SSL configuration options for OpsCenter
Reference of available configuration options for OpsCenter SSL in one convenient location.
cluster_name.conf
The location of the cluster_name.conf file depends on the type of installation:- Package installations: /etc/opscenter/clusters/cluster_name.conf
- Tarball installations: install_location/conf/clusters/cluster_name.conf
address.yaml
The location of the address.yaml file depends on the type of installation:- Package installations: /var/lib/datastax-agent/conf/address.yaml
- Tarball installations: install_location/conf/address.yaml
opscenterd.conf
The location of the opscenterd.conf file depends on the type of installation:- Package installations: /etc/opscenter/opscenterd.conf
- Tarball installations: install_location/conf/opscenterd.conf
Reference of available SSL configuration options in each level of OpsCenter configuration file (daemon, cluster, agent), sorted by alphabetical order within each section.
OpsCenter daemon (opscenterd) SSL configuration options
SSL configuration options available in opscenterd.conf:
- [agents] agent_certfile
- The location of the certfile sent to the DataStax Agents when using SSL communication between OpsCenter and the DataStax Agents. The default location is /var/lib/opscenter/ssl/agentKeyStore.der for package installations and install_location/ssl/agentKeyStore.der for tarball installations.
- [agents] agent_keyfile
- The location of the keyfile sent to the DataStax Agents when using SSL communication between OpsCenter and the DataStax Agents. The default location is /var/lib/opscenter/ssl/agentKeyStore for package installations and install_location/ssl/agentKeyStore for tarball installations. Note: Do not use the
agent_keyfile
when manually generating and deploying keys. - [agents] agent_keyfile_raw
- The raw keystore file stored in the Java keystore from agent_keyfile. This parameter is required only when configuring high availability, so that the secondary OpsCenter instance can communicate with the primary OpsCenter instance. The failover opscenterd processes on the secondary OpsCenter instance use this key to establish a STOMP connection to the primary opscenterd instance.
- [agents] ssl_certfile
- The location of the SSL certificate used for SSL traffic between OpsCenter and the DataStax Agents. The default location is /var/lib/opscenter/ssl/opscenter.der for package installations and install_location/ssl/opscenter.der for tarball installations.
- [agents] ssl_keyfile
- The location of the SSL key file used for SSL traffic between OpsCenter and the DataStax Agents. The default location is /var/lib/opscenter/ssl/opscenter.key for package installations and install_location/ssl/opscenter.key for tarball installations.
- [agents] use_ssl
- Specifies whether traffic between OpsCenter and the DataStax Agents should use SSL. The default value is False.
- [webserver] ssl_certfile
- The location where the SSL certificate resides. This option requires
ssl_keyfile
and optionallyssl_port
to also be set. - [webserver] ssl_keyfile
- The location where the SSL keyfile resides. This option requires
ssl_certfile
and optionallyssl_port
to also be set. - [webserver] ssl_port
- The port on which to serve SSL traffic. The default port is 8443.
Cluster SSL configuration options
Cluster-specific SSL configuration options available in cluster_name.conf:
- [agents] ssl_keystore
- The SSL keystore location for DataStax Agents to use to connect to CQL on the monitored cluster.
- [agents] ssl_keystore_password
- The SSL keystore password for DataStax Agents to use to connect to CQL on the monitored cluster.
- [agents] ssl_truststore
- The SSL truststore location for DataStax Agents to use for trusted certs.
- [agents] ssl_truststore_password
- The SSL truststore password for DataStax Agents to use for trusted certs.
- [agents] storage_ssl_keystore
- The SSL keystore location for DataStax Agents to use to connect to CQL on the storage cluster.
- [agents] storage_ssl_keystore_password
- The SSL keystore password for DataStax Agents to use to connect to CQL on the storage cluster.
- [agents] storage_ssl_truststore
- The SSL truststore location for DataStax Agents to use for trusted certs on the storage cluster.
- [agents] storage_ssl_truststore_password
- The SSL truststore password for DataStax Agents to use for trusted certs on the storage cluster.
