• Glossary
  • Support
  • Downloads
  • DataStax Home
Get Live Help
Expand All
Collapse All

DataStax Enterprise 6.8 Security Guide

    • About DSE Advanced Security
    • Security FAQs
    • Security checklists
    • Securing the environment
      • Securing ports
      • Securing the TMP directory
    • Authentication and authorization
      • Configuring authentication and authorization
        • About DSE Unified Authentication
          • Steps for new deployment
          • Steps for production environments
        • Configuring security keyspaces
        • Setting up Kerberos
          • Kerberos guidelines
          • Enabling JCE Unlimited
            • Removing AES-256
          • Preparing DSE nodes for Kerberos
            • DNS and NTP
            • krb5.conf
            • Principal
            • Keytab
        • Enabling authentication and authorization
          • Defining a Kerberos scheme
          • Defining an LDAP scheme
        • Configuring JMX authentication
        • Configuring cache settings
        • Securing schema information
      • Managing database access
        • About RBAC
        • Setting up logins and users
          • Adding a superuser login
          • Adding database users
          • LDAP users and groups
            • LDAP logins
            • LDAP groups
          • Kerberos principal logins
          • Setting up roles for applications
          • Binding a role to an authentication scheme
        • Assigning permissions
          • Database object permissions
            • Data resources
            • Functions and aggregate resources
            • Search indexes
            • Roles
            • Proxy login and execute
            • Authentication schemes
            • DSE Utilities (MBeans)
            • Analytic applications
            • Remote procedure calls
          • Separation of duties
          • Keyspaces and tables
          • Row Level Access Control (RLAC)
          • Search index permissions
          • DataStax Graph keyspace
          • Spark application permissions
          • DataStax Studio permissions
          • Remote procedure calls
          • DSE client-tool spark
          • JMX MBean permissions
          • Deny (denylist) db object permission
          • Restricting access to data
      • Providing credentials from DSE tools
        • About clients
        • Internal and LDAP authentication
          • Command line
          • File
          • Environment variables
          • Using CQLSH
        • Kerberos
          • JAAS configuration file location
          • Keytab
          • Ticket Cache
          • Spark jobs
          • SSTableLoader
          • Graph and gremlin-console
          • dsetool
          • CQLSH
        • Nodetool
        • JConsole
    • Auditing database activity
      • Enabling database auditing
      • Capturing DSE Search HTTP requests
      • Log formats
      • View events from DSE audit table
    • Transparent data encryption
      • About Transparent Data Encryption
      • Configuring local encryption
        • Setting up local encryption keys
        • Encrypting configuration file properties
        • Encrypting system resources
        • Encrypting tables
        • Rekeying existing data
        • Using tools with TDE-encrypted SSTables
        • Troubleshooting encryption key errors
      • Configuring KMIP encryption
      • Encrypting Search indexes
        • Encrypting new Search indexes
        • Encrypting existing Search indexes
        • Tuning encrypted Search indexes
      • Migrating encrypted tables from earlier versions
      • Bulk loading data between TDE-enabled clusters
    • Configuring SSL
      • Steps for configuring SSL
      • Creating SSL certificates, keystores, and truststores
        • Remote keystore provider
        • Local keystore files
      • Securing node-to-node connections
      • Securing client-to-node connections
        • Configuring JMX on the server side
        • nodetool, nodesync, dsetool, and Advanced Replication
        • JConsole (JMX)
        • SSTableloader
        • Connecting to SSL-enabled nodes using cqlsh
      • Enabling SSL encryption for DSEFS
      • Reference: SSL instruction variables
    • Securing Spark connections
  • DataStax Enterprise 6.8 Security Guide
  • Configuring SSL
  • Securing client-to-node connections

Configuring SSL for Client-to-Node Connections

Client-to-node encryption protects in-flight data from client machines to a database cluster using SSL (Secure Sockets Layer) and establishes a secure channel between the client and the coordinator node.

Complete the following procedure on every node in the cluster to configure SSL for client-to-node connections.

On a DSE Search node, enabling SSL for the database automatically enables SSL in the DSE Search web.xml file and configures an SSL connector in Tomcat using the authentication or authorization filters. No changes are required for the web.xml or server.xml files.

If the TomcatSolrRunner does not find a connector in server.xml, it creates a default connector. The default connector binds to the native_transport_address.

The default location of the Tomcat server.xml file depends on the installation type:

  • Package installations: /etc/dse/tomcat/conf/server.xml

  • Tarball installations: <installation_location>/resources/tomcat/conf/server.xml

If you are not using the JCE Unlimited Strength Jurisdiction Policy, then make sure that your ticket granting principal does not use AES-256. Starting in JDK 8u161, JCE Unlimited is enabled by default. Refer to the Release Notes for JDK 8u161. If your ticket granting principal uses AES-256, you might see a warning like this in the logs:

 
WARN [StreamConnectionEstablisher:18] 2015-06-22 14:12:18,589 SSLFactory.java (line 162) Filtering out
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA as it isnt supported by the socket

Prerequisites

Create SSL certificates, keystores, and truststores. You can either create local keystore files or use a remote keystore provider.

