Configuring SSL for nodetool, nodesync, dsetool, and Advanced Replication

Use nodetool, nodesync, dsetool, and DSE Advanced Replication with SSL encryption.

Complete the following procedure to configure JMX for using nodetool, nodesync, dsetool, and DataStax Enterprise (DSE) Advanced Replication with SSL.

Important: Make these changes in the cassandra-env.sh file on each node in the cluster.

cassandra-env.sh

The location of the cassandra-env.sh file depends on the type of installation:
Package installations /etc/dse/cassandra/cassandra-env.sh
Tarball installations installation_location/resources/cassandra/conf/cassandra-env.sh

Prerequisites

  1. Create SSL certificates with a self-signed CA.
  2. Configure client-to-node encryption.
  3. Configure JMX on the server side.
Note: For production environments, secure an entire cluster using JKS files. For a single-node development environment, you can use a simpler single-node, local keystore file and truststore file.

Procedure

  1. Open the cassandra-env.sh file.
  2. Restart DSE.
  3. nodetool: To configure the client settings for nodetool, create a .cassandra/nodetool-ssl.properties file in your home or client program directory on the node where you will run the command. Add the following settings, depending on whether you are running the command in a production or development environment.
    touch ~/.cassandra/nodetool-ssl.properties

    Production environment:

    -Dcom.sun.management.jmxremote.ssl=true
    -Dcom.sun.management.jmxremote.ssl.need.client.auth=false
    -Dcom.sun.management.jmxremote.registry.ssl=true  
    -Djavax.net.ssl.keyStore=path_to_keystore
    -Djavax.net.ssl.keyStorePassword=keystore-password
    -Djavax.net.ssl.trustStore=path_to_truststore
    -Djavax.net.ssl.trustStorePassword=truststore-password

    Development environment:

    -Dcom.sun.management.jmxremote.ssl.need.client.auth=true
    -Dcom.sun.management.jmxremote.registry.ssl=true
    -Djavax.net.ssl.keyStore=path_to_keystore
    -Djavax.net.ssl.keyStorePassword=keystore-password
    -Djavax.net.ssl.trustStore=path_to_truststore
    -Djavax.net.ssl.trustStorePassword=truststore-password
  4. nodesync: To configure the client settings for nodesync, create a .cassandra/nodesync-ssl.properties file in your home or client program directory on the node where you will run the command. Add the following settings to the file.
    Note: The file for nodesync is equivalent to the .cassandra/nodetool-ssl.properties file used by nodetool, except that it defines properties shared by JMX and CQL.
    touch ~/.cassandra/nodesync-ssl.properties
    -Dcom.sun.management.jmxremote.ssl=true
    -Dcom.sun.management.jmxremote.ssl.need.client.auth=true
    -Djavax.net.ssl.keyStore=path_to_keystore
    -Djavax.net.ssl.keyStorePassword=keystore-password
    -Djavax.net.ssl.trustStore=path_to_truststore
    -Djavax.net.ssl.trustStorePassword=truststore-password

Note: The JVM properties for nodesync should be the same as those set for nodetool, but defined in a separate file, such as nodesync-jvm.options. DataStax recommends maintaining separate option files for nodetool and nodesync. For example, you might need SSL only in the CQL connection, but not in JMX. In this case, nodetool would not require the JVM properties, while nodesync would need them defined.

  1. Start the appropriate tool using the following options to establish an encrypted connection with username and password credentials, or an auth provider class (for CQL). If you provide a username option but not a password, you are prompted to enter one.

    nodetool

    nodetool --ssl -u jmx_username -pw jmx_password command

    nodesync (JMX, CQL, or both)

    nodesync --jmx-ssl --jmx-username jmx_username --jmx-password jmx_password command
    nodesync --cql-ssl --cql-username cql_username --cql-password cql_password command
    nodesync --cql-ssl --cql-auth-provider cql-auth-provider-ClassName command
    nodesync --jmx-ssl --jmx-username jmx_username --jmx-password jmx_password 
               --cql-ssl --cql-username cql_username --cql-password cql_password command
    nodesync --jmx-ssl --jmx-username jmx_username --jmx-password jmx_password 
               --cql-ssl --cql-auth-provider cql-auth-provider-ClassName command

    dsetool

    dsetool --ssl -a jmx_username -b jmx_password command

    dse advrep

    dse advrep --ssl -u jmx_username command