Encrypting JMX communication between the DataStax agent and DSE

About this task

Complete the following steps to encrypt JMX communications between the DataStax agent and DataStax Enterprise (DSE). Enabling this encryption causes the DataStax agent to use an SSL-aware socket factory when connecting to DSE, but does not enable encryption for DSE itself.

By default, JMX remote connections are disabled and JMX security authentication is disabled for both local and remote connections in the cassandra-env.sh file:

JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=false"

If you want to configure JMX authentication for DSE, you must Enable DSE Unified Authentication.

cassandra-env.sh

The location of the cassandra-env.sh file depends on the type of installation:

Package installations

/etc/dse/cassandra/cassandra-env.sh

Tarball installations

installation_location/resources/cassandra/conf/cassandra-env.sh

Prerequisites

Complete all steps to Set up SSL certificates.

Procedure

  1. Stop DSE on every node in the cluster.

  2. Stop the DataStax agent on each node where it is running.

    • Package installations:

      sudo service datastax-agent stop
    • Tarball installations:

      To stop the DataStax Agent, find the DataStax Agent Java process ID (PID) and kill the process using its PID number.

      ps -ef | grep datastax-agent
      sudo kill pid
  3. Navigate to the jvm-server.options file. There are three files that control Java Virtual Machine options:

    • jvm-server.options: options independent of any particular JVM

    • jvm8-server.options: options particular to JVM 8

    • jvm11-server.options: options particular to JVM 11

The location of either the JVM 8 or JVM 11 server.options file depends on the type of installation:

  • Package installations: /etc/dse/cassandra/jvm<release number>-server.options

  • Tarball installations: installation_location/resources/cassandra/conf/jvm<release number>-server.options

    4. Add the following section for SSL settings.

      # SSL settings
      -Dcom.sun.management.jmxremote.ssl=true
      -Dcom.sun.management.jmxremote.ssl.need.client.auth=true
      -Djavax.net.ssl.keyStore=/path_to_keyStore/keyStore_name.jks
      -Djavax.net.ssl.keyStorePassword=keyStore_password
      -Djavax.net.ssl.trustStore=/path_to_trustStore/trustStore_name.jks
      -Djavax.net.ssl.trustStorePassword=trustStore_password
      • com.sun.management.jmxremote.ssl

        Set to true to enable SSL for JMX connections between DSE and the DataStax agent. If enabled, com.sun.management.jmxremote.ssl.need.client.auth must also be set to true to enable full security.

      • com.sun.management.jmxremote.ssl.need.client.auth

        Set to true to enable two-way certificate authentication.

      • keyStore_name

        Name of the SSL keystore.

      • keyStore_password

        Password for the keystore indicated by javax.net.ssl.keyStore.

      • trustStore_name

        Name of the SSL truststore.

      • trustStore_password

        Password for the truststore indicated by javax.net.ssl.trustStore.

    5. Start DSE on each node in the cluster.

      sudo service dse start

      Wait for the nodes to become available before continuing.

    6. To run the DataStax agent with SSL encryption, add the following settings to the datastax-agent-env.sh file on each node where the DataStax agent is running. The default location of the datastax-agent-env.sh file depends on the type of installation:

  • Package installations: /etc/datastax-agent/datastax-agent-env.sh

  • Tarball installations: install_location/agent/conf/datastax-agent-env.sh

    The keystore for DSE is the truststore for the DataStax agent (and vice versa), as shown in the following example. The keyStore variable points to the trustStore, and the keyStorePassword variable uses the trustStore password. The opposite is true for the trustStore variable.

    JVM_OPTS="$JVM_OPTS -Xmx1024M"
    JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=/path_to_trustStore/trustStore_name.jks"
    JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=trustStore_password"
    JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=/path_to_keyStore/keyStore_name.jks"
    JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=keyStore_password"
    JVM_OPTS="$JVM_OPTS -Ddatastax.agent.jmx.usessl=true"
    datastax.agent.jmx.usessl

    Add this setting and set to true to enable SSL encryption for the DataStax agent.

    7. Restart the DataStax agent for changes to take effect.

      • Package installations:

        sudo service datastax-agent restart
      • Tarball installations:

        1. To stop the DataStax Agent, find the DataStax Agent Java process ID (PID) and kill the process using its PID number:

          ps -ef | grep datastax-agent
          sudo kill pid
        2. Start the Agent:

          Use the -f option to start the Agent in the foreground.

          install_location/bin/datastax-agent
    8. After restarting the DataStax agent on each node where it is running, check OpsCenter to ensure that all DataStax agents are running and that all nodes are available.
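
The swapped keystore/truststore wiring in the procedure above is easy to get wrong, so this added example (not DataStax code) checks a jvm-server.options file against a datastax-agent-env.sh file before the restart. It assumes DSE and the agent run on the same node and reference the same store files, as in the sample paths; `get_prop`, `expect` and `check_jmx_ssl` are hypothetical helper names.

```sh
#!/bin/sh
# Added example, not DataStax code. Assumes DSE and the agent share a node and
# reference the same keystore/truststore files, as in the page's sample paths.

# get_prop FILE PROPERTY: print the value of the last uncommented
# -DPROPERTY=value setting in FILE (empty when absent).
get_prop() {
  sed -n -e '/^[[:space:]]*#/d' \
      -e "s/.*-D$2=\([^\"[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# expect LABEL ACTUAL WANTED: flag an empty or mismatched value. Values are
# never echoed because some of them are passwords.
expect() {
  if [ -z "$2" ] || [ "$2" != "$3" ]; then
    echo "FAIL: $1" >&2
    rc=1
  fi
}

# check_jmx_ssl DSE_OPTIONS_FILE AGENT_ENV_FILE: return 0 when consistent.
check_jmx_ssl() {
  rc=0
  expect "DSE jmxremote.ssl must be true" \
    "$(get_prop "$1" com.sun.management.jmxremote.ssl)" true
  expect "DSE jmxremote.ssl.need.client.auth must be true" \
    "$(get_prop "$1" com.sun.management.jmxremote.ssl.need.client.auth)" true
  expect "agent datastax.agent.jmx.usessl must be true" \
    "$(get_prop "$2" datastax.agent.jmx.usessl)" true
  expect "agent keyStore must be the DSE trustStore" \
    "$(get_prop "$2" javax.net.ssl.keyStore)" \
    "$(get_prop "$1" javax.net.ssl.trustStore)"
  expect "agent keyStorePassword must be the DSE trustStorePassword" \
    "$(get_prop "$2" javax.net.ssl.keyStorePassword)" \
    "$(get_prop "$1" javax.net.ssl.trustStorePassword)"
  expect "agent trustStore must be the DSE keyStore" \
    "$(get_prop "$2" javax.net.ssl.trustStore)" \
    "$(get_prop "$1" javax.net.ssl.keyStore)"
  expect "agent trustStorePassword must be the DSE keyStorePassword" \
    "$(get_prop "$2" javax.net.ssl.trustStorePassword)" \
    "$(get_prop "$1" javax.net.ssl.keyStorePassword)"
  return "$rc"
}

# Usage: sh check_jmx_ssl.sh <jvm-server.options> <datastax-agent-env.sh>
if [ "$#" -eq 2 ]; then check_jmx_ssl "$1" "$2"; fi
```

A non-zero exit status means at least one setting is missing, commented out, or not mirrored between the two files; the failing checks are named on stderr.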
