Enabling server authentication

When server authentication is enabled, Global Mailbox clients connect only to Cassandra servers whose certificates they trust, which reduces the risk of connecting to an impostor server.

Before you begin

Complete the following tasks:
  1. Generating a self-signed personal certificate
  2. Creating a truststore
  3. Enabling client-to-node encryption
  4. Enabling node-to-node encryption
  5. Enabling client authentication

About this task

By default, when client-to-node encryption is first enabled, Global Mailbox clients trust any Cassandra server, whatever certificate it presents. Enable server authentication to restrict connections to trusted Cassandra servers only.

Procedure

To enable server authentication, complete the following steps:

  1. Select the server certificates to trust, either by interactively connecting to every server and choosing a certificate from each server's chain (option a), or by providing an existing truststore file (option b).
    a. To retrieve certificates from all of your Cassandra servers, type dbConfigUtility.sh setSSL --adminUser=admin --adminPassword=<password> --chooseTrust
      Note: Utilities are located at <SI-install>/MailboxUtilities/admin/bin/.

      The script connects to each Cassandra server, establishes an SSL handshake (with the configured protocol), displays the server certificate chain on the console, and prompts for which certificate in the chain to trust.

      The first certificate in the chain is the server's public certificate. If that certificate is not self-signed, the certificate of its issuer is displayed next, then the certificate of that issuer's issuer, and so on until the root CA certificate is reached. If all server certificates are signed by the same CA, choosing that CA certificate is sufficient to trust all servers.

      The chosen certificate from the chain is added to an internal JKS truststore file in the data center shared configuration directory (<config_root>/cassandra.truststore). Because all Global Mailbox nodes in the local data center use this same truststore file, run this command only once, from any Global Mailbox client node in the local data center. Ensure that all Cassandra servers are started and online before you run it.

    b. To retrieve specific certificates from an existing truststore, type dbConfigUtility.sh setSSL --adminUser=admin --adminPassword=<password> --trustStoreFile=<file> --trustStoreType=<type> --trustStorePassword=<password> --trustAlias=<alias>

      The script copies certificates from the specified truststore file into the internal JKS truststore file in the data center shared configuration directory (<config_root>/cassandra.truststore). If --trustAlias is specified, only the certificate with that alias is copied to the shared truststore; otherwise, all certificates in the given truststore file are copied. The truststore file can be the same truststore that is used for node-to-node encryption on the Cassandra servers.

  2. Restart every Global Mailbox Administration Server node by running the following commands:
    1. To stop Global Mailbox Administration Server, type ./stopGMAdmin.sh.
    2. To start Global Mailbox Administration Server, type ./startGMAdmin.sh.
  3. Restart the Global Mailbox Client Adapter on every B2Bi node.
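The trust decision that the --chooseTrust prompt asks for, as an added example that is not part of the Global Mailbox utilities: each server's chain is modelled as (subject, issuer) pairs with constructed names, and the narrowest certificate common to every chain is chosen, so an intermediate CA is preferred over the root above it, a single server's own certificate over any CA, and servers that share no issuer each get their own certificate trusted.

```python
"""Pick the narrowest certificate that covers every Cassandra server's chain.

Added example: chains are (subject, issuer) pairs ordered leaf first, as the
--chooseTrust prompt displays them. Names below are constructed, not real.
"""
from typing import List, Tuple

Cert = Tuple[str, str]   # (subject DN, issuer DN)
Chain = List[Cert]       # server certificate first, root CA last


def validate_chain(chain: Chain) -> None:
    """Reject a chain whose links do not connect or that lacks a root."""
    if not chain:
        raise ValueError("empty certificate chain")
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            raise ValueError(f"chain broken: {issuer!r} did not issue {next_subject!r}")
    subject, issuer = chain[-1]
    if subject != issuer:
        raise ValueError(f"chain does not end in a self-signed root: {subject!r}")


def choose_trust(chains: List[Chain]) -> List[str]:
    """Return the certificate subjects to add to the shared truststore."""
    for chain in chains:
        validate_chain(chain)
    if not chains:
        return []
    # Certificates present in every chain, ordered leaf towards root.
    common = [cert for cert in chains[0] if all(cert in c for c in chains[1:])]
    if common:
        # Closest common certificate to the leaves: an intermediate CA admits
        # fewer servers than the root CA, and one server's own certificate
        # admits only that server.
        return [common[0][0]]
    # No shared issuer at all: trust each server's own certificate.
    leaves: List[str] = []
    for chain in chains:
        if chain[0][0] not in leaves:
            leaves.append(chain[0][0])
    return leaves


# Constructed sample: three servers issued by the same intermediate CA.
ROOT = ("CN=Example Root CA", "CN=Example Root CA")
ISSUING = ("CN=Example Issuing CA", "CN=Example Root CA")
SAMPLE_CHAINS = [
    [("CN=cassandra1.example.test", "CN=Example Issuing CA"), ISSUING, ROOT],
    [("CN=cassandra2.example.test", "CN=Example Issuing CA"), ISSUING, ROOT],
    [("CN=cassandra3.example.test", "CN=Example Issuing CA"), ISSUING, ROOT],
]
```

Running choose_trust(SAMPLE_CHAINS) selects the issuing CA rather than the root, which is the least-privilege choice the page's guidance on a shared CA implies.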

What to do next

For more details, refer to Verifying SSL connections.