Encrypting JMX communication between the DataStax agent and DSE

Enable encryption for JMX communication between the DataStax agent and DSE.

Complete the following steps to encrypt JMX communications between the DataStax agent and DataStax Enterprise (DSE). Enabling this encryption causes the DataStax agent to use an SSL-aware socket factory when connecting to DSE, but does not enable encryption for DSE itself.

By default, JMX remote connections are disabled and JMX security authentication is disabled for both local and remote connections in the cassandra-env.sh file:
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=false"

If you want to configure JMX authentication for DSE, you must Enable DSE Unified Authentication.

datastax-agent-env.sh

The default location of the DataStax agent environment shell script datastax-agent-env.sh depends on the type of installation:
  • Package installations: /etc/datastax-agent/datastax-agent-env.sh
  • Tarball installations: install_location/agent/conf/datastax-agent-env.sh

jvm.options

The location of the jvm.options file depends on the type of installation:
Package installations /etc/dse/cassandra/jvm.options
Tarball installations installation_location/resources/cassandra/conf/jvm.options

cassandra-env.sh

The location of the cassandra-env.sh file depends on the type of installation:
Package installations /etc/dse/cassandra/cassandra-env.sh
Tarball installations installation_location/resources/cassandra/conf/cassandra-env.sh

Prerequisites

Complete all steps to Set up SSL certificates.

Procedure

  1. Stop DSE on every node in the cluster.
  2. Stop the DataStax agent on each node where it is running.
    • Package installations:
      sudo service datastax-agent stop
    • Tarball installations:

      To stop the DataStax Agent, find the DataStax Agent Java process ID (PID) and kill the process using its PID number.

      ps -ef | grep datastax-agent
      sudo kill pid
  3. Navigate to the jvm.options file and add the following section for SSL settings.
    # SSL settings
    -Dcom.sun.management.jmxremote.ssl=true
    -Dcom.sun.management.jmxremote.ssl.need.client.auth=true
    -Djavax.net.ssl.keyStore=/path_to_keyStore/keyStore_name.jks
    -Djavax.net.ssl.keyStorePassword=keyStore_password
    -Djavax.net.ssl.trustStore=/path_to_trustStore/trustStore_name.jks
    -Djavax.net.ssl.trustStorePassword=trustStore_password
    com.sun.management.jmxremote.ssl
    Set to true to enable SSL for JMX connections between DSE and the DataStax agent. If enabled, com.sun.management.jmxremote.ssl.need.client.auth must also be set to true to enable full security.
    com.sun.management.jmxremote.ssl.need.client.auth
    Set to true to enable two-way certificate authentication.
    keyStore_name
    Name of the SSL keystore.
    keyStore_password
    Password for the keystore indicated by javax.net.ssl.keyStore.
    trustStore_name
    Name of the SSL truststore.
    trustStore_password
    Password for the truststore indicated by javax.net.ssl.trustStore.
  4. Start DSE on each node in the cluster.
    sudo service dse start

    Wait for the nodes to become available before continuing.

  5. To run the DataStax agent with SSL encryption, add the following settings to the datastax-agent-env.sh file with on the nodes where the DataStax agent is running.
    Important: The keystore for DSE is the truststore for the DataStax agent (and vice versa), as shown in the following example. The keyStore variable points to the trustStore, and the keyStorePassword variable uses the trustStore password. The opposite is true for the trustStore variable.
    JVM_OPTS="$JVM_OPTS -Xmx1024M"
    JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=/path_to_trustStore/trustStore_name.jks"
    JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=trustStore_password"
    JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=/path_to_keyStore/keyStore_name.jks"
    JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=keyStore_password"
    JVM_OPTS="$JVM_OPTS -Ddatastax.agent.jmx.usessl=true"
    datastax.agent.jmx.usessl
    Add this setting and set to true to enable SSL encryption for the DataStax agent.
  6. Restart the DataStax agent for changes to take effect.
    • Package installations:
      sudo service datastax-agent restart
    • Tarball installations:
      1. To stop the DataStax Agent, find the DataStax Agent Java process ID (PID) and kill the process using its PID number:
        ps -ef | grep datastax-agent
        sudo kill pid
      2. Start the Agent:

        Use the -f option to start the Agent in the foreground.

        install_location/bin/datastax-agent
  7. After restarting the DataStax agent on each node where it is running, check OpsCenter to ensure that all DataStax agents are running and that all nodes are available.