Enabling SSL on cqlsh

After you enable client-to-node encryption, you must also enable SSL on cqlsh before you can connect with it.

To enable SSL on cqlsh, complete the following steps:

  1. Log in to the Cassandra server as the user who installed Sterling B2B Integrator and Global Mailbox.
  2. Convert the JKS keystore of the server to PKCS12 by running the following command:
    keytool -importkeystore -srckeystore <path to JKS keystore> -srcstoretype JKS -srcstorepass <keystore password> -destkeystore <path to PKCS12 keystore> -deststoretype PKCS12 -deststorepass <keystore password>
  3. Generate the PEM files (the certificate and the private key) from the PKCS12 keystore by running the following commands:
    openssl pkcs12 -in <path to PKCS12 keystore> -nokeys -out <path to certificate PEM file> -passin pass:<keystore password>
    openssl pkcs12 -in <path to PKCS12 keystore> -nodes -nocerts -out <path to key PEM file> -passin pass:<keystore password>
  4. Create a file that is named cqlshrc in the <cassandra-install>/conf directory with the following lines. The userkey property points to the key PEM file and the usercert property to the certificate PEM file from step 3:
    [ssl]
    validate = false
    userkey = <path to key PEM file for this node>
    usercert = <path to certificate PEM file for this node>
    
    [certfiles]
    <server-1 IP address> = <path to server-1's certificate>
    <server-2 IP address> = <path to server-2's certificate>
      :
    <server-n IP address> = <path to server-n's certificate>
  5. Optional: If you specify the TLS protocol version in cassandra.yaml, you must also include it in cqlshrc. Valid values are TLSv1, TLSv1_1, and TLSv1_2.
    The following is an example of cqlshrc configured to use the TLS protocol version 1.2:
    [ssl]
    validate = false
    userkey = <path to key PEM file for this node>
    usercert = <path to certificate PEM file for this node>
    version = TLSv1_2
    Note: If you specify the version as TLS, a bug in the cqlsh tool prevents it from starting. If the value TLS is intended, omit the version property; the tool then assumes the value TLS.
  6. Copy the server certificate that was exported when the personal certificates were created in Generating a self-signed personal certificate to the file system of each Cassandra node, or to a shared file system that is accessible from each Cassandra node.
  7. Start cqlsh with SSL by running the following command:
    cqlsh --ssl --cqlshrc <path to cqlshrc file> <server ip address>
  8. Repeat steps 1 - 7 on all Cassandra servers.
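The procedure above (steps 2, 3, 4, 5 and 7) wrapped into POSIX shell functions, as an added example that is not part of the IBM documentation. The keytool, openssl and cqlsh command lines are the ones the steps give; everything else (the function names, the node.p12/node-cert.pem/node-key.pem file names, the /opt paths, IP addresses and password in the usage comment) is assumed for illustration. The write_cqlshrc function checks the PEM block type of each file before it writes cqlshrc, so that the private key always lands in userkey and the certificate in usercert.

```sh
#!/bin/sh
# Added example, not code from the IBM documentation. Paths, file names and the
# usage values at the bottom are assumptions; the tool invocations follow the steps.
set -eu

# Steps 2 and 3: JKS -> PKCS12 -> PEM (one certificate file, one unencrypted key file).
# Arguments: <path to JKS keystore> <keystore password> <output directory>
export_pems() {
    jks=$1; pass=$2; out=$3
    mkdir -p "$out"
    keytool -importkeystore -srckeystore "$jks" -srcstoretype JKS -srcstorepass "$pass" \
        -destkeystore "$out/node.p12" -deststoretype PKCS12 -deststorepass "$pass"
    # -nokeys keeps only the certificate; -nodes -nocerts keeps only the key, unencrypted
    openssl pkcs12 -in "$out/node.p12" -nokeys -out "$out/node-cert.pem" -passin "pass:$pass"
    openssl pkcs12 -in "$out/node.p12" -nodes -nocerts -out "$out/node-key.pem" -passin "pass:$pass"
}

# Returns 0 when the PEM file in $1 contains a "-----BEGIN ...$2-----" block, 1 otherwise.
# Used to catch the easy mistake of assigning the certificate to userkey and the key to usercert.
pem_has() {
    grep -q -- "-----BEGIN .*$2-----" "$1"
}

# Step 4, plus the optional version line of step 5: write cqlshrc.
# Arguments: <cqlshrc path> <key PEM> <certificate PEM> <TLS version or ""> then
#            one "<server IP>=<path to server certificate>" pair per Cassandra node
write_cqlshrc() {
    rc=$1; key=$2; cert=$3; version=$4; shift 4
    pem_has "$key" "PRIVATE KEY" || { echo "userkey is not a private key PEM: $key" >&2; return 1; }
    pem_has "$cert" "CERTIFICATE" || { echo "usercert is not a certificate PEM: $cert" >&2; return 1; }
    {
        echo "[ssl]"
        echo "validate = false"
        echo "userkey = $key"
        echo "usercert = $cert"
        # Only TLSv1, TLSv1_1 or TLSv1_2 are valid here; a bare "TLS" keeps cqlsh from starting.
        if [ -n "$version" ]; then
            echo "version = $version"
        fi
        echo ""
        echo "[certfiles]"
        for pair in "$@"; do
            echo "${pair%%=*} = ${pair#*=}"
        done
    } > "$rc"
}

# Step 7: start cqlsh against one node with the generated cqlshrc.
# Arguments: <cqlshrc path> <server IP address>
start_cqlsh() {
    cqlsh --ssl --cqlshrc "$1" "$2"
}

# Usage on one node (all values below are assumed examples); repeat on every node (step 8):
#   export_pems /opt/keystores/node.jks 'changeit' /opt/cassandra/conf/ssl
#   write_cqlshrc /opt/cassandra/conf/cqlshrc /opt/cassandra/conf/ssl/node-key.pem \
#       /opt/cassandra/conf/ssl/node-cert.pem TLSv1_2 \
#       10.0.0.11=/opt/cassandra/conf/ssl/server-1.pem 10.0.0.12=/opt/cassandra/conf/ssl/server-2.pem
#   start_cqlsh /opt/cassandra/conf/cqlshrc 10.0.0.11
```

The script only defines the functions; the usage comment shows the calls for a single node. Two points matter when you adopt it: validate = false, which the page's cqlshrc uses, means cqlsh does not check the server's certificate against the [certfiles] entries, so the connection is encrypted but the server is not authenticated; and the key PEM that openssl -nodes writes is unencrypted, so the output directory should be readable only by the user from step 1.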