Apache Cassandra™ 2.0

Preparing server certificates

Generate SSL certificates for client-to-node encryption or node-to-node encryption.

If you generate the certificates for one type of encryption, you do not need to generate them again for the other: the same certificates are used for both.

Every node must have all the relevant SSL certificates. A keystore contains private keys. The truststore contains the SSL certificate of each node, and these certificates do not need to be signed by a trusted and recognized public certification authority.

Procedure

  1. Generate the private and public key pair for the nodes of the cluster.

    A prompt for the new keystore and key password appears.

  2. Leave key password the same as the keystore password.
  3. Repeat steps 1 and 2 on each node using a different alias for each one.
    keytool -genkey -keyalg RSA -alias <cassandra_node0> -keystore .keystore
  4. Export the public part of the certificate to a separate file and copy these certificates to all other nodes.
    keytool -export -alias <cassandra_node0> -file <cassandra_node0>.cer -keystore .keystore
    
  5. Add the certificate of each node to the truststore of each node, so nodes can verify the identity of other nodes.
    keytool -import -v -trustcacerts -alias <cassandra_node0> -file <cassandra_node0>.cer -keystore .truststore
    keytool -import -v -trustcacerts -alias <cassandra_node1> -file <cassandra_node1>.cer -keystore .truststore
    . . .
    
  6. Distribute the .keystore and .truststore files to all Cassandra nodes.
  7. Make sure .keystore is readable only by the Cassandra daemon and not by any other user of the system.
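
The procedure above as one non-interactive script, followed by checks for steps 5 and 7. This is an added example, not part of the original documentation: the function names, the per-node directory layout, the key size, validity and distinguished name are assumptions, and the passwords are read from the exported environment variables KS_PASS and TS_PASS so that they do not appear in the process list.

```shell
#!/bin/sh
# Added example, not the vendor's script. Aliases and layout are constructed.
# KS_PASS and TS_PASS must be exported and at least 6 characters long.
set -eu

# Steps 1-6. $1 = output directory, remaining arguments = one alias per node.
build_cluster_stores() (
  umask 077                      # step 7: files are owner-only from creation
  out=$1; shift
  for node in "$@"; do
    mkdir -p "$out/$node"
    # Steps 1-3: one key pair per node; key password equals keystore password.
    keytool -genkey -keyalg RSA -keysize 2048 -validity 365 \
      -alias "$node" -dname "CN=$node" -keystore "$out/$node/.keystore" \
      -storepass:env KS_PASS -keypass:env KS_PASS
    # Step 4: export only the public certificate.
    keytool -export -alias "$node" -file "$out/$node.cer" \
      -keystore "$out/$node/.keystore" -storepass:env KS_PASS
  done
  for node in "$@"; do
    # Step 5: every node's certificate goes into the shared truststore.
    keytool -import -v -trustcacerts -noprompt -alias "$node" \
      -file "$out/$node.cer" -keystore "$out/.truststore" -storepass:env TS_PASS
  done
  # Step 6: each node directory receives the same truststore.
  for node in "$@"; do cp "$out/.truststore" "$out/$node/.truststore"; done
)

# Step 7 check: succeeds only if group and other have no permission bits.
keystore_is_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Step 5 check: succeeds only if the truststore ($1) has every alias given.
truststore_has_all() {
  ts=$1; shift
  for node in "$@"; do
    keytool -list -alias "$node" -keystore "$ts" -storepass:env TS_PASS \
      >/dev/null 2>&1 || return 1
  done
}

# Stand-alone use: KS_PASS=... TS_PASS=... sh build_stores.sh <outdir> <alias>...
if [ "$#" -ge 2 ]; then
  build_cluster_stores "$@"
fi
```

Run the two checks again on each node after copying the files, because a copy can reset the permissions or leave an older truststore in place.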

Adding new trusted users

Add new users when client certificate authentication is enabled.

Prerequisites

The client certificate authentication must be enabled (require_client_auth=true).

Procedure

  1. Generate the certificate as described in Client-to-node encryption.
  2. Import the user's certificate into every node's truststore using keytool:
    keytool -import -v -trustcacerts -alias <username> -file <certificate file> -keystore .truststore
    