Configuring SSL for node-to-node connections
Node-to-node (internode) encryption protects data in flight between database nodes in a cluster using SSL.
cassandra.yaml
The location of the cassandra.yaml file depends on the type of installation:
| Installation type | Location |
| Package installations | /etc/dse/cassandra/cassandra.yaml |
| Tarball installations | installation_location/resources/cassandra/conf/cassandra.yaml |
Prerequisites
Procedure
- Edit cassandra.yaml and make the following changes to the server_encryption_options section to enable SSL:
- Configure the keystore and truststore, depending on whether you are using local keystore files or a remote keystore provider. All settings are configured in the server_encryption_options section of cassandra.yaml:
  - Local files: use the following settings.

        server_encryption_options:
            internode_encryption: all
            keystore_type: PKCS12
            keystore: path_to_keystore
            keystore_password: keystore_password
            require_client_auth: true
            require_endpoint_verification: true
            truststore_type: PKCS12
            truststore: path_to_truststore
            truststore_password: truststore_password

    Tip: To encrypt the truststore and keystore passwords for local encryption, see Encrypting configuration file properties; for KMIP, see Encrypting configuration file properties.
  - Remote keystore provider: use the following settings. Unused options can be blank or commented out.
    Note: Requires installation of a provider. See Using a remote keystore provider.

        server_encryption_options:
            internode_encryption: all
            keystore_type: PKCS12
            require_client_auth: true
            require_endpoint_verification: true
            truststore_type: PKCS12
- internode_encryption
- Encryption options for internode communication using the TLS_RSA_WITH_AES_128_CBC_SHA cipher suite for authentication, key exchange, and encryption of data transfers. Use the DHE/ECDHE ciphers, such as TLS_DHE_RSA_WITH_AES_128_CBC_SHA, if running in Federal Information Processing Standard (FIPS) 140 compliant mode.
- keystore_type
- Valid types are JKS, JCEKS, PKCS11, PKCS12. For file-based keystores, use PKCS12.
  Attention: DataStax supports PKCS11 as a keystore_type on nodes with cassandra or advanced workloads. The cassandra workload support is specific to DSE 6.7.7 and later releases. The advanced workload support is specific to DSE 6.7.9 and later. If PKCS11 is needed, in server_encryption_options or client_encryption_options, specify the keystore_type as PKCS11 and the keystore as NONE. PKCS11 is not supported in DSE 6.0.x and 5.1.x releases. PKCS11 is not supported as a truststore_type.
  Default: JKS
- keystore
- Relative path from DSE installation directory or absolute path to the Java
keystore (JKS) suitable for use with Java Secure Socket Extension (JSSE),
which is the Java version of the Secure Sockets Layer (SSL), and Transport
Layer Security (TLS) protocols. The keystore contains the private key used
to encrypt outgoing
messages.
Default: resources/dse/conf/.keystore
- keystore_password
- Password for the keystore. This must match the password used when generating
the keystore and truststore.
Default: cassandra
- require_client_auth
- Enables certificate authentication for node-to-node (internode) encryption.
Default: false
- require_endpoint_verification
- Whether to verify that the connected host and the host IP address in the certificate match. If set to true, the endpoint that you specify when generating the certificate key must be an IP address. Do not specify a DNS hostname. Example with a correctly specified IP address:

      keytool -genkeypair -keyalg RSA \
        -alias node0 \
        -keystore my_keystore.jks \
        -storepass cassandra \
        -keypass cassandra \
        -validity 730 \
        -keysize 2048 \
        -dname "CN=node0, OU=lacerda-ssl, O=Datastax, C=CC" \
        -ext "san=ip:10.101.35.236"

  Default: false
- truststore_type
- Valid types are JKS, JCEKS, PKCS12. For file-based truststores, use PKCS12.
  Attention: Due to an OpenSSL issue, you cannot use a PKCS12 truststore that was generated via OpenSSL. For example, a truststore generated via the following command will not work with DSE:

      openssl pkcs12 -export -nokeys -out truststore.pfx -in intermediate.chain.pem

  However, truststores generated via Java's keytool and then converted to PKCS12 work with DSE. Example:

      keytool -importcert -alias rootca -file rootca.pem -keystore truststore.jks
      keytool -importcert -alias intermediate -file intermediate.pem -keystore truststore.jks
      keytool -importkeystore -srckeystore truststore.jks -destkeystore truststore.pfx -deststoretype pkcs12

  Default: JKS
- truststore
- Relative path from DSE installation directory or absolute path to truststore
containing the trusted certificate for authenticating remote servers.
Default: resources/dse/conf/.truststore
- truststore_password
- Password for the truststore.
Default: cassandra
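The following Python script is an added example, not part of the DataStax documentation or of DSE itself. It audits the server_encryption_options section of a cassandra.yaml against the settings described above: internode_encryption left at something other than all, require_client_auth or require_endpoint_verification not true, a keystore or truststore password still at the documented default cassandra, and PKCS11 used as a truststore_type. The sample configuration is constructed, and the minimal line parser reads only this flat section, so PyYAML is not required.

```python
# Added example (not DataStax code): audit the server_encryption_options
# section of a cassandra.yaml for the settings this page describes.
import re
DEFAULT_PASSWORD = "cassandra"  # the documented default; change it before deploying

# Constructed sample, not a real node's file; the parser below needs no PyYAML.
SAMPLE_YAML = """\
server_encryption_options:
    internode_encryption: none
    keystore_type: PKCS12
    keystore_password: cassandra   # still the documented default
    require_client_auth: false
    require_endpoint_verification: true
    truststore_type: PKCS12
    truststore_password: example-truststore-pw
client_encryption_options:
    enabled: false
"""

def parse_server_encryption_options(text):
    """Return the key/value pairs nested under server_encryption_options."""
    opts, in_section = {}, False
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # drop YAML comments
        if not line.strip():
            continue
        if not line[0].isspace():  # a top-level key starts or ends the section
            in_section = line.strip() == "server_encryption_options:"
            continue
        if in_section:
            key, _, value = line.strip().partition(":")
            opts[key.strip()] = value.strip().strip("'\"")
    return opts

def audit(opts):
    """List settings that weaken or break internode TLS as this page documents."""
    findings = []
    if opts.get("internode_encryption") != "all":
        findings.append("internode_encryption is not all")
    for flag in ("require_client_auth", "require_endpoint_verification"):
        if opts.get(flag, "false").lower() != "true":
            findings.append(f"{flag} is not true")
    for pw in ("keystore_password", "truststore_password"):
        if opts.get(pw) == DEFAULT_PASSWORD:
            findings.append(f"{pw} is the default '{DEFAULT_PASSWORD}'")
    if opts.get("truststore_type", "").upper() == "PKCS11":
        findings.append("PKCS11 is not supported as a truststore_type")
    return findings
```

Run audit(parse_server_encryption_options(open("cassandra.yaml").read())) against a node's file; an empty list means none of the documented weak settings were found.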
- Save and close the cassandra.yaml file.
- Restart DSE.