Configure SSL for nodetool and hcd

Complete the following procedure to configure JMX for using nodetool and hcd with SSL.

Make these changes in the cassandra-env.sh file on each node in the cluster.

Prerequisites

  1. Create SSL certificates with a self-signed CA.

  2. Configure client-to-node encryption.

  3. Configure JMX on the server side.

For production environments, secure an entire cluster using JKS files. For a single-node development environment, you can use a simpler single-node, local keystore file and truststore file.

Update the cassandra-env.sh file

To configure SSL for nodetool and hcd, do the following:

  1. Locate the cassandra-env.sh file. The location of this file depends on the type of installation:

    • Package installations: /etc/hcd/cassandra/cassandra-env.sh

    • Tarball installations: <installation_location>/resources/cassandra/conf/cassandra-env.sh

  2. Open the cassandra-env.sh file.

  3. nodetool: To configure the client settings for nodetool, create a .cassandra/nodetool-ssl.properties file in your home or client program directory on the node where you will run the command. Add the following settings, depending on whether you are running the command in a production or development environment.

    touch ~/.cassandra/nodetool-ssl.properties

    Production environment:

    -Dcom.sun.management.jmxremote.ssl=true
-Dcom.sun.management.jmxremote.ssl.need.client.auth=false
-Dcom.sun.management.jmxremote.registry.ssl=true
-Djavax.net.ssl.keyStore=<path_to_keystore>
-Djavax.net.ssl.keyStorePassword=<keystore-password>
-Djavax.net.ssl.trustStore=<path_to_truststore>
-Djavax.net.ssl.trustStorePassword=<truststore-password>

    Development environment:

    -Dcom.sun.management.jmxremote.ssl.need.client.auth=true
-Dcom.sun.management.jmxremote.registry.ssl=true
-Djavax.net.ssl.keyStore=<path_to_keystore>
-Djavax.net.ssl.keyStorePassword=<keystore-password>
-Djavax.net.ssl.trustStore=<path_to_truststore>
-Djavax.net.ssl.trustStorePassword=<truststore-password>

  4. Start the appropriate tool using the following options to establish an encrypted connection with username and password credentials, or an auth provider class for CQL. If you provide a username option but not a password, you are prompted to enter one.

    nodetool
    nodetool --ssl -u JMX_USERNAME -pw JMX_PASSWORD COMMAND

    Replace the following:

    • JMX_USERNAME: The username for the JMX connection

    • JMX_PASSWORD: The password for the JMX connection

    • COMMAND: The command to run

    hcd
    hcd -a JMX_USERNAME -b JMX_PASSWORD nodetool COMMAND

    Replace the following:

    • JMX_USERNAME: The username for the JMX connection

    • JMX_PASSWORD: The password for the JMX connection

    • COMMAND: The command to run

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2025 DataStax | Privacy policy | Terms of use | Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com