Configuring SSL for client-to-node connections

Use SSL to secure connections from a client node to the coordinator node.

Client-to-node encryption protects in-flight data from client machines to a database cluster using SSL (Secure Sockets Layer) and establishes a secure channel between the client and the coordinator node.

Complete the following procedure on every node in the cluster to configure SSL for client-to-node connections.

Note: On a DSE Search node, enabling SSL for the database automatically enables SSL in the DSE Search web.xml file and configures an SSL connector in Tomcat using the authentication/authorization filters. No changes are required for the web.xml or server.xml files.

If the TomcatSolrRunner doesn't find a connector in server.xml, it creates a default connector. The default connector binds to the native_transport_address.

CAUTION: If you are not using the JCE Unlimited Strength Jurisdiction Policy, make sure that your ticket granting principal does not use AES-256. Starting in JDK 8u161, JCE Unlimited is enabled by default. Refer to the Release Notes for JDK 8u161. If your ticket granting principal uses AES-256, you might see a warning like this in the logs:
WARN [StreamConnectionEstablisher:18] 2015-06-22 14:12:18,589 (line 162) Filtering out 
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA as it isnt supported by the socket


The default location of the Tomcat server.xml file depends on the installation type:
Package installations /etc/dse/tomcat/conf/server.xml
Tarball installations installation_location/resources/tomcat/conf/server.xml


The location of the cassandra.yaml file depends on the type of installation:
Package installations /etc/dse/cassandra/cassandra.yaml
Tarball installations installation_location/resources/cassandra/conf/cassandra.yaml


Create SSL certificates, keystores, and truststores. You can either create local keystore files or use a remote keystore provider.


  1. Edit cassandra.yaml and make the following changes in the client_encryption_options to enable SSL:
    1. Set enabled to true to enable SSL.
    2. Set optional to false (default) to only allow SSL connections.
    3. Set require_client_auth to true to require two-way host certificate validation.
  2. Configure the keystore and truststore, depending on whether you are using local keystore files or a remote keystore provider. All settings are configured in the client_encryption_options section of cassandra.yaml:
    • Local files: use the following settings.
          enabled: true
          optional: false
          keystore_type: PKCS12
          keystore: path_to_keystore
          keystore_password: keystore_password
          require_client_auth: true
          truststore_type: PKCS12
          truststore: path_to_truststore
          truststore_password: truststore_password
          protocol: ssl
          algorithm: SunX509
          store_type: JKS
          cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA]
    • Remote keystore provider: use the following settings. Unused options can be blank or commented out.
      Note: Requires installation of a provider. See Using a remote keystore provider.
          enabled: true
          optional: false
          keystore_type: PKCS12
          require_client_auth: true
          truststore_type: PKCS11
          protocol: ssl
          algorithm: SunX509
          store_type: JKS
          cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA]
    Whether to enable client-to-node encryption.

    Default: false

    Whether to allow unsecured connections when client encryption is enabled.

    Default: false

    Valid types are JKS, JCEKS, PKCS11, or PKCS12. For file-based keystores, use PKCS12.
    Attention: DataStax supports PKCS11 as a keystore_type only on nodes with cassandra workloads. The support is specific to DSE 6.7.7 and later releases. For example, PKCS11 is not supported as a keystore_type in DSE 6.7.6, 6.7.5, or earlier 6.7.x releases. PKCS11 is not supported in DSE 6.0.x and 5.1.x releases.

    PKCS11 is not supported as a truststore_type.

    Default: JKS

    Relative path from DSE installation directory or absolute path to the Java keystore (JKS) suitable for use with Java Secure Socket Extension (JSSE), which is the Java version of the Secure Sockets Layer (SSL), and Transport Layer Security (TLS) protocols. The keystore contains the private key used to encrypt outgoing messages.

    Default: resources/dse/conf/.keystore

    Password for the keystore.

    Default: cassandra

    Whether to enable certificate authentication for client-to-node encryption. When not set, the default is false.
    Note: When set to true, client certificates must be present on all nodes in the cluster.

    Default: commented out (false)

    Valid types are JKS, JCEKS, or PKCS12. For file-based truststores, use PKCS12.
    Attention: Due to an OpenSSL issue, you cannot use a PKCS12 truststore that was generated via OpenSSL. For example, a truststore generated via the following command will not work with DSE:
    openssl pkcs12 -export -nokeys -out truststore.pfx -in intermediate.chain.pem
    However, truststores generated via Java's keytool and then converted to PKCS12 work with DSE. Example:
    keytool -importcert -alias rootca -file rootca.pem -keystore truststore.jks
    keytool -importcert -alias intermediate -file intermediate.pem -keystore truststore.jks
    keytool -importkeystore -srckeystore truststore.jks -destkeystore truststore.pfx -deststoretype pkcs12 

    Default: JKS

    Relative path from DSE installation directory or absolute path to truststore containing the trusted certificate for authenticating remote servers.
    Note: Truststore password and path is only required when require_client_auth is set to true.

    Default: resources/dse/conf/.truststore

    Password for the truststore. This must match the password used when generating the keystore and truststore.
    Note: Truststore password and path is only required when require_client_auth is set to true.

    Default: cassandra

  3. Save and close the cassandra.yaml file.
  4. Complete a rolling DSE restart.