Securing internal transactional node connections

Node-to-node (internode) encryption protects data that is transferred between nodes in a cluster using SSL.

Node-to-node (internode) encryption protects data transferred between nodes in a cluster using SSL (Secure Sockets Layer). For information about generating SSL certificates, see Setting up SSL certificates.

OpsCenter Lifecycle Manager can configure DataStax Enterprise clusters to use node-to-node encryption. It automates preparing the server certificates with an internal certificate authority and deploys the resulting keystore and truststore to each node automatically.

cassandra.yaml

The location of the cassandra.yaml file depends on the type of installation:

Package installations and Installer-Services installations:
    /etc/dse/cassandra/cassandra.yaml

Tarball installations and Installer-No Services installations:
    installation_location/resources/cassandra/conf/cassandra.yaml

Procedure

To enable node-to-node SSL encryption:
  1. Set the server_encryption_options in the cassandra.yaml file on each node:
    • internode_encryption: Encrypts traffic between nodes. Options: none, all, dc, or rack.
    • keystore: Path to the keystore file, either relative to the DSE installation directory or absolute.
    • keystore_password: Password to access the keystore.
    • truststore: Path to the truststore file, either relative to the DSE installation directory or absolute.
    • truststore_password: Password to access the truststore.
    • require_client_auth: Enables two-way SSL, in which the connecting node must also present a certificate. After enabling it, you must configure clients such as nodetool and cqlsh to use SSL.
    • require_endpoint_verification: Optional. Verifies that the host name of the connected host matches the host name in its certificate.
    Note: To encrypt the truststore and keystore passwords with KMIP, see Encrypting table data.
    server_encryption_options:
       internode_encryption: all
       keystore: resources/dse/conf/keystore.jks
       keystore_password: myPassKey
       truststore: resources/dse/conf/truststore.jks
       truststore_password: truststorePass
       require_client_auth: true
       require_endpoint_verification: true
  2. Restart DSE.
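As an added check that is not part of this DataStax page or of DSE itself: a small Python script that reads the server_encryption_options block out of a cassandra.yaml and reports every setting that falls short of the procedure above. Both YAML fragments are constructed for the example; the weak one carries the shipped defaults (internode_encryption: none, keystore and truststore passwords of cassandra), the hardened one is the configuration from step 1.

```python
import re
# Constructed cassandra.yaml fragments, not taken from a real deployment.
WEAK_YAML = """\
server_encryption_options:
    internode_encryption: none
    keystore_password: cassandra
    truststore_password: cassandra
    require_client_auth: false
client_encryption_options:
    enabled: false
"""

HARDENED_YAML = """\
server_encryption_options:
   internode_encryption: all
   keystore: resources/dse/conf/keystore.jks
   keystore_password: myPassKey
   truststore: resources/dse/conf/truststore.jks
   truststore_password: truststorePass
   require_client_auth: true
   require_endpoint_verification: true
"""

def parse_server_encryption_options(text):
    # Minimal parser for the flat block layout shown on the page, not full YAML.
    opts, in_block = {}, False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():            # a top-level key ends any block
            in_block = line.strip() == "server_encryption_options:"
            continue
        m = re.match(r"\s*([A-Za-z_]+):\s*(.*?)\s*$", line)
        if in_block and m:
            opts[m.group(1)] = m.group(2).strip("'\"")
    return opts

def audit_internode_encryption(text):
    # Returns one finding per setting that falls short of the procedure; [] means clean.
    o, findings = parse_server_encryption_options(text), []
    if o.get("internode_encryption", "none") != "all":   # shipped default is none
        findings.append("internode_encryption is not all: some internode links are sent in the clear")
    for pw in ("keystore_password", "truststore_password"):
        if o.get(pw, "cassandra") == "cassandra":          # 'cassandra' is the shipped default
            findings.append(f"{pw} is the default value")
    for flag, why in (("require_client_auth", "peers need not present a certificate"),
                      ("require_endpoint_verification", "certificate host name is not checked")):
        if o.get(flag, "false").lower() != "true":
            findings.append(f"{flag} is not true: {why}")
    return findings
```

Run it against the cassandra.yaml of every node after step 1 and before the restart in step 2; any non-empty result means that node will not negotiate the intended internode SSL.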