I have enabled ssl encryption in my cassandra node and I am trying to figure out how to connect to my node using cqlsh with ssl:
When I run ./cqlsh --ssl
I get the following error:
Validation is enabled; SSL transport factory requires a valid certfile to be specified. Please provide path to the certfile in [ssl] section as 'certfile' option in /root/.cassandra/cqlshrc (or use [certfiles] section) or set SSL_CERTFILE environment variable.
I followed the link on https://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureCqlshSSL_t.html:
[authentication]
username = fred
password = !!bang!!$
I am keeping in the root folder so that any user can login and can access the common folder (rather than in my user directory). However what would be the password in this case? Do I need to put my password?!
certfile = ~/keys/node0.cer.pem
Will I need to add this certfile to the cassandra's truststore, or can I just add cassandra nodes certificate itself?
I am using Cassandra 2.2.7.
This chapter introduces the Cassandra query language shell and explains how to use its commands. By default, Cassandra provides a prompt Cassandra query language shell (cqlsh) that allows users to communicate with it. Using this shell, you can execute Cassandra Query Language (CQL).
Requirements. In Cassandra 2.1, the cqlsh utility uses the native protocol. In Cassandra 2.1, which uses the python driver, the default cqlsh listen port is 9042.
There are a few things needed to make this work:
However what would be the password in this case? Do I need to put my password?!
Inside your cqlshrc file, this refers to the username and password for authentication/authorization. You don't really need to add it here. If you do not, remember to specify the -u username -p password
flags on the cqlsh command line.
Will I need to add this certfile to the cassandra's truststore, or can I just add cassandra nodes certificate itself.
For client-to-node SSL, you don't really need to use the truststore.
If you followed the steps in that doc above, you should already have the private key part of the certificate in your keystore file. Then, you would have exported the public part of that cert to a file. You would have then converted that file to a PKCS12 file for use with cqlsh. Judging by the filenames you are using above, it looks like you have done that.
As an example, here is an example cqlshrc file that should connect to a 2.2.x clusters:
[connection]
factory = cqlshlib.ssl.ssl_transport_factory
[ssl]
certfile = ~/certs/dev-cluster1.cer.pem
validate = false
[authentication]
username = cassuser
password = 12345
Make sure that you are setting the ssl_transport_factory
.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With