Enabling Cassandra Encrypted (SSL) Client-Server communication
Overview
Client-node communication happens in one of two ways: without encryption, or with the data passed over an encrypted (SSL/TLS) connection. This blog aims to enable SSL for communication between client and server on a development cluster. We are going to create and use a self-signed certificate.
Throughout this blog, I will be using {cassandra_home} to refer to the Cassandra installation directory.
Cassandra setup and enabling SSL
- Download Cassandra from here and install it using the steps mentioned there.
- Generate a self-signed certificate using the Java keytool (more on keytool). First, we will create and navigate to the following directory:
- $ cd {cassandra_home}
- $ mkdir ca_cert
- $ cd ca_cert
- Generate a key pair using the following command:
- $ keytool -genkeypair -alias cassandra -keyalg RSA -validity 365 -keysize 2048 -keystore cassandra.jks
- Modify cassandra.yaml: cassandra.yaml is the main configuration file for Cassandra and lives in the {cassandra_home}/conf directory. By default, communication between client and server is not encrypted. To change that, search for client_encryption_options in the yaml file and make the following changes:
    client_encryption_options:
        enabled: true                        # Default false; this property enables encryption
        optional: false                      # If set to false it will allow both encrypted and non-encrypted connections. We will change it to true later
        keystore: ../ca_cert/cassandra.jks   # Path of the keystore generated in step 2
        keystore_password: cassandra         # Keystore password
- Start Cassandra using the following command:
- $ {cassandra_home}/bin/cassandra
Enable cqlsh for SSL connections
Now that we have enabled SSL in Cassandra, we are going to set up cqlsh for an SSL connection.
- First, we need to export the certificate of the generated key pair into a cert file. Change directory to {cassandra_home}/ca_cert and run the following command:
- $ keytool -export -alias cassandra -keystore cassandra.jks -rfc -file cassandra.cert
- Create a cqlshrc file in the {user_home_directory}/.cassandra directory with the following entry. A sample is available in the {cassandra_home}/conf folder:
- [SSL]
- certfile = {cassandra_home}/ca_cert/cassandra.cert
- Now we can connect to Cassandra using the --ssl flag:
- $ {cassandra_home}/bin/cqlsh --ssl --debug
The current setup will allow both SSL and non-SSL connections. Alternatively, the optional flag can be set to true (as mentioned above) to allow only SSL connections. Happy Learning!
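To check the outcome of both procedures above (the cassandra.yaml edit and the certificate export for cqlsh), here is an added Python example that is not part of the original post: it parses the client_encryption_options block, flags settings a reviewer would question, and confirms the exported cert is in the PEM form cqlsh expects. The yaml and certificate text are constructed samples; the optional check follows the upstream cassandra.yaml comment, under which optional: true means unencrypted connections are still accepted alongside encrypted ones.

```python
import re

# Constructed sample of the cassandra.yaml block as edited above.
SAMPLE_YAML = """\
client_encryption_options:
    enabled: true          # turns on TLS on the native transport port
    optional: false
    keystore: ../ca_cert/cassandra.jks
    keystore_password: cassandra
"""

# Constructed sample of a certificate exported with 'keytool -export -rfc'.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIC...constructed placeholder...\n-----END CERTIFICATE-----\n"

def parse_client_encryption_options(yaml_text):
    """Minimal parser for this one block (no PyYAML needed): returns
    the block's scalar keys as a dict of strings."""
    opts, in_block = {}, False
    for raw in yaml_text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # drop YAML comments
        if not line.strip():
            continue
        if not line[0].isspace():  # top-level key: does our block start here?
            in_block = line.startswith("client_encryption_options:")
            continue
        if in_block:
            key, _, value = line.strip().partition(":")
            opts[key.strip()] = value.strip()
    return opts

def audit_client_encryption(opts):
    """Return the findings a defender would want to see; [] means the block looks sound."""
    findings = []
    if opts.get("enabled", "false").lower() != "true":
        findings.append("enabled is not true: client traffic stays in plaintext")
    # Upstream cassandra.yaml: "If enabled and optional is set to true
    # encrypted and unencrypted connections are handled."
    if opts.get("optional", "false").lower() == "true":
        findings.append("optional is true: unencrypted connections are still accepted")
    if opts.get("keystore_password") == "cassandra":
        findings.append("keystore_password is the well-known default 'cassandra'")
    if opts.get("keystore", "").startswith(".."):
        findings.append("keystore path is relative: it must resolve from the directory Cassandra is started in")
    return findings

def is_pem_certificate(cert_text):
    """cqlsh's certfile must be PEM, which is what 'keytool -export -rfc' writes (DER is not accepted)."""
    return cert_text.lstrip().startswith("-----BEGIN CERTIFICATE-----")

if __name__ == "__main__":
    for finding in audit_client_encryption(parse_client_encryption_options(SAMPLE_YAML)):
        print("WARN:", finding)
    print("certfile is PEM:", is_pem_certificate(SAMPLE_CERT))
```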