I've set up node-to-node encryption on my Cassandra cluster. Now I want to set up client-to-node. According to this documentation, it should be as easy as taking the SSL certificate of my client and importing it into every node's truststore. I don't have such a certificate yet but this is not my question.
Since my client is using the DataStax Java driver, it seems that in order to enable SSL from the client side, when I am building the Cluster I should use the withSSL() method to enable SSL. Okay, but what else do I need to do? I am not familiar with JSSE so I don't know what else is necessary. Is the SSL communication two-way, i.e. does the driver need to have access to the SSL certificates of each node in the cluster?
In order to connect to Cassandra from Java, we need to build a Cluster object. An address of a node needs to be provided as a contact point. If we don't provide a port number, the default port (9042) will be used. These settings allow the driver to discover the current topology of a cluster.
They are used to serialize/deserialize values using the Cassandra protocol: a Codec that can serialize and deserialize to and from a given CQL type and a given Java type. Codecs are primarily used along with data types that map natively to Java types, such as INT to Integer and VARCHAR to String.
TLS/SSL Encryption
Cassandra provides secure communication between a client machine and a database cluster and between nodes within a cluster. Enabling encryption ensures that data in flight is not compromised and is transferred securely.
Create the certificates [1].
Enable client-node encryption in cassandra.yaml settings [2].
Add SSL support to your client. There is an excellent DataStax blog post with sample code for setting up the SSL connection in your client [3].
A cert for your client. From what I can tell, it seems like you should be able to use the same keystore and truststore from [1] for the Java client to use. Per [4], I know you need a PKCS12-style PEM file to use cqlsh.
Also, [4] provides a barebones example of a client connecting to a Cassandra cluster over SSL. [5] is an okay read for examples of cert creation for the cluster nodes and client.
N.B. If you wish to use enterprise-strength encryption, you'll need to enable the Java Cryptography Extension. For legal reasons, only relatively weak encryption is supported by the Java that is shipped. Cassandra and your client will likely complain if you try to use 256-bit encryption without the JCE enabled. Do this for both the client and server machines:
Copy the two policy jars into your JAVA_HOME, overwriting the two jars that are already there:
[user@host UnlimitedJCEPolicy]$ ls
local_policy.jar README.txt US_export_policy.jar
[user@host UnlimitedJCEPolicy]$ export JAVA_HOME="$( readlink -f "$( which java )" | sed "s:bin/.*$::" )"
[user@host UnlimitedJCEPolicy]$ echo $JAVA_HOME
/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.65.x86_64/jre/
[user@host UnlimitedJCEPolicy]$ cp -v *.jar $JAVA_HOME/lib/security/
Restart Cassandra and the client.
[1] http://www.datastax.com/documentation/cassandra/2.0/cassandra/security/secureSSLCertificates_t.html
[2] http://www.datastax.com/documentation/cassandra/2.0/cassandra/security/secureSSLClientToNode_t.html
[3] http://www.datastax.com/dev/blog/accessing-secure-dse-clusters-with-cql-native-protocol
[4] https://github.com/PatrickCallaghan/datastax-ssl-example
[5] http://www.datastax.com/dev/blog/accessing-secure-dse-clusters-with-cql-native-protocol
[6] http://techdocs.acunu.com.s3.amazonaws.com/v5.0/admin/security/ssl.html