Enabling SSL Encryption for DSEFS
There are two parts to enabling SSL encryption for the DSE File System (DSEFS
):
-
Node-to-node encryption
-
Client-to-node encryption
Enabling node-to-node encryption in DSE automatically enables encrypted communication between DSEFS
nodes.
DSE nodes with client-to-node encryption enabled allow SSL connections from the DSEFS
shell.
Configuring the DSEFS
shell to use SSL encryption
In most cases, you do not need to add any DSEFS
shell settings to connect using SSL.
If a ~/.dse/dsefs-shell.yaml
configuration file cannot be found, DSEFS
shell attempts to load server-side configuration and SSL settings from DSE configuration files.
To manually configure SSL, create and edit the DSEFS
shell configuration file.
The DSEFS
shell is configured in the ~/.dse/dsefs-shell.yaml
configuration file.
Add the following settings to enable SSL encryption:
encryption_options:
enabled: true
optional: true
truststore:
truststore_type:
truststore_password:
keystore:
keystore_type:
keystore_password:
protocol:
algorithm:
cipher_suites:
require_endpoint_verification: false
The same settings can be given as dse fs
command-line options, except keystore_password
, truststore_password
, and cipher_suites
.
If passwords are not given in the configuration file, password prompts occur at the DSEFS
shell startup.
The command line options override settings read from the configuration file.
If a non-optional secure connection is established, a |
- enabled
-
Enables client-to-node encryption.
Default: false
- optional
-
When
optional
is selected, both encrypted and unencrypted connections over native transport are allowed. That is a necessary transition state to facilitate enabling client to node encryption on live clusters without inducing an outage for existing unencrypted clients. Typically, once existing clients are migrated to encrypted connections,optional
is unselected in order to enforce native transport encryption.Default:
false
- truststore
-
Relative path from DSE installation directory or absolute path to truststore containing the trusted certificate for authenticating remote servers.
Truststore password and path is only required when require_client_auth is set to
true
.Default:
resources/dse/conf/.truststore
- truststore_type
-
Valid types are
JKS
(default),JCEKS
, orPKCS12
. For file-based truststores, usePKCS12
.Due to an OpenSSL issue, PKCS12 truststores generated with OpenSSL can be incompatible with DSE.
For example, a truststore generated with the following command might not work with DSE:
openssl pkcs12 -export -nokeys -out truststore.pfx -in <intermediate.chain.pem>
However, if you generate a truststore with Java’s
keytool
, and then convert it to PKCS12, it will work with DSE. For example:-
Create the truststore with
keytool
:keytool -importcert -alias <rootca> -file <rootca.pem> -keystore <truststore.jks>
-
Import the intermediate certificate:
keytool -importcert -alias <intermediate> -file <intermediate.pem> -keystore <truststore.jks>
-
Convert the JKS truststore to PKCS12:
keytool -importkeystore -srckeystore <truststore.jks> -destkeystore <truststore.pfx> -deststoretype pkcs12
-
- truststore_password
-
Password for the truststore. This must match the password used when generating the keystore and truststore.
Truststore password and path is only required when require_client_auth is set to
true
.Default:
cassandra
- keystore_type
-
Valid types are
JKS
,JCEKS
,PKCS11
, orPKCS12
. For file-based keystores, usePKCS12
.DataStax supports
PKCS11
as akeystore_type
on nodes withcassandra
oradvanced
workloads. Theadvanced
workload support was added for DSE 6.8.2 and later. IfPKCS11
is needed, inserver_encryption_options
orclient_encryption_options
, specify thekeystore_type
asPKCS11
and thekeystore
asNONE
.PKCS11
is not supported as atruststore_type.
Default:
JKS
- keystore
-
Relative path from DSE installation directory or absolute path to the Java keystore (JKS) suitable for use with Java Secure Socket Extension (JSSE), which is the Java version of the Secure Sockets Layer (SSL), and Transport Layer Security (TLS) protocols. The keystore contains the private key used to encrypt outgoing messages.
Default:
resources/dse/conf/.keystore
- keystore_password
-
Password for the keystore.
Default:
cassandra
- protocol
-
Default:
TLS
- algorithm
-
Default:
SunX509
- cipher_suites
-
Supported ciphers:
-
TLS_RSA_WITH_AES_128_CBC_SHA
-
TLS_RSA_WITH_AES_256_CBC_SHA
-
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
-
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
-
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
-
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Default: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
-
- require_client_auth
-
Enables certificate authentication for client-to-node encryption.
-
true - Require certificate authentication for client-to-node encryption. Client certificates must be present on all nodes in the cluster.
-
false - Do not require certificate authentication for client-to-node encryption.
Default: false
-