JBoss Community Archive (Read Only)

RHQ 4.9

Node To Node Encryption Cassandra

Warning!

  1. Never use relative paths for keystores and truststores; they do not work, because the files are not found on disk.

  2. The store password and the key password need to be identical; Cassandra does not have separate settings for those.

  3. The truststore can have a different password than the keystore.

  4. If there are errors in the configuration, the error is not bubbled up; it is swallowed, and instead a generic message that the secure socket cannot be created is logged. The culprit is this line of code: No SSL error

  5. The only way to really find out the underlying security error is to attach a debugger to the Cassandra instance, which might not be viable for production purposes.

  6. There is no specific error message if SSL setup fails. The only indication is that the nodes keep trying to connect to each other and fail. No mention of the SSL error.

  7. Even if node-to-node communication is encrypted, Thrift will still operate unsecured; Thrift needs to be disabled manually.

  8. Cassandra requires RSA keys. Successfully tested with 1024-bit keys; shorter keys might not work.

  9. The truststore needs to contain the public keys of all the nodes in the cluster. Otherwise a node whose truststore is missing another node's public key will not be able to communicate with that node.

Sample Configuration

 server_encryption_options:
    internode_encryption: all
    keystore: /keystores/node0.keystore
    keystore_password: node0store
    truststore: /keystores/global.truststore
    truststore_password: globalstore
    # More advanced defaults below:
    # protocol: TLS
    # algorithm: SunX509
    #store_type: JKS
    #cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA]
    #require_client_auth: false

Notes:

  • node0.keystore contains the private and public key for the current node

  • the public key of the node was exported from the node0.keystore and imported into global.truststore

  • global.truststore contains all the public keys for all the other nodes in the cluster

Manually Setup Encryption

  1. Create the /keystore folder at the root of the file system (for simplicity).

  2. Download the makekeys.sh script (attached) into /keystore and execute it.

  3. Update cassandra.yaml of each node as shown above. The section is at the bottom of the file.

  4. Restart each Cassandra node.

  5. Watch for any "Secure socket" errors.
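The attached makekeys.sh is not reproduced on this page, so the following is an added keytool script (not the page's script) that performs the same key generation while honouring the warnings above: one RSA keystore per node with identical store and key password, every node certificate imported into a single global.truststore, and a preflight listing of the truststore, since Cassandra itself swallows SSL setup errors. It assumes a JDK keytool on PATH and the hypothetical node names node0, node1 and node2; the page reports 1024-bit keys as tested, while this script uses 2048.

```shell
#!/bin/sh
# Added example, not the page's attached makekeys.sh: build one JKS keystore per
# node and a single global truststore with keytool. Assumes keytool is on PATH.
set -eu

KEYSTORE_DIR="${KEYSTORE_DIR:-/keystores}"  # must be absolute (warning 1)
TRUST_PASS="${TRUST_PASS:-globalstore}"      # truststore password may differ (warning 3)
NODES="${NODES:-node0 node1 node2}"          # hypothetical node names

make_node_keystore() {
    node="$1"; pass="${node}store"
    # Cassandra has no separate key password: -storepass and -keypass must match (warning 2).
    keytool -genkeypair -alias "$node" -keyalg RSA -keysize 2048 \
        -dname "CN=$node, OU=RHQ, O=Cassandra" -validity 3650 \
        -keystore "$KEYSTORE_DIR/$node.keystore" -storetype JKS \
        -storepass "$pass" -keypass "$pass"
    # Export this node's certificate so it can be shared with the other nodes.
    keytool -exportcert -alias "$node" -keystore "$KEYSTORE_DIR/$node.keystore" \
        -storepass "$pass" -file "$KEYSTORE_DIR/$node.cer"
    # Every node's certificate goes into the one shared truststore (warning 9).
    keytool -importcert -noprompt -alias "$node" -file "$KEYSTORE_DIR/$node.cer" \
        -keystore "$KEYSTORE_DIR/global.truststore" -storetype JKS -storepass "$TRUST_PASS"
}

# Preflight: fail loudly here, because Cassandra only logs a generic
# "secure socket" message when the SSL setup is wrong (warnings 4-6).
check_truststore() {
    for n in $NODES; do
        keytool -list -keystore "$KEYSTORE_DIR/global.truststore" -storepass "$TRUST_PASS" \
            -alias "$n" >/dev/null 2>&1 || { echo "truststore is missing $n" >&2; return 1; }
    done
}

main() {
    KEYSTORE_DIR="$1"
    case "$KEYSTORE_DIR" in /*) ;; *) echo "keystore dir must be absolute" >&2; return 1 ;; esac
    mkdir -p "$KEYSTORE_DIR"
    for n in $NODES; do make_node_keystore "$n"; done
    check_truststore && echo "global.truststore holds certificates for: $NODES"
}

if [ $# -ge 1 ]; then
    main "$1"
else
    echo "usage: $0 /absolute/keystore/dir" >&2
fi
```

Run it as `sh makekeys.sh /keystores`; the generated paths then match the sample configuration above.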

Downloads

Make keys utility: makekeys.sh

JBoss.org Content Archive (Read Only), exported from JBoss Community Documentation Editor at 2020-03-13 08:17:07 UTC, last content change 2013-09-18 19:41:53 UTC.