DataStax Enterprise 3.1 Documentation

Client-to-node encryption

This documentation corresponds to an earlier product version. Make sure this document corresponds to your version.


Client-to-node encryption protects data in flight from client machines to a database cluster. It establishes a secure channel between the client and the coordinator node. Unlike Kerberos, SSL is fully distributed and does not require setting up a shared authentication service. For information about generating SSL certificates, see Preparing server certificates.

SSL settings for DataStax Enterprise client-to-node encryption

To enable client-to-node SSL, you must set the client encryption options. Where you set them depends on the version:

  • In 3.1.2 and later, configure the client_encryption_options only in the cassandra.yaml file. If necessary, remove them from the dse.yaml.
  • In earlier 3.1 versions, configure them identically in both the dse.yaml and cassandra.yaml files.

On each node, under client_encryption_options:

  • Enable encryption.
  • Set the paths to your .keystore and .truststore files.
  • Provide the passwords used when generating the keystore and truststore.

client_encryption_options:
   enabled: true
   keystore: resources/dse/conf/.keystore
   keystore_password: <keystore password>
   keystore_type: JKS
   truststore: resources/dse/conf/.truststore
   truststore_password: <truststore password>
   protocol: ssl
   cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA]
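
The following is an added example, not part of the DataStax documentation: a Python check of one node's two files against the version rule and the settings list above. The function names, the version tuple parameter and the sample file contents are assumptions made for illustration, and the parser handles only this flat block.

```python
def parse_client_encryption(yaml_text):
    """Return the client_encryption_options block as a dict, or None if absent.
    Handles only this flat key/value block; it is not a general YAML parser."""
    opts, in_block = None, False
    for raw in yaml_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                                   # blank line or comment
        if not raw[0].isspace():                       # a top-level key starts here
            in_block = raw.startswith("client_encryption_options:")
            if in_block:
                opts = {}
        elif in_block and ":" in raw:
            key, _, value = raw.strip().partition(":")
            opts[key.strip()] = value.strip()
    return opts

REQUIRED = ("keystore", "keystore_password", "truststore", "truststore_password")

def check_node(cassandra_yaml, dse_yaml, version):
    """Return findings for one node; an empty list means the settings match the page."""
    findings = []
    cass = parse_client_encryption(cassandra_yaml)
    dse = parse_client_encryption(dse_yaml)
    if cass is None or cass.get("enabled", "").lower() != "true":
        findings.append("cassandra.yaml: client encryption is not enabled")
    else:
        for key in REQUIRED:
            if not cass.get(key) or cass[key].startswith("<"):
                findings.append(f"cassandra.yaml: {key} is empty or still a placeholder")
    if version >= (3, 1, 2):
        if dse is not None:                            # 3.1.2+: cassandra.yaml only
            findings.append("dse.yaml: remove client_encryption_options")
    elif dse != cass:                                  # earlier 3.1: must be identical
        findings.append("dse.yaml: client_encryption_options differ from cassandra.yaml")
    return findings

# Constructed sample files (passwords are made-up values).
SAMPLE_CASSANDRA = """\
client_encryption_options:
   enabled: true
   keystore: resources/dse/conf/.keystore
   keystore_password: constructed-example-1
   truststore: resources/dse/conf/.truststore
   truststore_password: constructed-example-2
"""
SAMPLE_DSE = "client_encryption_options:\n   enabled: false\n"
if __name__ == "__main__":
    for finding in check_node(SAMPLE_CASSANDRA, SAMPLE_DSE, (3, 1, 0)):
        print(finding)
```

Run against the real file contents on every node; a node that reports findings is either not encrypting client traffic or carries settings that disagree between the two files.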

For information about using Kerberos with SSL, see Using Kerberos and SSL at the same time.

Initializing Solr to support SSL encryption

Enabling SSL automatically enables the authentication/authorization filters in the Solr web.xml and configures an SSL connector in Tomcat, so you do not have to change your web.xml or server.xml.