Client-to-node encryption protects data in flight from client machines to a database cluster. It establishes a secure channel between the client and the coordinator node. For information about generating SSL certificates, see Preparing server certificates.
To enable client-to-node SSL, you must set the client encryption options in the cassandra.yaml file. On each node, set the following under client_encryption_options:
client_encryption_options:
    enabled: true
    keystore: conf/.keystore ## The path to your .keystore file
    keystore_password: <keystore password> ## The password you used when generating the keystore.
    truststore: conf/.truststore
    truststore_password: <truststore password>
    require_client_auth: <true or false>
To run cqlsh, you must create a .cqlshrc file in your home or client program directory. This means you don't have to override the SSL_CERTFILE environment variable every time.
Note
You cannot use cqlsh when client certificate authentication is enabled (require_client_auth=true).
Sample files are available in the following directories:
For example:
[authentication]
username = fred
password = !!bang!!$
[connection]
hostname = 127.0.0.1
port = 9160
factory = cqlshlib.ssl.ssl_transport_factory
[ssl]
certfile = ~/keys/cassandra.cert
validate = true ## Optional, true by default.
[certfiles] ## Optional section, overrides the default certfile in the [ssl] section.
192.168.1.3 = ~/keys/cassandra01.cert
192.168.1.4 = ~/keys/cassandra02.cert
When validate is enabled, the hostname in the server certificate is compared to the host that cqlsh connected to. The SSL certificate must be provided either in the configuration file or as an environment variable. The environment variables (SSL_CERTFILE and SSL_VALIDATE) override any options set in this file.
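To make the precedence described above concrete, here is an added example (not cqlsh's own code) that parses a constructed .cqlshrc and resolves which certfile and validate setting apply for a given host: a [certfiles] entry overrides the [ssl] default, and SSL_CERTFILE / SSL_VALIDATE override the file. The function names and the rule for interpreting SSL_VALIDATE values are assumptions of this example.

```python
import configparser
import os
from typing import Optional, Tuple

# Constructed sample .cqlshrc, modelled on the page's example (not a real file).
SAMPLE_CQLSHRC = """
[connection]
hostname = 127.0.0.1
port = 9160
factory = cqlshlib.ssl.ssl_transport_factory

[ssl]
certfile = ~/keys/cassandra.cert
validate = true

[certfiles]
192.168.1.3 = ~/keys/cassandra01.cert
192.168.1.4 = ~/keys/cassandra02.cert
"""


def load_cqlshrc(text: str) -> configparser.ConfigParser:
    """Parse .cqlshrc text. Interpolation is off so a value like '!!bang!!$' stays literal."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def resolve_ssl(cfg: configparser.ConfigParser, host: str,
                env: Optional[dict] = None) -> Tuple[Optional[str], bool]:
    """Return (certfile, validate) for `host` using the page's precedence:
    environment variables beat the file; in the file, a per-host [certfiles]
    entry beats the [ssl] certfile default. Paths are returned unexpanded."""
    env = os.environ if env is None else env
    certfile = None
    if cfg.has_option("certfiles", host):          # per-host override first
        certfile = cfg.get("certfiles", host)
    elif cfg.has_option("ssl", "certfile"):        # then the [ssl] default
        certfile = cfg.get("ssl", "certfile")
    # validate is true by default; a missing option must not silently disable it.
    validate = cfg.getboolean("ssl", "validate", fallback=True)
    # Environment variables override anything in the file (assumed truthy spellings).
    if env.get("SSL_CERTFILE"):
        certfile = env["SSL_CERTFILE"]
    if "SSL_VALIDATE" in env:
        validate = env["SSL_VALIDATE"].strip().lower() in ("1", "true", "yes", "on")
    return certfile, validate
```

Auditing a client with this logic quickly shows whether a stray SSL_VALIDATE=false in the environment has turned off the hostname check that protects against a substituted server certificate.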