Using CQL shell (cqlsh) with SSL
Establish connections to clusters with Kerberos, internal or external authentication, and SSL enabled.
cqlshrc.sample
The default location of the cqlshrc.sample file depends on the type of installation:
Package installations: /etc/dse/cassandra
Tarball installations: installation_location/resources/cassandra/conf
To use cqlsh with Kerberos and SSL, use the sample files as a starting point and make changes as appropriate for your environment.
Example files
DataStax Enterprise provides sample files and examples to help configure authentication for Kerberos, SSL, and Kerberos with SSL. Make changes as appropriate for your environment. See cqlshrc.sample.
SSL example
DataStax Enterprise provides a sample cqlshrc.sample.ssl file that you can use as a starting point.
[authentication]
username = fred
password = !!bang!!$
[connection]
hostname = 127.0.0.1
port = 9042
[ssl]
certfile = ~/keys/cassandra.cert
validate = false ;; Optional, true by default. See the paragraph below.
[certfiles] ;; Optional section, overrides the default certfile in the [ssl] section.
10.209.182.160 = /etc/dse/cassandra/conf/dsenode0.cer
10.68.65.199 = /etc/dse/cassandra/conf/dsenode1.cer
cqlsh does not work with the certfile in the original format generated. If require_client_auth = true, use openssl to generate a PEM file of the certificate with no keys (user.cer.pem) and a PEM file of the key with no certificate (user.key.pem). Add the following lines to [ssl] in ~/.cassandra/cqlshrc:
# The next 2 lines must be provided when require_client_auth = true in the cassandra.yaml file
userkey = ~/user.key.pem
usercert = ~/user.cer.pem
To create the PEM files, convert the keystore to a PKCS12 file (user.p12) with keytool, then extract the certificate and the key with openssl:
keytool -importkeystore -srckeystore .keystore -destkeystore user.p12 -deststoretype PKCS12
openssl pkcs12 -in user.p12 -nokeys -out user.cer.pem -passin pass:cassandra
openssl pkcs12 -in user.p12 -nodes -nocerts -out user.key.pem -passin pass:cassandra
The -nodes option writes user.key.pem without a passphrase, so restrict the file's permissions to the user that runs cqlsh.
In cqlshrc.sample.ssl, ensure that userkey points to user.key.pem and usercert points to user.cer.pem.
This PEM key is required because the host name in the certificate is compared to the host that cqlsh connects to. The SSL certificate must be provided either in the configuration file or as an environment variable. The environment variables (SSL_CERTFILE and SSL_VALIDATE) override any options set in this file. Setting validate = false in [ssl] turns off that certificate and host check, so leave it at its default of true except while troubleshooting.
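The precedence rules above (environment variables over the file, a [certfiles] entry for the host over the default certfile in [ssl]) are easy to get wrong when auditing a cqlshrc. The following is an added example, not part of the DataStax documentation or of cqlsh itself: it resolves the settings that would apply to the configured host and flags weak ones. The sample cqlshrc text is constructed; the treatment of validate as off only when its value is the string 'false' is an assumption about cqlsh's parsing.

```python
import os
import configparser

# Constructed sample cqlshrc (not a file shipped with DSE), shaped like the
# cqlshrc.sample.ssl excerpt above, with the target host listed in [certfiles].
SAMPLE_CQLSHRC = """\
[connection]
hostname = 10.209.182.160
port = 9042
[ssl]
certfile = ~/keys/cassandra.cert
validate = false
userkey = ~/user.key.pem
usercert = ~/user.cer.pem
[certfiles]
10.209.182.160 = /etc/dse/cassandra/conf/dsenode0.cer
10.68.65.199 = /etc/dse/cassandra/conf/dsenode1.cer
"""

def effective_ssl_settings(cqlshrc_text, env=None):
    """Resolve the SSL settings that apply to the configured host.
    Precedence: SSL_CERTFILE / SSL_VALIDATE in the environment beat the file,
    and a [certfiles] entry for the host beats the default certfile in [ssl].
    Assumption: validate is off only when its value is the string 'false'."""
    env = os.environ if env is None else env
    cfg = configparser.ConfigParser()
    cfg.read_string(cqlshrc_text)
    host = cfg.get("connection", "hostname", fallback="127.0.0.1")
    certfile = (env.get("SSL_CERTFILE")
                or cfg.get("certfiles", host, fallback=None)
                or cfg.get("ssl", "certfile", fallback=None))
    validate = env.get("SSL_VALIDATE") or cfg.get("ssl", "validate", fallback="true")
    expand = lambda p: os.path.expanduser(p) if p else None
    return {"host": host,
            "certfile": expand(certfile),
            "validate": validate.strip().lower() != "false",
            "userkey": expand(cfg.get("ssl", "userkey", fallback=None)),
            "usercert": expand(cfg.get("ssl", "usercert", fallback=None))}

def audit_findings(settings):
    """Return the weaknesses a reviewer would flag in the resolved settings."""
    findings = []
    if not settings["validate"]:
        findings.append("validate=false: server certificate and hostname are not checked")
    if settings["certfile"] is None:
        findings.append("no certfile: nothing to verify the server certificate against")
    if bool(settings["userkey"]) != bool(settings["usercert"]):
        findings.append("userkey and usercert must both be set for client authentication")
    return findings
```

Run effective_ssl_settings on the contents of ~/.cassandra/cqlshrc with the real environment to see what cqlsh will actually use; the [certfiles] entry wins over ~/keys/cassandra.cert for 10.209.182.160, and validate = false is reported.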
Kerberos and SSL
DataStax Enterprise provides a sample cqlshrc.sample.kerberos_ssl file that you can use as a starting point.
For information about using Kerberos with SSL, see Using CQL shell (cqlsh) with SSL.
The settings for using both Kerberos and SSL are a combination of the Kerberos and SSL sections in these examples.
The supported environment variables are KRB_SERVICE, SSL_CERTFILE, and SSL_VALIDATE.
Debugging cqlsh authentication
Use the --debug option to troubleshoot authentication problems with cqlsh. Passing --debug to cqlsh populates the debug log message with the type of authentication that cqlsh is attempting.