Procedure

  1. Locate the cassandra.yaml configuration file. The location of this file depends on the type of installation:

    • Package installations: /etc/dse/cassandra/cassandra.yaml

    • Tarball installations: <installation_location>/resources/cassandra/conf/cassandra.yaml

  2. Edit cassandra.yaml and make the following changes in the client_encryption_options to enable SSL:

    1. Set enabled to true to enable SSL.

    2. Set optional to false (default) to only allow SSL connections.

    3. Set require_client_auth to true to require two-way host certificate validation.

  3. Configure the keystore and truststore, depending on whether you are using local keystore files or a remote keystore provider. All settings are configured in the client_encryption_options section of cassandra.yaml:

    • Local files: use the following settings.

      The store_type option is deprecated. Instead, use keystore_type and truststore_type.

      		 
      client_encryption_options:
    enabled: true
    optional: false
    keystore_type: JKS
    keystore: <path_to_keystore>
    keystore_password: <keystore_password>
    require_client_auth: true
    truststore_type: JKS
    truststore: <path_to_truststore>
    truststore_password: <truststore_password>
    protocol: ssl
    algorithm: SunX509
    cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA]

    • Remote keystore provider: use the following settings.

      The store_type option is deprecated. Instead, use keystore_type and truststore_type.

      Unused options can be blank or commented out.

      Requires installation of a provider.

      See Using a remote keystore provider.

      client_encryption_options:
    enabled: true
    optional: false
    keystore_type: PKCS12
    require_client_auth: true
    truststore_type: PKCS12
    protocol: ssl
    algorithm: SunX509
    cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA]
      enabled

      Enables client-to-node encryption.

      Default: false

      optional

      When optional is selected, both encrypted and unencrypted connections over native transport are allowed. That is a necessary transition state to facilitate enabling client to node encryption on live clusters without inducing an outage for existing unencrypted clients. Typically, once existing clients are migrated to encrypted connections, optional is unselected in order to enforce native transport encryption.

      Default: false

      keystore_type

      Valid types are JKS, JCEKS, PKCS11, or PKCS12. For file-based keystores, use PKCS12.

      DataStax supports PKCS11 as a keystore_type on nodes with cassandra or advanced workloads. The advanced workload support was added for DSE 6.8.2 and later. If PKCS11 is needed, in server_encryption_options or client_encryption_options, specify the keystore_type as PKCS11 and the keystore as NONE.

      PKCS11 is not supported as a truststore_type.

      Default: JKS

      keystore

      Relative path from DSE installation directory or absolute path to the Java keystore (JKS) suitable for use with Java Secure Socket Extension (JSSE), which is the Java version of the Secure Sockets Layer (SSL), and Transport Layer Security (TLS) protocols. The keystore contains the private key used to encrypt outgoing messages.

      Default: resources/dse/conf/.keystore

      keystore_password

      Password for the keystore.

      Default: cassandra

      require_client_auth

      Enables certificate authentication for client-to-node encryption.

      • true - Require certificate authentication for client-to-node encryption. Client certificates must be present on all nodes in the cluster.

      • false - Do not require certificate authentication for client-to-node encryption.

      Default: false

      truststore_type

      Valid types are JKS, JCEKS, or PKCS12. For file-based truststores, use PKCS12.

      Due to an OpenSSL issue, you cannot use a PKCS12 truststore that was generated via OpenSSL. For example, a truststore generated via the following command does not work with DSE:

      		 
      openssl pkcs12 -export -nokeys -out truststore.pfx -in intermediate.chain.pem

      However, truststores generated via Java’s keytool and then converted to PKCS12 work with DSE. Example:

      keytool -importcert -alias rootca -file rootca.pem -keystore truststore.jks
      keytool -importcert -alias intermediate -file intermediate.pem -keystore truststore.jks
      keytool -importkeystore -srckeystore truststore.jks -destkeystore truststore.pfx -deststoretype pkcs12

      Default: JKS

      truststore

      Relative path from DSE installation directory or absolute path to truststore containing the trusted certificate for authenticating remote servers.

      Truststore password and path is only required when require_client_auth is set to true.

      Default: resources/dse/conf/.truststore

      truststore_password

      Password for the truststore. This must match the password used when generating the keystore and truststore.

      Truststore password and path is only required when require_client_auth is set to true.

      Default: cassandra

  4. Save and close the cassandra.yaml file.

  5. Complete a rolling DSE restart.

Configuring JMX on the server side

Configure JMX on the server side to enable SSL connections.

Configuring SSL for nodetool, nodesync, dsetool, and Advanced Replication

Use nodetool, nodesync, dsetool, and DSE Advanced Replication with SSL encryption.

Setting up SSL for JConsole (JMX)

Use J`Console` with SSL encryption.

Connecting SSTableloader to a secured cluster

Steps (for a development environment) to configure the sstableloader (bulk loader) with Kerberos or SSL.

Connecting to SSL-enabled nodes using cqlsh

Connect cqlsh to an SSL-enabled node by setting up SSL with environment variables or cqlshrc parameters.

Securing node-to-node connections Configuring JMX on the server side

General Inquiries: +1 (650) 389-6000 info@datastax.com

© DataStax | Privacy policy | Terms of use

DataStax, Titan, and TitanDB are registered trademarks of DataStax, Inc. and its subsidiaries in the United States and/or other countries.

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries.

Kubernetes is the registered trademark of the Linux Foundation.

landing_page landingpage