Configure SSL for node-to-node connections

Node-to-node (internode) encryption protects data in-flight between nodes in a cluster using SSL.

Prerequisites

Create SSL certificates, keystores, and truststores. You can either create local keystore files or use a remote keystore provider.

OpsCenter Lifecycle Manager can configure Hyper-Converged Database (HCD) clusters to use node-to-node encryption: it prepares server certificates using an internal certificate authority and deploys the resulting keystore and truststore to each node automatically.

Procedure

  1. Locate the cassandra.yaml file. The location of this file depends on the installation type.

    • Package installations: /etc/hcd/cassandra/cassandra.yaml

    • Tarball installations: INSTALLATION_LOCATION/resources/cassandra/conf/cassandra.yaml

    Replace INSTALLATION_LOCATION with the path where you extracted the HCD tarball.

  2. Edit cassandra.yaml and make the following changes to the server_encryption_options section to enable SSL:

    1. Set internode_encryption to one of the following options to limit which traffic between nodes is encrypted:

    2. Set require_client_auth to true to require two-way host certificate validation.

    3. Set require_endpoint_verification to true to verify that the connected node’s IP address matches the certificate.

  3. Configure the keystore and truststore, depending on whether you are using local keystore files or a remote keystore provider. All settings are configured in the server_encryption_options section of cassandra.yaml.

    • Local files

      Use the following settings:

      server_encryption_options:
          internode_encryption: all
          keystore_type: JKS
          keystore: <path_to_keystore.jks>
          keystore_password: <keystore_password>
          require_client_auth: true
          require_endpoint_verification: true
          truststore_type: JKS
          truststore: <path_to_truststore.jks>
          truststore_password: <truststore_password>

      To encrypt the truststore and keystore passwords for local encryption, see Encrypt tables with Transparent Data Encryption (TDE).

    • Remote provider

      Requires installation of a provider. Use the following settings. Unused options can be blank or commented out.

      server_encryption_options:
          internode_encryption: all
          keystore_type: PKCS12
          require_client_auth: true
          require_endpoint_verification: true
          truststore_type: PKCS12

  4. Restart HCD.
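As an added example (not DataStax or HCD code), a small Python audit that reads the server_encryption_options block from a cassandra.yaml and reports settings that fall short of the values this procedure sets; the sample YAML is constructed, and the reader handles only the flat key: value block shown on this page, not general YAML.

```python
from typing import Dict, List

# Constructed sample: a weak server_encryption_options block, the "before"
# state of this procedure. Not taken from any real deployment.
WEAK_YAML = """\
cluster_name: 'Test Cluster'
server_encryption_options:
    internode_encryption: none
    keystore: conf/.keystore
    keystore_password: cassandra
    require_client_auth: false
    truststore: conf/.truststore
    truststore_password: cassandra
client_encryption_options:
    enabled: false
"""

def parse_section(text: str, section: str) -> Dict[str, str]:
    """Collect the flat key: value pairs indented under `section:`.
    Minimal reader for the block shape on this page, not a YAML loader."""
    out: Dict[str, str] = {}
    in_section = False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():  # top-level key: enter or leave the section
            in_section = line.rstrip() == f"{section}:"
            continue
        if in_section:
            key, _, value = line.strip().partition(":")
            out[key.strip()] = value.split("#", 1)[0].strip().strip("'\"")
    return out

def audit_internode(opts: Dict[str, str]) -> List[str]:
    """Findings against the hardened settings in this procedure."""
    findings: List[str] = []
    if opts.get("internode_encryption", "none") != "all":
        findings.append("internode_encryption is not 'all': some internode traffic is plaintext")
    if opts.get("require_client_auth", "false").lower() != "true":
        findings.append("require_client_auth is not true: peers need not present a certificate")
    if opts.get("require_endpoint_verification", "false").lower() != "true":
        findings.append("require_endpoint_verification is not true: cert is not tied to the peer address")
    for key in ("keystore_password", "truststore_password"):
        if opts.get(key, "") in ("", "cassandra"):  # empty or the shipped default
            findings.append(f"{key} is empty or the well-known default")
    return findings

if __name__ == "__main__":
    for finding in audit_internode(parse_section(WEAK_YAML, "server_encryption_options")):
        print("WARN:", finding)
```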


© 2025 DataStax, an IBM Company
