Lists of security measures required for protecting a DataStax Enterprise database.
Database security checklist
Secure transactional nodes using DataStax Enterprise security features.
Search security checklist
Securing DSE Search.
Analytics security checklist
Securing DSE Analytics.
Graph security checklist
Secure DSE Graph data completely or partially using DataStax Enterprise security features.
To fully protect your data, ensure that your network is secure and temporary files are secure.
Securing ports
Lock down all unnecessary ports, and create IP security rules that allow internode and client communications.
Securing the TMP directory
Map JNA to a different executable directory before mounting the TMP directory with the noexec flag.
Detailed steps to set up authentication and authorization in a DataStax Enterprise environment.
About DSE Unified Authentication
Describes supported authentication and authorization methods.
Setting security keyspaces replication factors
Prerequisite: increase the replication factors (RF) of the security keyspaces, which manage authentication and authorization, to prevent lockouts and ensure consistency across the cluster.
Setting up Kerberos
DataStax Enterprise authentication with Kerberos protocol uses tickets to prove identity for nodes that communicate over non-secure networks.
Enabling DSE Unified Authentication
Steps to enable and configure DSE Unified Authentication.
Configuring JMX authentication
Enable JMX authentication for connections from the localhost or a remote host.
Managing credentials, role, and permissions cache settings
Change the amount of time and refresh rate for the credentials, role, and permissions cache.
Setting up local or DSE managed JMX user authentication.
About client connections
After enabling DataStax Unified Authentication, provide credentials in connection requests.
Providing credentials with DSE tools
Authentication works with any combination of DSE authentication, LDAP pass-through authentication, and Kerberos authentication.
Providing credentials with nodetool
Using nodetool with JMX authentication enabled.
Providing credentials with JConsole
How to use JConsole with authentication.
Providing credentials with cqlsh
Create a cqlshrc file to use credentials when launching a CQL shell session.
Using dsetool with Kerberos enabled cluster
Steps to enable dsetool to use Kerberos authentication.
Using cqlsh with Kerberos or user authentication
Configuration steps to use cqlsh with DataStax Unified Authentication.
Loading data into a remote Kerberos enabled cluster
Configure sstableloader with Kerberos to load data from an sstable into a remote DataStax Enterprise cluster with Kerberos enabled.
Providing credentials for DSE Graph
To run DataStax Enterprise Graph with DSE Unified Authentication, configure a user name and password or Kerberos in the Graph remote.yaml.
Running Spark jobs with Kerberos
Spark jobs may be run against a Kerberos enabled DataStax Enterprise database.
Manage access to database objects using role-based access control (RBAC).
About roles
Define roles and configure permissions to control access to database resources for authenticated users.
Creating superuser accounts
After enabling role-based access control, create your own superuser account and disable or drop the default cassandra account.
Creating roles for internal mode
Create roles that match the user name.
Creating roles for LDAP mode
Create roles that match group names in the LDAP server to manage role assignment with LDAP.
Creating roles for Kerberos principals
Create roles that match the Kerberos principal name.
Binding a role to an authentication scheme
Prevent unintentional role assignment when a group name or user name is found in multiple schemes.
Configuring proxy roles for applications
Proxy roles allow an authenticated account (role) to run CQL statements using a different role.
Configure roles and assign permissions to manage access to database resources for authenticated users.
About permissions
Permissions control access to database resources.
Managing keyspace and table permissions
Provides examples on how to manage access to keyspaces and tables.
Setting row-level permissions
Set up row-level access control on a table and grant permissions on rows to users.
Managing access to DSE Graph keyspaces
Manage permission to access Graph data.
Authorizing remote procedure calls for CQL execution
Steps to configure RPC permissions for external clients.
JMX MBean permissions
Set up access to MBeans for authenticated JMX users.
Search index permissions
Assign access privileges to roles for search index management.
Managing Spark application permissions
Authorize Spark application submissions, management, and use.
Information about enabling and configuring data auditing in DataStax Enterprise.
Enabling data auditing
Steps to enable data auditing in DataStax Enterprise.
Configuring audit logging
Steps to configure audit logging in DataStax Enterprise.
Configuring audit logging to a database table
Steps to configure audit logging to output to a database table.
Configuring auditing for DSE Search
Steps to configure auditing for DSE Search with the filter-mapping element in the Apache Solr™ web.xml file.
Configure transparent data encryption (TDE) on sensitive data stored in tables and in configuration files.
About Transparent Data Encryption
Protects sensitive at-rest data stored in configuration files and in database tables.
Configuring local encryption
Use locally stored symmetric encryption keys to protect sensitive system resources, configuration file properties and/or database tables.
Configuring KMIP encryption
Protect sensitive data using encryption keys from a remote KMIP (Key Management Interoperability Protocol).
Encrypting Search indexes
DSE Search index encryption shares the setup with SSTable encryption.
Migrating encrypted tables from earlier versions
Encrypted tables require specific actions to migrate to later versions of DataStax Enterprise.
Bulk loading data between TDE-enabled clusters
Bulk loading data between TDE-enabled clusters requires the correct deployment of encryption keys.
Securing data in flight for DataStax Enterprise components.
About SSL
Securing data in-flight on DataStax Enterprise.
Setting up SSL certificates
General steps for generating certificate signing requests, signing, and creating a keystore and truststore for development and production environments.
Securing internal transactional node connections
Node-to-node (internode) encryption protects data that is transferred between nodes in a cluster using SSL.
Securing client to cluster connections
Client-to-node encryption protects data in flight from client machines to a database cluster using SSL and establishes a secure channel between the client and the coordinator node.
Securing Spark connections
Communication between Spark applications and transactional nodes, masters and workers, and intercommunication between Spark drivers and executors can be encrypted.
Using CQL shell (cqlsh) with SSL
Establish connections to clusters with Kerberos, internal or external authentication, and SSL enabled.
Setting up SSL for nodetool, dsetool, and dse advrep
Using nodetool, dsetool, and dse advrep with SSL encryption.
Setting up SSL for jconsole (JMX)
Using jconsole with SSL encryption.
Connecting sstableloader to a secured cluster
Steps (for a development environment) to configure the sstableloader (bulk loader) with Kerberos or SSL.
Enabling SSL encryption for DSEFS
DSEFS can use SSL encryption.
Security FAQs
DataStax Enterprise security features frequently asked questions.