Encrypting JMX communication between the DataStax agent and DSE
Enable encryption for JMX communication between the DataStax agent and DSE.
Complete the following steps to encrypt JMX communications between the DataStax agent and DataStax Enterprise (DSE). Enabling this encryption causes the DataStax agent to use an SSL-aware socket factory when connecting to DSE, but does not enable encryption for DSE itself.
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=false"
If you want to configure JMX authentication for DSE, you must Enable DSE Unified Authentication.
jvm.options
The location of the jvm.options file depends on the type of installation:
Package installations |
/etc/dse/cassandra/jvm.options |
Tarball installations |
installation_location/resources/cassandra/conf/jvm.options |
cassandra-env.sh
The location of the cassandra-env.sh file depends on the type of installation:
Package installations |
/etc/dse/cassandra/cassandra-env.sh |
Tarball installations |
installation_location/resources/cassandra/conf/cassandra-env.sh |
- The cassandra-env.sh file is located in the installation_location/conf directory.
datastax-agent-env.sh
The default location of the DataStax agent environment shell script datastax-agent-env.sh depends on the type of installation:- Package installations: /etc/datastax-agent/datastax-agent-env.sh
- Tarball installations: install_location/agent/conf/datastax-agent-env.sh
Prerequisites
Procedure
- Stop DSE on every node in the cluster.
-
Stop the DataStax agent on each node where it is running.
- Package
installations:
sudo service datastax-agent stop
- Tarball installations:
To stop the DataStax agent, find the DataStax agent Java process ID (PID) and kill the process using its PID number.
ps -ef | grep datastax-agent
sudo kill pid
- Package
installations:
-
Navigate to the jvm.options file and add the
following section for SSL settings.
# SSL settings -Dcom.sun.management.jmxremote.ssl=true -Dcom.sun.management.jmxremote.ssl.need.client.auth=true -Djavax.net.ssl.keyStore=/path_to_keyStore/keyStore_name.jks -Djavax.net.ssl.keyStorePassword=keyStore_password -Djavax.net.ssl.trustStore=/path_to_trustStore/trustStore_name.jks -Djavax.net.ssl.trustStorePassword=trustStore_password
com.sun.management.jmxremote.ssl
- Set to
true
to enable SSL for JMX connections between DSE and the DataStax agent. If enabled,com.sun.management.jmxremote.ssl.need.client.auth
must also be set totrue
to enable full security. com.sun.management.jmxremote.ssl.need.client.auth
- Set to
true
to enable two-way certificate authentication. keyStore_name
- Name of the SSL keystore.
keyStore_password
- Password for the keystore indicated by
javax.net.ssl.keyStore
. trustStore_name
- Name of the SSL truststore.
trustStore_password
- Password for the truststore indicated by
javax.net.ssl.trustStore
.
-
Start DSE on each node in the cluster.
sudo service dse start
Wait for the nodes to become available before continuing.
-
To run the DataStax agent with SSL encryption, add the following settings to
the datastax-agent-env.sh file with on the
nodes where the DataStax agent is running.
Important: The keystore for DSE is the truststore for the DataStax agent (and vice versa), as shown in the following example. The
keyStore
variable points to the trustStore, and thekeyStorePassword
variable uses the trustStore password. The opposite is true for thetrustStore
variable.JVM_OPTS="$JVM_OPTS -Xmx1024M" JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=/path_to_trustStore/trustStore_name.jks" JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=trustStore_password" JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=/path_to_keyStore/keyStore_name.jks" JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=keyStore_password" JVM_OPTS="$JVM_OPTS -Ddatastax.agent.jmx.usessl=true"
datastax.agent.jmx.usessl
- Add this setting and set to
true
to enable SSL encryption for the DataStax agent.
-
Restart the DataStax agent for changes to take effect.
- Package installations:
sudo service datastax-agent restart
- Tarball installations:
- To stop the DataStax agent, find the DataStax agent Java process ID
(PID) and kill the process using its PID
number:
ps -ef | grep datastax-agent
sudo kill pid
- Start the agent:
Use the
-f
option to start the agent in the foreground.install_location/bin/datastax-agent
- To stop the DataStax agent, find the DataStax agent Java process ID
(PID) and kill the process using its PID
number:
- Package installations:
- After restarting the DataStax agent on each node where it is running, check OpsCenter to ensure that all DataStax agents are running and that all nodes are available.