Setting up SSL for nodetool, dsetool, and dse advrep
Using nodetool, dsetool, and dse advrep with SSL encryption.
Using nodetool, dsetool, and dse advrep with SSL requires some JMX setup.
cassandra.yaml
The location of the cassandra.yaml file depends on the type of installation:
  Package installations: /etc/dse/cassandra/cassandra.yaml
  Tarball installations: installation_location/resources/cassandra/conf/cassandra.yaml
cassandra-env.sh
The location of the cassandra-env.sh file depends on the type of installation:
  Package installations: /etc/dse/cassandra/cassandra-env.sh
  Tarball installations: installation_location/resources/cassandra/conf/cassandra-env.sh
Prerequisites
- Configure JMX SSL on the server side with changes on each node in the cluster.
- Restart DSE.
- Configure the client settings in your home or client program directory on the node on which the command will run.
Note: Enabling client encryption encrypts all traffic on the native_transport_port (default: 9042). If both encrypted and unencrypted traffic is required, an additional cassandra.yaml setting must be enabled: native_transport_port_ssl (default: 9142) sets an additional dedicated port to carry encrypted transmissions, while native_transport_port carries unencrypted transmissions. That note concerns client-to-node (CQL) encryption in cassandra.yaml; nodetool, dsetool, and dse advrep connect over JMX, which is what the procedure below secures.
Procedure
Configure JMX SSL on the server side:
Important: Make these changes in the cassandra-env.sh file on each node in the cluster.
- If the $LOCAL_JMX setting is present, change it to no. LOCAL_JMX=yes binds JMX to localhost only, which keeps nodetool --ssl from reaching the node from any other host:
    LOCAL_JMX=no
- Add the following settings:
  Note: You can also use the jvm.options file as described in start-up parameters.
  For production:
    JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
    JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
    JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
    #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.protocols=<enabled-protocols>"
    #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.cipher.suites=<enabled-cipher-suites>"
    JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=/usr/local/lib/cassandra/conf/server-keystore.jks"
    JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=myKeyPass"
    JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=/usr/local/lib/cassandra/conf/server-truststore.jks"
    JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=truststorePass"
  For development:
    JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
    JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
    JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
    #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.protocols=<enabled-protocols>"
    #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.cipher.suites=<enabled-cipher-suites>"
    JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=keystore.node0"
    JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=cassandra"
    JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=truststore.node0"
    JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=cassandra"
  where:
    com.sun.management.jmxremote.ssl=true enables SSL for JMX.
    com.sun.management.jmxremote.ssl.need.client.auth=true enables two-way certificate authentication.
    com.sun.management.jmxremote.registry.ssl=true creates an RMI registry protected by SSL and configures an out-of-the-box management agent when the Java VM is started. com.sun.management.jmxremote.registry.ssl=true requires that com.sun.management.jmxremote.ssl.need.client.auth=true is also enabled.
- Set appropriate paths to the keystore and truststore files.
- Set the passwords to the passwords set during keystore and truststore generation. These -D values become part of the JVM command line, so the passwords are readable by any local user with ps; restrict cassandra-env.sh and the keystore and truststore files to the DSE user.
- Restart DSE.
- To configure the client settings, create a .cassandra/nodetool-ssl.properties file in your home or client program directory on the node on which the command will run, with the following settings. Because the server sets com.sun.management.jmxremote.ssl.need.client.auth=true, the client keystore must hold a certificate that the server's truststore trusts, and the client truststore must trust the server's certificate.
  For production:
    -Dcom.sun.management.jmxremote.ssl=true
    -Dcom.sun.management.jmxremote.ssl.need.client.auth=false
    -Dcom.sun.management.jmxremote.registry.ssl=true
    -Djavax.net.ssl.keyStore=/usr/local/lib/dse/resources/dse/conf/.keystore
    -Djavax.net.ssl.keyStorePassword=cassandra
    -Djavax.net.ssl.trustStore=/usr/local/lib/cassandra/conf/.truststore
    -Djavax.net.ssl.trustStorePassword=cassandra
  For development:
    -Djavax.net.ssl.keyStore=keystore.node0
    -Djavax.net.ssl.keyStorePassword=cassandra
    -Djavax.net.ssl.trustStore=truststore.node0
    -Djavax.net.ssl.trustStorePassword=cassandra
    -Dcom.sun.management.jmxremote.ssl.need.client.auth=true
    -Dcom.sun.management.jmxremote.registry.ssl=true
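As an added check (example script, not DataStax's code and not part of the original page), the following POSIX shell audit reads a cassandra-env.sh and a nodetool-ssl.properties and reports whether they carry the settings from the server and client steps above: the three jmxremote properties set to true, a keystore and truststore named, and LOCAL_JMX not left at yes. The function names (env_prop, require_props, check_jmx_ssl_env, check_client_props, write_samples) and the sample file names (good.sh, weak.sh, client.properties) are mine; the sample contents are constructed from the production and development blocks on this page, with weak.sh deliberately weakened so the checks have something to catch.

```shell
#!/bin/sh
# Added audit helper, not DataStax code: checks that a cassandra-env.sh carries
# the server-side JMX SSL settings from this page and that a nodetool-ssl.properties
# names a keystore and truststore. Sample inputs are constructed below.

# env_prop FILE NAME: print the value of -DNAME=value from the uncommented lines
# of FILE (last occurrence wins, as for the JVM); print nothing if absent.
env_prop() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -o -- "-D$2=[^\"[:space:]]*" \
        | tail -n 1 \
        | sed "s/^-D$2=//"
}

# require_props FILE PROP...: report each PROP unset in FILE; return 1 if any.
require_props() {
    f=$1; shift; missing=0
    for p in "$@"; do
        if [ -z "$(env_prop "$f" "$p")" ]; then
            echo "FAIL: $p is not set in $f" >&2; missing=1
        fi
    done
    return $missing
}

# check_jmx_ssl_env FILE: return 0 when JMX is reachable remotely, wrapped in
# TLS and requires a client certificate; otherwise report each gap and return 1.
check_jmx_ssl_env() {
    rc=0
    for p in com.sun.management.jmxremote.ssl \
             com.sun.management.jmxremote.ssl.need.client.auth \
             com.sun.management.jmxremote.registry.ssl; do
        v=$(env_prop "$1" "$p")
        if [ "$v" != "true" ]; then
            echo "FAIL: $p=${v:-<unset>} (expected true)" >&2; rc=1
        fi
    done
    require_props "$1" javax.net.ssl.keyStore javax.net.ssl.trustStore || rc=1
    # LOCAL_JMX=yes binds JMX to localhost only, so nodetool --ssl from another
    # host never reaches it; the page's instruction is LOCAL_JMX=no.
    if grep -Eq '^[[:space:]]*LOCAL_JMX=yes' "$1"; then
        echo "FAIL: LOCAL_JMX=yes (remote JMX disabled)" >&2; rc=1
    fi
    # Not a failure, but -D options sit on the JVM command line, so any local
    # user can read this password with ps; keep the file and keystores
    # readable by the DSE user only.
    if [ -n "$(env_prop "$1" javax.net.ssl.keyStorePassword)" ]; then
        echo "WARN: keystore password is on the JVM command line" >&2
    fi
    return $rc
}

# check_client_props FILE: a nodetool-ssl.properties must name a keystore (the
# server demands a client certificate) and a truststore (to verify the server).
check_client_props() {
    require_props "$1" javax.net.ssl.keyStore javax.net.ssl.trustStore
}

# write_samples DIR: constructed inputs. good.sh mirrors the page's production
# server block; weak.sh turns client auth off, comments out registry.ssl, drops
# the truststore and leaves JMX local; client.properties is the dev client block.
write_samples() {
    cat > "$1/good.sh" <<'EOF'
LOCAL_JMX=no
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=/usr/local/lib/cassandra/conf/server-keystore.jks"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=myKeyPass"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=/usr/local/lib/cassandra/conf/server-truststore.jks"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=truststorePass"
EOF
    cat > "$1/weak.sh" <<'EOF'
LOCAL_JMX=yes
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=false"
#JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=keystore.node0"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=cassandra"
EOF
    cat > "$1/client.properties" <<'EOF'
-Djavax.net.ssl.keyStore=keystore.node0
-Djavax.net.ssl.keyStorePassword=cassandra
-Djavax.net.ssl.trustStore=truststore.node0
-Djavax.net.ssl.trustStorePassword=cassandra
-Dcom.sun.management.jmxremote.ssl.need.client.auth=true
-Dcom.sun.management.jmxremote.registry.ssl=true
EOF
}

# Stand-alone run over the constructed samples.
d=$(mktemp -d)
write_samples "$d"
check_jmx_ssl_env "$d/good.sh" && echo "good.sh: OK"
check_jmx_ssl_env "$d/weak.sh" || echo "weak.sh: NOT OK"
check_client_props "$d/client.properties" && echo "client.properties: OK"
rm -rf "$d"
```

On a real node, point check_jmx_ssl_env at /etc/dse/cassandra/cassandra-env.sh (or the tarball path above) and check_client_props at ~/.cassandra/nodetool-ssl.properties. The script only reads configuration; to confirm from outside that the node actually enforces it after the restart, an openssl s_client connection to the JMX port (7199 by default) should fail the handshake when no client certificate is supplied and succeed with -cert and -key pointing at the certificate in the client keystore.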
To use nodetool, dsetool, and dse advrep with SSL for an encrypted connection for any operation:
- Start the command with the --ssl option.
  nodetool example:
    nodetool --ssl command
  dsetool example:
    dsetool --ssl command
  dse advrep example:
    dse advrep --ssl command
- Start the command with the --ssl option for an encrypted connection and specify the username and password for authentication and authorization for any operation. If you do not enter a password, you are prompted to enter one; prefer the prompt, since a password given on the command line is recorded in shell history and visible to other local users through ps.
  nodetool example:
    nodetool --ssl -u username -pw password command
  dsetool example:
    dsetool --ssl -a jmx_username -b jmx_password command
  dse advrep example:
    dse advrep --ssl -u username command