Preparing SSL certificates for development:
Step 1 : Creating SSL Certificates on all nodes:
We need to create SSL certificates on all the nodes that consists of keystore and truststore. Keystore contains private key and truststore contains SSL certificate of self and other nodes. Perform below steps in CASANDRA_HOME\conf folder.
Create node1 certificate
keytool -genkey -keyalg RSA -alias node1 -validity 36500 -keystore .keystore -storepass cassandra -keypass cassandra -dname "CN=vm-music-01, OU=None, O=None, L=None, C=None"
|
Export node1 cert to keystore
keytool -export -alias node1 -file node1.cer -keystore .keystore
|
Export node1 cert to truststore
keytool -import -v -trustcacerts -alias node1 -file node1.cer -keystore .truststore
|
Sameway create node2 cert using above 3 step and ftp node2.cer file to node1
scp -P 22 node2.cer <userid>@135.197.226.110:/tmp
|
Add node2.cer to truststore of node1
keytool -import -v -trustcacerts -alias node2 -file tmp/node2.cer -keystore .truststore
|
Step 2: Update Cassandra.yaml file:
On each node under server_encryption_options: change encryption to point to conf folder and with the password that was created used in Step 1.
For development
server_encryption_options:
internode_encryption: all
keystore: /conf/.keystore
keystore_password: cassandra
truststore: /conf/.truststore
truststore_password: cassandra
require_client_auth: true
|
Preparing SSL certificates with a self-signed CA:
Step 1 : Creating SSL Certificates on all nodes:
Create conf file in one of the node .
gen_rootCa_cert.conf
[ req ]
distinguished_name = req_distinguished_name
prompt = no
output_password = cassandra
default_bits = 2048
[ req_distinguished_name ]
C = US
O = AT&T
OU = Research
CN = rootCa
|
Create a root CA certificate and key using above created conf file.
sudo openssl req -config gen_rootCa_cert.conf -new -x509 -nodes -subj /CN=rootCa/OU=Research/O=AT&T/C=US/-keyout rootCa.key -out rootCa.crt
-days 365
|
Generate public/private key pair and keystore for each node (example is on node3):
sudo keytool -genkeypair -keyalg RSA -alias node3 -keystore node3.jks -storepass cassandra -keypass cassandra -validity 365 -keysize 2048 -dname "CN=VM Node 03, OU=Research, O=ATT, C=US"
|
Export certificate signing request (CSR) for each node:
sudo keytool -certreq -keystore node3.jks -alias node3 -file node3.csr -storepass cassandra -keypass cassandra -dname "CN=VM Node 03, OU=Research, O=ATT, C=US"
|
Sign node certificate with rootCa for each node
sudo openssl x509 -req -CA rootCa.crt -CAkey rootCa.key -in node3.csr -out node3.crt_signed -days 365 -CAcreateserial -passin pass:cassandra
|
Import rootCa certificate to each node keystore
sudo keytool -importcert -keystore node3.jks -alias rootCa -file rootCa.crt -noprompt -keypass cassandra -storepass cassandra
|
Import node's signed certificate into node keystore for each node
sudo keytool -importcert -keystore node3.jks -alias node3 -file node3.crt_signed -noprompt -keypass cassandra -storepass cassandra
|
Create a server truststore. The truststore file must be copied to each node
sudo keytool -importcert -keystore cluster-truststore.jks -alias rootCa -file rootCa.crt -noprompt -keypass cassandra -storepass cassandra
|
Copy the each node keystore file to each node. node3.jks was created and this jks should be copied to other nodes.
Step 2: Update Cassandra.yaml file:
On each node under server_encryption_options: change encryption to point to conf folder and with the password that was created used in Step 1.
server_encryption_options:
internode_encryption: all
keystore: /conf/node3.jks
keystore_password: cassandra
truststore: /conf/cluster-truststore.jks
truststore_password: cassandra
require_client_auth: true
protocol: TLS
algorithm: SunX509
store_type: JKS
cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
require_client_auth: true
|
restart cassandra and execute below command you should see message "Starting Encrypted Messaging Service on SSL port 7001"
grep SSL install_location/logs/system.log
Step 3 : To run cqlsh with SSL encryption:
create a .cassandra/cqlshrc file and update as below
[connection]
factory = cqlshlib.ssl.ssl_transport_factory
[ssl]
validate = false
|
Turning Off SSL communication
The default usage of MUSIC does not involve SSL. So Simply undo the configurations to the cassandra.yaml suggested above to revert to non-SSL usage.
