DataStax Enterprise 3.0 Documentation

Client-to-node encryption

This documentation corresponds to an earlier product version. Make sure this document corresponds to your version.

Latest DSE documentation | Earlier DSE documentation

Client-to-node encryption protects data in flight from client machines to a database cluster. It establishes a secure channel between the client and the coordinator node. Unlike Kerberos, SSL is fully distributed and does not require setting up a shared authentication service. For information about generating SSL certificates, see Preparing server certificates.

SSL settings for DataStax Enterprise client-to-node encryption

To enable client-to-node SSL, you must set the client encryption options in the dse.yaml file.

On each node, under client_encryption_options:

  • Enable encryption.
  • Set the paths to your .keystore and .truststore files.
  • Provide the passwords used when generating the keystore and truststore.
client_encryption_options:
   enabled: true
   keystore: resources/dse/conf/.keystore
   keystore_password: <keystore password>
   keystore_type: JKS
   truststore: resources/dse/conf/.truststore
   truststore_password: <truststore password>

For information about using Kerberos with SSL, see Using Kerberos and SSL at the same time.

Initializing Solr to support SSL encryption

When you enable SSL in the dse.yaml, it automatically enables the authentication/authorization filters in Solr web.xml and configures an SSL connector in Tomcat. This means that you don't have to change your web.xml or server.xml.