Enabling SSL encryption for DSEFS

Configuring the DSEFS shell to use SSL encryption

In most cases, you don't need to add any DSEFS shell settings to connect using SSL. If a ~/.dse/dsefs-shell.yaml configuration file cannot be found, DSEFS shell attempts to load server-side configuration and SSL settings from DSE configuration files.

To manually configure SSL, create and edit the DSEFS shell configuration file. The DSEFS shell is configured in the ~/.dse/dsefs-shell.yaml configuration file. Add the following settings to enable SSL encryption:

encryption_options:
  enabled: true 
  optional: true 
  truststore:  
  truststore_password: 
  store_type:
  keystore:     
  keystore_password: 
  protocol: 
  algorithm: 
  cipher_suites: 
  require_client_auth: false 

The same settings can be given as dse fs command-line options, except keystore_password, truststore_password, and cipher_suites. If passwords are not given in the configuration file, they will be prompted for at the DSEFS shell startup. The command line options override settings read from the configuration file.

enabled

Whether to enable client-to-node encryption.

Default: false

optional

When optional is selected, both encrypted and unencrypted connections over native transport are allowed. That is a necessary transition state to facilitate enabling client to node encryption on live clusters without inducing an outage for existing unencrypted clients. Typically, once existing clients are migrated to encrypted connections, optional is unselected in order to enforce native transport encryption.

Default: false

truststore

Relative path from DSE installation directory or absolute path to truststore containing the trusted certificate for authenticating remote servers.

Default: resources/dse/conf/.truststore

truststore_type

Valid types are JKS, JCEKS, and PKCS12.

Attention: PKCS11 is not supported. Also, due to an OpenSSL issue, you cannot use a PKCS12 truststore that was generated via OpenSSL. For example, a truststore generated via the following command will not work with DSE:

openssl pkcs12 -export -nokeys -out truststore.pfx -in intermediate.chain.pem

However, truststores generated via Java's keytool and then converted to PKCS12 work with DSE. Example:

keytool -importcert -alias rootca -file rootca.pem -keystore truststore.jks

keytool -importcert -alias intermediate -file intermediate.pem -keystore truststore.jks

keytool -importkeystore -srckeystore truststore.jks -destkeystore truststore.pfx -deststoretype pkcs12 

Default: commented out (JKS)

truststore_password

Password for the truststore. This must match the password used when generating the keystore and truststore.

Note: Truststore password and path is only required when require_client_auth is set to true.

Default: cassandra

store_type

Valid types are JKS, JCEKS and PKCS12. For file-based keystores, use PKCS12.

Note: PKCS11 is not supported.

Default: commented out (JKS)

keystore

Relative path from DSE installation directory or absolute path to the Java keystore (JKS) suitable for use with Java Secure Socket Extension (JSSE), which is the Java version of the Secure Sockets Layer (SSL), and Transport Layer Security (TLS) protocols. The keystore contains the private key used to encrypt outgoing messages.

Default: resources/dse/conf/.keystore

keystore_password

Password for the keystore.

Default: cassandra

protocol

Default: commented out (TLS)

algorithm

Default: commented out (SunX509)

cipher_suites

Supported ciphers:

• TLS_RSA_WITH_AES_128_CBC_SHA
• TLS_RSA_WITH_AES_256_CBC_SHA
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Default: commented out

require_client_auth

Whether to enable certificate authentication for client-to-node encryption. When not set, the default is false.

Note: When set to true, client certificates must be present on all nodes in the cluster.

Default: commented out (false)