Configuring SSL for nodetool, nodesync, dsetool, and Advanced Replication

Use nodetool, nodesync, dsetool, and DSE Advanced Replication with SSL encryption.

Complete the following procedure to configure JMX for using nodetool, nodesync, dsetool, and DataStax Enterprise (DSE) Advanced Replication with SSL.

Important: Make these changes in the file on each node in the cluster.

The location of the file depends on the type of installation:
Package installations /etc/dse/cassandra/
Tarball installations installation_location/resources/cassandra/conf/


  1. Create SSL certificates with a self-signed CA.
  2. Configure client-to-node encryption.
  3. Configure JMX on the server side.
Note: For production environments, secure an entire cluster using JKS files. For a single-node development environment, you can use a simpler single-node, local keystore file and truststore file.


  1. Open the file.
  2. Restart DSE.
  3. nodetool: To configure the client settings for nodetool, create a .cassandra/ file in your home or client program directory on the node where you will run the command. Add the following settings, depending on whether you are running the command in a production or development environment.
    touch ~/.cassandra/

    Production environment:

    Development environment:
  4. nodesync: To configure the client settings for nodesync, create a .cassandra/ file in your home or client program directory on the node where you will run the command. Add the following settings to the file.
    Note: The file for nodesync is equivalent to the .cassandra/ file used by nodetool, except that it defines properties shared by JMX and CQL.
    touch ~/.cassandra/
Note: The JVM properties for nodesync should be the same as those set for nodetool, but defined in a separate file, such as nodesync-jvm.options. DataStax recommends maintaining separate option files for nodetool and nodesync. For example, you might need SSL only in the CQL connection, but not in JMX. In this case, nodetool would not require the JVM properties, while nodesync would need them defined.
  1. Start the appropriate tool using the following options to establish an encrypted connection with username and password credentials, or an auth provider class (for CQL). If you provide a username option but not a password, you are prompted to enter one.


    nodetool --ssl -u jmx_username -pw jmx_password command

    nodesync (JMX, CQL, or both)

    nodesync --jmx-ssl --jmx-username jmx_username --jmx-password jmx_password command
    nodesync --cql-ssl --cql-username cql_username --cql-password cql_password command
    nodesync --cql-ssl --cql-auth-provider cql-auth-provider-ClassName command
    nodesync --jmx-ssl --jmx-username jmx_username --jmx-password jmx_password 
               --cql-ssl --cql-username cql_username --cql-password cql_password command
    nodesync --jmx-ssl --jmx-username jmx_username --jmx-password jmx_password 
               --cql-ssl --cql-auth-provider cql-auth-provider-ClassName command


    dsetool --ssl -a jmx_username -b jmx_password command

    dse advrep

    dse advrep --ssl -u jmx_username command