Configure SSL/TLS between OpsCenter and the DataStax Agents

OpsCenter uses Transport Layer Security (TLS), still commonly referred to by the name of its predecessor, Secure Sockets Layer (SSL), to encrypt and authenticate traffic between DataStax Agents and the main OpsCenter daemon. By default, SSL is disabled.

Run OpsCenter without SSL only when OpsCenter and DataStax Enterprise (DSE) run under the following conditions:

  • On a secure internal network.

  • In a development environment where DataStax Agents and OpsCenter run on the same computer protected from network threats.

  • In a situation where there is no concern about someone listening to OpsCenter traffic.

Otherwise, configuring SSL between OpsCenter and DataStax Agents is strongly recommended as a security best practice.

Enable SSL/TLS for OpsCenter and agent communication

  • Package installations

  • Tarball installations

Enable SSL between OpsCenter and DataStax Agents by editing the opscenterd.conf file.

  1. If you need to regenerate SSL key files, do the following preparatory steps. Otherwise, the SSL key generation process is done automatically at package install time.

    1. Locate opscenterd.conf and address.yaml at /etc/opscenter/opscenterd.conf and /var/lib/datastax-agent/conf/address.yaml.

    2. Because OpsCenter requires the .der file format for SSL, if the existing agents ssl_certfile in opscenterd.conf is in a .pem format, run the following command to convert the format:

      openssl x509 -outform der -in /var/lib/opscenter/ssl/opscenter.pem -out /var/lib/opscenter/ssl/opscenter.der

      For more information about SSL cert file formats, see convert SSL certificates.

    3. Because the setup.py script uses /usr/share/opscenter/conf/ssl.conf, which dictates the certificate common name, modify the ssl.conf values before using setup.py:

      Example ssl.conf
      [ req ]
      prompt=no
      distinguished_name = req_distinguished_name
      
      [ req_distinguished_name ]
      C = country_name
      ST = state_abbreviation
      L = city_name
      O = company_name
      OU = division_name
      CN = common_certificate_name
      emailAddress = opscenter.admin@email.com
    4. If the SSL files already exist in the /usr/share/opscenter/ssl directory, they are not automatically recreated. Before running setup.py, remove the old SSL files from that directory.

    5. Make sure that the /tmp directory does not have the noexec flag set.

      The setup.py script requires the /tmp directory to have exec permissions. See Set and secure the /tmp directory for the DataStax Agent.

    6. Run the OpsCenter setup.py script:

      sudo /usr/share/opscenter/bin/setup.py

      The script generates the SSL keys and certificates used by the OpsCenter daemon and the DataStax Agents to communicate with one another in the following directory: /usr/share/opscenter/ssl.

    7. Copy the following files to /var/lib/opscenter/ssl:

      • opscenter.key: OpsCenter SSL private key

      • opscenter.der: OpsCenter SSL certificate

      • agentKeyStore: DataStax Agent keystore

      • agentKeyStore.der: DataStax Agent SSL certificate

      • agentKeyStore.key: DataStax Agent keyfile

        The agentKeyStore.key keyfile is necessary only when configuring high availability (HA), so that the secondary OpsCenter instance can communicate with the primary OpsCenter instance. The failover opscenterd processes on the secondary OpsCenter instance use this key to establish a STOMP connection to the primary opscenterd instance.

        sudo cp /usr/share/opscenter/ssl/opscenter.key /var/lib/opscenter/ssl
        sudo cp /usr/share/opscenter/ssl/opscenter.der /var/lib/opscenter/ssl
        sudo cp /usr/share/opscenter/ssl/agentKeyStore /var/lib/opscenter/ssl
        sudo cp /usr/share/opscenter/ssl/agentKeyStore.der /var/lib/opscenter/ssl
        sudo cp /usr/share/opscenter/ssl/agentKeyStore.key /var/lib/opscenter/ssl
    8. Change ownership of the files copied in the previous step to the opscenter user and the opscenter group:

      sudo chown opscenter:opscenter /var/lib/opscenter/ssl/opscenter.key
      sudo chown opscenter:opscenter /var/lib/opscenter/ssl/opscenter.der
      sudo chown opscenter:opscenter /var/lib/opscenter/ssl/agentKeyStore
      sudo chown opscenter:opscenter /var/lib/opscenter/ssl/agentKeyStore.der
    9. If configuring HA, change the ownership for the agentKeyStore.key keyfile as well:

      sudo chown opscenter:opscenter /var/lib/opscenter/ssl/agentKeyStore.key
  2. Edit opscenterd.conf to add an [agents] section with the use_ssl option set to true:

    sudo vi /etc/opscenter/opscenterd.conf
    opscenterd.conf
    [agents]
    use_ssl = true
    ssl_keyfile =  /var/lib/opscenter/ssl/opscenter.key
    ssl_certfile = /var/lib/opscenter/ssl/opscenter.der
    agent_keyfile = /var/lib/opscenter/ssl/agentKeyStore
    agent_keyfile_raw = /var/lib/opscenter/ssl/agentKeyStore.key
    agent_certfile = /var/lib/opscenter/ssl/agentKeyStore.der

    The agent_keyfile_raw file is used only in HA configurations.

  3. Restart the OpsCenter daemon.

  4. If you need to connect to a cluster in which DataStax Agents have already been deployed, log in to each of the nodes and reconfigure the address.yaml file.

    If you do not want to manually edit all of the node configuration files, follow the procedure to install DataStax Agents automatically.

    1. Copy /var/lib/opscenter/ssl/agentKeyStore from the OpsCenter machine to /var/lib/datastax-agent/ssl/agentKeyStore on each node in the cluster:

      scp /var/lib/opscenter/ssl/agentKeyStore USER@NODE:/var/lib/datastax-agent/ssl/

      Replace USER with the user ID on the node, and replace NODE with the node name or IP address of the node.

    2. Log in to each node in the cluster using SSH:

      ssh USER@NODE
    3. Edit the address.yaml file, changing use_ssl to 1:

      sudo vi /var/lib/datastax-agent/conf/address.yaml
      address.yaml
      use_ssl: 1
    4. If your keystore and truststore files reside in a different location from the default, define the following parameters to indicate the location of the keystore and truststore, plus the password for each:

      address.yaml
      opscenter_ssl_truststore: /etc/datastax-agent/key/dse-truststore.jks
      opscenter_ssl_truststore_password: truststore_password
      opscenter_ssl_keystore: /etc/datastax-agent/key/keystore.jks
      opscenter_ssl_keystore_password: keystore_password
    5. Restart the DataStax Agent:

      sudo service datastax-agent restart
  5. After opscenterd and all DataStax Agents have been configured and restarted, verify proper connection through the Agent Status tab.

To enable SSL for tarball installations, edit the configuration file and run a script to generate the keys used by OpsCenter and the DataStax Agents.

  1. Because OpsCenter requires the .der file format for SSL, if the existing agents ssl_certfile in opscenterd.conf is in a .pem format, run the following command to convert the format:

    openssl x509 -outform der -in /INSTALL_DIRECTORY/ssl/opscenter.pem -out /INSTALL_DIRECTORY/ssl/opscenter.der

    For more information about SSL cert file formats, see convert SSL certificates.

  2. If the SSL files already exist in the INSTALL_DIRECTORY/ssl directory, they are not automatically recreated. Before running setup.py, remove the old SSL files from that directory.

  3. Run the OpsCenter setup.py script:

    sudo /INSTALL_DIRECTORY/bin/jython/setup.py

    The script generates the SSL keys and certificates used by the OpsCenter daemon and the DataStax Agents to communicate with one another in the /ssl directory.

  4. Locate the opscenterd.conf file at INSTALL_DIRECTORY/conf/opscenterd.conf.

  5. Open opscenterd.conf in an editor, and then add an [agents] section with the use_ssl option set to true:

    sudo vi INSTALL_DIRECTORY/conf/opscenterd.conf
    opscenterd.conf
    [agents]
    use_ssl = true
    ssl_keyfile =  INSTALL_DIRECTORY/ssl/opscenter.key
    ssl_certfile = INSTALL_DIRECTORY/ssl/opscenter.der
    agent_keyfile = INSTALL_DIRECTORY/ssl/agentKeyStore
    agent_keyfile_raw = INSTALL_DIRECTORY/ssl/agentKeyStore.key
    agent_certfile = INSTALL_DIRECTORY/ssl/agentKeyStore.der

    The agent_keyfile_raw file is used only in HA configurations.

  6. Restart the OpsCenter daemon.

  7. If you need to connect to a cluster in which DataStax Agents have already been deployed, log in to each of the nodes and reconfigure the address.yaml file.

    If you do not want to manually edit all of the node configuration files, follow the procedure to install DataStax Agents automatically.

    1. For each node in the cluster, copy INSTALL_DIRECTORY/ssl/agentKeyStore from the OpsCenter machine to ssl/agentKeyStore on the node (AGENT_INSTALL_DIRECTORY/ssl/agentKeyStore):

      scp /opt/opscenter/ssl/agentKeyStore  USER@NODE:AGENT_INSTALL_DIRECTORY/ssl/agentKeyStore

      Replace USER with the user ID on the node, and replace NODE with the node’s host name or IP address.

    2. Log in to each node in the cluster using SSH:

      ssh USER@NODE
    3. Locate the address.yaml file at INSTALL_DIRECTORY/conf/address.yaml.

    4. Edit the address.yaml file, changing the value of use_ssl to 1:

      sudo vi INSTALL_DIRECTORY/conf/address.yaml
      use_ssl: 1
    5. If your keystore and truststore files reside in a different location from the default, define the following parameters to indicate the location of the keystore and truststore, plus the password for each:

      opscenter_ssl_truststore: /etc/datastax-agent/key/dse-truststore.jks
      opscenter_ssl_truststore_password: truststore_password
      opscenter_ssl_keystore: /etc/datastax-agent/key/keystore.jks
      opscenter_ssl_keystore_password: keystore_password
    6. Restart the DataStax Agent:

      sudo INSTALL_DIRECTORY/bin/datastax-agent
  8. After opscenterd and all DataStax Agents have been configured and restarted, verify proper connection through the Agent Status tab.
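
A check to run before restarting the OpsCenter daemon, as an added example (not DataStax code): it reads the file options from the [agents] section of opscenterd.conf, confirms that each file is readable, and flags a certificate that is still in PEM format. The function names, the comparison against the literal value true, and the placeholder files written by make_sample are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: audit the [agents] SSL settings of an opscenterd.conf file.

# Print the value of KEY from the [agents] section of an INI-style file.
agents_opt() {  # usage: agents_opt CONF KEY
  awk -v key="$2" '
    /^[ \t]*\[/ { sect = $0; gsub(/[ \t]/, "", sect); next }
    sect == "[agents]" && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
      v = substr($0, index($0, "=") + 1);    gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) { print v; exit }
    }' "$1"
}

# Print one FAIL line per finding; the return status is the number of findings.
audit_agents_ssl() {  # usage: audit_agents_ssl CONF
  local conf=$1 findings=0 opt path
  if [ "$(agents_opt "$conf" use_ssl)" != "true" ]; then
    echo "FAIL use_ssl is not set to true in [agents]"; findings=$((findings + 1))
  fi
  for opt in ssl_keyfile ssl_certfile agent_keyfile agent_certfile; do
    path=$(agents_opt "$conf" "$opt")
    if [ -z "$path" ] || [ ! -r "$path" ]; then
      echo "FAIL $opt: unset or unreadable (${path:-unset})"; findings=$((findings + 1))
    elif [ "${opt%_certfile}" != "$opt" ] && head -c 10 "$path" | grep -q -- '-----BEGIN'; then
      # Certificates must be DER; a PEM file starts with a "-----BEGIN" line.
      echo "FAIL $opt: $path is PEM, convert it to DER"; findings=$((findings + 1))
    fi
  done
  return "$findings"
}

# Constructed sample: write a conf plus placeholder key/cert files under DIR.
# CERT_HEAD is the first bytes of the certificate files (not real key material).
make_sample() {  # usage: make_sample DIR CERT_HEAD
  local f
  for f in opscenter.key agentKeyStore; do printf 'placeholder' > "$1/$f"; done
  for f in opscenter.der agentKeyStore.der; do printf '%s' "$2" > "$1/$f"; done
  printf '%s\n' '[agents]' 'use_ssl = true' \
    "ssl_keyfile =  $1/opscenter.key" "ssl_certfile = $1/opscenter.der" \
    "agent_keyfile = $1/agentKeyStore" "agent_certfile = $1/agentKeyStore.der" \
    > "$1/opscenterd.conf"
}

# Audit the file given as the first argument, if any.
[ $# -eq 0 ] || audit_agents_ssl "$1"
```

Run it as the opscenter user so that the readability check reflects what the daemon can actually open.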

Disable SSL/TLS for OpsCenter and agent communication

  • Package installations

  • Tarball installations

To disable SSL for package installations, modify the OpsCenter configuration file and restart OpsCenter.

By default, SSL is turned off in OpsCenter. Perform this task only if you previously configured the DataStax Agents on a cluster to use SSL and now need to turn SSL off.

  1. Locate the opscenterd.conf file at /etc/opscenter/opscenterd.conf.

  2. Open opscenterd.conf in an editor, and then set the value of the use_ssl option to false to disable SSL:

    sudo vi /etc/opscenter/opscenterd.conf
    opscenterd.conf
    [agents]
    use_ssl = false
  3. Restart the OpsCenter daemon.

  4. Reconfigure the DataStax Agents.

    If you do not want to manually edit all of the node configuration files, follow the procedure to automatically install DataStax Agents.

    1. Log in to each node in the cluster using SSH:

      ssh USER@NODE

      Replace USER with the user ID on the node, and replace NODE with the node name or IP address of the node.

    2. Edit the address.yaml file (/var/lib/datastax-agent/conf/address.yaml) to set the value of use_ssl to 0:

      sudo vi /var/lib/datastax-agent/conf/address.yaml
      use_ssl: 0
    3. Restart the DataStax Agent:

      sudo service datastax-agent restart
  5. After opscenterd and all DataStax Agents have been configured and restarted, verify proper connection through the Agent Status tab.

To disable SSL for tarball installations, modify the OpsCenter configuration file and restart OpsCenter.

By default, SSL is turned off in OpsCenter. You only need to perform this task if you have previously configured the DataStax Agents on a cluster to use SSL and now want to turn SSL off.

  1. Locate the opscenterd.conf file at INSTALL_DIRECTORY/conf/opscenterd.conf.

  2. Open opscenterd.conf in an editor, and then set the value of the use_ssl option to false to disable SSL:

    vi INSTALL_DIRECTORY/conf/opscenterd.conf
    opscenterd.conf
    [agents]
    use_ssl = false
  3. Restart the OpsCenter daemon.

  4. Reconfigure the DataStax Agents.

    If you do not want to manually edit all of the node configuration files, follow the procedure to automatically install DataStax Agents.

    1. Log in to each node in the cluster using SSH:

      ssh USER@NODE

      Replace USER with the user ID on the node, and replace NODE with the node name or IP address of the node.

    2. Locate the address.yaml file at INSTALL_DIRECTORY/conf/address.yaml.

    3. Edit the address.yaml file, changing the value of use_ssl to 0:

      sudo vi INSTALL_DIRECTORY/conf/address.yaml
      use_ssl: 0
    4. Restart the DataStax Agent:

      sudo INSTALL_DIRECTORY/bin/datastax-agent
  5. After opscenterd and all DataStax Agents have been configured and restarted, verify proper connection through the Agent Status tab.
