Configuring SSL/TLS for DSE using LCM

Configure SSL/TLS for a DSE cluster using Lifecycle Manager Config Profile. This is the recommended procedure for a production environment. Follow these steps to enable node-to-node and client-to-node encryption.

When either node-to-node or client-to-node encryption is enabled, LCM creates keystores and truststores for DSE node-to-node and client-to-node SSL/TLS communication with the following default names and locations:

  • /etc/dse/keystores/server.keystore (node-to-node keystore)
  • /etc/dse/keystores/server.truststore (node-to-node truststore)
  • /etc/dse/keystores/client.keystore (client-to-node keystore)
  • /etc/dse/keystores/client.truststore (client-to-node truststore)

When client-to-node SSL encryption is enabled, both the OpsCenter daemon and the DataStax agents must also be SSL-enabled to communicate with the DSE server nodes. LCM automatically sets the SSL options for that purpose in the cluster-specific configuration file cluster_name.conf:
[agents]
ssl_keystore_password = cassandra
ssl_keystore = /etc/dse/keystores/client.keystore

[cassandra]
ssl_keystore_password = lifecyclemanager
ssl_keystore = /var/lib/opscenter/ssl/lcm/lcm-auto-generated.truststore

The keystore file that the DataStax agents use to communicate with DSE nodes is exactly the same one a DSE node uses when connecting to other DSE nodes.

The keystore file that the OpsCenter daemon uses to communicate with DSE nodes is generated automatically by the LCM configuration process and placed under the folder /var/lib/opscenter/ssl/lcm.

For information about manually configuring cluster connections (using the OpsCenter UI), see Editing OpsCenter cluster connections for authentication or encryption.

cluster_name.conf

The location of the cluster_name.conf file depends on the type of installation:
  • Package installations: /etc/opscenter/clusters/cluster_name.conf
  • Tarball installations: install_location/conf/clusters/cluster_name.conf
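A consistency check for the [agents] and [cassandra] SSL entries LCM writes to cluster_name.conf, as an added example that is not OpsCenter or LCM code. It assumes the file layout and default keystore paths shown above; the sample file contents are constructed, and the checker takes the client_encryption_options choice from the config profile as a flag.

```python
# Sanity check of the LCM-written SSL settings in cluster_name.conf (added example,
# not OpsCenter/LCM code). Assumes the [agents]/[cassandra] layout shown above and the
# default keystore paths LCM creates; the sample file contents are constructed.
import configparser
from typing import List

AGENT_CLIENT_KEYSTORE = "/etc/dse/keystores/client.keystore"  # LCM default for agents
OPSCENTER_STORE_DIR = "/var/lib/opscenter/ssl/lcm/"             # LCM auto-generated store


def check_cluster_conf(conf_text: str, client_encryption_enabled: bool) -> List[str]:
    """Return findings; empty means the file matches the client_encryption_options choice."""
    cp = configparser.ConfigParser(interpolation=None)  # passwords may contain '%'
    cp.read_string(conf_text)
    findings: List[str] = []
    if not client_encryption_enabled:
        # Nothing should reference keystores when DSE is not serving TLS to clients.
        for section in ("agents", "cassandra"):
            if cp.has_option(section, "ssl_keystore"):
                findings.append(f"[{section}] sets ssl_keystore but client encryption is off")
        return findings
    for section, who in (("agents", "DataStax agents"), ("cassandra", "the OpsCenter daemon")):
        if not cp.has_section(section):
            findings.append(f"missing [{section}] section: {who} cannot use SSL to reach DSE")
            continue
        for key in ("ssl_keystore", "ssl_keystore_password"):
            if not cp.get(section, key, fallback="").strip():
                findings.append(f"[{section}] {key} missing: {who} cannot use SSL to reach DSE")
    # LCM points agents at the client keystore and OpsCenter at its auto-generated store.
    agent_ks = cp.get("agents", "ssl_keystore", fallback="")
    if agent_ks and agent_ks != AGENT_CLIENT_KEYSTORE:
        findings.append(f"[agents] ssl_keystore is {agent_ks}, not {AGENT_CLIENT_KEYSTORE}")
    opsc_ks = cp.get("cassandra", "ssl_keystore", fallback="")
    if opsc_ks and not opsc_ks.startswith(OPSCENTER_STORE_DIR):
        findings.append(f"[cassandra] ssl_keystore is {opsc_ks}, not under {OPSCENTER_STORE_DIR}")
    return findings


# Constructed sample mirroring the LCM-generated file shown above.
GOOD_CONF = """[agents]
ssl_keystore_password = cassandra
ssl_keystore = /etc/dse/keystores/client.keystore

[cassandra]
ssl_keystore_password = lifecyclemanager
ssl_keystore = /var/lib/opscenter/ssl/lcm/lcm-auto-generated.truststore
"""
# Constructed sample where the [cassandra] SSL lines were lost, e.g. by a hand edit.
BAD_CONF = "[agents]\nssl_keystore_password = cassandra\nssl_keystore = /etc/dse/keystores/client.keystore\n\n[cassandra]\n"
```

Run it against the real file from the location listed above after each config profile deployment; a non-empty result for the bad case points at the section OpsCenter or the agents will fail to connect with.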

Prerequisites

Review the LCM documentation for Managing DSE Security using LCM.
Important: When enabling node-to-node encryption on an existing cluster, the cluster will experience a network partition during the transition, leading to temporary loss of consistency. If possible, choose whether to employ node-to-node encryption when first creating the cluster.
Note: Enabling require_client_auth for client_encryption_options requires special steps due to an LCM limitation. For more information, refer to the Knowledge Base Article.

Procedure

  1. Click Config Profiles from the Lifecycle Manager navigation menu.
  2. Click the edit icon for the config profile you want to edit, or click Add config profile if you have not already created a profile.
  3. In the Config Profile pane under the Cassandra section, click cassandra.yaml.

    cassandra.yaml security options in LCM config profiles

  4. In the Security pane under server_encryption_options, select an option for internode_encryption.
    Available options for node-to-node encryption:
    • all: All inter-node communication is encrypted. Recommended and strongest option.
    • dc: Traffic between DCs is encrypted. Select this option if there is concern about the performance impact of encrypting local traffic, but encryption is still required for inter-DC traffic that might transit untrusted links.
    • rack: Traffic between racks is encrypted.

    Encrypt all traffic between DSE nodes

    Tip: For more details about available configuration options, see server_encryption_options in the DSE Admin documentation.
  5. In the Security pane, select the enabled option for client_encryption_options.

    Enable client_encryption_options

    Tip: For more details about available configuration options, see client_encryption_options in the DSE Admin documentation.
  6. Click Save to save the Config Profile.

What's next