Configuring SSL/TLS for DSE using LCM

Configure SSL/TLS for a DSE cluster using Lifecycle Manager Config Profile. This is the recommended procedure for a production environment. Follow these steps to enable node-to-node and client-to-node encryption.

Configure SSL/TLS for a DataStax Enterprise (DSE) cluster using a Lifecycle Manager (LCM) Config Profile. This is the recommended procedure for a production environment. LCM can configure DSE clusters to use either node-to-node or client-to-node encryption.
  • Client-to-node encryption is enabled by default, and can use certificates generated by the internal certificate authority in LCM, or certificates generated outside of LCM.
  • Node-to-node encryption is enabled by default, but can be configured by enabling internode communication.

When either node-to-node or client-to-node encryption is enabled, LCM creates keystores and truststores for DSE node-to-node and client-to-node SSL/TLS communication with the following default names and locations:

Client-to-node
  • /etc/dse/keystores/client.keystore (client-to-node keystore)
  • /etc/dse/keystores/client.truststore (client-to-node truststore)
Node-to-node
  • /etc/dse/keystores/server.keystore (node-to-node keystore)
  • /etc/dse/keystores/server.truststore (node-to-node truststore)
When client-to-node SSL encryption is enabled, both the OpsCenter daemon and DataStax Agents also need to be SSL-enabled to properly communicate with DSE server nodes. LCM automatically configures the SSL configuration options for that purpose in the cluster-specific configuration file cluster_name.conf:
[agents]
ssl_keystore_password = cassandra
ssl_keystore = /etc/dse/keystores/client.keystore

[cassandra]
ssl_keystore_password = lifecyclemanager
ssl_keystore = /var/lib/opscenter/ssl/lcm/lcm-auto-generated.truststore

The keystore file used for DataStax Agents to communicate with DSE nodes is exactly the same as that used by a DSE node connecting to other DSE nodes.

The keystore file used for the OpsCenter daemon communicating with DSE nodes is automatically generated by the LCM configuration process and put under the folder /var/lib/opscenter/ssl/lcm.

For information about manually configuring cluster connections (using the OpsCenter UI), see Editing OpsCenter cluster connections for authentication or encryption.

cluster_name.conf

The location of the cluster_name.conf file depends on the type of installation:
  • Package installations: /etc/opscenter/clusters/cluster_name.conf
  • Tarball installations: install_location/conf/clusters/cluster_name.conf

Prerequisites

Review the LCM documentation for Configuring DSE security using LCM.
Important: When enabling node-to-node encryption on an existing cluster, the cluster will experience a network partition during the transition, leading to temporary loss of consistency. If possible, choose whether to employ node-to-node encryption when first creating the cluster.
Note: Enabling require_client_auth for client_encryption_options requires special steps due to an LCM limitation. For more information, refer to this Knowledge Base Article.

Procedure

  1. Click Config Profiles from the Lifecycle Manager navigation menu.
  2. Click the edit icon for the configuration profile to edit, or click Add config profile if you have not already created a profile.
  3. In the Config Profile pane under the Cassandra section, select cassandra.yaml.

    cassandra.yaml security options in LCM config profiles

  4. In the Security pane under server_encryption_options, select one of the following options for internode_encryption.
    • all: All inter-node communication is encrypted. (Recommended and strongest option.)
    • dc: Traffic between datacenters is encrypted. Select this option if there is concern about a performance impact of encrypting traffic locally, but encryption is still required for inter-datacenter traffic that might transit untrusted links.
    • rack: Traffic between racks is encrypted.
    Tip: For more details about available configuration options, see /en/dse/6.7/dse-admin/datastax_enterprise/config/configCassandra_yaml.html#configCassandra_yaml__server_encryption_options.
  5. Re-enter keystore and truststore passwords for confirmation.
  6. In the Security pane, select the enabled option for client_encryption_options.

    Enable client_encryption_options

    Tip: For more details about available configuration options, see /en/dse/6.7/dse-admin/datastax_enterprise/config/configCassandra_yaml.html#configCassandra_yaml__client_encryption_options.
  7. Re-enter keystore and truststore passwords for confirmation.
  8. Click Save to save the Config Profile.

What's next

  1. Go to the Clusters workspace in Lifecycle Manager and select the configuration profile to apply at the cluster level.
  2. If an install job has not been run yet on the cluster, Run an Install Job. Otherwise, Run a configure job to apply the configuration profile changes.
  3. Monitor the job. When the job completes successfully, SSL/TLS setup for the DSE cluster is enabled.
  4. Download the generated CA cert for use with the DSE client SSL connection.