Using a remote keystore provider
Implement additional keystore providers, such as PKCS11 (keys held on a hardware token or HSM) or PKCS12.
cassandra.yaml
The location of the cassandra.yaml file depends on the type of installation:
Package installations | /etc/dse/cassandra/cassandra.yaml
Tarball installations | installation_location/resources/cassandra/conf/cassandra.yaml
DataStax Enterprise (DSE) database uses the Java Cryptography API (JCA) to implement SSL
providers. The JCA is a pluggable architecture that abstracts the actual cryptography
implementation from the algorithm requested: code asks for an algorithm by name, and the
highest-priority registered provider that implements it is used. To support swapping out
different implementations, DSE database requests algorithms this way, for example
Cipher.getInstance("AES"), rather than binding to a particular provider class.
A PKCS11 keystore_type is supported on nodes with cassandra or advanced workloads. Support
for advanced workloads was added in DSE 6.8.2 and later. If PKCS11 is needed, in
server_encryption_options or client_encryption_options, specify the keystore_type as PKCS11
and the keystore as NONE: the private key stays on the PKCS11 token, so there is no keystore
file to point at. PKCS11 is not supported as a truststore_type, so the truststore must
remain a file-based (JKS or PKCS12) store.
The DSE database keystore_type parameter in cassandra.yaml determines which SPI to use;
file-based keystores themselves are created and inspected with keytool.
Differences between PKCS11 and PKCS12
PKCS11 and PKCS12 are both RSA Public Key Cryptography Standards that deal with private key
and certificate information, but they serve different purposes. PKCS11 (Cryptoki) is an API
to a cryptographic token such as a hardware security module or smart card: the private key
is generated and used on the device and never leaves it, which is why the keystore path is
NONE. PKCS12 is a file format, typically used to store private key and certificate
information on disk. The default keystore type in Java 8 is JKS (PKCS12 became the default
in Java 9), though you can specify PKCS12 with the -storetype option when creating a
keystore with keytool.
Installing additional providers
Install providers using the java.security configuration that comes with the JRE. Add the
provider to the java.security configuration file, which is located in
$JAVA_HOME/lib/security/java.security (for a JDK 8 installation, the file is under
$JAVA_HOME/jre/lib/security/java.security). For an environment where PKCS11 is the keystore
type and a Cassandra-only workload, use:
security.provider.10=sun.security.pkcs11.SunPKCS11 path-to-pkcs11-provider-config-file
Example:
security.provider.10=sun.security.pkcs11.SunPKCS11 /opt/bar/cfg/pkcs11.cfg
The number selects the provider's preference order and must not collide with an existing
security.provider.N entry; a Linux JDK 8 ships providers 1 through 9, so 10 appends the
PKCS11 provider after them. The argument is the SunPKCS11 provider configuration file
(name, library, slot), not the keystore itself.
For details, see the Oracle JDK 8 PKCS#11 Reference Guide.
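The following is an added example, not DSE's own tooling, that ties together the two pieces of configuration described on this page: the SunPKCS11 provider entry in java.security and the server_encryption_options settings in cassandra.yaml (keystore_type PKCS11 with keystore NONE, and a file-based truststore). It also shows the keytool -storetype PKCS12 case for contrast. The HSM library path, slot 0, the node1 alias, the truststore path and the password placeholders are assumptions; the lint function check_encryption_options is this example's own check of the two rules the page states, not a DSE utility.

```shell
#!/usr/bin/env bash
# Added example (not part of DSE). Stages a PKCS11 keystore setup into files
# you can review before copying into place. Paths and passwords are placeholders.
set -eu

# 1. SunPKCS11 provider config (format per the Oracle JDK 8 PKCS#11 Reference Guide).
#    'library' must be the vendor's PKCS#11 shared object; slot 0 is an assumption.
write_pkcs11_cfg() {   # $1 = destination file, $2 = vendor library path
  cat > "$1" <<EOF
name = dse-hsm
library = $2
slot = 0
EOF
}

# 2. Find the next free security.provider.N index so an existing entry is never
#    overwritten (a Linux JDK 8 ships 1..9, so this normally yields 10).
next_provider_index() {  # $1 = java.security file
  max=$(sed -n 's/^security\.provider\.\([0-9][0-9]*\)=.*/\1/p' "$1" | sort -n | tail -n 1)
  echo $(( ${max:-0} + 1 ))
}

# Append the SunPKCS11 line once; re-running leaves java.security unchanged.
add_pkcs11_provider() {  # $1 = java.security file, $2 = pkcs11.cfg path
  if grep -q "sun.security.pkcs11.SunPKCS11 $2" "$1"; then
    return 0
  fi
  n=$(next_provider_index "$1")
  printf 'security.provider.%s=sun.security.pkcs11.SunPKCS11 %s\n' "$n" "$2" >> "$1"
}

# 3. cassandra.yaml fragment: the key lives in the HSM, so keystore_type is PKCS11
#    and keystore is NONE (with SunPKCS11 the keystore password is the token PIN).
#    The truststore must stay a file, since PKCS11 is not a supported truststore_type.
write_encryption_options() { # $1 = destination yaml fragment
  cat > "$1" <<'EOF'
server_encryption_options:
  internode_encryption: all
  keystore_type: PKCS11
  keystore: NONE
  keystore_password: hsm-pin-placeholder
  truststore_type: JKS
  truststore: /etc/dse/conf/.truststore
  truststore_password: truststore-password-placeholder
EOF
}

# Lint (this example's own check): a PKCS11 keystore must be NONE, and
# truststore_type must not be PKCS11. Returns 0 when both rules hold.
check_encryption_options() { # $1 = yaml fragment
  ktype=$(sed -n 's/^ *keystore_type: *//p' "$1")
  kpath=$(sed -n 's/^ *keystore: *//p' "$1")
  ttype=$(sed -n 's/^ *truststore_type: *//p' "$1")
  if [ "$ktype" = "PKCS11" ] && [ "$kpath" != "NONE" ]; then
    echo "keystore_type PKCS11 requires keystore: NONE (got '$kpath')" >&2; return 1
  fi
  if [ "$ttype" = "PKCS11" ]; then
    echo "PKCS11 is not supported as a truststore_type" >&2; return 1
  fi
  return 0
}

# 4. For contrast, a file-based PKCS12 keystore made with keytool; -storetype is
#    given explicitly because Java 8 defaults to JKS. Alias and DN are assumptions.
make_pkcs12_keystore() { # $1 = destination .p12, $2 = store/key password
  keytool -genkeypair -storetype PKCS12 -keystore "$1" -storepass "$2" -keypass "$2" \
    -alias node1 -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=node1.example.com, OU=DSE, O=Example, C=US" >/dev/null 2>&1
}

# Stand-alone demo: ./stage-pkcs11.sh --demo  (works on a scratch copy, never on the live JRE)
if [ "${1:-}" = "--demo" ]; then
  dir=$(mktemp -d)
  printf 'security.provider.1=sun.security.provider.Sun\n' > "$dir/java.security"
  write_pkcs11_cfg "$dir/pkcs11.cfg" /usr/lib/libpkcs11.so      # assumed library path
  add_pkcs11_provider "$dir/java.security" "$dir/pkcs11.cfg"
  write_encryption_options "$dir/server_encryption_options.yaml"
  check_encryption_options "$dir/server_encryption_options.yaml" && echo "staged in $dir"
fi
```

Run the demo against a scratch directory, review the staged java.security line and yaml fragment, then merge them into $JAVA_HOME/lib/security/java.security and cassandra.yaml on each node; the lint is deliberately strict so that a copy-paste of a file-based keystore path into a PKCS11 configuration fails before DSE is restarted.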