Configuring SSL/TLS for DSE using LCM
Configure SSL/TLS for a DSE cluster using a Lifecycle Manager (LCM) config profile. This is the recommended procedure for a production environment. Follow these steps to enable both node-to-node and client-to-node encryption.
When either node-to-node or client-to-node encryption is enabled, LCM creates keystores and truststores for DSE node-to-node and client-to-node SSL/TLS communication with the following default names and locations:
- /etc/dse/keystores/server.keystore (node-to-node keystore)
- /etc/dse/keystores/server.truststore (node-to-node truststore)
- /etc/dse/keystores/client.keystore (client-to-node keystore)
- /etc/dse/keystores/client.truststore (client-to-node truststore)
LCM also writes the corresponding connection settings to the cluster's cluster_name.conf, so that the DataStax agents and the OpsCenter daemon can connect to the nodes over SSL/TLS:
[agents]
ssl_keystore_password = cassandra
ssl_keystore = /etc/dse/keystores/client.keystore
[cassandra]
ssl_keystore_password = lifecyclemanager
ssl_keystore = /var/lib/opscenter/ssl/lcm/lcm-auto-generated.truststore
The keystore file used by the DataStax agents to communicate with DSE nodes is exactly the same as the one a DSE node uses when connecting to other DSE nodes.
The keystore file used by the OpsCenter daemon to communicate with DSE nodes is generated automatically by the LCM configuration process and placed under /var/lib/opscenter/ssl/lcm.
The passwords shown are the ones LCM assigns to the generated stores; cluster_name.conf holds them in plaintext, so restrict read access to that file to the OpsCenter service account.
For information about manually configuring cluster connections (using the OpsCenter UI), see Editing OpsCenter cluster connections for authentication or encryption.
cluster_name.conf
The location of the cluster_name.conf file depends on the type of installation:
- Package installations: /etc/opscenter/clusters/cluster_name.conf
- Tarball installations: install_location/conf/clusters/cluster_name.conf
Prerequisites
Procedure
- Click Config Profiles from the Lifecycle Manager navigation menu.
- Click the edit icon for the config profile you want to edit, or click Add config profile if you have not already created a profile.
- In the Config Profile pane under the Cassandra section, click cassandra.yaml.
- In the Security pane under server_encryption_options, select an option for internode_encryption. Available options for node-to-node encryption:
  - all: All inter-node communication is encrypted. Recommended and strongest option.
  - dc: Only traffic between data centers is encrypted. Select this option if the performance cost of encrypting local traffic is a concern but inter-DC traffic, which may transit untrusted links, must still be encrypted.
  - rack: Only traffic between racks is encrypted.
  Tip: For more details about available configuration options, see server_encryption_options in the DSE Admin documentation.
- In the Security pane, select the enabled option for client_encryption_options.
  Tip: For more details about available configuration options, see client_encryption_options in the DSE Admin documentation. Enabling client encryption does not by itself require clients to present certificates (mutual TLS); if you need that, also review require_client_auth, and check the optional setting, which when true lets the node accept unencrypted client connections alongside encrypted ones.
- Click Save to save the Config Profile.
What's next
- Go to the Clusters workspace in Lifecycle Manager and select the config profile to apply at the cluster level.
- If an install job has not been run yet on the cluster, Run an Install Job. Otherwise, Run a configure job to apply the config profile changes.
- Monitor the job. When the job completes successfully, SSL/TLS setup for the DSE cluster is done.
- Download the generated CA cert for use with the DSE client SSL connection.
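After the configure job reports success and the CA certificate has been downloaded from LCM, verify the result rather than trusting the job status. The script below is an added example, not part of this page or of LCM: it probes a node's client-to-node and node-to-node ports with openssl, checks that the presented certificate chains to the downloaded CA, and writes the cqlshrc [ssl] section that makes cqlsh validate against that CA. The node address 10.0.0.11, the ports 9042 and 7001 (DSE defaults), the file name lcm-ca.pem, the assumption that the CA is in PEM form, and the assumption that node-to-node certificates are issued by the same CA are all this example's, not the page's.

```shell
#!/usr/bin/env bash
# Added example, not from the DataStax page or from LCM itself: once the
# configure job reports success, confirm from a client machine that a node
# really serves TLS on the client-to-node and node-to-node ports and that its
# certificate chains to the CA downloaded from LCM. The node address, the port
# numbers and the CA file name are assumptions for this example.
set -eu

NODE="${NODE:-10.0.0.11}"                     # assumed address of one DSE node
NATIVE_PORT="${NATIVE_PORT:-9042}"            # CQL native (client-to-node) port
SSL_STORAGE_PORT="${SSL_STORAGE_PORT:-7001}"  # encrypted node-to-node port
LCM_CA="${LCM_CA:-./lcm-ca.pem}"              # CA downloaded from LCM, assumed PEM

# Full TLS handshake transcript against host:port. openssl's exit status is
# ignored on purpose: the verdict is derived from the transcript instead.
tls_probe() {
  openssl s_client -connect "$1:$2" -CAfile "$3" </dev/null 2>&1 || true
}

# Classify an s_client transcript as "ok <protocol>", "untrusted <reason>" or
# "no-tls". Caveat: against a plaintext port openssl still prints
# "Verify return code: 0 (ok)" because nothing was verified, so the absence of
# a peer certificate has to be checked before the verify code is trusted.
tls_verdict() {
  local out="$1" verify proto
  case "$out" in
    *'no peer certificate available'*) echo "no-tls"; return 0 ;;
  esac
  verify=$(printf '%s\n' "$out" \
    | sed -n '/Verify return code:/{s/^[[:space:]]*Verify return code:[[:space:]]*//;p;q;}')
  proto=$(printf '%s\n' "$out" \
    | sed -n '/^[[:space:]]*Protocol[[:space:]]*:/{s/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*//;p;q;}')
  case "${verify%% *}" in
    "") echo "no-tls" ;;
    0)  echo "ok ${proto:-unknown}" ;;
    *)  echo "untrusted ${verify}" ;;
  esac
}

# cqlshrc [ssl] section that makes cqlsh --ssl validate the node certificate
# against the LCM CA instead of accepting any certificate.
cqlshrc_ssl_section() {
  printf '[ssl]\ncertfile = %s\nvalidate = true\n' "$1"
}

# Probe both ports; exit non-zero if either is not serving a trusted TLS cert.
check_node() {
  local port verdict rc=0
  for port in "$NATIVE_PORT" "$SSL_STORAGE_PORT"; do
    verdict=$(tls_verdict "$(tls_probe "$NODE" "$port" "$LCM_CA")")
    printf '%s:%s %s\n' "$NODE" "$port" "$verdict"
    case "$verdict" in ok*) ;; *) rc=1 ;; esac
  done
  return "$rc"
}

# Probe only when asked (RUN_PROBE=1 ./check-dse-tls.sh), so the functions
# above can be sourced and exercised offline.
if [ "${RUN_PROBE:-0}" = "1" ]; then
  check_node
  cqlshrc_ssl_section "$LCM_CA" > cqlshrc.ssl
fi
```

Run it with RUN_PROBE=1 against one node per data center. A port reporting no-tls means the configure job has not taken effect there (the node is still answering in plaintext); untrusted means the node presents a certificate that does not chain to the CA you downloaded, which is exactly what a client with validate = true would reject. If node-to-node certificates come from a different CA than the one you downloaded, the node-to-node port will read untrusted rather than ok.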