Securing Cassandra JMX

To secure Cassandra JMX, configure a JMX user name and password in Cassandra. All Cassandra nodes must be configured with the same user name and password for JMX security.

Before you begin

Configure Cassandra to enable remote JMX connections and set a user name and password.

About this task

Note: If you configured Cassandra JMX in Global Mailbox v6.1.0.x and then upgraded to v6.2.0 or later, the configuration is lost after the upgrade and you must reconfigure it by following the procedure below.

Procedure

  1. Enable JMX authentication in Cassandra.
    1. Navigate to GlobalMailbox_Dir/apache-cassandra/conf/ and open the file cassandra-env.sh in edit mode.
    2. Find all the occurrences of:
      JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=false"
      Change the value of the parameter from false to true.
    3. Find the occurrence of:
      JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.password.file=/etc/cassandra/jmxremote.password"
      Change the path of jmxremote.password to the file that contains the Cassandra JMX authentication information. For example,
      JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.password.file=/GlobalMailbox_Dir/apache-cassandra/conf/jmxremote.password"
    4. Find the occurrence of:
      #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.access.file=/etc/cassandra/conf/jmxremote.access"
      Uncomment the line and modify the path. For example,
      JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.access.file=/GlobalMailbox_Dir/apache-cassandra/conf/jmxremote.access"
    5. Save and close cassandra-env.sh.
    6. Navigate to GlobalMailbox_Dir/apache-cassandra/conf/ and create a new file jmxremote.password with the following content:
      <cassandra jmx username> <cassandra jmx password>
      Note: Ensure that only the user who runs Cassandra has read access to this file.
    7. Navigate to GlobalMailbox_Dir/apache-cassandra/conf/ and create a new file jmxremote.access with the following content:
      <cassandra jmx username>  readwrite
  2. Configure JMX user name and password for Cassandra Reaper.
    1. Navigate to GlobalMailbox_Dir/apache-cassandra/reaper/conf/ and open cassandra-reaper.yaml in edit mode.
    2. Locate the jmxPorts section. This section lists the ports for each hostname. Add the IP address and port number as additional entries for each hostname.
      For example:
      jmxPorts:
        host1: 13199
        # IP entry for host1
        192.168.1.145: 13199
        host2: 13199
        # IP entry for host2
        192.168.1.152: 13199
    3. Uncomment the following lines:
      #jmxAuth:
      #  username: myUsername
      #  password: myPassword
      • Replace myUsername with the Cassandra JMX user name.
      • Replace myPassword with the Cassandra JMX password.
  3. Restart Cassandra, ZooKeeper, and Cassandra Reaper by using the following commands:
    stopGM.sh
    startGM.sh
  4. