Sam Tunnicliffe

<p>Apache Cassandra provides a&nbsp;number&nbsp;of&nbsp;features&nbsp;designed to help you secure your data. For deployments where Cassandra's internal authentication mechanism is not sufficient,&nbsp;DataStax Enterprise&nbsp;adds support for&nbsp;enterprise-grade authentication using Kerberos.</p>

<p>The&nbsp;<a href="https://github.com/datastax/java-driver" target="_blank" title="DataStax Java driver">DataStax Java driver</a>&nbsp;for the CQL native protocol can be used with both DSE and Apache C* to access your data in a secure manner. If you're running a secure DSE cluster using Kerberos authentication and/or SSL for client to node encryption, you might find these examples useful.</p>

<h2>&nbsp;</h2>

<h2>DataStax Enterprise with Kerberos Authentication</h2>

<p>In order to support Kerberos authentication, it was necessary to backport the authentication mechanism from version 2 of the CQL native protocol (<a href="https://issues.apache.org/jira/browse/CASSANDRA-5545">CASSANDRA-5545</a>) into the C* 1.2 which ships with DSE. For this reason, we also publish a DSE-specific version of the DataStax java driver for use with secure DSE clusters. This DSE extension to the driver is open source and available from the same Github repository as the mainstream version, where you can find it in the&nbsp;<code>dse_3.1</code>&nbsp;branch. It's a drop in replacement for the mainstream driver, so to include it in your maven project just use these maven coordinates:</p>

<pre>
    &lt;dependency&gt;
      &lt;groupId&gt;com.datastax.cassandra&lt;/groupId&gt;
      &lt;artifactId&gt;cassandra-driver-core&lt;/artifactId&gt;
      &lt;version&gt;1.0.4-dse&lt;/version&gt;
    &lt;/dependency&gt;</pre>

<p>(Incidentally, we employ a similar approach when it comes to the C# driver. I won't cover the details here, but to use the C# driver with Kerberos and DSE, check out&nbsp;<a href="https://github.com/datastax/csharp-driver/tree/dse_3.1">this branch</a>).</p>

<p>This DSE version of the java driver includes some additional authentication classes, amongst which is&nbsp;<code><a href="https://github.com/datastax/java-driver/blob/dse_3.1/driver-core/src/main/java/com/datastax/driver/core/sasl/DseAuthProvider.java">com.datastax.driver.core.sasl.DseAuthProvider</a></code>&nbsp;that handles the negotiation of secure connections with DSE using&nbsp;<a href="http://en.wikipedia.org/wiki/Generic_Security_Services_Application_Program_Interface" target="_blank" title="GSSAPI">GSSAPI</a>&nbsp;&amp;&nbsp;<a href="http://tools.ietf.org/html/rfc4422" target="_blank" title="RFC4422">SASL</a>.</p>

<p>When using&nbsp;<code>DseAuthProvider</code>, Kerberos options are set using a standard JAAS Login configuration file. The location of the file can be set using the standard Java mechanisms; by setting the&nbsp;<code>java.security.auth.login.config</code>&nbsp;system property or by adding a&nbsp;<code>login.config.url.n</code>&nbsp;entry in the&nbsp;<code>java.security</code>&nbsp;properties file.</p>

<p>Below are a couple of examples of JAAS config files which demonstrate the most commonly used means of providing Kerberos credentials. Both contain an entry named&nbsp;<code>DseClient</code>, which is the reference that&nbsp;<code>DseAuthProvider</code>&nbsp;uses to retrieve the login configuration (and so this shouldn't be changed). Both examples also specify the JVM standard&nbsp;<code>Krb5LoginModule</code>&nbsp;be used, for obvious reasons.</p>

<h3>Obtaining User Credentials From a Keytab</h3>

<p>To authenticate using a credentials from a keytab file, specify its location on disk.&nbsp;If your keytab contains more than one principal key, you should also specify&nbsp;which one to select.</p>

<pre>
    DseClient {
        com.sun.security.auth.module.Krb5LoginModule required
          useKeyTab=true
          keyTab="/path/to/file.keytab"
          principal="user@MYDOMAIN.COM";
    };</pre>

<h3>Obtaining Credentials From a Local Ticket Cache</h3>

<p>To authenticate using credentials obtained from the local per-user Kerberos ticket cache, you just need a few changes to the config. You must run&nbsp;<code>kinit</code>&nbsp;to obtain a ticket and populate the cache before connecting.</p>

<pre>
    DseClient {
        com.sun.security.auth.module.Krb5LoginModule required
          useTicketCache=true
          renewTGT=true;
    };</pre>

