Connect to DSE with client-to-node encryption in OpsCenter and the DataStax Agents

The opscenterd machine and the DataStax Agents act as clients to each DSE machine. Therefore, opscenterd and the DataStax Agents must use their own keystores (to present their certificates) and truststores (to verify the DSE server certificate) during the SSL handshake.

OpsCenter and DataStax Agents client-to-node encryption

Use these steps to configure OpsCenter and the DataStax Agents for client-to-node encryption with one-way or two-way authentication:

  1. Enable client-to-node encryption on the DSE cluster. For more information, see Configure SSL/TLS for DSE using LCM and Configure SSL for client-to-node connections.

  2. Create the keystores and truststores (if needed) for all DSE nodes. For more information, see Creating Local SSL Certificate and Keystore Files.

    If two-way authentication is enabled, truststores are required for DSE to verify traffic from opscenterd and the DataStax Agents.

  3. Create a keystore on the opscenterd machine.

    The following command creates a keystore named opscenter.jks in the current directory:

    keytool -genkey -alias opscenter -keyalg RSA -keypass password -storepass password -keystore opscenter.jks
  4. Export the opscenterd certificate.

    The following command exports a certificate named opscenter.crt that was stored in opscenter.jks in the previous step:

    keytool -export -alias opscenter -storepass password -file opscenter.crt -keystore opscenter.jks
  5. Create a truststore on the opscenterd machine and import each node’s public certificate.

    The following command creates a truststore by importing the certificate from node1. Repeat this command using the certificate for each node.

    keytool -import -v -trustcacerts -alias node1 -file node1.crt -keystore truststore.jks -keypass password
  6. If two-way authentication is enabled when using DSE client-to-node encryption, you must import the opscenterd certificate into the truststore on every DSE node in the cluster.

    The following command imports (and trusts) the opscenter.crt certificate into a truststore named dse_truststore.jks:

    keytool -import -v -trustcacerts -alias opscenter -file opscenter.crt -keystore dse_truststore.jks -keypass password
  7. If you are using a truststore, on each node, import the DSE certificate into its truststore so that the DataStax Agent can use the combined truststore and keystore for client-to-node encryption.

    The following command imports node1.crt into the truststore file dse_truststore.jks, which makes dse_truststore.jks a combined truststore and keystore. Repeat this command for each node.

    keytool -import -alias node1 -file node1.crt -keystore dse_truststore.jks -storepass password

    In OpsCenter versions earlier than 6.1.1, the DataStax Agent uses one file as both a keystore and truststore. Therefore, each agent can reuse the same truststore that was created when enabling client-to-node encryption in DSE. However, you must take this additional step to add the certificate of the node that the DataStax Agent is monitoring to that truststore.

  8. Configure OpsCenter and the DataStax Agents to use client-to-node encryption using the UI or by editing the cluster configuration file directly:

    • OpsCenter Monitoring UI: In the Edit Cluster Connection Settings dialog in the OpsCenter Monitoring UI, enter the required values to automatically populate the corresponding configuration options in the cluster-specific configuration file (CLUSTER_NAME.conf).

      When client-to-node encryption is enabled for a cluster using Lifecycle Manager, the ssl_truststore and ssl_truststore_password fields are automatically populated in CLUSTER_NAME.conf with the corresponding values from ssl_keystore and ssl_keystore_password for both opscenterd and the agent. LCM propagates the ssl_keystore value into ssl_keystore and ssl_truststore, and it propagates the ssl_keystore_password value into ssl_keystore_password and ssl_truststore_password.

    • Configure the keystore and truststore options directly in the cluster-specific configuration file (CLUSTER_NAME.conf). This file is located at /etc/opscenter/clusters/ for package installations and at /install_location/conf/clusters/ for tarball installations.

      [cassandra]
      # If the truststore and keystore are the same file, enter
      # the same path/password for both the keystore and truststore
      ssl_keystore = /path/to/keystore/file/on/opsc/machine
      ssl_keystore_password = password_of_keystore
      ssl_truststore = /path/to/truststore/file/on/opsc/machine
      ssl_truststore_password = password_of_truststore
      
      [agents]
      # The agent has separate keystore and truststore
      # Applicable to OpsCenter versions 6.1.1 and later.
      ssl_truststore = /path/to/trusted/certs
      ssl_truststore_password = pw_for_agents_to_access_trusted_certs
  9. If you are using a separate storage cluster (recommended), you must create one additional keystore/truststore to hold the certificates for the nodes in the storage cluster, as well as the certificate/key for the DataStax Agent machine. The path and password to this keystore/truststore must go in the [agents] section of the cluster configuration file:

    # Only if using a separate storage cluster
    storage_ssl_keystore = /path/to/storage_cluster/keystore/file/on/agent/machine
    storage_ssl_keystore_password = password_of_keystore
    # Separate truststore options applicable to OpsCenter versions 6.1.1 and later
    storage_ssl_truststore = /path/to/trusted/certs
    storage_ssl_truststore_password = pw_for_agents_to_access_trusted_certs
  10. Restart OpsCenter.
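Added example, not DataStax code: a small Python check for the [cassandra] and [agents] settings described in steps 8 and 9, run against a constructed CLUSTER_NAME.conf body. It assumes the option names shown above and that each store is a JKS or PKCS12 file; it flags a combined keystore/truststore whose two password settings differ, and the separate [agents] truststore options on an OpsCenter version earlier than 6.1.1, where the agent uses one combined file.

```python
import configparser
import os
import tempfile

JKS_MAGIC = b"\xfe\xed\xfe\xed"        # first four bytes of a Java JKS store
SEPARATE_AGENT_TRUSTSTORE = (6, 1, 1)  # [agents] ssl_truststore options start at this version

def check_store(label, path, password):
    """Problems with one store setting: path and password set, file present, JKS or PKCS12."""
    if not path or not password:
        return [f"{label}: path or password missing"]
    if not os.path.isfile(path):
        return [f"{label}: {path} not found"]
    with open(path, "rb") as f:
        head = f.read(4)
    # JKS begins with 0xFEEDFEED; a PKCS12 file is DER and begins with a SEQUENCE tag (0x30)
    if head != JKS_MAGIC and head[:1] != b"\x30":
        return [f"{label}: {path} is not a JKS or PKCS12 store"]
    return []

def validate_cluster_conf(text, opscenter_version=(6, 1, 1)):
    """Return the problems found in a CLUSTER_NAME.conf body; an empty list means it is consistent."""
    cfg = configparser.ConfigParser(interpolation=None)  # passwords may contain '%'
    cfg.read_string(text)
    cas = cfg["cassandra"] if cfg.has_section("cassandra") else {}
    ag = cfg["agents"] if cfg.has_section("agents") else {}
    problems = check_store("[cassandra] ssl_keystore", cas.get("ssl_keystore"), cas.get("ssl_keystore_password"))
    problems += check_store("[cassandra] ssl_truststore", cas.get("ssl_truststore"), cas.get("ssl_truststore_password"))
    # Same file used as keystore and truststore: both password options must hold the same value
    if cas.get("ssl_keystore") and cas.get("ssl_keystore") == cas.get("ssl_truststore") and cas.get("ssl_keystore_password") != cas.get("ssl_truststore_password"):
        problems.append("[cassandra] combined keystore/truststore must use one password for both")
    for key in ("ssl_truststore", "storage_ssl_truststore"):
        if ag.get(key) and opscenter_version < SEPARATE_AGENT_TRUSTSTORE:
            problems.append(f"[agents] {key} is ignored before OpsCenter 6.1.1 (agent uses one combined file)")
        elif ag.get(key):
            problems += check_store(f"[agents] {key}", ag.get(key), ag.get(key + "_password"))
    if ag.get("storage_ssl_keystore"):  # only set when a separate storage cluster is used
        problems += check_store("[agents] storage_ssl_keystore", ag["storage_ssl_keystore"], ag.get("storage_ssl_keystore_password"))
    return problems

def demo():
    """Constructed sample: a fake JKS header on disk and a conf that points at it (no real certificates)."""
    store = os.path.join(tempfile.mkdtemp(), "opscenter.jks")
    with open(store, "wb") as f:
        f.write(JKS_MAGIC + b"\x00\x00\x00\x02")  # JKS magic + format version 2, no entries
    conf = (f"[cassandra]\nssl_keystore = {store}\nssl_keystore_password = password\n"
            f"ssl_truststore = {store}\nssl_truststore_password = password\n"
            f"[agents]\nssl_truststore = {store}\nssl_truststore_password = password\n")
    return {"6.1.1": validate_cluster_conf(conf),             # combined file, consistent: []
            "6.0.0": validate_cluster_conf(conf, (6, 0, 0)),  # [agents] truststore option is ignored
            "mismatch": validate_cluster_conf(conf.replace("ssl_truststore_password = password", "ssl_truststore_password = other", 1))}
```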

© 2025 DataStax, an IBM Company