Configure SSL for HCD
Configure SSL for Hyper-Converged Database (HCD) by implementing Client Certificate Authentication. Following this approach, each node verifies the service or client making a request against a local truststore to validate that the certificate was issued by a known Certificate Authority (CA).
Create SSL certificates, keystores, and truststores
You can implement SSL using certificates signed by a well-known CA, or by creating your own root CA. DataStax recommends using certificates signed by a CA to reduce SSL certificate management tasks. However, you can also use self-signed certificates with HCD, which supports SSL certificates in local and external keystores.
Creating your own CA in a production environment typically involves an intermediate certificate chain, where the root CA signs one or more intermediate certificates with its private key. These intermediate certificates chain together to link back to the root CA, which owns one or more trusted roots.
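A worked example of the chain described above, added here and not part of the HCD documentation: a root CA signs an intermediate CA with its private key, the intermediate issues a node certificate, and `openssl verify` plays the role of a node checking a presented certificate against its truststore. It requires the `openssl` command-line tool. The CA names, hostname, IP address and password are placeholders, and packaging the result as PKCS12 keystore and truststore files is an assumption about the deployment.

```shell
#!/bin/sh
# Added example, not from the HCD documentation: build a root CA -> intermediate CA
# -> node certificate chain with openssl, then show that a node certificate is
# accepted only when the verifying side trusts the root it chains to (the role of
# the node's truststore). Hostnames, IPs and the password are placeholders.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PASS="changeit"   # placeholder keystore/truststore password

# Create a CA certificate. $1 basename, $2 subject CN, $3 issuer basename
# (empty for a self-signed root), $4 pathlen for the CA:TRUE constraint.
make_ca() {
  name="$1"; cn="$2"; issuer="$3"; pathlen="$4"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:%s\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    "$pathlen" > "$WORK/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  if [ -z "$issuer" ]; then
    # Self-signed root: the trust anchor that goes into every node's truststore.
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" -days 3650 -sha256 \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" >/dev/null 2>&1
  else
    # Intermediate: signed with the issuer's private key, so it links back to the root.
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.crt" -CAkey "$WORK/$issuer.key" \
      -CAcreateserial -days 1825 -sha256 -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" >/dev/null 2>&1
  fi
}

# Issue a node (leaf) certificate from the intermediate CA. $1 node name, $2 SAN list.
# serverAuth + clientAuth lets one certificate serve node-to-node and client-to-node TLS.
make_node_cert() {
  name="$1"; sans="$2"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=%s\nsubjectKeyIdentifier=hash\n' \
    "$sans" > "$WORK/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/intermediate.crt" -CAkey "$WORK/intermediate.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" >/dev/null 2>&1
}

# Return 0 when $2's certificate chains, via the intermediate, to the trust anchor $1.
# This is the check a node performs against its truststore on an incoming connection.
verify_chain() {
  openssl verify -CAfile "$WORK/$1.crt" -untrusted "$WORK/intermediate.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# Package the node's material as PKCS12: keystore = private key + leaf + intermediate,
# truststore = root CA only (assumption: the deployment uses PKCS12 store files).
package_stores() {
  openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" -certfile "$WORK/intermediate.crt" \
    -name "$1" -passout "pass:$PASS" -out "$WORK/$1-keystore.p12"
  openssl pkcs12 -export -nokeys -in "$WORK/root.crt" -passout "pass:$PASS" -out "$WORK/truststore.p12"
}

build_all() {
  make_ca root "Example Root CA" "" 1
  make_ca intermediate "Example Issuing CA" root 0
  make_node_cert node1 "DNS:node1.example.internal,IP:10.0.0.1"
  make_ca rogue-root "Untrusted Root CA" "" 1   # a CA the cluster does not trust
  package_stores node1
}

build_all
verify_chain root node1 && echo "node1 chains to the trusted root: accepted"
verify_chain rogue-root node1 || echo "node1 does not chain to rogue-root: rejected"
```

The truststore deliberately holds only the root: a node then accepts any certificate issued under that root, including those from intermediates rotated later, while the intermediate travels with the node's keystore so peers can complete the chain. A certificate from an unrelated CA fails verification even if its subject names match, which is the behaviour the local-truststore check is meant to enforce.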
Where to configure SSL
HCD supports SSL encryption between nodes (node-to-node communication) and between clients and nodes (client-to-node communication). You can use SSL to encrypt in-flight data for the following HCD services and clients.
HCD services
Use SSL to encrypt data in the following node-to-node connections:
- HCD Core
- HCD Search with Apache Solr™
- HCD Analytics with Apache Spark™
- HCD Graph
HCD clients
Use SSL to secure connections from a client to the coordinator node to establish client-to-node connections:
- HCD drivers
- CQL shell (cqlsh)
- DataStax Studio
- DataStax Bulk Loader
- DataStax Apache Kafka Connector
- HCD tools
Configure SSL for HCD
Complete the following procedures to configure SSL for HCD:
- Create SSL certificates, keystores, and truststores.
- Configure SSL for HCD services (node-to-node communication).
- Configure SSL for HCD clients (client-to-node communication).
After creating the necessary SSL certificates and configuring SSL for HCD services, use cqlsh to connect to your SSL-enabled cluster.