<p>A full list of the options supported by&nbsp;<code>Krb5LoginModule</code>&nbsp;can be found in its&nbsp;<a href="http://docs.oracle.com/javase/7/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html" target="_blank" title="Krb5LoginModule javadoc">javadoc</a>. You can read more about the details of what may be specified by the login file&nbsp;<a href="http://docs.oracle.com/javase/1.4.2/docs/guide/security/jaas/tutorials/LoginConfigFile.html" target="_blank" title="JAAS Login config">here</a>&nbsp;and more&nbsp;on JAAS in general&nbsp;<a href="http://docs.oracle.com/javase/6/docs/technotes/guides/security/jaas/tutorials/GeneralAcnOnly.html" target="_blank" title="JAAS">here</a>.</p>

<p>Having provided a JAAS configuration, connecting to a secure DSE cluster is as simple as creating a&nbsp;<code>DseAuthProvider</code>&nbsp;instance.</p>

<pre>
    Cluster cluster = Cluster.builder()
                             .addContactPoints("192.168.10.10", "192.168.10.11")
                             .withAuthProvider(new DseAuthProvider())
                             .build();
    Session session = cluster.connect();</pre>

<h2>&nbsp;</h2>

<h2>Client to Node Encryption with SSL</h2>

<p>As well as the option to&nbsp;encrypt all internode communication, Apache Cassandra also supports&nbsp;client to server encryption using SSL. To open an encrypted connection with the java-driver, whether using Apache Cassandra or DSE, simply use the&nbsp;<code>withSSL()</code>&nbsp;method when constructing your Cluster instance</p>

<pre>
    Cluster cluster = Cluster.builder()
                             .addContactPoints("192.168.10.10", "192.168.10.11")
                             .withSSL()
                             .build();</pre>

<p>By default this will instantiate connections using the system's default SSL context, which can be configured using system properties as documented&nbsp;<a href="http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#Customization" target="_blank" title="JSSE Customization">here</a>. The same end can also be achieved programatically, by constructing an&nbsp;<code>SSLContext</code>&nbsp;and handing that to the Cluster builder</p>

<pre>
    public static void main(String[] args)
    {
        .
        .
        .
        SSLContext context = getSSLContext(truststorePath, 
                                           truststorePassword, 
                                           keystorePath, 
                                           keystorePassword);

        // Default cipher suites supported by C*
        String[] cipherSuites = { "TLS_RSA_WITH_AES_128_CBC_SHA", 
                                  "TLS_RSA_WITH_AES_256_CBC_SHA" };

        Cluster cluster = Cluster.builder()
                                 .addContactPoints("192.168.10.10", "192.168.10.11")
                                 .withSSL(new SSLOptions(context, cipherSuites))
                                 .build();
        Session session = cluster.connect();
    }

    private static SSLContext getSSLContext(String truststorePath, 
                                            String truststorePassword,
                                            String keystorePath, 
                                            String keystorePassword)
    throws Exception 
    {
        FileInputStream tsf = new FileInputStream(truststorePath);
        FileInputStream ksf = new FileInputStream(keystorePath);
        SSLContext ctx = SSLContext.getInstance("SSL");

        KeyStore ts = KeyStore.getInstance("JKS");
        ts.load(tsf, truststorePassword.toCharArray());
        TrustManagerFactory tmf = 
                   TrustManagerFactory.getInstance(
                        TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(ksf, keystorePassword.toCharArray());
        KeyManagerFactory kmf = 
                   KeyManagerFactory.getInstance(
                        KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keystorePassword.toCharArray());

        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }</pre>

<p>That just about covers using the DataStax CQL driver for accessing secured clusters in Java. DSE also supports Kerberos authentication in its&nbsp;<a href="https://www.datastax.com/docs/datastax_enterprise3.1/solutions/dse_search_query#using-the-solr-http-api" target="_blank" title="DSE Solr HTTP API">Solr HTTP API</a>, using&nbsp;SPNEGO. Next time, I'll cover some examples using those APIs from the command line with&nbsp;cURL&nbsp;and from Java with&nbsp;SolrJ.</p>


Accessing secure DSE clusters with CQL native protocol

Sam Tunnicliffe

Share

More Technology

Why DataStax Loves LangChain

Getting Started with DataStax Astra DB and Amazon Bedrock

Why You Can't Miss Cassandra Summit

Mitigate the OpenAI Debacle with Open Source and Cloud

NoSQL and Vector DB
for Generative AI,
Instantly, At Scale

Sam Tunnicliffe

Share

More Technology

Why DataStax Loves LangChain

Getting Started with DataStax Astra DB and Amazon Bedrock

Why You Can't Miss Cassandra Summit

Mitigate the OpenAI Debacle with Open Source and Cloud

NoSQL and Vector DBfor Generative AI,Instantly, At Scale

NoSQL and Vector DB
for Generative AI,
Instantly, At Scale