Configuring DSE security using LCM

Authentication for DataStax Enterprise clusters is enabled by default in a Lifecycle Manager (LCM) configuration profile. Configuration profiles use the DseAuthenticator by default. To modify the authentication type, click Config Profile, select cassandra.yaml under the Cassandra section, and modify the authenticator.

The following links provide more information about the available security options in the cassandra.yaml configuration file:

Internal Certificate Authority generated by LCM

The process of manually preparing certificates and deploying them can be a barrier to the adoption of security features. To simplify deployments, Lifecycle Manager optionally generates certificates using an internal certificate authority.

  • When LCM first starts, it creates a self-signed 2048 bit RSA certificate authority that is stored in the [lifecycle_manager].cacerts_directory in opscenterd.conf.

    The location of the opscenterd.conf file depends on the type of installation:

    • Package installations: /etc/opscenter/opscenterd.conf

    • Tarball installations: install_location/conf/opscenterd.conf

  • When running install or configure jobs, LCM generates a keystore and truststore for each node if necessary. Certificate generation occurs if either node-to-node or client-to-node encryption is enabled, and if there is no pre-existing keystore or truststore in the locations specified by the configuration profile.

  • When generating a keystore for each node, LCM creates a certificate signing request for the node, signs the request with the internal certificate authority, and packages the resulting certificate in a JKS-formatted keystore.

  • When generating a truststore for each node, LCM packages the CA certificate in a JKS-formatted truststore. The same CA is used to sign certificates for all nodes in all clusters, and it enables validation of all automatically generated certificates.

To use certificates not generated by LCM, see Using non-LCM generated certificates.