Enabling SSL encryption for DSEFS
DSEFS can use SSL encryption.
- Node-to-node encryption
- Client-to-node encryption
Configuring the DSEFS shell to use SSL encryption
In most cases, you don't need to add any DSEFS shell settings to connect using SSL. If a ~/.dse/dsefs-shell.yaml configuration file cannot be found, DSEFS shell attempts to load server-side configuration and SSL settings from DSE configuration files.
To manually configure SSL, create and edit the DSEFS shell configuration file. The DSEFS shell is configured in the ~/.dse/dsefs-shell.yaml configuration file. Add the following settings to enable SSL encryption:
encryption_options: enabled: true optional: true truststore: truststore_type: truststore_password: keystore: keystore_type: keystore_password: protocol: algorithm: cipher_suites: require_endpoint_verification: false
The same settings can be given as dse fs command-line options, except
keystore_password
, truststore_password
, and
cipher_suites
. If passwords are not given in the configuration file, they
will be prompted for at the DSEFS shell startup. The command line options override settings
read from the configuration file.
[secure]
flag
will appear in the prompt of the DSEFS shell.- enabled
- Enables client-to-node encryption.
Default: false
- optional
- When
optional
is selected, both encrypted and unencrypted connections over native transport are allowed. That is a necessary transition state to facilitate enabling client to node encryption on live clusters without inducing an outage for existing unencrypted clients. Typically, once existing clients are migrated to encrypted connections,optional
is unselected in order to enforce native transport encryption.Default:
false
- truststore
- Relative path from DSE installation directory or absolute path to truststore
containing the trusted certificate for authenticating remote servers.Note: Truststore password and path is only required when require_client_auth is set to
true
.Default: resources/dse/conf/.truststore
- truststore_type
- Valid types are JKS, JCEKS, or PKCS12. For file-based truststores, use
PKCS12. Attention: Due to an OpenSSL issue, you cannot use a PKCS12 truststore that was generated via OpenSSL. For example, a truststore generated via the following command will not work with DSE:
openssl pkcs12 -export -nokeys -out truststore.pfx -in intermediate.chain.pem
However, truststores generated via Java'skeytool
and then converted to PKCS12 work with DSE. Example:keytool -importcert -alias rootca -file rootca.pem -keystore truststore.jks
keytool -importcert -alias intermediate -file intermediate.pem -keystore truststore.jks
keytool -importkeystore -srckeystore truststore.jks -destkeystore truststore.pfx -deststoretype pkcs12
Default: JKS
- truststore_password
- Password for the truststore. This must match the password used when
generating the keystore and truststore.Note: Truststore password and path is only required when require_client_auth is set to
true
.Default: cassandra
- keystore_type
- Valid types are JKS, JCEKS, PKCS11, or PKCS12. For file-based keystores, use
PKCS12.Attention: DataStax supports PKCS11 as a
keystore_type
on nodes withcassandra
oradvanced
workloads. Thecassandra
workload support is specific to DSE 6.7.7 and later releases. Theadvanced
workload support is specific to DSE 6.7.9 and later. If PKCS11 is needed, inserver_encryption_options
orclient_encryption_options
, specify thekeystore_type
asPKCS11
and thekeystore
asNONE
. PKCS11 is not supported in DSE 6.0.x and 5.1.x releases. PKCS11 is not supported as atruststore_type.
Default: JKS
- keystore
- Relative path from DSE installation directory or absolute path to the Java
keystore (JKS) suitable for use with Java Secure Socket Extension (JSSE),
which is the Java version of the Secure Sockets Layer (SSL), and Transport
Layer Security (TLS) protocols. The keystore contains the private key used
to encrypt outgoing
messages.
Default: resources/dse/conf/.keystore
- keystore_password
- Password for the keystore.
Default: cassandra
- protocol
-
Default: TLS
- algorithm
-
Default: SunX509
- cipher_suites
- Supported ciphers:
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Default: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
- require_client_auth
- Enables certificate authentication for client-to-node encryption.
- true - Require certificate authentication for client-to-node encryption. Client certificates must be present on all nodes in the cluster.
- false - Do not require certificate authentication for client-to-node encryption.
Default: false