Configure SSL for nodetool and hcd
Complete the following procedure to configure JMX for using nodetool and hcd with SSL.
Make these changes in the |
Prerequisites
For production environments, secure an entire cluster using |
Update the cassandra-env.sh file
To configure SSL for nodetool and hcd, do the following:
- Locate the cassandra-env.sh file. The location of this file depends on the type of installation:
  - Package installations: /etc/hcd/cassandra/cassandra-env.sh
  - Tarball installations: <installation_location>/resources/cassandra/conf/cassandra-env.sh
- Open the cassandra-env.sh file.
- nodetool: To configure the client settings for nodetool, create a .cassandra/nodetool-ssl.properties file in your home or client program directory on the node where you will run the command. Add the following settings, depending on whether you are running the command in a production or development environment.

    touch ~/.cassandra/nodetool-ssl.properties

  Production environment:

    -Dcom.sun.management.jmxremote.ssl=true
    -Dcom.sun.management.jmxremote.ssl.need.client.auth=false
    -Dcom.sun.management.jmxremote.registry.ssl=true
    -Djavax.net.ssl.keyStore=<path_to_keystore>
    -Djavax.net.ssl.keyStorePassword=<keystore-password>
    -Djavax.net.ssl.trustStore=<path_to_truststore>
    -Djavax.net.ssl.trustStorePassword=<truststore-password>

  Development environment:

    -Dcom.sun.management.jmxremote.ssl.need.client.auth=true
    -Dcom.sun.management.jmxremote.registry.ssl=true
    -Djavax.net.ssl.keyStore=<path_to_keystore>
    -Djavax.net.ssl.keyStorePassword=<keystore-password>
    -Djavax.net.ssl.trustStore=<path_to_truststore>
    -Djavax.net.ssl.trustStorePassword=<truststore-password>
- Start the appropriate tool using the following options to establish an encrypted connection with username and password credentials, or an auth provider class for CQL. If you provide a username option but not a password, you are prompted to enter one.

  nodetool

    nodetool --ssl -u JMX_USERNAME -pw JMX_PASSWORD COMMAND

  Replace the following:
  - JMX_USERNAME: The username for the JMX connection
  - JMX_PASSWORD: The password for the JMX connection
  - COMMAND: The command to run

  hcd

    hcd -a JMX_USERNAME -b JMX_PASSWORD nodetool COMMAND

  Replace the following:
  - JMX_USERNAME: The username for the JMX connection
  - JMX_PASSWORD: The password for the JMX connection
  - COMMAND: The command to run
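The nodetool-ssl.properties file created in the nodetool step holds the keystore and truststore passwords in clear text, so it is worth checking before first use. The following shell functions are an added example, not part of the HCD documentation or tooling: they audit such a file against the production settings listed above. The function names and finding labels are hypothetical, and values are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: audit a nodetool-ssl.properties file against the production
# settings listed above. Not part of the HCD documentation or tooling.

# get_opt FILE NAME: print the value of -DNAME=value (last occurrence wins).
# Assumes values contain no spaces or tabs.
get_opt() {
    tr ' \t' '\n\n' < "$1" | sed -n "s|^-D$2=||p" | tail -n 1
}

# audit_nodetool_ssl FILE: print one line per finding; the exit status is
# the number of findings (0 = clean).
audit_nodetool_ssl() {
    f=$1
    findings=0
    if [ ! -f "$f" ]; then
        echo "MISSING  $f"
        return 1
    fi
    # The file stores keystore and truststore passwords in clear text,
    # so group and other must have no access.
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "PERMS    $f is accessible to group or other (use chmod 600)"
        findings=$((findings + 1))
    fi
    # Both the JMX connector and the RMI registry must use TLS.
    for name in com.sun.management.jmxremote.ssl \
                com.sun.management.jmxremote.registry.ssl; do
        if [ "$(get_opt "$f" "$name")" != "true" ]; then
            echo "TLS-OFF  $name is not set to true"
            findings=$((findings + 1))
        fi
    done
    # Store paths and passwords must be set and not left as <placeholders>.
    for name in javax.net.ssl.keyStore javax.net.ssl.keyStorePassword \
                javax.net.ssl.trustStore javax.net.ssl.trustStorePassword; do
        case $(get_opt "$f" "$name") in
            ''|'<'*) echo "UNSET    $name is missing or still a placeholder"
                     findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# Usage: audit_nodetool_ssl ~/.cassandra/nodetool-ssl.properties
```

Run it as the same user that will run nodetool, since the permission check only reports what group and other can access.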