Configuring SSL for client-to-node connections
Use SSL to secure connections from a client node to the coordinator node.
Complete the following procedure on every node in the cluster to configure SSL for client-to-node connections.
Note: On a DSE Search node,
enabling SSL for the database automatically enables SSL in the DSE Search
web.xml file and configures an SSL connector in Tomcat
using the authentication/authorization filters. No changes are required for the
web.xml or server.xml
files.
If the TomcatSolrRunner
doesn't find a connector
in server.xml, it creates a default connector.
The default connector binds to the .
CAUTION: If you are not using the JCE Unlimited Strength
Jurisdiction Policy, make sure that your ticket granting principal does not use AES-256. Starting in JDK 8u161, JCE Unlimited
is enabled by default. Refer to the Release Notes for JDK 8u161. If your ticket
granting principal uses AES-256, you might see a warning like this in the logs:
WARN [StreamConnectionEstablisher:18] 2015-06-22 14:12:18,589 SSLFactory.java (line 162) Filtering out
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA as it isnt supported by the socket
cassandra.yaml
The location of the cassandra.yaml file depends on the type of installation:Package installations | /etc/dse/cassandra/cassandra.yaml |
Tarball installations | installation_location/resources/cassandra/conf/cassandra.yaml |
server.xml
The default location of the Tomcat server.xml file depends on the installation type:Package installations | /etc/dse/tomcat/conf/server.xml |
Tarball installations | installation_location/resources/tomcat/conf/server.xml |
Prerequisites
Procedure
-
Edit cassandra.yaml and make the following
changes in the client_encryption_options to enable SSL:
-
Set enabled to
true
to enable SSL. -
Set optional to
false
(default) to only allow SSL connections. -
Set require_client_auth to
true
to require two-way host certificate validation.
-
Set enabled to
-
Configure the keystore and truststore, depending on whether you are using local
keystore files or a remote keystore provider. All settings are configured in the
client_encryption_options
section of cassandra.yaml:- Local files: use the following settings.Note: The
store_type
option is deprecated. Instead, usekeystore_type
andtruststore_type
.client_encryption_options: enabled: true optional: false keystore_type: PKCS12 keystore: path_to_keystore keystore_password: keystore_password require_client_auth: true truststore_type: PKCS12 truststore: path_to_truststore truststore_password: truststore_password protocol: ssl algorithm: SunX509 cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA]
- Remote keystore provider: use the following settings. Note: TheUnused options can be blank or commented out.
store_type
option is deprecated. Instead, usekeystore_type
andtruststore_type
.Note: Requires installation of a provider. See Using a remote keystore provider.client_encryption_options: enabled: true optional: false keystore_type: PKCS12 require_client_auth: true truststore_type: PKCS12 protocol: ssl algorithm: SunX509 cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA]
- enabled
- Enables client-to-node encryption.
Default: false
- optional
- When
optional
is selected, both encrypted and unencrypted connections over native transport are allowed. That is a necessary transition state to facilitate enabling client to node encryption on live clusters without inducing an outage for existing unencrypted clients. Typically, once existing clients are migrated to encrypted connections,optional
is unselected in order to enforce native transport encryption.Default:
false
- keystore_type
- Valid types are JKS, JCEKS, PKCS11, or PKCS12. For file-based keystores, use
PKCS12.Attention: DataStax supports PKCS11 as a
keystore_type
on nodes withcassandra
oradvanced
workloads. Thecassandra
workload support is specific to DSE 6.7.7 and later releases. Theadvanced
workload support is specific to DSE 6.7.9 and later. If PKCS11 is needed, inserver_encryption_options
orclient_encryption_options
, specify thekeystore_type
asPKCS11
and thekeystore
asNONE
. PKCS11 is not supported in DSE 6.0.x and 5.1.x releases. PKCS11 is not supported as atruststore_type.
Default: JKS
- keystore
- Relative path from DSE installation directory or absolute path to the Java
keystore (JKS) suitable for use with Java Secure Socket Extension (JSSE),
which is the Java version of the Secure Sockets Layer (SSL), and Transport
Layer Security (TLS) protocols. The keystore contains the private key used
to encrypt outgoing
messages.
Default: resources/dse/conf/.keystore
- keystore_password
- Password for the keystore.
Default: cassandra
- require_client_auth
- Enables certificate authentication for client-to-node encryption.
- true - Require certificate authentication for client-to-node encryption. Client certificates must be present on all nodes in the cluster.
- false - Do not require certificate authentication for client-to-node encryption.
Default: false
- truststore_type
- Valid types are JKS, JCEKS, or PKCS12. For file-based truststores, use
PKCS12. Attention: Due to an OpenSSL issue, you cannot use a PKCS12 truststore that was generated via OpenSSL. For example, a truststore generated via the following command will not work with DSE:
openssl pkcs12 -export -nokeys -out truststore.pfx -in intermediate.chain.pem
However, truststores generated via Java'skeytool
and then converted to PKCS12 work with DSE. Example:keytool -importcert -alias rootca -file rootca.pem -keystore truststore.jks
keytool -importcert -alias intermediate -file intermediate.pem -keystore truststore.jks
keytool -importkeystore -srckeystore truststore.jks -destkeystore truststore.pfx -deststoretype pkcs12
Default: JKS
- truststore
- Relative path from DSE installation directory or absolute path to truststore
containing the trusted certificate for authenticating remote servers.Note: Truststore password and path is only required when require_client_auth is set to
true
.Default: resources/dse/conf/.truststore
- truststore_password
- Password for the truststore. This must match the password used when
generating the keystore and truststore.Note: Truststore password and path is only required when require_client_auth is set to
true
.Default: cassandra
- Local files: use the following settings.
- Save and close the cassandra.yaml file.
- Complete a rolling DSE restart.