Downloading the generated CA cert
Download the CA certificate automatically generated by Lifecycle Manager after enabling client-to-node encryption. Configure your CQL clients to use the certificate.
Download the CA certificate automatically generated by Lifecycle Manager after
enabling client-to-node encryption. LCM automates the process of setting up SSL certificates using an internal certificate
authority. Configure your CQL clients to trust certificates signed by the
certificate authority.
opscenterd.log
The location of the opscenterd.log file depends on the type of installation:- Package installations: /var/log/opscenter/opscenterd.log
- Tarball installations: install_location/log/opscenterd.log
Prerequisites
- Enable client-to-node encryption in the configuration profile associated with the cluster.
- If the cert was not generated, an error message in both the opscenterd.log and the job event details indicate the SSL certificate is not yet valid. Ensure that there is not any clock drift, which can interfere with generating the cert chain properly. Check the clock drift rule in the Best Practice Service to ensure clocks are in sync.
Procedure
-
In the Clusters workspace of Lifecycle Manager, select the
cluster in the Clusters pane.
The Cluster Details pane for the cluster appears.
-
In the Cluster Details pane, click the Download
Cert link for CA Certificate.
The browser downloads the certificate file. By default, the DSE client CA certificate file provided by LCM is named cacert and has a PEM format.
-
Use the CA Certificate to configure CQL clients to communicate over SSL/TLS.
The process for configuring each CQL client is unique. Refer to the steps for
configuring SSL/TLS for cqlsh as an
example.
For example, using CQLSH client, you can (SSL) access DSE nodes with the following command:
SSL_CERTFILE=cacert cqlsh --ssl <DseNode_Host>
Clients are able to connect to the DataStax Enterprise cluster via CQL over SSL/TLS.