Configuring DSE security using LCM
Authentication for DataStax Enterprise clusters is enabled by default in a Lifecycle Manager configuration profile.
opscenterd.conf
The location of the opscenterd.conf file depends on the type of installation:
- Package installations: /etc/opscenter/opscenterd.conf
- Tarball installations: install_location/conf/opscenterd.conf
The following links provide more information about the available security options in the cassandra.yaml configuration file:
- authenticator
- authorizer
- role_manager
- server_encryption_options (internode_encryption): /en/dse/6.0/dse-admin/datastax_enterprise/config/configCassandra_yaml.html#configCassandra_yaml__server_encryption_options
- client_encryption_options: /en/dse/6.0/dse-admin/datastax_enterprise/config/configCassandra_yaml.html#configCassandra_yaml__client_encryption_options
- transparent_data_encryption_options
Internal Certificate Authority generated by LCM
The process of manually preparing certificates and deploying them can be a barrier to the
adoption of security features. To simplify deployments, Lifecycle Manager
optionally generates certificates using an internal certificate authority.
- When LCM first starts, it creates a self-signed 2048-bit RSA certificate authority that is stored in the directory specified by [lifecycle_manager].cacerts_directory in opscenterd.conf.
- When running install or configure jobs, LCM generates a keystore and truststore for each node if necessary. Certificate generation occurs if either node-to-node or client-to-node encryption is enabled, and if there is no pre-existing keystore or truststore in the locations specified by the configuration profile.
- When generating a keystore for each node, LCM creates a certificate signing request for the node, signs the request with the internal certificate authority, and packages the resulting certificate in a JKS-formatted keystore.
- When generating a truststore for each node, LCM packages the CA certificate in a JKS-formatted truststore. The same CA is used to sign certificates for all nodes in all clusters, and it enables validation of all automatically generated certificates.
To use certificates not generated by LCM, see Using non-LCM generated certificates.
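The certificate flow in the list above can be reproduced by hand with openssl to see which node certificates a truststore holding the single CA will accept. This is an added illustration, not LCM's own code: the file names, subject names, and the second "unrelated" CA are constructed for the example, and the JKS packaging step is omitted.

```shell
# Added illustration: openssl stand-in for the flow LCM automates.
# All file names and subject names are constructed for this example.
WORK=$(mktemp -d)

# Self-signed 2048-bit RSA CA, as LCM creates on first start.
make_ca() {  # $1 = file prefix, $2 = common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Per-node key and CSR, signed by the given CA (the keystore contents).
issue_node_cert() {  # $1 = CA prefix, $2 = node name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$2.csr" -days 365 \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.pem" 2>/dev/null
}

# Truststore check: does the node certificate chain to this CA?
trusted_by() {  # $1 = CA prefix, $2 = node name
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

make_ca lcm-ca "Example LCM CA"
make_ca other-ca "Unrelated CA"
issue_node_cert lcm-ca cluster1-node1
issue_node_cert lcm-ca cluster2-node1   # same CA, different cluster
issue_node_cert other-ca foreign-node   # signed by a CA the truststore lacks

for n in cluster1-node1 cluster2-node1 foreign-node; do
  if trusted_by lcm-ca "$n"; then
    echo "$n: accepted"
  else
    echo "$n: rejected"
  fi
done
```

Because one CA signs for every cluster, a truststore built from it accepts node certificates from all LCM-managed clusters, not only the node's own cluster.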