DataStax Enterprise 6.8 Security Guide

Configuring SSL for Node-to-Node Connections

Node-to-node (internode) encryption protects data in flight between the nodes of a cluster by wrapping internode traffic in SSL/TLS.

Prerequisites

Create SSL certificates, keystores, and truststores. You can either create local keystore files or use a remote keystore provider.

OpsCenter Lifecycle Manager can configure DataStax Enterprise clusters for node-to-node encryption: it prepares the server certificates with an internal certificate authority and deploys the resulting keystore and truststore to each node automatically.

Procedure

  1. Locate the cassandra.yaml file. The location of this file depends on the type of installation:

    • Package installations: /etc/dse/cassandra/cassandra.yaml

    • Tarball installations: <installation_location>/resources/cassandra/conf/cassandra.yaml

  2. Edit cassandra.yaml and make the following changes to the server_encryption_options section to enable SSL:

    1. Set internode_encryption to control which traffic between nodes is encrypted: all (every internode connection), dc (only connections between datacenters), rack (only connections between racks), or none (no internode encryption). The examples below use all.

    2. Set require_client_auth to true to require two-way (mutual) certificate authentication, so that the connecting node must present a certificate trusted by the accepting node as well.

    3. Set require_endpoint_verification to true to verify that the connected node's IP address matches the IP address in its certificate's subject alternative name.

  3. Configure the keystore and truststore, depending on whether you are using local keystore files or a remote keystore provider. All settings are configured in the server_encryption_options section of cassandra.yaml:

    • Local files: use the following settings.

      server_encryption_options:
          internode_encryption: all
          keystore_type: JKS
          keystore: <path_to_keystore.jks>
          keystore_password: <keystore_password>
          require_client_auth: true
          require_endpoint_verification: true
          truststore_type: JKS
          truststore: <path_to_truststore.jks>
          truststore_password: <truststore_password>

      To avoid storing the keystore and truststore passwords in clear text in cassandra.yaml, encrypt them with either local encryption or KMIP; see Encrypting configuration file properties.

    • Remote keystore provider: use the following settings. Unused options can be blank or commented out.

      Requires installation of a provider.

      See Using a remote keystore provider.

      server_encryption_options:
         internode_encryption: all
         keystore_type: PKCS12
         require_client_auth: true
         require_endpoint_verification: true
         truststore_type: PKCS12

      internode_encryption

      Which internode traffic is encrypted: all, dc, rack, or none. Internode communication uses the TLS_RSA_WITH_AES_128_CBC_SHA cipher suite for authentication, key exchange, and encryption of data transfers; note that its static RSA key exchange provides no forward secrecy. Use the DHE/ECDHE ciphers, such as TLS_DHE_RSA_WITH_AES_128_CBC_SHA, if running in Federal Information Processing Standard (FIPS) 140 compliant mode.

      Default: none

      keystore_type

      Valid types are JKS, JCEKS, PKCS11, or PKCS12. For file-based keystores, use PKCS12.

      DataStax supports PKCS11 as a keystore_type on nodes running Cassandra-only or advanced workloads; support for advanced workloads was added in DSE 6.8.2. If PKCS11 is needed, in server_encryption_options or client_encryption_options, specify the keystore_type as PKCS11 and the keystore as NONE.

      PKCS11 is not supported as a truststore_type.

      Default: JKS

      keystore

      Relative path from the DSE installation directory, or the absolute path, to the Java keystore suitable for use with the Java Secure Socket Extension (JSSE), Java's implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. The keystore holds the node's private key and certificate, which the node presents to peers during the TLS handshake.

      Default: resources/dse/conf/.keystore

      keystore_password

      Password for the keystore. It must match the password given when the keystore was generated (-storepass), and DSE also uses it to open the private key, so for a JKS keystore the key password (-keypass) must be the same. The truststore has its own password, truststore_password.

      Default: cassandra

      require_client_auth

      Whether the accepting node requires the connecting node to present a certificate (mutual TLS) for node-to-node (internode) encryption. When false, only the accepting node is authenticated.

      Default: false

      require_endpoint_verification

      Whether to verify that the connected host's IP address matches the IP address in its certificate. If set to true, the subject alternative name you specify when generating the key pair (the -ext san= value) must be an IP address, not a DNS hostname. Example with a correctly specified IP address:

      keytool -genkeypair -keyalg RSA \
          -alias node0 \
          -keystore my_keystore.jks \
          -storepass cassandra \
          -keypass cassandra \
          -validity 730 \
          -keysize 2048 \
          -dname "CN=node0, OU=lacerda-ssl, O=Datastax, C=CC" \
          -ext "san=ip:10.101.35.236"

      Default: false

      truststore_type

      Valid types are JKS, JCEKS, PKCS12. For file-based truststores, use PKCS12.

      Due to an OpenSSL issue, you cannot use a PKCS12 truststore that was generated via OpenSSL. For example, a truststore generated via the following command will not work with DSE:

      openssl pkcs12 -export -nokeys -out truststore.pfx -in <intermediate.chain.pem>

      However, truststores generated via Java’s keytool and then converted to PKCS12 work with DSE. Example:

      keytool -importcert -alias <rootca> -file <rootca.pem> -keystore <truststore.jks>
      keytool -importcert -alias <intermediate> -file <intermediate.pem> -keystore <truststore.jks>
      keytool -importkeystore -srckeystore <truststore.jks> -destkeystore <truststore.pfx> -deststoretype pkcs12

      Default: JKS

      truststore

      Relative path from the DSE installation directory, or the absolute path, to the truststore containing the trusted CA certificates used to authenticate remote nodes.

      Default: resources/dse/conf/.truststore

      truststore_password

      Password for the truststore.

      Default: cassandra

  4. Save and close the cassandra.yaml file.

  5. Restart DSE.
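The configuration steps above, together with the IP-only SAN rule for require_endpoint_verification, as an added example (this is not DataStax code): a small Python audit that reads a server_encryption_options block with a minimal hand-rolled reader (assumption: flat key: value entries only, so no PyYAML is needed), flags every setting weaker than the hardened local-file block in step 3, and builds the keytool command for one node with an IP SAN, refusing a DNS name up front. The two YAML samples, the paths, passwords, and dname are constructed for this example.

```python
"""Audit a cassandra.yaml server_encryption_options block and build the
per-node keytool command whose SAN satisfies require_endpoint_verification.
Added example, not DataStax code; setting names are those documented for
DSE 6.8, and both YAML samples below are constructed for this example."""
import ipaddress

DEFAULT_PASSWORD = "cassandra"  # documented default for both stores

# Constructed: a default-shaped block with internode TLS effectively off.
WEAK_YAML = """\
server_encryption_options:
    internode_encryption: none
    keystore_type: JKS
    keystore: resources/dse/conf/.keystore
    keystore_password: cassandra
    require_client_auth: false
    require_endpoint_verification: false
    truststore_type: JKS
    truststore: resources/dse/conf/.truststore
    truststore_password: cassandra
"""

# Constructed: the hardened local-file configuration this page recommends.
HARDENED_YAML = """\
server_encryption_options:
    internode_encryption: all
    keystore_type: PKCS12
    keystore: /etc/dse/ssl/node0-keystore.p12
    keystore_password: k3ystore-s3cret-example
    require_client_auth: true
    require_endpoint_verification: true
    truststore_type: PKCS12
    truststore: /etc/dse/ssl/truststore.p12
    truststore_password: trust-s3cret-example
"""


def parse_server_encryption_options(yaml_text):
    """Collect the flat key: value children of server_encryption_options.
    Minimal on purpose (no nesting; '#' always starts a comment)."""
    opts, in_block, block_indent = {}, False, 0
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if not in_block:
            if line.strip() == "server_encryption_options:":
                in_block, block_indent = True, indent
            continue
        if indent <= block_indent:
            break  # dedented: left the mapping
        key, sep, value = line.strip().partition(":")
        if sep:
            opts[key.strip()] = value.strip().strip("'\"")
    return opts


def audit_internode_tls(opts):
    """(setting, problem) pairs for anything weaker than the hardened block; empty list = pass."""
    bad = []
    mode = opts.get("internode_encryption", "none")
    if mode != "all":
        bad.append(("internode_encryption", f"is {mode}; dc/rack leave links in clear, none disables TLS"))
    if opts.get("require_client_auth", "false").lower() != "true":
        bad.append(("require_client_auth", "is not true; connecting nodes need not present a certificate"))
    if opts.get("require_endpoint_verification", "false").lower() != "true":
        bad.append(("require_endpoint_verification", "is not true; a valid certificate is accepted from any IP"))
    for store in ("keystore", "truststore"):
        stype = opts.get(f"{store}_type", "JKS")
        if store == "truststore" and stype == "PKCS11":
            bad.append(("truststore_type", "PKCS11 is not supported for the truststore"))
        elif stype not in ("PKCS12", "PKCS11"):
            bad.append((f"{store}_type", f"is {stype}; use PKCS12 for file-based stores"))
        if opts.get(f"{store}_password", DEFAULT_PASSWORD) == DEFAULT_PASSWORD:
            bad.append((f"{store}_password", "is the documented default 'cassandra'"))
    if opts.get("keystore_type") == "PKCS11" and opts.get("keystore", "").upper() != "NONE":
        bad.append(("keystore", "must be NONE when keystore_type is PKCS11"))
    return bad


def is_ip_san(value):
    """True only for an IP literal: endpoint verification matches the peer's IP, so a DNS name will not do."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def keytool_genkeypair(alias, node_ip, keystore_path, storepass, dname, validity_days=730):
    """keytool argv for one node's key pair with an IP SAN in a PKCS12 store (one password for store and key)."""
    if not is_ip_san(node_ip):
        raise ValueError(f"SAN for {alias} must be an IP address, got {node_ip!r}")
    return ["keytool", "-genkeypair", "-keyalg", "RSA", "-keysize", "2048",
            "-alias", alias, "-keystore", keystore_path, "-storetype", "PKCS12",
            "-storepass", storepass, "-validity", str(validity_days),
            "-dname", dname, "-ext", f"san=ip:{node_ip}"]


if __name__ == "__main__":
    for label, text in (("weak", WEAK_YAML), ("hardened", HARDENED_YAML)):
        print(label, audit_internode_tls(parse_server_encryption_options(text)))
    print(" ".join(keytool_genkeypair("node0", "10.101.35.236", "/etc/dse/ssl/node0-keystore.p12",
                                      "k3ystore-s3cret-example", "CN=node0, OU=dse-ssl, O=Example, C=US")))
```

To check a real node, pass the text of its cassandra.yaml to parse_server_encryption_options; an empty findings list is the target state. The generated keytool command uses a PKCS12 store so that the store and key share one password, which matters because DSE opens the private key with keystore_password.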
