Encryption in Cassandra
Client-Server Encryption
By default, Cassandra communicates with clients over an insecure channel, which means attackers can set up Man-In-The-Middle (MITM) attacks to steal data or credentials that are sent over the wire. To mitigate this, encryption should be enabled. Cassandra provides this option through its client_encryption_options.
Cassandra achieves its encryption by relying on TLS (the successor of SSL). TLS relies on certificates to create a secure communication channel. To enable TLS, you will need to obtain a certificate for each Cassandra node.
There are two options: you can create a so-called self-signed certificate, or you can purchase one from a trusted public certification authority (e.g. Comodo, Digicert, etc.). Self-signed certificates are free of charge but are not automatically trusted by browsers or other clients. Purchased certificates will cost some money but are typically already trusted by most operating systems and browsers. If you decide to deploy purchased certificates, skip the section about generating the certificates below and go directly to Configuring the client_encryption_options.
Generating the certificates
To generate the certificates, you will need two tools: openssl and the Java keytool. Both of these can run on Linux and Windows.
Create a certificate configuration file. This will make it easier to generate a root CA certificate later.
In the example below, a certificate configuration file called rootCA_cert.conf is created.
# rootCA_cert.conf [ req ] distinguished_name = req_distinguished_name prompt = no # Make sure to set a strong password below output_password = <STRONG PASSWORD HERE> # Increase default_bits for a stronger encryption key default_bits = 4096 [ req_distinguished_name ] # Set your country code below C = BE # Set your organization name below O = SkylineCommunications # Important! Set your Cassandra Cluster name below OU = DMS CN = rootCaNote
Make sure the OU is set to the name of your Cassandra cluster, typically DMS. You can find this cluster_name tag in the cassandra.yaml file.
Generate the root CA certificate by executing the following command:
openssl req -config path/to/rootCa_cert.conf -new -x509 -nodes -keyout rootCa.key -out rootCa.crt -days 365The private key will now be saved to a new file named rootCa.key. The public certificate (including its public key) will be saved to rootCa.crt. In the example above, the certificate will be valid for 365 days because this is configured with the -days parameter.
Generate certificates for the individual Cassandra nodes using the keytool command:
keytool -genkeypair -keyalg RSA -alias <NODE IP ADDRESS> -keystore <NODE IP>.jks -storepass <STRONG PASSWORD> -keypass <STRONG PASSWORD> -validity 365 -keysize 4096 -dname "CN=<NODE IP>, OU=<CLUSTER NAME>, O=<ORGANIZATION>, C=<COUNTRY CODE>" -ext "san=ip:<NODE IP>"Note
It is important to also set the OU to the name of your Cassandra cluster. Also, make sure that the values for
-storepassand-keypassare equal. This is a known limitation in Cassandra. The certificate above will be valid for 365 days, based on the configuration of the-validityparameter.Repeat the previous step for every node in the Cassandra cluster.
Now that you have certificates for every node, digitally sign them with the private key of the root CA certificate. To do so, first create a certificate signing request (CSR).
keytool -certreq -keystore <NODE IP>.jks -alias <NODE IP> -file <NODE IP>.csr -keypass <STRONG PASSWORD> -storepass <STRONG PASSWORD>Digitally sign the node certificates with the root certificate authority.
openssl x509 -req -CA path/to/rootCa.crt -CAkey path/to/rootCa.key -in <NODE IP>.csr -out <NODE IP>.crt_signed -days 365 -CAcreateserial -passin pass:<ROOT CA PASSWORD>Make sure <ROOT CA PASSWORD> matches the password used to create the root CA certificate.
For every node, import the root certificate into the Java KeyStore (JKS) for that node.
keytool -keystore <NODE IP>.jks -alias rootca_name -importcert -file path/to/rootCa.crt -keypass <STRONG PASSWORD> -storepass <STRONG PASSWORD> -nopromptAlso import the signed certificate.
keytool -keystore <NODE IP>.jks -alias rootca_name -importcert -file <NODE IP ADDRESS>.crt_signed -keypass <STRONG PASSWORD> -storepass <STRONG PASSWORD> -noprompt
Now the certificates are all set, and you can configure the Cassandra cluster to use them. This is explained in the next section.
Configuring the client_encryption_options
The client_encryption_options allow you to encrypt all the traffic between DataMiner and Cassandra.
To enable client-server TLS encryption:
Copy the Java KeyStores to the node
Open the cassandra.yaml file, and locate the client_encryption_options.
Set enabled to true to enable TLS.
Set optional to false to make sure TLS encrypted is required.
Note
In order to test your changes without production impact, you can set optional to true until you have verified whether you can connect using TLS.
Set keystore to the path to the .jks file containing the certificates. Set keystore_password to the <STRONG PASSWORD> you used to generate them.
client_encryption_options: enabled: true # If enabled and optional is set to true, both encrypted and unencrypted connections are handled. optional: false keystore: path/to/<NODE IP>.jks keystore_password: <STRONG PASSWORD>Save the changes in the cassandra.yaml and restart the Cassandra service.
Configuring the server_encryption_options
The server_encryption_options allow you to encrypt all the traffic between the Cassandra nodes, which is often referred to as inter-node encryption.
To enable inter-node TLS encryption:
Copy the Java KeyStores to the corresponding node
Open the cassandra.yaml file, and locate the server_encryption_options.
Set internode_encryption to all to enable TLS.
Set optional to false to make sure TLS encrypted is required.
Note
In order to test your changes without production impact, you can set optional to true until you have verified whether you can connect using TLS.
Set keystore and truststore to the path to the .jks file containing the certificates. Set keystore_password and truststore_password to the <STRONG PASSWORD> you used to generate the certificates.
server_encryption_options: internode_encryption: all # If enabled and optional is set to true, both encrypted and unencrypted connections are handled. optional: false keystore: path/to/<NODE IP>.jks keystore_password: <YOUR PASSWORD> truststore: /path/to/<NODE IP>.jks truststore_password: <YOUR PASSWORD>Save the changes in the cassandra.yaml and restart the Cassandra service.
Connecting with DevCenter
In order to connect over TLS with DevCenter, you will have to install the Java Cryptography Extensions (JCE). For more information, see Connecting DevCenter to SSL/TLS-enabled Cassandra.
When you have done so:
Start DevCenter by executing
C:\Program Files\Cassandra\DevCenter\Run DevCenter.lnk.In DevCenter, open your connection properties.
Go to Advanced and select This cluster requires SSL.
Point it towards your rootCA.jks truststore file and use the password you used to generate it.
Connecting with DataMiner
Ensure TLS encryption is working by connecting to the Cassandra database through DevCenter.
Stop the DataMiner agent.
In the
C:\Skyline DataMinerfolder, open DB.xml.Locate the active <Database> tag for Cassandra and add <TLSEnabled>true</TLSEnabled>.
For example:
<DataBase active="True" local="true" type="CassandraCluster"> <ConnectString></ConnectString> <DBServer>1.1.1.1,2.2.2.2</DBServer> <DSN></DSN> <DB>SLDMADB</DB> <UID>username</UID> <PWD>password</PWD> <TLSEnabled>true</TLSEnabled> </DataBase>If you are using self-signed certificates:
Import the rootCa.crt in the Windows certificate store.
On your DataMiner Agent, double-click the rootCa.crt file and click Install Certificate.
Select Local Machine and place the certificate in the Trusted Root Certification Authorities.
Click Next and Finish to complete the import.
Start the DataMiner Agent. It should now communicate with the database over a TLS-encrypted channel.
Note
The Cassandra and SLDBConnection DataMiner log files can help in case you need to troubleshoot issues.