Apache Cassandra 1.2 Documentation

Client-to-node encryption

Client-to-node encryption protects data in flight from client machines to a database cluster. It establishes a secure channel between the client and the coordinator node. For information about generating SSL certificates, see Preparing server certificates.

SSL settings for Cassandra client-to-node encryption

To enable client-to-node SSL, you must set the client encryption options in the cassandra.yaml file. On each node under client_encryption_options:

  • Enable encryption.
  • Set the appropriate paths to your .keystore and .truststore files.
  • Provide the required passwords. The passwords must match the passwords used when generating the keystore and truststore.
  • To enable client certificate authentication, set require_client_auth to true. (Available starting with Cassandra 1.2.3.)

client_encryption_options:
   enabled: true
   keystore: conf/.keystore ## The path to your .keystore file
   keystore_password: <keystore password> ## The password you used when generating the keystore.
   truststore: conf/.truststore
   truststore_password: <truststore password>
   require_client_auth: <true or false>

Using cqlsh with SSL encryption

To run cqlsh with SSL, you must create a .cqlshrc file in your home directory or in the client program directory. With the SSL settings in this file, you don't have to set the SSL_CERTFILE and SSL_VALIDATE environment variables every time you start cqlsh.

Note

You cannot use cqlsh when client certificate authentication is enabled (require_client_auth=true).

Sample files are available in the following directories:

  • Packaged installs: /etc/cassandra/conf
  • Binary installs: <install_location>/conf

For example:

[authentication]
username = fred
password = !!bang!!$

[connection]
hostname = 127.0.0.1
port = 9160
factory = cqlshlib.ssl.ssl_transport_factory

[ssl]
certfile = ~/keys/cassandra.cert
validate = true ## Optional, true by default.

[certfiles] ## Optional section, overrides the default certfile in the [ssl] section.
192.168.1.3 = ~/keys/cassandra01.cert
192.168.1.4 = ~/keys/cassandra02.cert

When validate is enabled, cqlsh compares the host named in the certificate to the host it is connecting to. The SSL certificate must be provided either in the .cqlshrc file or in an environment variable. The environment variables (SSL_CERTFILE and SSL_VALIDATE) override the corresponding options set in this file.
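The following script is an added example, not part of the Cassandra documentation or of cqlsh itself. It loads the sample .cqlshrc above and works out, for a given node address, which certificate file and validate setting the precedence rules just described produce: SSL_CERTFILE and SSL_VALIDATE in the environment override the file, and a per-host entry in [certfiles] overrides the default certfile in [ssl]. When validation is on and no certificate can be found, it raises instead of silently connecting without one. The assumption is that cqlshlib resolves these options in exactly this order; the real code may differ in minor details.

```python
"""Resolve the certfile and validate flag cqlsh would use for a node.

Added example, not from the Cassandra project. Models the precedence
described in the documentation: environment > [certfiles] host entry >
[ssl] certfile, and environment > [ssl] validate (default true).
"""
import configparser
import io

# Constructed .cqlshrc mirroring the documentation sample.
SAMPLE_CQLSHRC = """\
[authentication]
username = fred
password = !!bang!!$

[connection]
hostname = 127.0.0.1
port = 9160
factory = cqlshlib.ssl.ssl_transport_factory

[ssl]
certfile = ~/keys/cassandra.cert
validate = true ## Optional, true by default.

[certfiles] ## Optional section, overrides the default certfile in the [ssl] section.
192.168.1.3 = ~/keys/cassandra01.cert
192.168.1.4 = ~/keys/cassandra02.cert
"""


def load_cqlshrc(text):
    """Parse .cqlshrc text; '##' trailing comments are allowed as in the sample."""
    parser = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=("#",))
    parser.read_file(io.StringIO(text))
    return parser


def resolve_ssl(config, host, env):
    """Return (certfile, validate) for a connection to `host`.

    `env` is a mapping standing in for os.environ. Raises ValueError when
    validation is on but no certificate file is configured anywhere.
    """
    validate_raw = env.get("SSL_VALIDATE")
    if validate_raw is None:
        validate_raw = config.get("ssl", "validate", fallback=None)
    # Only an explicit "false" turns validation off; absent means enabled.
    validate = validate_raw is None or validate_raw.strip().lower() != "false"

    certfile = env.get("SSL_CERTFILE")
    if certfile is None:
        certfile = config.get("certfiles", host, fallback=None)
    if certfile is None:
        certfile = config.get("ssl", "certfile", fallback=None)

    if validate and certfile is None:
        raise ValueError("validation is on but no certfile is configured for %s" % host)
    return certfile, validate


if __name__ == "__main__":
    import os
    cfg = load_cqlshrc(SAMPLE_CQLSHRC)
    for node in ("192.168.1.3", "192.168.1.4", "127.0.0.1"):
        print(node, resolve_ssl(cfg, node, os.environ))
```

Passing os.environ as `env` reproduces what cqlsh sees on the command line; passing an empty dict shows what the file alone would give.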