How to configure SSL for DataStax Enterprise

Securing data in-flight on DataStax Enterprise.

Configure SSL for DataStax Enterprise (DSE) by implementing Client Certificate Authentication. With this approach, each node checks the certificate presented by the service or client making a request against its local truststore, validating that the certificate was issued by a known Certificate Authority (CA).

Creating SSL certificates, keystores, and truststores

You can implement SSL using certificates signed by a well-known CA, or by creating your own root CA. DataStax recommends using certificates signed by a CA to reduce SSL certificate management tasks. However, you can use self-signed certificates with DSE, which supports SSL certificates in local and external keystores.

Creating your own CA in a production environment typically involves using an intermediate certificate chain, where the root CA signs one or more intermediate certificates with its private key. These intermediate certificates chain together to link back to the root CA, which owns one or more trusted roots.
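The following script is an added example, not taken from the DataStax documentation. It builds the root CA, intermediate CA, and node certificate chain described above with `openssl`, then runs the "issued by a known CA" check that a truststore performs. The subject names, file names, 30-day lifetimes, and the use of a PEM file in place of a DSE truststore are all assumptions made for the demonstration.

```bash
#!/usr/bin/env bash
# Added demo (constructed): subjects, file names and lifetimes are assumptions.
set -eu

# Build root CA -> intermediate CA -> node certificate, plus an unrelated
# self-signed "rogue" certificate, as PEM files in directory $1.
build_pki() (
  cd "$1"
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # req NAME CN [extra openssl-req args]: new 2048-bit key plus CSR or cert.
  req() { n=$1 cn=$2; shift 2; openssl req -config ca.cnf -newkey rsa:2048 \
            -nodes -keyout "$n.key" -subj "/CN=$cn" "$@" 2>/dev/null; }
  req root  "Demo Root CA"           -x509 -extensions v3_ca -days 30 -out root.pem
  req rogue "Unknown Self-Signed"    -x509 -days 30 -out rogue.pem
  req int   "Demo Intermediate CA"   -new -out int.csr
  req node  "node1.example.internal" -new -out node.csr
  # The root signs the intermediate (marked as a CA); the intermediate signs the node.
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.cnf -extensions v3_ca -days 30 -out int.pem 2>/dev/null
  openssl x509 -req -in node.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 30 -out node.pem 2>/dev/null
)

# Succeeds only if certificate $3 chains to a CA in trust file $1, optionally
# using the intermediates in $2 (the chain the peer presents; "" for none).
chain_trusted() {
  openssl verify -CAfile "$1" ${2:+-untrusted "$2"} "$3" >/dev/null 2>&1
}

dir=$(mktemp -d)
build_pki "$dir"
chain_trusted "$dir/root.pem" "$dir/int.pem" "$dir/node.pem" && echo "node cert with full chain: trusted"
chain_trusted "$dir/root.pem" "" "$dir/node.pem" || echo "node cert without intermediate: rejected"
chain_trusted "$dir/root.pem" "$dir/int.pem" "$dir/rogue.pem" || echo "cert from unknown issuer: rejected"
```

The second check shows a common deployment mistake: a truststore that holds only the root rejects a valid node certificate unless the intermediate is supplied along with it.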

Where to configure SSL

DSE supports SSL encryption between nodes (node-to-node communication) and between clients and nodes (client-to-node communication). You can use SSL to encrypt in-flight data for the following DSE services and clients.

DSE services

Use SSL to encrypt data in the following node-to-node connections:

  • DSE Core
  • DSE Search with Apache Solr
  • DSE Analytics with Apache Spark
  • DSE Graph

DSE clients

Use SSL to secure client-to-node connections, from a client to the coordinator node, for the following clients:

  • DSE drivers
  • CQL shell (cqlsh)
  • DataStax Studio
  • DataStax Bulk Loader
  • DataStax Apache Kafka Connector
  • DSE tools

Configuring SSL for DSE

Complete the following procedures to configure SSL for DSE:
  1. Create SSL certificates, keystores, and truststores.
  2. Configure SSL for DSE services (node-to-node communication).
  3. Configure SSL for DSE clients (client-to-node communication).

After creating the necessary SSL certificates and configuring SSL for DSE services, use cqlsh to connect to your SSL-enabled cluster.