How to Configure SSL for DataStax Enterprise
Configure SSL for DataStax Enterprise (DSE) by implementing Client Certificate Authentication. Following this approach, each node verifies the service or client making a request against a local truststore to validate that the certificate was issued by a known Certificate Authority (CA).
Creating SSL certificates, keystores, and truststores
You can implement SSL using CA signed certificates signed by well-known CAs, or by creating your own root CA. DataStax recommends using certificates signed by a CA to reduce SSL certificate management tasks. However, you can use self-signed certificates with DSE, which supports SSL certificates in local and external keystores.
Creating your own CA in a production environments typically involves using an intermediary certificate chain, where the root CA signs one or more intermediate certificates with its private key. These intermediary certificates chain together to link back to the root CA, which owns one or more trusted roots.
Where to configure SSL
DSE supports SSL encryption between nodes (node-to-node communication) and between clients and nodes (client-to-node communication). You can use SSL to encrypt in-flight data for the following DSE services and clients.
Use SSL to encrypt data in the following node-to-node connections:
DSE Search with Apache Solr™
DSE Analytics with Apache Spark™
Use SSL to secure connections from a client to the coordinator node to establish client-to-node connections:
CQL shell (
DataStax Bulk Loader
DataStax Apache Kafka Connector
Configuring SSL for DSE
Complete the following procedures to configure SSL for DSE:
Configure SSL for DSE services (node-to-node communication).
Configure SSL for DSE clients (client-to-node communication).
After creating the necessary SSL certificates and configuring SSL for DSE services, use
cqlsh to connect to your SSL-enabled cluster.