Securing internal transactional node connections
Node-to-node (internode) encryption protects data transferred between nodes in a cluster using SSL (Secure Sockets Layer). For information about generating SSL certificates, see Setting up SSL certificates.
cassandra.yaml
The location of the cassandra.yaml file depends on the type of installation:
Package installations: /etc/dse/cassandra/cassandra.yaml
Tarball installations: installation_location/resources/cassandra/conf/cassandra.yaml
Procedure
To enable node-to-node SSL encryption:
- Set the server_encryption_options in the cassandra.yaml file on each node:
  - internode_encryption: Encrypts traffic between nodes. Options: none, all, dc, or rack.
  - keystore: Relative path from the DSE installation directory or absolute path to the keystore file.
  - keystore_password: Password to access the keystore.
  - truststore: Relative path from the DSE installation directory or absolute path to the truststore file.
  - truststore_password: Password to access the truststore.
  - require_client_auth: Enables two-way encryption. After enabling it, you must configure clients, such as nodetool and cqlsh, to use SSL.
  - require_endpoint_verification: Optional; verifies that the connected node's IP address matches its certificate.
  Note: To encrypt the truststore and keystore passwords with KMIP, see Encrypting table data.

  server_encryption_options:
      internode_encryption: all
      keystore: resources/dse/conf/keystore.jks
      keystore_password: myPassKey
      truststore: resources/dse/conf/truststore.jks
      truststore_password: truststorePass
      require_client_auth: true
      require_endpoint_verification: true
- Restart DSE.
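The following is an added example, not DSE tooling or code from this page: a small audit script that reads the server_encryption_options block out of a cassandra.yaml and reports which of the settings listed above would leave internode traffic unencrypted or unauthenticated. The parser handles only the flat, indented key: value lines this block uses (it is not a general YAML parser, and it avoids any third-party dependency), and both sample configurations embedded in it are constructed for the example; the function names parse_block and audit are hypothetical.

```python
"""Audit the server_encryption_options block of a cassandra.yaml.

Hypothetical check script, not part of DSE. It parses only the indented
`key: value` scalar lines used by this block, so it needs no YAML library.
"""

# Constructed sample: the hardened block from the procedure above.
HARDENED = """\
server_encryption_options:
    internode_encryption: all
    keystore: resources/dse/conf/keystore.jks
    keystore_password: myPassKey
    truststore: resources/dse/conf/truststore.jks
    truststore_password: truststorePass
    require_client_auth: true
    require_endpoint_verification: true
"""

# Constructed sample: a block that leaves internode traffic in the clear
# and never asks the peer for a certificate (placeholder paths/passwords).
WEAK = """\
cluster_name: 'example'   # unrelated top-level key, must be ignored
server_encryption_options:
    internode_encryption: none
    keystore: /path/to/keystore.jks          # placeholder
    keystore_password: KEYSTORE_PASSWORD     # placeholder
    truststore: /path/to/truststore.jks      # placeholder
    truststore_password: TRUSTSTORE_PASSWORD # placeholder
    require_client_auth: false
"""

# Values the page documents for internode_encryption.
VALID_MODES = {"none", "all", "dc", "rack"}

REQUIRED_KEYS = ("keystore", "keystore_password",
                 "truststore", "truststore_password")


def parse_block(text, block="server_encryption_options"):
    """Return the key/value pairs indented under the top-level key `block`."""
    opts = {}
    inside = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            # A new top-level key starts; we are inside only if it is our block.
            inside = line.strip() == block + ":"
            continue
        if inside:
            key, _, value = line.strip().partition(":")
            opts[key.strip()] = value.strip()
    return opts


def to_bool(value):
    """cassandra.yaml booleans are the literals true/false."""
    return str(value).strip().lower() == "true"


def audit(text):
    """Return a list of findings; an empty list means the block is fully hardened."""
    opts = parse_block(text)
    findings = []

    mode = opts.get("internode_encryption", "none")
    if mode not in VALID_MODES:
        findings.append(f"internode_encryption has unknown value {mode!r}")
    elif mode == "none":
        findings.append("internode_encryption is none: internode traffic is unencrypted")
    elif mode in ("dc", "rack"):
        # dc/rack encrypt only traffic that crosses a datacenter/rack boundary.
        findings.append(f"internode_encryption is {mode}: traffic inside a {mode} is unencrypted")

    for key in REQUIRED_KEYS:
        if not opts.get(key):
            findings.append(f"{key} is not set")

    if not to_bool(opts.get("require_client_auth", "false")):
        findings.append("require_client_auth is false: connecting nodes are not asked for a certificate")
    if not to_bool(opts.get("require_endpoint_verification", "false")):
        findings.append("require_endpoint_verification is false: peer IP is not checked against its certificate")
    return findings


if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("weak", WEAK)):
        print(f"{name}: {audit(text) or ['ok']}")
```

Run it against a real file with audit(open("/etc/dse/cassandra/cassandra.yaml").read()); a non-empty result lists exactly which of the settings in the procedure still need attention before the Restart DSE step.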