Connect to DSE with client-to-node encryption in OpsCenter and the DataStax Agents

Instructions for setting up OpsCenter and the DataStax Agents for connecting to DSE when client-to-node encryption is enabled.

The opscenterd machine and the DataStax Agents act as clients to each DSE machine. Therefore, opscenterd and the DataStax Agents need to use their own keystores (to present its certificate) and truststores (to verify the DSE server certificate) during the SSL handshake process.
Note: If two-way authentication is enabled, DSE needs to verify traffic from opscenterd and the DataStax Agents using a truststore.

Follow these instructions to configure OpsCenter and the DataStax Agents to use client-to-node encryption using one-way or two-way authentication.

cluster_name.conf

The location of the cluster_name.conf file depends on the type of installation:
  • Package installations: /etc/opscenter/clusters/cluster_name.conf
  • Tarball installations: install_location/conf/clusters/cluster_name.conf

Prerequisites

Figure 1. Client-to-node encryption
OpsCenter and DataStax Agents client-to-node encryption

Procedure

  1. Create a keystore on the opscenterd machine.
    keytool -genkey -alias opscenter -keyalg RSA -keypass password -storepass password -keystore opscenter.jks
    This command creates a keystore named opscenter.jks in the current directory.
  2. Export the opscenterd certificate.
    keytool -export -alias opscenter -storepass password -file opscenter.crt -keystore opscenter.jks
    This command exports the certificate named opscenter.crt that was stored in opscenter.jks in the current directory.
  3. Create a truststore on the opscenterd machine and import each node's public certificate.
    keytool -import -v -trustcacerts -alias node1 -file node1.crt -keystore truststore.jks -keypass password
    The command creates a truststore by importing node1's certificate. Repeat this command using the certificate from each node.
  4. Optional: Import the opscenterd certificate into the truststore on every DSE node.
    Note: This step is optional and should be done only if two-way authentication is enabled when using DSE client-to-node encryption. If using two-way authentication, this step must be done on every node in the cluster.
    keytool -import -v -trustcacerts -alias opscenter -file opscenter.crt -keystore dse_truststore.jks -keypass password
    This command imports (and trusts) the opscenter.crt certificate into a truststore named dse_truststore.jks.
  5. Optional: Import the DSE certificate into its truststore so that the DataStax Agent can use the combined truststore and keystore for client-to-node encryption. Repeat for each node.
    Note: The DataStax Agent uses one file as both a keystore and truststore for OpsCenter versions earlier than 6.1.1. Therefore, each agent can reuse the same truststore that was created when enabling client-to-node encryption in DSE. The only additional step is to add the certificate to the truststore for the node in which the DataStax Agent is monitoring.
    keytool -import -alias node1 -file node1.crt -keystore dse_truststore.jks -storepass password
    This command imports node1.crt into the truststore file dse_truststore.jks, thus making dse_truststore.jks both a truststore and keystore. Repeat this process on every DSE machine.
  6. Choose one of the following options to configure OpsCenter and the DataStax Agents to use client-to-node encryption.
    When client-to-node encryption is enabled for a cluster using Lifecycle Manager, the ssl_truststore and ssl_truststore_password fields are automatically propagated in cluster_name.conf with the corresponding values from ssl_keystore and ssl_keystore_password for both opscenterd and the agent: LCM propagates the ssl_keystore value into ssl_keystore and ssl_truststore; and the ssl_keystore_password value into ssl_keystore_password and ssl_truststore_password.
    • Configure the client-to-node settings using the Edit Cluster Connection Settings dialog in the OpsCenter Monitoring UI. Entering the values in the UI populates the corresponding configuration options in cluster_name.conf. See Editing OpsCenter cluster connections for authentication or encryption.
    • Configure the options directly in the cluster configuration file cluster_name.conf. Edit the cluster configuration file and enter the information for the SSL keystore and SSL truststore created in previous steps.
      Note: If using a separate storage cluster (recommended), one additional keystore/truststore needs to be created that holds the certificates of the nodes in the storage cluster, as well as the certificate/key for the DataStax Agent machine. The path and password to this keystore/truststore must go in the [agents] section of the cluster configuration file.
      [cassandra]
      # Note: If the truststore and keystore are the same file, enter 
      # the same path/password
      # for both the keystore and truststore
      ssl_keystore = /path/to/keystore/file/on/opsc/machine
      ssl_keystore_password = password_of_keystore
      ssl_truststore = /path/to/truststore/file/on/opsc/machine
      ssl_truststore_password = password_of_truststore
      
      [agents]
      # The agent has separate keystore and truststore
      # Applicable to OpsCenter versions 6.1.1 and later.
      ssl_truststore = /path/to/trusted/certs 
      ssl_truststore_password = pw_for_agents_to_access_trusted_certs
      
      # Optional if using a separate storage cluster
      storage_ssl_keystore = /path/to/storage_cluster/keystore/file/on/agent/machine
      storage_ssl_keystore_password = password_of_keystore
      # Separate truststore options applicable to OpsCenter versions 6.1.1 and later 
      storage_ssl_truststore = /path/to/trusted/certs
      storage_ssl_truststore_password = pw_for_agents_to_access_trusted_certs
      
      
  7. Restart OpsCenter.