DataStax Enterprise 3.2

Client-to-node encryption

Client-to-node encryption protects data in flight from client machines to a database cluster. It establishes a secure channel between the client and the coordinator node. Unlike Kerberos, SSL is fully distributed and does not require setting up a shared authentication service. For information about generating SSL certificates, see Preparing server certificates.

SSL settings for DataStax Enterprise client-to-node encryption

To enable client-to-node SSL, set the client encryption options. Where you set them depends on the version.

Procedure

  1. Set the client encryption options using one of the two following scenarios.
    • In 3.1.2 and later, configure the client_encryption_options only in the cassandra.yaml file. If necessary, remove them from the dse.yaml.
    • In prior 3.1 version, configured them identically in both the dse.yaml and cassandra.yaml files.
  2. On each node, under client_encryption_options:
    • Enable encryption.
    • Set the paths to your .keystore and .truststore files.
    • Provide the passwords used when generating the keystore and truststore.
    client_encryption_options:
        enabled: true
        keystore: resources/dse/conf/.keystore
        keystore_password: keystore password
        keystore_type: JKS
        truststore: resources/dse/conf/.truststore
        truststore_password: truststore password
        protocol: ssl
        cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA]
    For information about using Kerberos with SSL, see Using Kerberos and SSL at the same time.
    Note: Initializing Solr to support SSL encryption

    When you enable SSL, it automatically enables the authentication/authorization filters in Solr web.xml and configures an SSL connector in Tomcat. This means that you don't have to change your web.xml or server.xml.

Show/hide