Encrypt JMX communication between the DataStax agent and DSE

Complete the following steps to encrypt JMX communications between the DataStax agent and DataStax Enterprise (DSE). Enabling this encryption causes the DataStax agent to use an SSL-aware socket factory when connecting to DSE, but does not enable encryption for DSE itself.

By default, JMX remote connections are disabled and JMX security authentication is disabled for both local and remote connections in the cassandra-env.sh file:

JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=false"

To configure JMX authentication for DSE, you must enable DSE unified authentication.

The location of the cassandra-env.sh file depends on the type of installation. For package installations, the file is located at /etc/dse/cassandra/cassandra-env.sh, and for tarball installations, the file is located at INSTALL_DIRECTORY/resources/cassandra/conf/cassandra-env.sh.

  1. Complete all steps to set up SSL certificates.

  2. Stop DSE on every node in the cluster.

  3. Stop the DataStax agent on each node where it is running:

    • Package installations:

      sudo service datastax-agent stop

    • Tarball installations: To stop the DataStax Agent, find the DataStax Agent Java process ID (PID) and kill the process using its PID number:

      ps -ef | grep datastax-agent
      sudo kill PID

  4. Navigate to the jvm-server.options file. There are three files that control Java Virtual Machine options:

    • jvm-server.options: options independent of any particular JVM

    • jvm8-server.options: options particular to JVM 8

    • jvm11-server.options: options particular to JVM 11

    The location of either the JVM 8 or JVM 11 server.options file depends on the type of installation. For package installations, the file is located at /etc/dse/cassandra/jvmRELEASE_NUMBER-server.options. For tarball installations, the file is located at INSTALL_DIRECTORY/resources/cassandra/conf/jvmRELEASE_NUMBER-server.options.

  5. Add the following section for SSL settings:

    # SSL settings
-Dcom.sun.management.jmxremote.ssl=true
-Dcom.sun.management.jmxremote.ssl.need.client.auth=true
-Djavax.net.ssl.keyStore=/path_to_keyStore/keyStore_name.jks
-Djavax.net.ssl.keyStorePassword=keyStore_password
-Djavax.net.ssl.trustStore=/path_to_trustStore/trustStore_name.jks
-Djavax.net.ssl.trustStorePassword=trustStore_password

    • com.sun.management.jmxremote.ssl: Set to true to enable SSL for JMX connections between DSE and the DataStax agent. If enabled, com.sun.management.jmxremote.ssl.need.client.auth must also be set to true to enable full security.

    • com.sun.management.jmxremote.ssl.need.client.auth: Set to true to enable two-way certificate authentication.

    • keyStore_name: Name of the SSL keystore.

    • keyStore_password: Password for the keystore indicated by javax.net.ssl.keyStore.

    • trustStore_name: Name of the SSL truststore.

    • trustStore_password: Password for the truststore indicated by javax.net.ssl.trustStore.

  6. Start DSE on each node in the cluster:

    sudo service dse start

    Wait for the nodes to become available before continuing.

  7. To run the DataStax agent with SSL encryption, add the following settings to the datastax-agent-env.sh file with on the nodes where the DataStax agent is running. Locate the datastax-agent-env.sh file. The default location of the DataStax agent environment shell script datastax-agent-env.sh depends on the type of installation. For package installations, the file is located at /etc/datastax-agent/datastax-agent-env.sh, and for tarball installations, the file is located at INSTALL_DIRECTORY/agent/conf/datastax-agent-env.sh.

    The keystore for DSE is the truststore for the DataStax agent (and vice versa), as shown in the following example. The keyStore variable points to the trustStore, and the keyStorePassword variable uses the trustStore password. The opposite is true for the trustStore variable.

    		 
    JVM_OPTS="$JVM_OPTS -Xmx1024M"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=/path_to_trustStore/trustStore_name.jks"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=trustStore_password"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=/path_to_keyStore/keyStore_name.jks"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=keyStore_password"
JVM_OPTS="$JVM_OPTS -Ddatastax.agent.jmx.usessl=true"

    datastax.agent.jmx.usessl: Add this setting and set to true to enable SSL encryption for the DataStax agent.

  8. Restart the DataStax agent for changes to take effect:

    • Package installations:

      sudo service datastax-agent restart

    • Tarball installations: To stop the DataStax Agent, find the DataStax Agent Java process ID (PID) and kill the process using its PID number:

      ps -ef | grep datastax-agent
      sudo kill PID

      Then, start the agent. Use the -f option to start the Agent in the foreground.

      INSTALL_DIRECTORY/bin/datastax-agent

  9. After restarting the DataStax agent on each node where it is running, check OpsCenter to ensure that all DataStax agents are running and that all nodes are available.

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2025 DataStax, an IBM Company | Privacy policy | Terms of use ·  Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com