Downloading the generated CA cert 

Download the CA certificate automatically generated by Lifecycle Manager after enabling client-to-node encryption. Configure your CQL clients to use the certificate.

Download the CA certificate automatically generated by Lifecycle Manager after enabling client-to-node encryption. LCM automates the process of setting up SSL certificates using an internal certificate authority. Configure your CQL clients to trust certificates signed by the certificate authority.

Prerequisites

  1. Enable client-to-node encryption in the configuration profile associated with the cluster.
  2. If the cert was not generated, an error message in both the opscenterd.log and the job event details indicate the SSL certificate is not yet valid. Ensure that there is not any clock drift, which can interfere with generating the cert chain properly. Check the clock drift rule in the Best Practice Service to ensure clocks are in sync.

opscenterd.log 

The location of the opscenterd.log file depends on the type of installation:

  • Package installations: /var/log/opscenter/opscenterd.log
  • Tarball installations: install_location/log/opscenterd.log

Procedure

  1. In the Clusters workspace of Lifecycle Manager, select the cluster in the Clusters pane.
    The Cluster Details pane for the cluster appears.

  2. In the Cluster Details pane, click the Download Cert link for CA Certificate.
    The browser downloads the certificate file. By default, the DSE client CA certificate file provided by LCM is named cacert and has a PEM format.
  3. Use the CA Certificate to configure CQL clients to communicate over SSL/TLS. The process for configuring each CQL client is unique. Refer to the steps for configuring SSL/TLS for cqlsh as an example.

    For example, using CQLSH client, you can (SSL) access DSE nodes with the following command:

    SSL_CERTFILE=cacert cqlsh --ssl <DseNode_Host>
    Clients are able to connect to the DataStax Enterprise cluster via CQL over SSL/TLS.