Setting up SSL for nodetool, dsetool, and dse advrep

Using nodetool, dsetool, and dse advrep with SSL encryption.

Using nodetool, dsetool, and dse advrep with SSL requires some JMX setup.

cassandra.yaml

The location of the cassandra.yaml file depends on the type of installation:

Package installations Installer-Services installations	/etc/dse/cassandra/cassandra.yaml
Tarball installations Installer-No Services installations	`installation_location`/resources/cassandra/conf/cassandra.yaml

cassandra-env.sh

The location of the cassandra-env.sh file depends on the type of installation:

Package installations Installer-Services installations	/etc/dse/cassandra/cassandra-env.sh
Tarball installations Installer-No Services installations	`installation_location`/resources/cassandra/conf/cassandra-env.sh

Prerequisites

Complete Setting up SSL certificates. Additionally, configure client-to-node encryption.

A high-level overview of the required configuration to set up nodetool, dsetool, and dse advrep for use with SSL:

Configure JMX SSL on the server side with changes on each node in the cluster.
Restart DSE.
Configure the client settings in your home or client program directory on the node on which the command will run.

Note: Enabling client encryption will encrypt all traffic on the native_transport_port (default: 9042). If both encrypted and unencrypted traffic is required, an additional setting must be enabled. The native_transport_port_ssl (default: 9142) sets an additional dedicated port to carry encrypted transmissions, while native_transport_port carries unencrypted transmissions.

Procedure

Configure JMX SSL on the server side:

Important: Make these changes in the file on each node in the cluster.

If the $LOCAL_JMX setting is present, change it to no:
```
"$LOCAL_JMX" = "no"
```

Add the following settings:

Note: You can also use the jvm.options file as described in start-up parameters.

For production:

JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
  JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
  JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
  #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.protocols=<enabled-protocols>"
  #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.cipher.suites=<enabled-cipher-suites>"
  
  JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=/usr/local/lib/cassandra/conf/server-keystore.jks"
  JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=myKeyPass"
  JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=/usr/local/lib/cassandra/conf/server-truststore.jks"
  JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=truststorePass"

For development:

JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
  JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
  JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
  #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.protocols=<enabled-protocols>"
  #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.cipher.suites=<enabled-cipher-suites>"

  JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=keystore.node0"
  JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=cassandra"
  JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=truststore.node0"
  JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=cassandra"

where:

com.sun.management.jmxremote.ssl=true enables SSL for JMX.
com.sun.management.jmxremote.ssl.need.client.auth=true enables two-way certificate authentication.
com.sun.management.jmxremote.registry.ssl=true creates an RMI registry protected by SSL and configures an out-of-the-box management agent when the Java VM is started.
com.sun.management.jmxremote.registry.ssl=true requires that com.sun.management.jmxremote.ssl.need.client.auth=true is also enabled.

You must:

Set appropriate paths to the keystore and truststore files.
Set the passwords to the passwords set during keystore and truststore generation.

Restart DSE.

To configure the client settings, create a .cassandra/nodetool-ssl.properties file in your home or client program directory with the following settings on the node on which the command will run.

For production:

-Dcom.sun.management.jmxremote.ssl=true
-Dcom.sun.management.jmxremote.ssl.need.client.auth=false
-Dcom.sun.management.jmxremote.registry.ssl=true  
-Djavax.net.ssl.keyStore=/usr/local/lib/dse/resources/dse/conf/.keystore
-Djavax.net.ssl.keyStorePassword=cassandra
-Djavax.net.ssl.trustStore=/usr/local/lib/cassandra/conf/.truststore
-Djavax.net.ssl.trustStorePassword=cassandra

For development:

-Djavax.net.ssl.keyStore=keystore.node0
-Djavax.net.ssl.keyStorePassword=cassandra
-Djavax.net.ssl.trustStore=truststore.node0
-Djavax.net.ssl.trustStorePassword=cassandra
-Dcom.sun.management.jmxremote.ssl.need.client.auth=true
-Dcom.sun.management.jmxremote.registry.ssl=true

To use nodetool, dsetool, and dse advrep with SSL for an encrypted connection for any operation:

Start the command with the --ssl option.
nodetool example:
```
nodetool --ssl command
```
dsetool example:
```
dsetool --ssl command
```
dse advrep example:
```
dse advrep --ssl command
```
Start the command with the --ssl option for an encrypted connection and specify the username and password for authentication and authorization for any operation. If you do not enter a password, you are prompted to enter one.
nodetool example:
```
nodetool --ssl -u username -pw password command
```
dsetool example:
```
dsetool --ssl -a jmx_username -b jmxpassword command
```
dse advrep example:
```
dse advrep --ssl -u username command
```