Downloading the generated CA cert
About this task
Download the CA certificate automatically generated by Lifecycle Manager (LCM) after enabling client-to-node encryption. LCM automates the process of Creating local SSL certificate and keystore files using an internal certificate authority. Configure your CQL clients to trust certificates signed by the certificate authority.
opscenterd.log
The location of the opscenterd.log file depends on the type of installation:
-
Package installations: /var/log/opscenter/opscenterd.log
-
Tarball installations: install_location/log/opscenterd.log
Prerequisites
-
Enable client-to-node encryption in the configuration profile associated with the cluster.
-
If the cert was not generated, an error message in both the opscenterd.log and the job event details indicate the SSL certificate is not yet valid. Ensure that there is not any clock drift, which can interfere with generating the cert chain properly. Check the clock drift rule in the Best Practice Service to ensure clocks are in sync.
Procedure
-
In the Clusters workspace of Lifecycle Manager, select the cluster in the Clusters pane.
-
In the Cluster Details pane, click the Download Cert link for CA Certificate.
The browser downloads the certificate file. By default, the DSE client CA certificate file provided by LCM is named
cacert
and has a PEM format. -
Use the CA Certificate to configure CQL clients to communicate over SSL/TLS. The process for configuring each CQL client is unique. Refer to the steps for Connecting to SSL-enabled nodes using cqlsh for an example.
For example, using CQLSH client, you can (SSL) access DSE nodes with the following command:
SSL_CERTFILE=cacert cqlsh --ssl <DseNode_Host>
Clients are able to connect to the DataStax Enterprise cluster using CQL over SSL/TLS.