Instructions for setting up OpsCenter and the DataStax Agents for connecting to DSE when
client-to-node encryption is enabled.
The opscenterd machine and the DataStax Agents act as clients to each DSE machine.
Therefore, opscenterd and the DataStax Agents need to use their own keystores (to present their
certificates) and truststores (to verify the DSE server certificate) during the SSL handshake
process. If two-way auth is enabled, DSE needs to verify traffic from opscenterd and the
DataStax Agents using a truststore. Follow these instructions to set up OpsCenter and the
DataStax Agents to use client-to-node encryption using one-way or two-way auth.
cluster_name.conf
The location of the cluster_name.conf file depends on the type of installation:
- Package installations: /etc/opscenter/clusters/cluster_name.conf
- Tarball installations: install_location/conf/clusters/cluster_name.conf
Procedure
- Create a keystore on the opscenterd machine.
$ keytool -genkey -alias opscenter -keyalg RSA -keypass password -storepass password -keystore opscenter.jks
This command creates a keystore named opscenter.jks in the
current directory.
- Export the opscenterd certificate.
$ keytool -export -alias opscenter -storepass password -file opscenter.crt -keystore opscenter.jks
This command exports the certificate stored in opscenter.jks to a file named
opscenter.crt in the current directory.
- Create a truststore on the opscenterd machine and import each node's public certificate.
$ keytool -import -v -trustcacerts -alias node1 -file node1.crt -keystore truststore.jks -keypass password
The command creates a truststore by importing node1's certificate. Repeat this
command using the certificate from each node.
- Optional: Import the opscenterd certificate into the truststore on every DSE node.
Note: This is optional and should be done only if two-way auth is enabled when using DSE client-to-node encryption. This should be done on every node in the cluster.
$ keytool -import -v -trustcacerts -alias opscenter -file opscenter.crt -keystore dse_truststore.jks -keypass password
This command imports (and trusts) the opscenter.crt certificate into a
truststore named dse_truststore.jks.
- Import the DSE certificate into its truststore so that the DataStax Agent can use the
combined truststore and keystore for client-to-node encryption. Repeat for each
node.
Note: The DataStax Agent uses one file as both a keystore and truststore. Therefore, each
agent can reuse the same truststore that was created when enabling client-to-node
encryption in DSE. The only additional step is to add the certificate to the truststore
for the node that the DataStax Agent is monitoring.
$ keytool -import -alias node1 -file node1.crt -keystore dse_truststore.jks -storepass password
This command imports node1.crt into the truststore file
dse_truststore.jks, thus making dse_truststore.jks
both a truststore and keystore. Repeat this process on every DSE machine.
- Configure OpsCenter and the DataStax Agents to use client-to-node encryption.
  - Configure the client-to-node settings using the Edit Cluster Connection
    Settings dialog in the OpsCenter monitoring UI. See Configuring cluster
    settings.
  - Configure the cluster configuration file.
    Edit the cluster configuration file and enter the information for the SSL keystore
    and SSL truststore created in previous steps.
    Note: If using a separate storage cluster (recommended), one additional
    keystore/truststore needs to be created that holds the certs of the nodes in the
    storage cluster as well as the cert/key for the agent machine. The path and password
    to said keystore/truststore should go in the [agents] section of the cluster
    configuration file.
cluster_name.conf
[cassandra]
# Note: If the truststore and keystore are the same file, enter the same path/password
# for both the keystore and truststore
ssl_keystore = /path/to/keystore/file/on/opsc/machine
ssl_keystore_password = password_of_keystore
ssl_truststore = /path/to/truststore/file/on/opsc/machine
ssl_truststore_password = password_of_truststore
[agents]
# The agent uses one keystore/truststore file that operates as both a keystore and a truststore
ssl_keystore = /path/to/dse/truststore/file/on/agent/machine
ssl_keystore_password = password_of_keystore
# Optional if using a separate storage cluster
storage_ssl_keystore = /path/to/storage_cluster/keystore/file/on/agent/machine
storage_ssl_keystore_password = password_of_keystore
- Restart OpsCenter.
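
A consistency check for the SSL options in cluster_name.conf, to run before the restart; this is an added example, not DataStax code. The function name, the two_way flag, the --two-way argument and the file-permission check are assumptions of this example; the option names are the ones in the sample file above.

```python
import configparser
import os
import stat


def check_cluster_conf(conf_path, two_way=False, check_files=True):
    """Return a list of problems in the SSL settings of a cluster_name.conf."""
    problems = []
    # The file holds keystore passwords in clear text, so flag any group/other
    # access bits (hardening check added here, not a step from the page).
    if stat.S_IMODE(os.stat(conf_path).st_mode) & 0o077:
        problems.append("config file is accessible to group/others")
    cfg = configparser.ConfigParser(interpolation=None)  # passwords may contain %
    cfg.read(conf_path)
    # (section, path option, required?) using the option names shown on the page.
    # The truststore verifies the DSE certificate, so it is always needed; the
    # opscenterd keystore presents a certificate, which two-way auth requires.
    rules = [
        ("cassandra", "ssl_truststore", True),
        ("cassandra", "ssl_keystore", two_way),
        ("agents", "ssl_keystore", True),
        ("agents", "storage_ssl_keystore", False),
    ]
    for section, opt, required in rules:
        path = cfg.get(section, opt, fallback="")
        password = cfg.get(section, opt + "_password", fallback="")
        if not path and not password:
            if required:
                problems.append(f"[{section}] {opt} is not set")
        elif not path or not password:
            problems.append(f"[{section}] {opt} needs both a path and a password")
        elif check_files and not os.path.isfile(path):
            problems.append(f"[{section}] {opt}: file not found: {path}")
    # Page rule: when one file is both keystore and truststore, the same
    # path and password go in both options.
    c = dict(cfg["cassandra"]) if cfg.has_section("cassandra") else {}
    if (c.get("ssl_keystore") and c.get("ssl_keystore") == c.get("ssl_truststore")
            and c.get("ssl_keystore_password") != c.get("ssl_truststore_password")):
        problems.append("[cassandra] same file but different passwords")
    return problems


if __name__ == "__main__":
    import sys
    # Usage: script.py /path/to/cluster_name.conf [--two-way]  (hypothetical flag)
    for problem in check_cluster_conf(sys.argv[1], two_way="--two-way" in sys.argv):
        print(problem)
```

An empty result means the settings are internally consistent; it does not prove that the keystore passwords are correct or that the truststore contains every node's certificate.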