- [cassandra] ssl_keystore
- The SSL keystore location for OpsCenter to use to connect to Cassandra directly.
- [cassandra] ssl_keystore_password
- The SSL keystore password for OpsCenter to use to connect to Cassandra directly.
- [cassandra] ssl_truststore
- The SSL truststore location for OpsCenter to use to connect to Cassandra directly.
- [cassandra] ssl_truststore_password
- The SSL truststore password for OpsCenter to use to connect to Cassandra directly.
- [storage_cassandra] ssl_keystore
- The SSL keystore location for OpsCenter to use to connect to Cassandra directly.
- [storage_cassandra] ssl_keystore_password
- The SSL keystore password for OpsCenter to use to connect to Cassandra directly.
- [storage_cassandra] ssl_truststore
- The SSL truststore location for OpsCenter to use to connect to Cassandra directly.
- [storage_cassandra] ssl_truststore_password
- The SSL truststore password for OpsCenter to use to connect to Cassandra directly.
Agent configuration options
SSL configuration options available for agents in address.yaml:
- monitored_ssl_keystore
- The SSL keystore location for the monitored cluster that agents use to connect to CQL. Example:
monitored_ssl_keystore: /etc/dse/conf/.keystore
- monitored_ssl_keystore_password
- The SSL keystore password for the monitored cluster that agents use to connect to CQL. Example:
monitored_ssl_keystore_password: keystore-pass
[This field may be encrypted for additional security.] - monitored_ssl_truststore
- The SSL truststore location for the monitored cluster that agents use to connect to CQL. Example:
monitored_ssl_truststore: /etc/dse/conf/.truststore
- monitored_ssl_truststore_password
- The SSL truststore password for the monitored cluster that agents use to connect to CQL. Example:
monitored_ssl_truststore_password: truststore-pass
[This field may be encrypted for additional security.] - opscenter_ssl_keystore
- On target nodes where DataStax Agents are running, the path to the SSL keystore file that the Agents use to connect to opscenterd. Example:
opscenter_ssl_keystore: /usr/share/opscenter/ssl/agentKeystore
- opscenter_ssl_keystore_password
- The SSL keystore password that the agents use to connect to opscenterd. Example:
opscenter_ssl_keystore_password: keystore-pass
[This field may be encrypted for additional security.] - opscenter_ssl_truststore
- The path to the truststore file that the agents use to connect to opscenterd. Example:
opscenter_ssl_truststore: /usr/share/opscenter/ssl/trustStore
- opscenter_ssl_truststore_password
- The SSL truststore password that the agents use to connect to opscenterd. Default: Uses the keystore password if an SSL truststore password is not specified. Example:
opscenter_ssl_truststore_password: trust-pass
[This field may be encrypted for additional security.] - opscenter_ssl_strict_subject_validation
- Instructs the agent to reject certificates from opscenterd when the certificate subject does not match the server's ip. This option is false by default, which means the agent attempts subject validation first. If that fails, the agent logs a warning and retries the connection without subject validation. In a later version of OpsCenter, the default will change to true. Example:
opscenter_ssl_strict_subject_validation: true
- ssl_keystore
- The SSL keystore location for the storage cluster that agents use to connect to CQL. Example:
ssl_keystore: /etc/dse/conf/.keystore
- ssl_keystore_password
- The SSL keystore password for the storage cluster that agents use to connect to CQL. Example:
ssl_keystore_password: keystore-pass
[This field may be encrypted for additional security.] - ssl_truststore
- The SSL truststore location for the storage cluster that agents use to connect to CQL. Example:
ssl_truststore: /etc/dse/conf/.truststore
- ssl_truststore_password
- The SSL truststore password for the storage cluster that agents use to connect to CQL. Example:
ssl_truststore_password: truststore-pass
[This field may be encrypted for additional security.] - use_ssl
- Whether or not to use SSL communication between the agent and opscenterd. Affects both the STOMP connection and agent HTTP server. Corresponds to [agents].use_ssl in opscenterd.conf. Setting this option to true turns on SSL connections. Example:
use_ssl: true