Configuring SSL for nodetool, nodesync, dsetool, and Advanced Replication
Use nodetool, nodesync, dsetool, and DSE Advanced Replication with SSL encryption.
Complete the following procedure to configure JMX for using nodetool, nodesync, dsetool, and DataStax Enterprise (DSE) Advanced Replication with SSL.
Important: Make these changes in the cassandra-env.sh file on each node in the cluster.

The location of the cassandra-env.sh file depends on the type of installation:
- Package installations: /etc/dse/cassandra/cassandra-env.sh
- Tarball installations: installation_location/resources/cassandra/conf/cassandra-env.sh
Prerequisites
- Create SSL certificates with a self-signed CA.
- Configure client-to-node encryption.
- Configure JMX on the server side.
Note: For production environments, secure an entire cluster using JKS files. For a
single-node development environment, you can use a simpler single-node, local
keystore file and truststore file.
Procedure
- Open the cassandra-env.sh file.
- Restart DSE.
- nodetool: To configure the client settings for nodetool, create a .cassandra/nodetool-ssl.properties file in your home or client program directory on the node where you will run the command. Add the following settings, depending on whether you are running the command in a production or development environment.

  touch ~/.cassandra/nodetool-ssl.properties

  Production environment:

  -Dcom.sun.management.jmxremote.ssl=true
  -Dcom.sun.management.jmxremote.ssl.need.client.auth=false
  -Dcom.sun.management.jmxremote.registry.ssl=true
  -Djavax.net.ssl.keyStore=path_to_keystore
  -Djavax.net.ssl.keyStorePassword=keystore-password
  -Djavax.net.ssl.trustStore=path_to_truststore
  -Djavax.net.ssl.trustStorePassword=truststore-password

  Development environment:

  -Dcom.sun.management.jmxremote.ssl.need.client.auth=true
  -Dcom.sun.management.jmxremote.registry.ssl=true
  -Djavax.net.ssl.keyStore=path_to_keystore
  -Djavax.net.ssl.keyStorePassword=keystore-password
  -Djavax.net.ssl.trustStore=path_to_truststore
  -Djavax.net.ssl.trustStorePassword=truststore-password
- nodesync: To configure the client settings for nodesync, create a .cassandra/nodesync-ssl.properties file in your home or client program directory on the node where you will run the command. Add the following settings to the file.

  Note: The file for nodesync is equivalent to the .cassandra/nodetool-ssl.properties file used by nodetool, except that it defines properties shared by JMX and CQL.

  touch ~/.cassandra/nodesync-ssl.properties

  -Dcom.sun.management.jmxremote.ssl=true
  -Dcom.sun.management.jmxremote.ssl.need.client.auth=true
  -Djavax.net.ssl.keyStore=path_to_keystore
  -Djavax.net.ssl.keyStorePassword=keystore-password
  -Djavax.net.ssl.trustStore=path_to_truststore
  -Djavax.net.ssl.trustStorePassword=truststore-password

  Note: The JVM properties for nodesync should be the same as those set for nodetool, but defined in a separate file, such as nodesync-jvm.options. DataStax recommends maintaining separate option files for nodetool and nodesync. For example, you might need SSL only in the CQL connection, but not in JMX. In this case, nodetool would not require the JVM properties, while nodesync would need them defined.
- Start the appropriate tool using the following options to establish an encrypted connection with username and password credentials, or an auth provider class (for CQL). If you provide a username option but not a password, you are prompted to enter one.

  nodetool:

  nodetool --ssl -u jmx_username -pw jmx_password command

  nodesync (JMX, CQL, or both):

  nodesync --jmx-ssl --jmx-username jmx_username --jmx-password jmx_password command
  nodesync --cql-ssl --cql-username cql_username --cql-password cql_password command
  nodesync --cql-ssl --cql-auth-provider cql-auth-provider-ClassName command
  nodesync --jmx-ssl --jmx-username jmx_username --jmx-password jmx_password --cql-ssl --cql-username cql_username --cql-password cql_password command
  nodesync --jmx-ssl --jmx-username jmx_username --jmx-password jmx_password --cql-ssl --cql-auth-provider cql-auth-provider-ClassName command

  dsetool:

  dsetool --ssl -a jmx_username -b jmx_password command

  dse advrep:

  dse advrep --ssl -u jmx_username command
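The properties files created in the nodetool and nodesync steps hold the keystore and truststore passwords in clear text, so how they are created matters as much as what they contain. The following POSIX shell script is an added example, not part of the DataStax page or the DSE tooling: it writes the production-environment nodetool-ssl.properties listed above with owner-only permissions, then checks the file before the first `nodetool --ssl` run. The check fails if group or world can read the file, if one of the properties both variants on the page share is missing, or if the keyStore or trustStore entry points at a file that cannot be read. The same functions serve the nodesync-ssl.properties file, since its entries use the same -Dkey=value form. The store paths, passwords and the demo() function are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the DataStax page: write the production-environment
# nodetool-ssl.properties described above and check it before running
# "nodetool --ssl". The same functions apply to nodesync-ssl.properties, whose
# entries use the same -Dkey=value form. All paths and passwords in demo() are
# constructed placeholders.

# write_nodetool_ssl_properties DEST KEYSTORE KEYSTORE_PW TRUSTSTORE TRUSTSTORE_PW
# Writes the seven production-environment properties, one per line. The file
# carries the store passwords in clear text, so it is created owner-only.
write_nodetool_ssl_properties() {
    dest=$1 ks=$2 ks_pw=$3 ts=$4 ts_pw=$5
    mkdir -p "$(dirname "$dest")" || return 1
    (
        umask 077   # mode 600 from the moment the file exists, no 644 window
        cat > "$dest" <<EOF
-Dcom.sun.management.jmxremote.ssl=true
-Dcom.sun.management.jmxremote.ssl.need.client.auth=false
-Dcom.sun.management.jmxremote.registry.ssl=true
-Djavax.net.ssl.keyStore=$ks
-Djavax.net.ssl.keyStorePassword=$ks_pw
-Djavax.net.ssl.trustStore=$ts
-Djavax.net.ssl.trustStorePassword=$ts_pw
EOF
    ) || return 1
    chmod 600 "$dest"
}

# property_value FILE KEY: print the value of the -DKEY=... line in FILE
# (empty when the key is absent).
property_value() {
    sed -n "s/^-D$2=//p" "$1" | head -n 1
}

# check_nodetool_ssl_properties FILE: status 0 when FILE is readable only by
# its owner, contains every property common to both variants on the page, and
# its keyStore and trustStore entries point at readable files.
check_nodetool_ssl_properties() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    # characters 5-10 of "ls -l" output are the group and other permission bits
    mode=$(ls -ld "$f" | cut -c5-10)
    [ "$mode" = "------" ] || {
        echo "$f is readable by group/others (bits '$mode') but holds store passwords" >&2
        return 1
    }
    for key in com.sun.management.jmxremote.ssl.need.client.auth \
               com.sun.management.jmxremote.registry.ssl \
               javax.net.ssl.keyStore javax.net.ssl.keyStorePassword \
               javax.net.ssl.trustStore javax.net.ssl.trustStorePassword; do
        grep -q "^-D$key=" "$f" || { echo "missing -D$key in $f" >&2; return 1; }
    done
    for store in "$(property_value "$f" javax.net.ssl.keyStore)" \
                 "$(property_value "$f" javax.net.ssl.trustStore)"; do
        [ -r "$store" ] || { echo "store file not readable: $store" >&2; return 1; }
    done
    return 0
}

# demo: exercise both functions in a scratch directory with placeholder stores.
demo() {
    work=$(mktemp -d) || return 1
    touch "$work/keystore.jks" "$work/truststore.jks"   # stand-ins for real JKS files
    f="$work/.cassandra/nodetool-ssl.properties"
    write_nodetool_ssl_properties "$f" "$work/keystore.jks" keystore-password \
                                       "$work/truststore.jks" truststore-password
    check_nodetool_ssl_properties "$f" && echo "OK: $f passes the checks"
    rc=$?
    rm -rf "$work"
    return $rc
}

demo
```

For the development variant, drop the first line of the heredoc and set need.client.auth to true; the check function does not look for com.sun.management.jmxremote.ssl, so it accepts either variant. Run the check on the real ~/.cassandra file before each tool invocation, or from the same wrapper that calls nodetool.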