Client-to-node encryption
LCM can configure DSE clusters to use client-to-node encryption with certificates generated by LCM or another certificate authority.
Lifecycle Manager (LCM) can configure DataStax Enterprise (DSE) clusters to use client-to-node encryption, which is disabled by default. See Configuring SSL/TLS for DSE using LCM for step-by-step instructions for enabling client encryption using LCM Config Profiles. To configure SSL manually, outside of LCM, for DSE clusters that LCM does not manage, see Configuring SSL for client-to-node connections.
When client-to-node encryption is enabled, Lifecycle Manager automates the process of preparing server certificates, exactly as it does for node-to-node encryption. To enable client-to-node encryption, select a Config Profile, click cassandra.yaml, navigate to the Security pane, and select enabled for client_encryption_options.
Organizations that do not want to use the internal certificate authority in LCM can instead manually deploy the keystore and truststore, as described for node-to-node encryption.
- If certificates were generated by the internal certificate authority in Lifecycle Manager, download the CA certificate.
- If certificates were generated outside of Lifecycle Manager, acquire the appropriate CA certificate or self-signed certificates. See Using non-LCM generated certificates.
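The following fragment is an added illustration, not part of the original page and not output captured from LCM. It shows the cassandra.yaml section that the enabled setting for client_encryption_options corresponds to; the key names are standard cassandra.yaml options, and the paths and passwords are placeholders.

```yaml
# Added illustration. Paths and passwords are placeholders, not values
# that LCM is known to write.

# Default state (client-to-node encryption disabled):
# client_encryption_options:
#     enabled: false

# Client-to-node encryption enabled:
client_encryption_options:
    enabled: true
    # false: the node rejects unencrypted client connections.
    # true: the node accepts both encrypted and unencrypted clients,
    # so plaintext traffic is still possible.
    optional: false
    # Keystore holding the node's private key and server certificate.
    keystore: /path/to/keystore.jks              # placeholder
    keystore_password: "<keystore-password>"     # placeholder
    # Set to true only when clients must present their own certificates
    # (mutual TLS); the node then needs a truststore containing the CA
    # that signed the client certificates.
    require_client_auth: false
    # truststore: /path/to/truststore.jks        # placeholder
    # truststore_password: "<truststore-password>"
```

After a configuration like this is applied, clients must trust the CA certificate obtained as described in the list above before they can connect.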