Enabling Cassandra Encrypted (SSL) Client-Server communication


Client-node interaction happens in one of two ways: without encryption, or with encryption to secure data in transit. This blog aims to enable SSL for communication between client and server for a development cluster. We are going to create and use a self-signed certificate.

Throughout this blog, I will use {cassandra_home} to refer to the Cassandra installation directory.

Cassandra Setup and enable SSL

  • Download Cassandra from here and install using the steps mentioned.
  • Generate a self-signed certificate using the Java keytool. First, we will create and navigate to the following directory:
    • $ cd {cassandra_home}
    • $ mkdir ca_cert
    • $ cd ca_cert
  • Generate key pair using the following command:
    • $ keytool -genkeypair -alias cassandra -keyalg RSA -validity 365  -keysize 2048 -keystore cassandra.jks
  • Modify cassandra.yaml: cassandra.yaml is the main configuration file for Cassandra and is available in the {cassandra_home}/conf directory. By default, communication between client and server is not encrypted. To change that, search for client_encryption_options in the yaml file and make the following changes:
    • enabled: true     # Default: false. This property enables encryption
    • optional: false     # If set to false, it will allow both encrypted and non-encrypted connections. We will change it to true later
    • keystore: ../ca_cert/cassandra.jks     # Path of the keystore generated in step 2
    • keystore_password: cassandra     # Keystore password
  • Start Cassandra using the following command:
    • $ {cassandra_home}/bin/cassandra


Enable CQLSH for SSL connection

Now that we have enabled SSL in Cassandra, we are going to set up cqlsh for SSL connections.

  • First, we need to export the certificate from the generated key pair into a cert file. Change directory to {cassandra_home}/ca_cert and run the following command:
    • $ keytool -export -alias cassandra -keystore cassandra.jks -rfc -file cassandra.cert
  • Create a cqlshrc file in the {user_home_directory}/.cassandra directory with the following entry. A sample is available in the {cassandra_home}/conf folder.
    • [SSL]
    • certfile = {cassandra_home}/ca_cert/cassandra.cert
  • Now we can connect to Cassandra using the --ssl flag:
    • $ {cassandra_home}/bin/cqlsh --ssl --debug


The current setup will allow both SSL and non-SSL connections. Alternatively, the optional flag can be set to true (as mentioned above) to allow only SSL connections. Happy Learning!
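
To confirm which connection types the node actually accepts after editing client_encryption_options, the following added example (not part of the original post) probes the native transport port once in plaintext and once over TLS. It assumes the default port 9042 and CQL native protocol v4; the function names are hypothetical.

```python
import socket
import ssl
import struct
import sys

OPTIONS, SUPPORTED = 0x05, 0x06  # CQL native protocol opcodes


def _options_roundtrip(sock):
    """Send an empty CQL v4 OPTIONS frame; True if a SUPPORTED response arrives."""
    # Frame header: version, flags, stream id, opcode, body length (0).
    sock.sendall(struct.pack(">BBhBI", 0x04, 0, 0, OPTIONS, 0))
    header = b""
    while len(header) < 9:
        chunk = sock.recv(9 - len(header))
        if not chunk:  # peer closed the connection without answering
            return False
        header += chunk
    return bool(header[0] & 0x80) and header[4] == SUPPORTED


def accepts_plaintext(host, port=9042, timeout=5.0):
    """True if the node answers CQL on an unencrypted connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            return _options_roundtrip(sock)
    except OSError:  # refused, reset, or timed out
        return False


def accepts_tls(host, port=9042, certfile=None, timeout=5.0):
    """True if the node completes a TLS handshake and then answers CQL."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # assumption: self-signed dev cert, CN may not match
    if certfile:
        ctx.load_verify_locations(cafile=certfile)  # trust only the exported cert
    else:
        ctx.verify_mode = ssl.CERT_NONE  # probe only: does the port speak TLS?
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return _options_roundtrip(tls)
    except OSError:  # ssl.SSLError is a subclass of OSError
        return False


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    cert = sys.argv[2] if len(sys.argv) > 2 else None  # e.g. cassandra.cert
    print("plaintext accepted:", accepts_plaintext(host))
    print("TLS accepted:      ", accepts_tls(host, certfile=cert))
```

Run it against the node after each change to the optional flag and restart; passing the exported cassandra.cert as the second argument also checks that the node presents that certificate.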