JBoss Community Archive (Read Only)

RHQ 4.9

Note To Node Encryption Cassandra


  1. Never use relative paths for keystores and truststores, they do not work, files are not found on disk properly.

  2. The store and key password need to be identical, Cassandra does not have separate settings for those.

  3. The truststore can have a different password than the keystore.

  4. If there are errors with the configuration, the error is not bubbled up, it's just swallowed and instead a generic message the Secure Socket cannot be created is logged. The culprit is this line of code: No SSL error

  5. The only way to really find out the security error is to attach a debugger to the Cassandra instance, which might not be viable for production purposes. 

  6. There is no specific error message if SSL setup fails. The only indication is that the nodes keep trying to connect to each other and fail. No mention of the SSL error.

  7. Even if node-to-node communication is encrypted, thrift will still operate unsecured; thrift needs to be manually disabled.

  8. Cassandra requires RSA keys. Successfully tested with 1024 bit keys, shorter keys might not work.

  9. The truststore needs to contain all the public keys for all the nodes in the cluster. Otherwise the node with the missing public key will not be able to communicate with the node that has the missing certificate.

Sample Configuration

    internode_encryption: all
    keystore: /keystores/node0.keystore
    keystore_password: node0store
    truststore: /keystores/global.truststore
    truststore_password: globalstore
    # More advanced defaults below:
    # protocol: TLS
    # algorithm: SunX509
    #store_type: JKS
    #cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA]
    #cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA]
    #require_client_auth: false


  • node0.keystore contains the private and public key for the current node

  • the public key of the node was exported from the node0.keystore and imported into global.truststore

  • global.truststore contains all the public keys for all the other nodes in the cluster

Manually Setup Encryption

  1. Create /keystore folder at the root of the file system (for simplicity).

  2. Download the makekeys.sh script (attached) in /keystore and execute it 

  3. Update cassandra.yaml of each node as shown above. The section is at the bottom of the file.

  4. Restart each Cassandra node.

  5. Watch for any "Secure socket" errors.


Make keys utility: makekeys.sh

JBoss.org Content Archive (Read Only), exported from JBoss Community Documentation Editor at 2020-03-13 08:17:07 UTC, last content change 2013-09-18 19:41:53 UTC.