Configure SSL for nodetool and hcd
Complete the following procedure to configure JMX for using nodetool and hcd with SSL.
Make these changes in the
Prerequisites
For production environments, secure an entire cluster using
Update the cassandra-env.sh file
To configure SSL for nodetool and hcd, do the following:
1. Locate the cassandra-env.sh file. The location of this file depends on your installation type:
   - Package installations: /etc/hcd/cassandra/cassandra-env.sh
   - Tarball installations: INSTALLATION_LOCATION/resources/cassandra/conf/cassandra-env.sh
2. Open the cassandra-env.sh file.
3. To configure the client settings for nodetool, create a .cassandra/nodetool-ssl.properties file in your home or client program directory on the node where you will run the command:

       touch ~/.cassandra/nodetool-ssl.properties

   Add the following settings, depending on whether you are running the command in a production or development environment. The javax.net.ssl.trustStore properties name the truststore that nodetool uses to verify the node's certificate. The javax.net.ssl.keyStore properties name the certificate that nodetool presents to the node; they matter when the node's JMX agent requires client certificates (need.client.auth=true, the stricter setting, which rejects any JMX client that cannot present a certificate the node trusts). Because the file contains the keystore and truststore passwords, make it readable only by the user who runs nodetool.

   Production environment:

       -Dcom.sun.management.jmxremote.ssl=true
       -Dcom.sun.management.jmxremote.ssl.need.client.auth=false
       -Dcom.sun.management.jmxremote.registry.ssl=true
       -Djavax.net.ssl.keyStore=<path_to_keystore>
       -Djavax.net.ssl.keyStorePassword=<keystore-password>
       -Djavax.net.ssl.trustStore=<path_to_truststore>
       -Djavax.net.ssl.trustStorePassword=<truststore-password>

   Development environment:

       -Dcom.sun.management.jmxremote.ssl.need.client.auth=true
       -Dcom.sun.management.jmxremote.registry.ssl=true
       -Djavax.net.ssl.keyStore=<path_to_keystore>
       -Djavax.net.ssl.keyStorePassword=<keystore-password>
       -Djavax.net.ssl.trustStore=<path_to_truststore>
       -Djavax.net.ssl.trustStorePassword=<truststore-password>

4. Start the appropriate tool with the following options to establish an encrypted connection with username and password credentials (or, for CQL, an auth provider class). If you provide a username option but not a password, you are prompted to enter one; prompting keeps the password out of your shell history and the process list.

   nodetool:

       nodetool --ssl -u JMX_USERNAME -pw JMX_PASSWORD COMMAND

   hcd:

       hcd -a JMX_USERNAME -b JMX_PASSWORD nodetool COMMAND

   Replace the following:
   - JMX_USERNAME: The username for the JMX connection
   - JMX_PASSWORD: The password for the JMX connection
   - COMMAND: The command to run
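The following is an added example, not from the HCD documentation or the HCD project, that carries out step 3 as a shell function: it writes the ~/.cassandra/nodetool-ssl.properties file that the touch command above creates, and it creates the directory and file owner-only because the file holds the keystore and truststore passwords. Instead of the production/development labels it takes the need.client.auth value directly, and the keystore pair is optional, since nodetool only needs to present a client certificate when the node requires one. The function names, argument order and helper functions are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the HCD documentation or project: create the
# nodetool-ssl.properties client file from step 3 with safe permissions.
# Function and argument names are illustrative assumptions.

# write_nodetool_ssl_props NEED_CLIENT_AUTH TRUSTSTORE TRUSTSTORE_PW [KEYSTORE KEYSTORE_PW]
#   Writes $HOME/.cassandra/nodetool-ssl.properties (the path the page's touch
#   command creates) and prints its path. The keystore pair is optional because
#   nodetool only presents a client certificate when the node demands one
#   (need.client.auth=true). Returns 1 on bad input.
write_nodetool_ssl_props() {
    need_client_auth=$1
    truststore=$2
    truststore_pw=$3
    keystore=$4
    keystore_pw=$5

    case "$need_client_auth" in
        true|false) ;;
        *) echo "need_client_auth must be true or false, got '$need_client_auth'" >&2; return 1 ;;
    esac
    # The truststore is always needed: nodetool verifies the node's certificate against it.
    if [ ! -r "$truststore" ]; then
        echo "truststore not readable: $truststore" >&2; return 1
    fi
    if [ "$need_client_auth" = true ] && [ ! -r "$keystore" ]; then
        echo "need.client.auth=true requires a readable keystore, got '$keystore'" >&2; return 1
    fi

    dir=$HOME/.cassandra
    props=$dir/nodetool-ssl.properties
    # umask 077 in a subshell: directory and file are owner-only from the moment
    # they are created, so the passwords in the file are never exposed, even briefly.
    (
        umask 077
        mkdir -p "$dir"
        {
            printf '%s\n' "-Dcom.sun.management.jmxremote.ssl=true"
            printf '%s\n' "-Dcom.sun.management.jmxremote.ssl.need.client.auth=$need_client_auth"
            printf '%s\n' "-Dcom.sun.management.jmxremote.registry.ssl=true"
            if [ -n "$keystore" ]; then
                printf '%s\n' "-Djavax.net.ssl.keyStore=$keystore"
                printf '%s\n' "-Djavax.net.ssl.keyStorePassword=$keystore_pw"
            fi
            printf '%s\n' "-Djavax.net.ssl.trustStore=$truststore"
            printf '%s\n' "-Djavax.net.ssl.trustStorePassword=$truststore_pw"
        } > "$props"
    )
    echo "$props"
}

# props_mode FILE -> permission string such as -rw-------
props_mode() {
    ls -ld "$1" | cut -c1-10
}

# props_value FILE KEY -> value of the -DKEY=... line in FILE (empty if absent)
props_value() {
    sed -n "s/^-D$2=//p" "$1"
}

# Usage (writes into your real home directory; paths are assumptions):
#   write_nodetool_ssl_props false /etc/hcd/certs/truststore.jks 'truststore-password'
#   write_nodetool_ssl_props true  /etc/hcd/certs/truststore.jks 'truststore-password' \
#                                  /etc/hcd/certs/keystore.jks 'keystore-password'
#   nodetool --ssl -u JMX_USERNAME status
```

After running it, props_mode on the file should print -rw-------; if it prints anything more permissive, another user on the host can read your keystore and truststore passwords.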
JDK 17 hostname verification
By default, JDK 17 enables hostname verification for SSL/TLS connections.
When you connect to a node with nodetool --ssl, the host name you pass with -h must therefore exactly match one of the DNS names in the server certificate's Subject Alternative Name (SAN) field; an IP address is accepted only if the certificate carries a matching IP address SAN entry.
For example, if the server certificate SAN contains the EC2 internal DNS name ip-192-0-2-1.us-west-2.compute.internal, you must use that exact name when you connect with nodetool:
nodetool --ssl -u cassandra -pw cassandra -h ip-192-0-2-1.us-west-2.compute.internal status
If you attempt to connect with an IP address or a DNS name that is not present in the SAN, the connection fails with a hostname verification error.
Troubleshoot hostname verification errors
To troubleshoot hostname verification errors, do the following:
1. Verify the DNS names in your server certificate SAN field.
2. Ensure that you connect using one of those exact DNS names.
3. If necessary, regenerate certificates with the appropriate SAN entries for your connection method, such as IP addresses or DNS names.
For more information about configuring certificates with SAN entries, see Create SSL certificates, keystores, and truststores.
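The following is an added example, not from the HCD documentation or from the JDK, that covers both the hostname verification rule above and troubleshooting steps 1 and 2: a POSIX shell checker that tells you, before you run nodetool, whether the name you intend to pass with -h is covered by the certificate's SAN entries. It applies the JDK's rules in simplified form (DNS names compare case-insensitively, a leading wildcard covers exactly one label, and an IP literal is compared only with IP Address entries), so it also goes beyond the page's exact-DNS-name case. The SAN line format is the one openssl x509 -noout -ext subjectAltName prints; the sample SAN line, the function names and the port 7199 in the comments are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the HCD documentation or the JDK: predict whether
# "nodetool --ssl -h NAME" will pass JDK hostname verification against the
# node certificate's Subject Alternative Name (SAN) list.
#
# Obtain the SAN line from the node's certificate (file name is an assumption):
#   openssl x509 -in node.crt -noout -ext subjectAltName | sed -n 2p
# or from the live JMX port (7199 assumed):
#   openssl s_client -connect NODE:7199 </dev/null 2>/dev/null \
#       | openssl x509 -noout -ext subjectAltName | sed -n 2p

# Constructed sample SAN line in the format openssl prints; not from a real certificate.
SAMPLE_SAN='DNS:ip-192-0-2-1.us-west-2.compute.internal, DNS:*.db.example.internal, IP Address:192.0.2.1'

# trim STRING -> STRING without leading/trailing whitespace
trim() {
    printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# is_ipv4 NAME -> 0 if NAME is a dotted-quad IPv4 literal (rough check, IPv4 only)
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.) return 1 ;;
        *.*.*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# dns_matches PATTERN HOST -> 0 if the SAN dNSName entry PATTERN covers HOST.
# Simplified JDK rule: case-insensitive, and a leading "*." matches exactly one
# label (*.db.example.internal covers node1.db.example.internal but not
# a.b.db.example.internal or db.example.internal).
dns_matches() {
    pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pat" in
        '*.'*)
            suffix=${pat#\*}                       # ".db.example.internal"
            case "$host" in
                *"$suffix")
                    head=${host%"$suffix"}         # what the wildcard must cover
                    case "$head" in
                        ''|*.*) return 1 ;;        # empty or more than one label
                        *) return 0 ;;
                    esac ;;
                *) return 1 ;;
            esac ;;
        *)
            [ "$pat" = "$host" ] ;;
    esac
}

# san_matches SAN_LINE NAME -> 0 if NAME will verify, 1 otherwise.
# An IP literal is checked only against "IP Address:" entries and a host name
# only against "DNS:" entries, which is why "-h 192.0.2.1" fails when the
# certificate carries only DNS names.
san_matches() {
    san_line=$1
    name=$2
    old_ifs=$IFS
    IFS=','
    set -f                                         # no globbing of "*." entries
    set -- $san_line
    set +f
    IFS=$old_ifs
    for entry in "$@"; do
        entry=$(trim "$entry")
        kind=${entry%%:*}
        value=$(trim "${entry#*:}")
        if is_ipv4 "$name"; then
            if [ "$kind" = "IP Address" ] && [ "$value" = "$name" ]; then
                return 0
            fi
        elif [ "$kind" = "DNS" ] && dns_matches "$value" "$name"; then
            return 0
        fi
    done
    return 1
}

# explain SAN_LINE NAME -> one-line verdict to run before "nodetool --ssl -h NAME status"
explain() {
    if san_matches "$1" "$2"; then
        echo "OK: '$2' is covered by the SAN; nodetool --ssl -h $2 should pass hostname verification"
    else
        echo "FAIL: '$2' is not covered by the SAN ($1); connect with a listed name or reissue the certificate"
    fi
}

explain "$SAMPLE_SAN" ip-192-0-2-1.us-west-2.compute.internal
explain "$SAMPLE_SAN" 192.0.2.1
explain "$SAMPLE_SAN" node1.db.example.internal
explain "$SAMPLE_SAN" localhost
```

The last line prints FAIL: localhost is not in the SAN, which is the error case described above, and the fix is either to connect with a listed name or to regenerate the certificate with the SAN entries you need (step 3). Swap in the SAN line from your own node's certificate to check the name you plan to use.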