Generating a self-signed personal certificate

Each Cassandra server must have a keystore containing a personal certificate (the node's private key together with its public certificate). The personal certificate can be self-signed or signed by a certificate authority (CA). The keystore holds the private key, so it must be readable only by the user that runs Cassandra.

Before you begin

Before you start, refer to the section Installing a Cassandra node.

Procedure

To generate a self-signed personal certificate, complete the following steps:

  1. Log in to the Cassandra server as the user who installed Sterling B2B Integrator and Global Mailbox.
  2. Use the Java™ keytool utility that is provided with the IBM JDK installed during installation, with the following input:
    keytool

    -genkeypair -alias <name> -keyalg <algorithm> -keysize <size> -dname <subject> -validity <days> -keystore <path to keystore> -storepass <password> -keypass <same password> -storetype JKS

    -alias <name>
    Any value. For example, the host name of the server, or a descriptive name like cassandra node 1.
    -keyalg <algorithm>
    The key algorithm is normally RSA.
    -keysize <size>
    Use a key size of 2048.
    -dname <subject>
    The subject is an X.500 Distinguished Name (DN) with a CN (common name), and optionally O (organization), OU (organizational unit), C (country), and other tokens. An example DN is CN=cassandra node 1, OU=Datacenter 1, OU=QA, O=IBM.
    -validity <days>
    The validity specifies the number of days until the personal certificate expires. For self-signed personal certificates used for internal client/server communications, there is no reason to specify short validity periods, so a ten-year expiration (3650) is acceptable.
    -keystore <path to keystore>
    The path to the keystore file can be anywhere, but it is normally in the Cassandra conf directory (for example: /etc/cassandra/conf/keystore.jks).
    -storepass <password>
    The keystore password can be any value of at least six characters. It protects the integrity of the keystore file and, because the key password must equal it, also the private key entry. Note that a password given on the command line is visible in the shell history and in the process list while keytool runs.
    -keypass <same password>
    The key password must be the same as the storepass password.
    -storetype JKS
    The keystore type must be JKS.
    The generated certificate is in the specified keystore.
  3. Export the public certificate that was created in step 2 by using the Java™ keytool utility supplied with the IBM JDK, with the following input. Only the certificate is exported; the private key stays in the keystore.
    -exportcert
    The keytool option that exports a certificate.
    -keystore <path to keystore>
    The path to the keystore file that was created in step 2 (for example: /etc/cassandra/conf/keystore.jks).
    -alias <name>
    The alias that was given to the key pair in step 2.
    -file <path to the file to which the certificate is exported>
    The path to the file that will contain the exported certificate (for example: /etc/cassandra/conf/cassandra.cer). Give the certificate file a different name on each Cassandra node so that the nodes can be told apart when the files are imported into truststores.
    -storepass <password>
    The keystore password that was used in step 2.

    Example

    keytool -exportcert -alias cassandra -keystore <path to keystore> -file <path to cert file> -storepass <password>
  4. Repeat steps 2 and 3 on every Cassandra server in all data centers so that each server has its own personal certificate in its own keystore.
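The following script is an added example and is not part of the IBM documentation or the product. It wraps steps 2 and 3 above for one node, checks the inputs that the procedure constrains before keytool is called (non-empty alias, a DN that starts with CN=, a key password equal to the store password, an RSA key of at least 2048 bits), refuses to overwrite an alias that already exists, restricts the keystore file to its owner, and reads the exported certificate back so that a mistake in the DN or validity is visible immediately. The alias, DN, paths, password and the --run switch are assumed values for illustration.

```shell
#!/bin/sh
# Added example, not IBM's code: self-signed personal certificate for one
# Cassandra node (keytool -genkeypair) plus export of its public certificate
# (keytool -exportcert), with the checks around them. All values are assumed.
set -eu

VALIDITY_DAYS=3650   # ten years, as the procedure allows for internal certificates

# Validate the inputs the procedure constrains. Returns 0 when acceptable,
# 1 (with the reason on stderr) otherwise. Runs without keytool.
check_params() {
  alias="$1"; dname="$2"; keystore="$3"; storepass="$4"; keypass="$5"; keysize="$6"
  if [ -z "$alias" ]; then echo "alias must not be empty" >&2; return 1; fi
  case "$dname" in CN=*) ;; *) echo "dname must start with CN=" >&2; return 1 ;; esac
  if [ "$storepass" != "$keypass" ]; then echo "-keypass must equal -storepass" >&2; return 1; fi
  if [ "${#storepass}" -lt 6 ]; then echo "keystore password must be at least 6 characters" >&2; return 1; fi
  if ! [ "$keysize" -ge 2048 ] 2>/dev/null; then echo "key size must be a number >= 2048" >&2; return 1; fi
  if [ ! -d "$(dirname "$keystore")" ]; then echo "keystore directory does not exist: $(dirname "$keystore")" >&2; return 1; fi
  return 0
}

# Steps 2 and 3 for one node, followed by a read-back of the exported file.
# Arguments: alias, DN, keystore path, certificate file path, password, [key size]
generate_and_export() {
  alias="$1"; dname="$2"; keystore="$3"; cert="$4"; pass="$5"; keysize="${6:-2048}"
  check_params "$alias" "$dname" "$keystore" "$pass" "$pass" "$keysize"

  # Do not silently replace a key pair that is already in use by the cluster.
  if keytool -list -keystore "$keystore" -storepass "$pass" -alias "$alias" >/dev/null 2>&1; then
    echo "alias '$alias' already exists in $keystore; refusing to overwrite" >&2
    return 1
  fi

  # Step 2: generate the key pair and self-signed certificate (JKS, as required).
  keytool -genkeypair -alias "$alias" -keyalg RSA -keysize "$keysize" \
    -dname "$dname" -validity "$VALIDITY_DAYS" \
    -keystore "$keystore" -storepass "$pass" -keypass "$pass" -storetype JKS

  # The keystore now holds the private key: restrict it to the owning user.
  chmod 600 "$keystore"

  # Step 3: export only the public certificate (DER by default; add -rfc for PEM).
  keytool -exportcert -alias "$alias" -keystore "$keystore" \
    -file "$cert" -storepass "$pass"

  # Read the exported certificate back: for a self-signed certificate the
  # Owner and Issuer lines are identical, and the validity window should be
  # VALIDITY_DAYS from today.
  keytool -printcert -file "$cert" | grep -E '^(Owner|Issuer|Valid)'
}

# Example invocation with assumed values; run as:  ./gen-node-cert.sh --run
if [ "${1:-}" = "--run" ]; then
  NODE="cassandra-node1"
  generate_and_export "$NODE" "CN=$NODE, OU=Datacenter 1, O=Example" \
    /etc/cassandra/conf/keystore.jks "/etc/cassandra/conf/$NODE.cer" changeit
fi
```

Run it as the user who installed Sterling B2B Integrator and Global Mailbox, once per node with a node-specific alias and certificate file name. The password is still passed on the keytool command line, as in the procedure above, so clear the shell history afterwards or run the script from a file that is not world-readable.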

What to do next

For more details, refer to the sections:

  1. Creating a truststore
  2. Enabling client-to-node encryption
  3. Enabling node-to-node encryption
  4. Enabling client authentication
  5. Enabling server authentication
  6. Verifying SSL connections