Using CQL shell (cqlsh) with SSL

Establish connections to clusters with Kerberos, internal or external authentication, and SSL enabled.


The default location of the cqlshrc.sample files depends on the type of installation:

Package installations
Installer-Services installations


Tarball installations
Installer-No Services installations


To use cqlsh with Kerberos and SSL, use the sample files as a starting point and make changes as appropriate for your environment.

Example files

DataStax Enterprise provides sample files and examples to help configure authentication for Kerberos, SSL, and Kerberos and SSL:

Make changes as appropriate for your environment.

See the cqlshrc.sample.

SSL example

DataStax Enterprise provides a sample cqlshrc.sample.ssl file that you can use as a starting point.

username = fred
password = !!bang!!$

hostname =
port = 9042
certfile = ~/keys/cassandra.cert
validate = false ;; Optional, true by default. See the paragraph below.    

[certfiles] ;; Optional section, overrides the default certfile in the [ssl] section. = /etc/dse/cassandra/conf/dsenode0.cer = /etc/dse/cassandra/conf/dsenode1.cer
When validate is enabled, you must create a PEM key which is used in the cqlshrc file. For example:
keytool -importkeystore -srckeystore .keystore -destkeystore user.p12 -deststoretype PKCS12
openssl pkcs12 -in user.p12 -out user.pem -nodes

This PEM key is required because the host in the certificate is compared to the host of the machine that it is connected to. The SSL certificate must be provided either in the configuration file or as an environment variable. The environment variables (SSL_CERTFILE and SSL_VALIDATE) override any options set in this file.

Kerberos and SSL

DataStax Enterprise provides a sample cqlshrc.sample.kerberos_ssl file that you can use as a starting point.

For information about using Kerberos with SSL, see Using CQL shell (cqlsh) with SSL.

The settings for using both Kerberos and SSL are a combination of the Kerberos and SSL sections in these examples.

The supported environmental variables are KRB_SERVICE, SSL_CERTFILE, and SSL_VALIDATE variables.

Debugging cqlsh authentication

Use the --debug option to troubleshoot authentication problems with cqlsh. Pass the --debug option to cqlsh to populate the debug log message with the type of authentication that cqlsh is attempting.