Enabling SSL on cqlsh
After you enable client-to-node encryption, cqlsh can no longer connect over plain text, so you must also enable SSL on cqlsh before you can use it.
To enable SSL on cqlsh, complete the following steps:
1. Log in to the Cassandra server as the user who installed Sterling B2B Integrator and Global Mailbox.
2. Convert the JKS keystore of the server to PKCS12 by running the following command:
   keytool -importkeystore -srckeystore <path to JKS keystore> -srcstoretype JKS -srcstorepass <keystore password> -destkeystore <path to PKCS12 keystore> -deststoretype PKCS12 -deststorepass <keystore password>
3. Generate the PEM files from the PKCS12 keystore by running the following commands. The first command exports only the certificate; the second exports only the unencrypted private key:
   openssl pkcs12 -in <path to PKCS12 keystore> -nokeys -out <path to certificate PEM file> -passin pass:<keystore password>
   openssl pkcs12 -in <path to PKCS12 keystore> -nodes -nocerts -out <path to key PEM file> -passin pass:<keystore password>
4. Create a file that is named cqlshrc in the <cassandra-install>/conf directory with the following lines (userkey points to the key PEM file and usercert to the certificate PEM file that you generated in step 3):
   [ssl]
   validate = false
   userkey = <path to key PEM file for this node>
   usercert = <path to certificate PEM file for this node>

   [certfiles]
   <server-1 IP address> = <path to server-1's certificate>
   <server-2 IP address> = <path to server-2's certificate>
   :
   <server-n IP address> = <path to server-n's certificate>
5. Optional: If you specify the TLS protocol version in cassandra.yaml, you must also include it in cqlshrc. Valid values are TLSv1, TLSv1_1, and TLSv1_2. The following is an example of cqlshrc configured to use TLS protocol version 1.2:
   [ssl]
   validate = false
   userkey = <path to key PEM file for this node>
   usercert = <path to certificate PEM file for this node>
   version = TLSv1_2
   Note: If you specify the version as TLS, a bug in the cqlsh tool prevents it from starting. If the value TLS is intended, omit the version property and the tool assumes the value TLS.
6. Copy the server certificate that was exported when the personal certificates were created in Generating a self-signed personal certificate to the file system of each Cassandra node, or to a shared file system that is accessible from each Cassandra node.
7. Start cqlsh with SSL by running the following command:
   cqlsh --ssl --cqlshrc <path to cqlshrc file> <server ip address>
8. Repeat steps 1 - 7 on all Cassandra servers.
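The following script is an added example that is not part of the IBM documentation; it strings steps 2 through 7 together so that the keystore conversion, PEM export, and cqlshrc generation can be repeated identically on every node. The function names, the node.p12/node-cert.pem/node-key.pem file names, the CQLSH_SSL_RUN environment variable, and the argument layout are assumptions of this example. It requires keytool, openssl, and cqlsh on the PATH only when you actually run the conversion and connection functions; write_cqlshrc itself needs no external tools and refuses the TLS value that the note above says breaks cqlsh.

```shell
#!/bin/sh
# Added example (not from the IBM page): JKS -> PKCS12 -> PEM -> cqlshrc -> cqlsh.
set -eu

# Accept only the protocol versions the documentation lists for cqlshrc.
check_version() {
  case "$1" in
    TLSv1|TLSv1_1|TLSv1_2) return 0 ;;
    *) return 1 ;;
  esac
}

# Steps 2 and 3: convert the server JKS keystore and export the PEM files.
# Args: <JKS path> <keystore password> <output directory>. Needs keytool/openssl.
export_pems() {
  jks="$1"; pass="$2"; outdir="$3"
  p12="$outdir/node.p12"                      # assumed file name
  keytool -importkeystore -srckeystore "$jks" -srcstoretype JKS -srcstorepass "$pass" \
    -destkeystore "$p12" -deststoretype PKCS12 -deststorepass "$pass"
  # -nokeys: certificate only; -nodes -nocerts: unencrypted private key only.
  openssl pkcs12 -in "$p12" -nokeys -out "$outdir/node-cert.pem" -passin "pass:$pass"
  openssl pkcs12 -in "$p12" -nodes -nocerts -out "$outdir/node-key.pem" -passin "pass:$pass"
  chmod 600 "$outdir/node-key.pem"            # the key PEM is unencrypted; keep it owner-only
}

# Steps 4 and 5: print a cqlshrc to stdout.
# Args: <key PEM> <cert PEM> <TLS version or empty> [<server IP>=<cert path> ...]
write_cqlshrc() {
  key="$1"; cert="$2"; version="$3"; shift 3
  printf '[ssl]\n'
  printf 'validate = false\n'                 # value used by the documented procedure
  printf 'userkey = %s\n' "$key"              # private key PEM of this node
  printf 'usercert = %s\n' "$cert"            # certificate PEM of this node
  if [ "$version" = "TLS" ]; then
    # Per the note: a version of TLS prevents cqlsh from starting, so omit the
    # property and let cqlsh assume TLS.
    echo "warning: version TLS omitted from cqlshrc (cqlsh bug)" >&2
  elif [ -n "$version" ]; then
    check_version "$version" || { echo "error: unsupported version $version" >&2; return 1; }
    printf 'version = %s\n' "$version"
  fi
  printf '\n[certfiles]\n'
  for pair in "$@"; do
    printf '%s = %s\n' "${pair%%=*}" "${pair#*=}"   # "<ip>=<path>" -> "<ip> = <path>"
  done
}

# Step 7: connect with SSL using the generated cqlshrc.
start_cqlsh() {
  cqlsh --ssl --cqlshrc "$1" "$2"
}

# Run the full procedure only when explicitly requested (assumed env var), so the
# functions can be sourced without touching keytool or cqlsh.
if [ "${CQLSH_SSL_RUN:-0}" = "1" ]; then
  export_pems "$JKS_PATH" "$KEYSTORE_PASS" "$OUT_DIR"
  write_cqlshrc "$OUT_DIR/node-key.pem" "$OUT_DIR/node-cert.pem" "${TLS_VERSION:-}" "$@" \
    > "$OUT_DIR/cqlshrc"
  start_cqlsh "$OUT_DIR/cqlshrc" "$SERVER_IP"
fi
```

Set CQLSH_SSL_RUN=1 together with JKS_PATH, KEYSTORE_PASS, OUT_DIR, SERVER_IP and optionally TLS_VERSION, and pass the per-server <IP>=<certificate path> pairs as arguments, to run the whole sequence on one node; copy the resulting cqlshrc into <cassandra-install>/conf as step 4 requires.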