Cassandra Client-to-node encryption

Client-to-node encryption

https://docs.datastax.com/en/archived/cassandra/3.0/cassandra/configuration/secureCqlshSSL.html

Client-to-node encryption protects data in flight from client machines to a database cluster using SSL (Secure Sockets Layer). It establishes a secure channel between the client and the coordinator node.

Prerequisites

Prepare SSL certificates with a self-signed CA for production, or prepare SSL certificates for development.

To enable client-to-node SSL, set the client_encryption_options in the cassandra.yaml file.

Procedure

On each node under client_encryption_options:

  1. Enable encryption.

Enable client_encryption_options on each node

Modify the cassandra.yaml file with the following settings:

For production clusters:

client_encryption_options:
    enabled: true
    # If enabled and optional is set to true encrypted and unencrypted connections are handled.
    optional: false
    keystore: /usr/local/lib/cassandra/conf/server-keystore.jks
    keystore_password: myKeyPass
    
    require_client_auth: true
    # Set trustore and truststore_password if require_client_auth is true
    truststore: /usr/local/lib/cassandra/conf/server-truststore.jks
    truststore_password: truststorePass
    protocol: TLS
    algorithm: SunX509
    store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]

This file uses the certificates prepared with a self-signed CA.

For development clusters:

client_encryption_options:
    enabled: true
    # If enabled and optional is set to true encrypted and unencrypted connections are handled.
    optional: false
    keystore: conf/kserver.keystore 
    keystore_password: cassandra
    
    require_client_auth: true
    # Set trustore and truststore_password if require_client_auth is true
    truststore: conf/server.crt
    truststore_password: cassandra
    protocol: TLS
    algorithm: SunX509
    store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]

This file uses the certificates prepared for development.Set appropriate paths to the keystore and truststore files. Set the passwords to the passwords set during keystore and truststore generation. If two-way certificate authentication is desired, set require_client_auth to true. Enabling two-way certificate authentication allows tools to connect to a remote node. For local access to run cqlsh on a local node with SSL encryption, require_client_auth can be set to falseEnabling client encryption will encrypt all traffic on the native_transport_port (default: 9042). If both encrypted and unencrypted traffic is required, an additional cassandra.yaml setting must be enabled. The native_transport_port_ssl (default: 9142) sets an additional dedicated port to carry encrypted transmissions, while native_transport_port carries unencrypted transmissions.Note: It is beneficial to install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files if this option is enabled.

Restart cassandra

  1. Restart cassandra to make changes effective.
kill -9 cassandra_pid 
cassandra

Leave a Reply

Your email address will not be published. Required fields are marked *