Client-to-node encryption
https://docs.datastax.com/en/archived/cassandra/3.0/cassandra/configuration/secureCqlshSSL.html
Client-to-node encryption protects data in flight between client machines and a database cluster using SSL/TLS (the protocol setting below selects TLS; "SSL" is the historical name used throughout cassandra.yaml). It establishes an encrypted channel between the client and the coordinator node it connects to.
Prerequisites
Prepare SSL certificates with a self-signed CA for production, or prepare SSL certificates for development.
To enable client-to-node SSL, set the client_encryption_options in the cassandra.yaml file.
Procedure
- Enable client_encryption_options on each node. Modify the cassandra.yaml file with the following settings:
For production clusters:
client_encryption_options:
    enabled: true
    # If enabled and optional is set to true, encrypted and unencrypted connections are handled.
    optional: false
    keystore: /usr/local/lib/cassandra/conf/server-keystore.jks
    keystore_password: myKeyPass
    require_client_auth: true
    # Set truststore and truststore_password if require_client_auth is true
    truststore: /usr/local/lib/cassandra/conf/server-truststore.jks
    truststore_password: truststorePass
    protocol: TLS
    algorithm: SunX509
    store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
This file uses the certificates prepared with a self-signed CA. The cipher suite shown is the one this page documents; TLS_RSA_* suites use static RSA key exchange and therefore provide no forward secrecy, so a cluster running on a current JVM should prefer an ECDHE suite such as TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
For development clusters:
client_encryption_options:
    enabled: true
    # If enabled and optional is set to true, encrypted and unencrypted connections are handled.
    optional: false
    keystore: conf/kserver.keystore
    keystore_password: cassandra
    require_client_auth: true
    # Set truststore and truststore_password if require_client_auth is true
    truststore: conf/server.crt
    truststore_password: cassandra
    protocol: TLS
    algorithm: SunX509
    store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
This file uses the certificates prepared for development.
Set appropriate paths to the keystore and truststore files, and set the passwords to those chosen when the keystore and truststore were generated (the development values above are the well-known default "cassandra" and should never be carried into production). If two-way certificate authentication is desired, set require_client_auth to true; the truststore must then contain the CA or certificates that signed the client certificates, otherwise clients cannot be verified. Enabling two-way certificate authentication allows tools to connect to a remote node and be authenticated by their certificate. For local access, to run cqlsh on a local node with SSL encryption only, require_client_auth can be set to false.
Enabling client encryption encrypts all traffic on the native_transport_port (default: 9042). If both encrypted and unencrypted traffic is required, an additional cassandra.yaml setting must be enabled: native_transport_port_ssl (default: 9142) opens a dedicated port that carries encrypted connections, while native_transport_port continues to carry unencrypted ones. Setting optional: true instead accepts both encrypted and unencrypted connections on the same port. Either choice leaves a plaintext path open on every node, so use it only while migrating clients and remove it afterwards.
Note: The 256-bit AES suite in cipher_suites requires the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files on Java 8 builds earlier than 8u161; later builds enable unlimited-strength cryptography by default.
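The settings above are easy to get subtly wrong on a node that has been "temporarily" loosened for development: optional: true, require_client_auth: false, a truststore that was never set, or the default passwords left in place. The following audit script is an added example and is not part of this page or of Apache Cassandra. It reads the client_encryption_options block with a deliberately small YAML-subset parser (indented key: value pairs, "#" comments and flow lists such as [a, b]) so it needs no PyYAML, then reports the weaknesses discussed on this page. The two embedded configurations are constructed from the page's production and development examples (the development one loosened with optional: true and require_client_auth: false, as the text allows for local cqlsh use); the severity levels, the weak-password list and the cipher-suite recommendation are this script's own choices, not values from the page.

```python
"""Audit client_encryption_options in a cassandra.yaml (added example, not Cassandra code)."""
import re

# Constructed sample: the page's production example plus the default native port.
PROD_YAML = """
native_transport_port: 9042
client_encryption_options:
    enabled: true
    # If enabled and optional is set to true, encrypted and unencrypted connections are handled.
    optional: false
    keystore: /usr/local/lib/cassandra/conf/server-keystore.jks
    keystore_password: myKeyPass
    require_client_auth: true
    truststore: /usr/local/lib/cassandra/conf/server-truststore.jks
    truststore_password: truststorePass
    protocol: TLS
    algorithm: SunX509
    store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
"""

# Constructed sample: the page's development example, loosened for local cqlsh access.
DEV_YAML = """
client_encryption_options:
    enabled: true
    optional: true
    keystore: conf/kserver.keystore
    keystore_password: cassandra
    require_client_auth: false
    truststore: conf/server.crt
    truststore_password: cassandra
    protocol: TLS
    algorithm: SunX509
    store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
"""

# Assumptions of this script: passwords treated as well-known defaults, and protocol
# names treated as obsolete. Neither list comes from the page.
WEAK_PASSWORDS = {"cassandra", "changeit", "password", ""}
LEGACY_PROTOCOLS = {"SSL", "SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# A '#' starts a comment only at line start or after whitespace, so "pass#word" survives.
COMMENT_RE = re.compile(r"(^|\s)#.*$")


def _scalar(value):
    """Convert a scalar from the supported YAML subset: flow list, bool, int or string."""
    if value.startswith("[") and value.endswith("]"):
        inner = value[1:-1].strip()
        return [v.strip().strip("'\"") for v in inner.split(",")] if inner else []
    low = value.lower()
    if low == "true":
        return True
    if low == "false":
        return False
    if value.isdigit():
        return int(value)
    return value.strip("'\"")


def parse_yaml_subset(text):
    """Parse top-level scalars and one level of nested mappings into a dict."""
    root = {}
    current = root
    for raw in text.splitlines():
        line = COMMENT_RE.sub("", raw).rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if indent == 0 and value == "":
            current = root.setdefault(key, {})  # start of a nested block
        elif indent == 0:
            root[key] = _scalar(value)
            current = root
        else:
            current[key] = _scalar(value)
    return root


def audit_client_encryption(config):
    """Return (severity, message) findings for the client_encryption_options block."""
    opts = config.get("client_encryption_options", {})
    findings = []
    if not opts.get("enabled", False):
        findings.append(("high", "client_encryption_options.enabled is false: native protocol traffic is plaintext"))
        return findings
    if opts.get("optional", False):
        findings.append(("high", "optional: true accepts unencrypted connections on the same port; clients can fall back to plaintext"))
    if "native_transport_port_ssl" in config:
        findings.append(("high", "native_transport_port_ssl is set: native_transport_port %s still carries plaintext"
                         % config.get("native_transport_port", 9042)))
    if opts.get("require_client_auth", False):
        if not opts.get("truststore"):
            findings.append(("high", "require_client_auth: true but no truststore is configured to verify client certificates"))
    else:
        findings.append(("medium", "require_client_auth: false: clients are not authenticated by certificate (local cqlsh use only)"))
    for key in ("keystore_password", "truststore_password"):
        if key in opts and str(opts[key]) in WEAK_PASSWORDS:
            findings.append(("medium", "%s is a well-known default value" % key))
    if str(opts.get("protocol", "TLS")) in LEGACY_PROTOCOLS:
        findings.append(("high", "protocol %s is obsolete; use TLS and let the JVM negotiate" % opts["protocol"]))
    for suite in opts.get("cipher_suites", []):
        if suite.startswith("TLS_RSA_") or "_CBC_" in suite:
            findings.append(("low", "%s: static RSA key exchange (no forward secrecy) or CBC mode; "
                                    "prefer an ECDHE GCM suite such as TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" % suite))
    return findings


if __name__ == "__main__":
    for name, text in (("production", PROD_YAML), ("development", DEV_YAML)):
        print(name)
        for severity, message in audit_client_encryption(parse_yaml_subset(text)):
            print("  [%s] %s" % (severity, message))
```

Run against the production sample the only finding is the cipher suite; the loosened development sample produces five, and appending a native_transport_port_ssl line to the production sample adds a finding for the plaintext port that remains open. To audit a real node, replace the embedded strings with the contents of its cassandra.yaml; values that use YAML features outside the subset (anchors, multi-line strings) are not handled by this parser.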
Restart cassandra
- Restart cassandra to make the changes effective. For a tarball installation, run nodetool drain first so the node flushes memtables and stops accepting client connections cleanly, then stop the process and start it again:
nodetool drain
kill -9 cassandra_pid
cassandra
Confirm the new settings by connecting with cqlsh --ssl (with the [ssl] section of cqlshrc pointing at the client certificate when require_client_auth is true); a plain cqlsh connection to native_transport_port should now be refused unless optional is true.