Connecting DataStax DevCenter to an SSL-enabled Apache Cassandra or DataStax Enterprise.
Data security is a very important issue in today's world and one of the mechanisms Cassandra provides in this area is SSL encryption and authentication. In this post we will go through the simple steps needed to connect DataStax DevCenter to an SSL-enabled Cassandra cluster.
We will assume that you have a Cassandra cluster with a working SSL configuration.
Prerequisites:
- Install the Java Cryptography Extension (JCE) on the system where you have DevCenter installed.
  - Locate your JRE lib/security directory:
    - On Linux it is usually at /usr/lib/jvm/jdk1.7.x.x/jre/lib/security.
    - On Windows it should be by default at: C:\Program Files\Java\jre7\lib\security.
    - On OSX it is at /Library/Java/JavaVirtualMachines/jdk1.x.x.x/Contents/Home/jre/lib/security.
  - Download the Java Cryptography Extension (JCE).
  - Extract the downloaded file and copy the contents of the UnlimitedJCEPolicy directory into the jre/lib/security folder.
- You will be using the keytool command to manage keys.
  - If you cannot find the keytool command on your Windows system, see this link for details: http://certificate.fyicenter.com/97_JDK_Keytool_How_to_Find_the_Java_Keytool_on_Windows.html
Server Verification:
To perform server verification, the client needs to have the public key certificate of each Cassandra node stored in a local truststore file. This file is password protected (keytool will prompt to create a password). The truststore file and password will be entered into the DevCenter connection manager dialog box (see below).
- Create a truststore file on the client using the server certificates:
  - Obtain the public key certificate from each Cassandra node you would like DevCenter to connect to.
  - Import these certificates into a truststore file on the client, for example:
    keytool -import -v -trustcacerts -alias node0 -file node0.cer -keystore .truststore
    keytool -import -v -trustcacerts -alias node1 -file node1.cer -keystore .truststore
    keytool -import -v -trustcacerts -alias node2 -file node2.cer -keystore .truststore
- In DevCenter open the Connection Manager and add the IP addresses of the nodes you want to connect to, then click Next.
- Select the 'This cluster requires SSL' option and enter the full path to (or navigate to) the truststore file on your machine.
- Enter the truststore password.
- Click the "Try to establish a connection" link to verify that you can successfully connect to the Cassandra nodes.
- If you see the "Failed to initialize a pipeline." error, the Java Cryptography Extension (JCE) has not yet been installed.
- Click OK and then Finish to create the new connection.
Client verification:
If the Cassandra cluster you are trying to connect to requires client verification, you need to perform the following additional steps:
- Create a client certificate and keystore:
  - Create an SSL certificate for the host where DevCenter is installed, for example:
    keytool -genkey -alias ikapl -keystore .keystore
  - Export the client certificate, for example:
    keytool -export -alias ikapl -file ikapl.cer -keystore .keystore
    The public certificate is stored in the ikapl.cer file.
- Ask your Cassandra cluster administrator to copy the public certificate to, and import it into the truststore on, every node of the Cassandra cluster that you want DevCenter to connect to, for example:
  keytool -import -v -trustcacerts -alias ikapl -file /tmp/ikapl.cer -keystore /var/tmp/.truststore
- In the DevCenter Connection Manager advanced settings, select the "Client authentication required" option and enter the location of the keystore file and the keystore password.
  The Connection Manager will display an error if the path to the file or the password is incorrect. The following screenshot shows an example error message for an invalid password:
- Click the "Try to establish a connection" link to verify your configuration.
- Click the "OK" button at the bottom of the Connection Manager window to create or update the connection.
That's it! A new connection has been created. Now you can enable it and have DevCenter communicate with the SSL-enabled Cassandra cluster.
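As an added example (not part of the original post, nor DataStax code), the following POSIX shell script wraps the keytool steps from both the server-verification and the client-verification sections so they can be run non-interactively, and adds the check a practitioner wants before trusting a node certificate: comparing its SHA-256 fingerprint with a value obtained out of band from the cluster administrator, so that a wrong or substituted certificate is never imported. All paths, aliases, passwords, distinguished names and fingerprints in it are placeholders; keytool must be on the PATH.

```shell
#!/bin/sh
# Added example, not from the original post: wraps the keytool steps for the
# truststore (server verification) and the client keystore (client verification)
# so they run non-interactively, and checks every node certificate against a
# SHA-256 fingerprint obtained out of band before it is trusted.
# All paths, aliases, passwords and fingerprints are placeholders.
set -eu

# SHA-256 fingerprint of a certificate file, as printed by keytool -printcert.
cert_fingerprint() {
    keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA256: *//p' | head -n 1
}

# Compose the keytool import command for one node (same form as in the post,
# plus -noprompt so it can be scripted). Arguments: alias cert_file truststore
import_cmd() {
    printf 'keytool -import -v -trustcacerts -noprompt -alias %s -file %s -keystore %s\n' "$1" "$2" "$3"
}

# Import one node certificate into the truststore, but only when its fingerprint
# matches the value the cluster administrator provided.
# Arguments: alias cert_file expected_sha256 truststore storepass
import_verified() {
    node_alias=$1; cert=$2; expected=$3; store=$4; pass=$5
    actual=$(cert_fingerprint "$cert")
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $node_alias: got $actual, expected $expected" >&2
        return 1
    fi
    keytool -import -v -trustcacerts -noprompt -alias "$node_alias" -file "$cert" \
        -keystore "$store" -storepass "$pass" >/dev/null
}

# Succeeds when the truststore holds an entry under the given alias.
# Arguments: truststore storepass alias
has_alias() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Client verification: generate the DevCenter host's key pair and export its
# public certificate; prints the certificate fingerprint so it can be handed
# to the administrator who imports the certificate on the nodes.
# Arguments: alias keystore storepass cert_out dname
make_client_keystore() {
    keytool -genkeypair -alias "$1" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "$5" -keystore "$2" -storepass "$3" -keypass "$3" >/dev/null 2>&1
    keytool -export -alias "$1" -file "$4" -keystore "$2" -storepass "$3" >/dev/null 2>&1
    cert_fingerprint "$4"
}

# Usage with placeholder values; the expected fingerprint comes from the
# administrator, not from the downloaded certificate file itself:
#   import_verified node0 node0.cer "AB:CD:..." .truststore changeit
#   make_client_keystore ikapl .keystore changeit ikapl.cer "CN=ikapl, O=example"
```

The fingerprint comparison is the point of the script: a truststore built by importing whatever file arrived makes the SSL check only as strong as the channel that delivered the file, whereas comparing against a fingerprint the administrator read to you separately ties the trust to the actual node key.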