I've set up node-to-node encryption on my Cassandra cluster. Now I want to set up client-to-node. According to this documentation, it should be as easy as taking the SSL certificate of my client and importing it into every node's truststore. I don't have such a certificate yet but this is not my question.
Since my client is using the DataStax Java driver, it seems that in order to enable SSL from the client side, when I am building the Cluster
I should use the withSSL()
method to enable SSL. Okay, but what else do I need to do? I am not familiar with JSSE so I don't know what else is necessary. Is the SSL communication two-way, i.e. does the driver need to have access to the SSL certificates of each node in the cluster?
Create the certificates [1].
Enable client-node encryption in cassandra.yaml settings [2].
Add SSL support to your client. There is an excellent datastax blog on with sample code for setting up the SSL connection in your client [3].
A cert for your client. From what I can tell, it seems like you should be able to use the same keystore and trusture from [1] for the java client to use. Per [4], I know you need a pcks12 style PEM file to use cqlsh.
Also, [4] provides a barebones example of a client connecting to a cassandra cluster over SSL. [5] is an okay read for examples of cert creation for the cluster nodes and client.
N.B. If you wish to use enterprise strength encryption, you'll need to enable the Java Cryptography Extension. For legal reasons, only relatively weak encryption is supported by the java that is shipped. Cassandra and your client will likely complain if you try to use 256 bit encryption without the JCE enabled. Do this for both the client and server machines:
Copy the two policy jars into your JAVA_HOME, overwriting the two jars that are already there:
[user@host UnlimitedJCEPolicy]$ ls
local_policy.jar README.txt US_export_policy.jar
[user@host UnlimitedJCEPolicy]$ export JAVA_HOME="$( readlink -f "$( which java )" | sed "s:bin/.*$::" )"
[use@host UnlimitedJCEPolicy]$ echo $JAVA_HOME
/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.65.x86_64/jre/
[user@host UnlimitedJCEPolicy]$ cp -v *.jar $JAVA_HOME/lib/security/
Restart cassandra and the client
[1] http://www.datastax.com/documentation/cassandra/2.0/cassandra/security/secureSSLCertificates_t.html
[2] http://www.datastax.com/documentation/cassandra/2.0/cassandra/security/secureSSLClientToNode_t.html
[3] http://www.datastax.com/dev/blog/accessing-secure-dse-clusters-with-cql-native-protocol
[4] https://github.com/PatrickCallaghan/datastax-ssl-example
[5] http://www.datastax.com/dev/blog/accessing-secure-dse-clusters-with-cql-native-protocol
[6] http://techdocs.acunu.com.s3.amazonaws.com/v5.0/admin/security/ssl.html