Using CQL shell (cqlsh) with SSL

Establish connections to clusters with Kerberos, internal or external authentication, and SSL enabled.


The default location of the cqlshrc.sample files depends on the type of installation:

Package installations
Installer-Services installations


Tarball installations
Installer-No Services installations


To use cqlsh with Kerberos and SSL, use the sample files as a starting point and make changes as appropriate for your environment.

Example files

DataStax Enterprise provides sample files and examples to help configure authentication for Kerberos, SSL, and Kerberos and SSL:

Make changes as appropriate for your environment.

See the cqlshrc.sample.

SSL example

DataStax Enterprise provides a sample cqlshrc.sample.ssl file that you can use as a starting point.

username = fred
password = !!bang!!$

hostname =
port = 9042
certfile = ~/keys/cassandra.cert
validate = false ;; Optional, true by default. See the paragraph below.  

[certfiles] ;; Optional section, overrides the default certfile in the [ssl] section. = /etc/dse/cassandra/conf/dsenode0.cer = /etc/dse/cassandra/conf/dsenode1.cer
cqlsh does not work with the certfile in the original format generated. If require_client_auth = true, use openssl to generate a PEM file of the certificate with no keys (user.cer.pem) and a PEM file of the key with no certificate (user.key.pem). Add the following lines to [ssl] in ~/.cassandra/cqlshrc
# The next 2 lines must be provided when require_client_auth = true in the cassandra.yaml file
userkey = ~/user.key.pem 
usercert = ~/user.cer.pem 
The keystore is imported in PKCS12 format to a destination keystore (user.p12).
keytool -importkeystore -srckeystore .keystore -destkeystore user.p12 -deststoretype PKCS12
Convert the two PEM files. When validate is enabled, you must create a PEM key to be used in the cqlshrc file.
openssl pkcs12 -in user.p12 -nokeys -out user.cer.pem -passin pass:cassandra
openssl pkcs12 -in user.p12 -nodes -nocerts -out user.key.pem -passin pass:cassandra

In cqlshrc.sample.ssl, ensure the userkey points to user.key.pem and the usercert points to user.cer.pem.

This PEM key is required because the host in the certificate is compared to the host of the machine that it is connected to. The SSL certificate must be provided either in the configuration file or as an environment variable. The environment variables (SSL_CERTFILE and SSL_VALIDATE) override any options set in this file.

Kerberos and SSL

DataStax Enterprise provides a sample cqlshrc.sample.kerberos_ssl file that you can use as a starting point.

For information about using Kerberos with SSL, see Using CQL shell (cqlsh) with SSL.

The settings for using both Kerberos and SSL are a combination of the Kerberos and SSL sections in these examples.

The supported environmental variables are KRB_SERVICE, SSL_CERTFILE, and SSL_VALIDATE variables.

Debugging cqlsh authentication

Use the --debug option to troubleshoot authentication problems with cqlsh. Pass the --debug option to cqlsh to populate the debug log message with the type of authentication that cqlsh is attempting.