Irina Kaplounova

Data security is a very important issue in today's world and one of the mechanisms Cassandra provides in this area is SSL encryption and authentication. In this post we will go through the simple steps needed to connect DataStax DevCenter to an SSL-enabled Cassandra cluster.

We will assume that you have&nbsp;<a href="http://docs.datastax.com/en/cassandra/2.0/cassandra/security/secureSslEncryptionTOC.html">Cassandra cluster with working SSL configuration</a>.

<h3>Prerequisites:</h3>

<ul>
	<li>Install the Java Cryptography Extension&nbsp;(JCE) on the system where you have DevCenter installed.
	<ol>
		<li>&nbsp;Locate&nbsp;your jre lib/security directory:
		<ul>
			<li>On Linux it is usually at&nbsp;/usr/lib/jvm/jdk1.7.x.x/jre/lib/security.</li>
			<li>On Windows it should be by default at:&nbsp;C:\Program Files\Java\jre7\lib\security.</li>
			<li>On OSX it is at /Library/Java/JavaVirtualMachines/jdk1.x.x.x/Contents/Home/jre/lib/security.</li>
		</ul>
		</li>
		<li>Download the Java Cryptography Extension (JCE)
		<ul>
			<li><a href="http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html">Download for Java 8</a></li>
			<li><a href="http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html">Download for Java7</a></li>
			<li><a href="http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html">Download for Java6</a></li>
		</ul>
		</li>
		<li>Extract the downloaded file and copy the content of&nbsp;UnlimitedJCEPolicy directory to&nbsp;jre/lib/security folder</li>
	</ol>
	</li>
	<li>You will be using the&nbsp;keytool&nbsp;command to manage keys.
	<ul>
		<li>If you cannot find the keytool command on your Windows system see this link for details:&nbsp;<a href="http://certificate.fyicenter.com/97_JDK_Keytool_How_to_Find_the_Java_Keytool_on_Windows.html">"http://certificate.fyicenter.com/97_JDK_Keytool_How_to_Find_the_Java_Keytool_on_Windows.html"</a></li>
	</ul>
	</li>
</ul>

<h3>Server Verification:</h3>

To perform server verification, the client needs to have&nbsp;<a href="http://docs.datastax.com/en/cassandra/2.0/cassandra/security/secureSSLCertificates_t.html">the public key certificate of each Cassandra node</a>&nbsp;stored in a local truststore file. This file is password protected (keytool will prompt to create a password). The truststore file and password will be entered into the DevCenter connection manager dialog box (see below).
<img alt="truststore file" data-align="center" data-entity-type="file" data-entity-uuid="f8fa66c2-499b-4fdd-a9e0-a5a0cdfc42e7" src="https://www.datastax.com/sites/default/files/inline-images/scr11.png" />
<ol>
	<li>Create a truststore file on a client using server certificates
	<ul>
		<li>Obtain the public key certificates from each Cassandra node&nbsp;you would like to connect to DevCenter</li>
		<li>Import these certificates into a truststore file on the client, for example:
		<pre>
keytool -import -v -trustcacerts -alias node0 -file node0.cer -keystore .truststore
keytool -import -v -trustcacerts -alias node1 -file node1.cer -keystore .truststore
keytool -import -v -trustcacerts -alias node2 -file node2.cer -keystore .truststore
</pre>
		</li>
	</ul>
	</li>
	<li>In DevCenter open Connection Manager and add the IP addresses of the nodes you want to be&nbsp;connected to. Click Next</li>
	<li>Select&nbsp;'This cluster requires SSL'&nbsp;option and enter a full path to (or navigate to) truststore&nbsp;file on your machine</li>
	<li>Enter truststore password</li>
	<li>Click&nbsp;"Try to establish a connection"&nbsp;link to verify that you can successfully connect to Cassandra&nbsp;nodes
	<ul>
		<li>If you are seeing&nbsp;"Failed to initialize a pipeline."&nbsp;error, this means that you still need to install Java Cryptography Extension (JCE).</li>
	</ul>
	<img alt="Click &quot;Try to establish a connection&quot;" data-align="center" data-entity-type="file" data-entity-uuid="d55f3cdf-b67b-4833-b423-534a9327d435" src="https://www.datastax.com/sites/default/files/inline-images/scrn2-700x369.png" /></li>
	<li>Click&nbsp;OK&nbsp;and&nbsp;Finish&nbsp;to create a new connection</li>
</ol>

<h3>Client verification:</h3>

If the Cassandra cluster you are trying to connect to requires client verification, you need to perform the following additional steps:

<ol>
	<li>Create a client certificate and keystore
	<ul>
		<li>Create ssl certificate for the host where DevCenter is installed, for example:
		<pre>
keytool -genkey -alias ikapl -keystore .keystore</pre>
		</li>
		<li>Export client certificate, for example:
		<pre>
keytool -export -alias ikapl -file ikapl.cer -keystore .keystore</pre>

		The public certificate is stored in&nbsp;ikapl.cer&nbsp;file
		</li>
	</ul>
	</li>
	<li>Ask your Cassandra cluster administrator to copy the public certificate and import it into the truststore on all nodes of the Cassandra cluster which you want DevCenter to be connected to, for example:
	<pre>
keytool -import -v -trustcacerts -alias ikapl -file /tmp/ikapl.cer -keystore /var/tmp/.truststore</pre>
	</li>
	<li>In DevCenter Connection Manager advanced settings select "Client authentication required" option and enter location of the keystore file and keystore password.<img alt="DevCenter Connection Manager" data-align="center" data-entity-type="file" data-entity-uuid="6017f9c0-89df-4834-be52-459f4e1f65f2" src="https://www.datastax.com/sites/default/files/inline-images/scrn3-700x486.png" />
	Connection manager will display an error in case the path to the file or the password is incorrect. The following screenshot shows an example error message for an invalid password:
	<img alt="Connection manager" data-align="center" data-entity-type="file" data-entity-uuid="587170dc-1113-4aeb-b418-791e96892cf5" src="https://www.datastax.com/sites/default/files/inline-images/scrn4-700x478.png" /></li>
	<li>Click "Try to establish a connection" link to verify your configuration<img alt="verify your configuration" data-align="center" data-entity-type="file" data-entity-uuid="92c1788e-ae56-4844-949e-0cd508553366" src="https://www.datastax.com/sites/default/files/inline-images/screen6-700x418.png" />
	&nbsp;
	</li>
	<li>Click "OK" button on the bottom of the Connection Manager window to create/update connection</li>
</ol>

That's it! A new connection has been created. Now you can enable it and have DevCenter communicate with the SSL-enabled Cassandra cluster.

Connecting DataStax DevCenter to an SSL-enabled Apache Cassandra or DataStax Enterprise.

Irina Kaplounova

Share

Share

Prerequisites:

Server Verification:

Client verification:

More Technology

How Winweb Built its AI Assistant with DataStax Astra DB and LangChain

Vercel + Astra DB: Get Data into Your GenAI Apps Fast

Simplifying Agent Development with Astra DB Connector for Vertex AI Search

Making Astra DB easier for MongoDB developers

One-stop Data API for Production GenAI