DataStax Enterprise 6.8 Security Guide

Providing Kerberos Credentials when Starting CQL Shell

Set up a cqlshrc file to run cqlsh against a Kerberos-enabled cluster.

Example files

DataStax Enterprise provides cqlshrc.sample files and the following examples for adjusting their settings:

  • Kerberos example

  • SSL example

Make changes as appropriate for your environment.

To use Kerberos with SSL, see Kerberos and SSL.

The default location of the cqlshrc.sample file depends on the type of installation:

Table 1. File locations

Filename                  Package installations                       Tarball installations
cqlshrc.sample.ssl        /etc/dse/cassandra/cqlshrc.sample.ssl       <installation_location>/resources/cassandra/conf/cqlshrc.sample.ssl
cqlshrc.sample            /etc/dse/cassandra                          <installation_location>/resources/cassandra/conf
cqlshrc.sample.kerberos   /etc/dse/cassandra/cqlshrc.sample.kerberos  <installation_location>/resources/cassandra/conf/cqlshrc.sample.kerberos
dse.yaml                  /etc/dse/dse.yaml                           <installation_location>/resources/dse/conf/dse.yaml

Kerberos example

DataStax Enterprise provides a sample cqlshrc.sample.kerberos file as a starting point.

Required settings for Kerberos authentication:

[connection]
hostname = 192.168.1.2
port = 9042

[kerberos]
service = dse ;; If not set, the default is dse
qops = auth ;; Optional, see the paragraph below

The [connection] hostname and [kerberos] service settings must either match the values in the dse.yaml configuration file or be set as environment variables.

  • In the kerberos_options section of the dse.yaml file, set service_principal. The service_principal setting must be consistent and present everywhere: in the dse.yaml file, in the keytab, and in the cqlshrc file (where service_principal is separated into <service>/<hostname>).

  • The environment variables (KRB_HOST, KRB_SERVICE, and KRB_PRINCIPAL) override the options that are set in dse.yaml.

    The environment variables KRB_SERVICE and QOPS override the options in the .cqlshrc file. The loading order for settings is: environment variable, .cqlshrc setting, default.

The default (auth) is used when qops is not specified. On the client side, the qops option is a comma-delimited list of the QOP values allowed by the client for the connection.

  • The client (cqlsh) value list must contain at least one of the QOP values that are specified on the server.

  • The client can have multiple QOP values, while the server can only have a single QOP value that is specified in the dse.yaml file.
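To make the loading order and the QOP rule concrete, here is an added Python example (not DataStax's own cqlsh code) that reads a constructed cqlshrc with the standard library's configparser, applies the KRB_SERVICE and QOPS overrides in the order stated above, and checks a client QOP list against the single server value. The principal_matches helper, and its assumption that a dse.yaml service_principal may end in "@REALM", are illustrative assumptions.

```python
import configparser
from io import StringIO

# Constructed sample cqlshrc, mirroring the Kerberos example on this page
# (assumed: the client allows two QOP values instead of only "auth").
SAMPLE_CQLSHRC = """
[connection]
hostname = 192.168.1.2
port = 9042

[kerberos]
service = dse ;; If not set, the default is dse
qops = auth,auth-conf
"""


def load_cqlshrc(text):
    # cqlsh reads cqlshrc with Python's configparser; ';;' trailing comments are stripped.
    cp = configparser.ConfigParser(inline_comment_prefixes=(";",))
    cp.read_file(StringIO(text))
    return cp


def effective_kerberos_settings(cp, env):
    """Loading order stated on the page: environment variable, .cqlshrc setting, default."""
    service = env.get("KRB_SERVICE") or cp.get("kerberos", "service", fallback="dse")
    qops = env.get("QOPS") or cp.get("kerberos", "qops", fallback="auth")
    hostname = cp.get("connection", "hostname", fallback=None)
    return {
        "service": service,
        "hostname": hostname,
        "qops": [q.strip() for q in qops.split(",") if q.strip()],
    }


def qop_negotiation_ok(client_qops, server_qop):
    """dse.yaml carries a single QOP; the client's list must contain it."""
    return server_qop in client_qops


def principal_matches(settings, service_principal):
    """Compare <service>/<hostname> from cqlshrc with dse.yaml's service_principal.
    Assumption: the dse.yaml value may carry a trailing '@REALM', which is ignored."""
    name = service_principal.split("@", 1)[0]
    return name == f"{settings['service']}/{settings['hostname']}"
```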

SSL example

DataStax Enterprise provides a sample cqlshrc.sample.ssl file as a starting point.

[authentication]
username = fred
password = !!bang!!$

[connection]
hostname = 127.0.0.1
port = 9042

[ssl]
certfile = ~/keys/cassandra.cert
validate = false ;; Optional, true by default. See the paragraph below.

[certfiles] ;; Optional section, overrides the default certfile in the [ssl] section.
10.209.182.160 = /etc/dse/cassandra/conf/dsenode0.cer
10.68.65.199 = /etc/dse/cassandra/conf/dsenode1.cer

When generating the certificate, be sure to set the CN to the hostname of the node.

When validate is enabled, you must create a Policy Enforcement Manager (pem) key which is used in the cqlshrc file. For example:

keytool -importkeystore -srckeystore .keystore -destkeystore <user>.p12 -deststoretype PKCS12
openssl pkcs12 -in <user>.p12 -out <user>.pem -nodes

This pem key is required because the host in the certificate is compared to the host of the machine to which it is connected. The SSL certificate must be provided either in the configuration file or as an environment variable. The environment variables (SSL_CERTFILE and SSL_VALIDATE) override any options set in this file.
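Added Python example (not part of the DataStax documentation or of cqlsh itself) showing how the per-host [certfiles] override, the default [ssl] certfile, and the SSL_CERTFILE and SSL_VALIDATE environment variables resolve in the precedence this section describes. The function names and the constructed sample file are assumptions for illustration.

```python
import configparser
from io import StringIO

# Constructed sample cqlshrc, mirroring the SSL example on this page.
SAMPLE_SSL_CQLSHRC = """
[connection]
hostname = 127.0.0.1
port = 9042

[ssl]
certfile = ~/keys/cassandra.cert
validate = false ;; Optional, true by default.

[certfiles]
10.209.182.160 = /etc/dse/cassandra/conf/dsenode0.cer
10.68.65.199 = /etc/dse/cassandra/conf/dsenode1.cer
"""


def load_cqlshrc(text):
    # cqlsh reads cqlshrc with Python's configparser; ';;' trailing comments are stripped.
    cp = configparser.ConfigParser(inline_comment_prefixes=(";",))
    cp.read_file(StringIO(text))
    return cp


def resolve_certfile(cp, host, env):
    """SSL_CERTFILE overrides the file; otherwise a per-host [certfiles] entry
    overrides the default [ssl] certfile; None means no certificate is configured."""
    if env.get("SSL_CERTFILE"):
        return env["SSL_CERTFILE"]
    if cp.has_option("certfiles", host):
        return cp.get("certfiles", host)
    return cp.get("ssl", "certfile", fallback=None)


def resolve_validate(cp, env):
    """SSL_VALIDATE overrides [ssl] validate; the page states validate is true by default.
    A false result means the certificate host is never compared with the node host."""
    raw = env.get("SSL_VALIDATE")
    if raw is None:
        raw = cp.get("ssl", "validate", fallback="true")
    return raw.strip().lower() in ("true", "1", "yes", "on")
```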

Kerberos and SSL

For information about using Kerberos with SSL, see Connecting to SSL-enabled nodes using cqlsh.

The settings for using both Kerberos and SSL are a combination of the Kerberos and SSL sections in these examples.

The supported environment variables are KRB_SERVICE, SSL_CERTFILE, and SSL_VALIDATE.
