Configure SSL/TLS for DSE using LCM

One of the ways that you can configure DSE security using Lifecycle Manager (LCM) is by enabling SSL/TLS encryption for a cluster using an LCM Configuration Profile. This is the recommended process for production environments.

Encryption options

LCM can configure DSE clusters to use node-to-node and client-to-node encryption.

  • Client-to-node encryption

  • Node-to-node encryption

Client-to-node encryption is disabled by default, and can use certificates generated by the internal certificate authority in LCM, or certificates generated outside of LCM.

When client-to-node encryption is enabled, LCM creates keystores and truststores for SSL/TLS communication with the following default names and locations:

  • Keystore: /etc/dse/keystores/client.keystore

  • Truststore: /etc/dse/keystores/client.truststore

When client-to-node SSL encryption is enabled, both the OpsCenter daemon and the DataStax Agents must also be SSL-enabled to communicate with the DSE server nodes. LCM automatically sets the SSL options for that purpose in the cluster-specific configuration file:

[agents]
ssl_keystore_password = cassandra
ssl_keystore = /etc/dse/keystores/client.keystore

[cassandra]
ssl_keystore_password = lifecyclemanager
ssl_keystore = /var/lib/opscenter/ssl/lcm/lcm-auto-generated.truststore

The agents.ssl_keystore file is the keystore used by DataStax Agents to communicate with DSE nodes, and it is the same keystore file used by a DSE node connecting to other DSE nodes.

The cassandra.ssl_keystore file is the keystore used by the OpsCenter daemon to communicate with DSE nodes. The LCM configuration process automatically generates this keystore file at the default location /var/lib/opscenter/ssl/lcm/.

The cluster-specific configuration file (CLUSTER_NAME.conf) is located at /etc/opscenter/clusters/ for package installations, and at INSTALL_DIRECTORY/conf/clusters/ for tarball installations.

For information about manually configuring cluster connections with the OpsCenter UI, see Edit OpsCenter cluster connections for authentication or encryption.

Node-to-node encryption is disabled by default, and it is configured by setting internode_encryption in server_encryption_options.

When node-to-node encryption is enabled, LCM creates keystores and truststores for SSL/TLS communication with the following default names and locations:

  • Keystore: /etc/dse/keystores/server.keystore

  • Truststore: /etc/dse/keystores/server.truststore

When enabling node-to-node encryption on an existing cluster, the cluster experiences a network partition during the transition, which leads to temporary loss of consistency. If possible, enable node-to-node encryption when you first create the cluster.

Enable encryption in a configuration profile

  1. Click Config Profiles from the Lifecycle Manager navigation menu.

  2. Edit an existing configuration profile or click Add config profile to create a new one.

  3. In the Config Profile menu, find the Cassandra section, and then select cassandra.yaml.

    In the next steps, you will configure the server_encryption_options and client_encryption_options settings in cassandra.yaml.

    [Figure: cassandra.yaml security options in LCM config profiles]

  4. In the Security section, find server_encryption_options, and then select an option for internode_encryption:

    • all (Recommended): All inter-node communication is encrypted.

    • dc: Traffic between datacenters is encrypted. Select this option if you are concerned about the performance impact of encrypting traffic locally, but encryption is still required for inter-datacenter traffic that might transit untrusted links.

    • rack: Traffic between racks is encrypted.

    • none (Default): No inter-node communication is encrypted.

  5. Re-enter your keystore and truststore passwords.

  6. Enable client_encryption_options. Where LCM can supply them, the keystore and truststore fields are populated with certificates automatically.

    Due to a known limitation when enabling client-to-node encryption, you must manually provide certificates and enable require_client_auth in client_encryption_options after the cluster is created. For instructions, see Lifecycle Manager: Setting require_client_auth=true.

    [Figure: Enable client_encryption_options]

  7. Re-enter your keystore and truststore passwords.

  8. Click Save to save the changes.
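Written out as the cassandra.yaml settings that steps 3 through 8 produce (a constructed example added here, not output captured from LCM; the keystore and truststore paths are the LCM defaults listed above, and the password values are placeholders for what you enter in steps 5 and 7):

```yaml
# Constructed example: the security settings of cassandra.yaml after the
# configuration profile above is applied. Paths are the LCM defaults from
# this page; passwords are placeholders for the values entered in the profile.
server_encryption_options:
    # 'none' is the default and leaves all inter-node traffic in clear text;
    # 'dc' and 'rack' encrypt only traffic crossing a datacenter or rack boundary.
    internode_encryption: all
    keystore: /etc/dse/keystores/server.keystore
    keystore_password: "REPLACE_WITH_SERVER_KEYSTORE_PASSWORD"
    truststore: /etc/dse/keystores/server.truststore
    truststore_password: "REPLACE_WITH_SERVER_TRUSTSTORE_PASSWORD"

client_encryption_options:
    # 'false' is the default: drivers, cqlsh and the agents connect unencrypted.
    enabled: true
    keystore: /etc/dse/keystores/client.keystore
    keystore_password: "REPLACE_WITH_CLIENT_KEYSTORE_PASSWORD"
    truststore: /etc/dse/keystores/client.truststore
    truststore_password: "REPLACE_WITH_CLIENT_TRUSTSTORE_PASSWORD"
    # Mutual TLS for clients. Because of the known LCM limitation noted above,
    # this is set to true only after the cluster exists and client certificates
    # have been provided manually.
    require_client_auth: true
```

With require_client_auth left at false the node authenticates itself to clients but accepts any client that trusts its CA, so the value of the truststore on the server side is only realised once the flag is enabled.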

Apply configuration changes

  1. Go to the Clusters workspace in Lifecycle Manager and select the configuration profile to apply at the cluster level.

  2. If you haven’t already done so, run an install job on the cluster. Otherwise, run a configure job to apply the configuration profile changes.

  3. Monitor the job. When the job completes successfully, SSL/TLS is enabled for the DSE cluster.

  4. Download the generated CA cert for use with SSL-encrypted DSE client connections.
