Configuring SSL/TLS for DSE using LCM

Configure SSL/TLS for a DSE cluster using Lifecycle Manager Config Profile. This is the recommended procedure for a production environment. Follow these steps to enable node-to-node and client-to-node encryption.

When either node-to-node or client-to-node encryption is enabled, LCM creates keystores and truststores for DSE node-to-node and client-to-node SSL/TLS communication with the following default names and locations:

/etc/dse/keystores/server.keystore (node-to-node keystore)
/etc/dse/keystores/server.truststore (node-to-node truststore)
/etc/dse/keystores/client.keystore (client-to-node keystore)
/etc/dse/keystores/client.truststore (client-to-node truststore)

When client-to-node SSL encryption is enabled, both the OpsCenter daemon and DataStax agents also need to be SSL-enabled to properly communicate with DSE server nodes. LCM automatically configures the ssl configuration options for that purpose in the cluster-specific configuration file :

[agents]
ssl_keystore_password = cassandra
ssl_keystore = /etc/dse/keystores/client.keystore

[cassandra]
ssl_keystore_password = lifecyclemanager
ssl_keystore = /var/lib/opscenter/ssl/lcm/lcm-auto-generated.truststore

The keystore file used for DataStax agents to communicate with DSE nodes is exactly the same as that used by a DSE node connecting to other DSE nodes.

The keystore file used for OpsCenter daemon communicating with DSE nodes is automatically generated by the LCM configuration process and put under the folder /var/lib/opscenter/ssl/lcm.

For information about manually configuring cluster connections (using the OpsCenter UI), see Editing OpsCenter cluster connections for authentication or encryption.

cluster_name.conf

The location of the cluster_name.conf file depends on the type of installation:

Package installations: /etc/opscenter/clusters/cluster_name.conf
Tarball installations: install_location/conf/clusters/cluster_name.conf

Prerequisites

Review the LCM documentation for Managing DSE Security using LCM.

Important: When enabling node-to-node encryption on an existing cluster, the cluster will experience a network partition during the transition, leading to temporary loss of consistency. If possible, choose whether to employ node-to-node encryption when first creating the cluster.

Note: Enabling require_client_auth for client_encryption_options requires special steps due to an LCM limitation. For more information, refer to the Knowledge Base Article.

Procedure

Click Config Profiles from the Lifecycle Manager navigation menu.
Click the edit icon for the config profile you want to edit, or click Add config profile if you have not already created a profile.
In the Config Profile pane under the Cassandra section, click cassandra.yaml.
In the Security pane under server_encryption_options, select an option for internode_encryption.
Available options for node-to-node encryption:
- all: All inter-node communication is encrypted. Recommended and strongest option.
- dc: Traffic between DCs is encrypted. Select this option if there is concern about a performance impact of encrypting traffic locally, but encryption is still required for inter-dc traffic that might transit untrusted links.
- rack: Traffic between racks is encrypted.
Tip: For more details about available configuration options, see server_encryption_options in the DSE Admin documentation.
In the Security pane, select the enabled option for client_encryption_options.

Tip: For more details about available configuration options, see client_encryption_options in the DSE Admin documentation.
Click Save to save the Config Profile.

What's next

Go to the Clusters workspace in Lifecycle Manager and select the config profile to apply at the cluster level.
If an install job has not been run yet on the cluster, Run an Install Job. Otherwise, Run a configure job to apply the config profile changes.
Monitor the job. When the job completes successfully, SSL/TLS setup for the DSE cluster is done.
Download the generated CA cert for use with the DSE client SSL connection.