled allow SSL connections from the DSEFS shell.

Configure the DSEFS shell to use SSL encryption

In most cases, you do not need to add any DSEFS shell settings to connect using SSL. If a ~/.dse/dsefs-shell.yaml configuration file cannot be found, DSEFS shell attempts to load server-side configuration and SSL settings from DSE configuration files.

To manually configure SSL, create and edit the DSEFS shell configuration file. The DSEFS shell is configured in the ~/.dse/dsefs-shell.yaml configuration file. Add the following settings to enable SSL encryption:

encryption_options:
  enabled: true
  optional: true
  truststore:
  truststore_type:
  truststore_password:
  keystore:
  keystore_type:
  keystore_password:
  protocol:
  algorithm:
  cipher_suites:
  require_endpoint_verification: false

The same settings can be given as dse fs command-line options, except keystore_password, truststore_password, and cipher_suites. If passwords are not given in the configuration file, password prompts occur at the DSEFS shell startup. The command line options override settings read from the configuration file.

If a non-optional secure connection is established, a [secure] flag appears in the prompt of the DSEFS shell.
enabled

Enables client-to-node encryption. You must also generate keys and provide the appropriate key and truststore locations and passwords. There are no custom encryption options enabled for DataStax Enterprise (DSE).

Default: false

optional

When optional is true, both encrypted and unencrypted connections over native transport are allowed. This is a necessary transition state to facilitate enabling client to node encryption on live clusters without inducing an outage for existing unencrypted clients. Typically, once existing clients are migrated to encrypted connections, optional is set to false to enforce native transport encryption.

Default: false

truststore

Relative path from the DSE installation directory or the absolute path to the truststore containing the trusted certificate for authenticating remote servers.

Default: resources/dse/conf/.truststore

Truststore password and path are only required when require_client_auth is set to true.

truststore_type

Valid types are JKS (default), JCEKS, or PKCS12. For file-based truststores, use PKCS12.

Due to an OpenSSL issue, PKCS12 truststores generated with OpenSSL can be incompatible with DSE.

For example, a truststore generated with the following command might not work with DSE:

openssl pkcs12 -export -nokeys -out truststore.pfx -in <intermediate.chain.pem>

However, if you generate a truststore with Java’s keytool, and then convert it to PKCS12, it will work with DSE. For example:

  1. Create the truststore with keytool:

    keytool -importcert -alias <rootca> -file <rootca.pem> -keystore <truststore.jks>

  2. Import the intermediate certificate:

    keytool -importcert -alias <intermediate> -file <intermediate.pem> -keystore <truststore.jks>

  3. Convert the JKS truststore to PKCS12:

    keytool -importkeystore -srckeystore <truststore.jks> -destkeystore <truststore.pfx> -deststoretype pkcs12
truststore_password

Password for the truststore. This must match the password used when generating the keystore and truststore.

Default: cassandra

Truststore password and path are only required when require_client_auth is set to true.

keystore_type

Valid types are JKS (default), JCEKS, PKCS11, or PKCS12. For file-based keystores, use PKCS12.

DataStax supports PKCS11 as a keystore_type on nodes with cassandra or advanced workloads.

If you need to use PKCS11, you must specify the keystore_type as PKCS11 and the keystore as NONE in either server_encryption_options or client_encryption_options depending on your use case.

PKCS11 isn’t supported as a truststore_type.
keystore

Relative path from the DSE installation directory or the absolute path to the Java keystore (JKS) suitable for use with Java Secure Socket Extension (JSSE) (the Java version of the Secure Sockets Layer (SSL)) and Transport Layer Security (TLS) protocols. The keystore contains the private key used to encrypt outgoing messages.

Default: resources/dse/conf/.keystore

keystore_password

Password for the keystore.

Default: cassandra

protocol

Default: TLS

algorithm

Default: SunX509

cipher_suites

A comma-separated list of cipher suites for encryption. Enclose the list in square brackets. For example, the default value is as follows:

[TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]

Supported ciphers include the following:

  • TLS_RSA_WITH_AES_128_CBC_SHA

  • TLS_RSA_WITH_AES_256_CBC_SHA

  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA

  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

require_client_auth

Enables certificate authentication for client-to-node encryption.

  • true: Require certificate authentication for client-to-node encryption. Client certificates must be present on all nodes in the cluster.

  • false (default): Do not require certificate authentication for client-to-node encryption.

Was this helpful?

Give Feedback

How can we improve the documentation?

© Copyright IBM Corporation 2025 | Privacy policy | Terms of use Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: Contact IBM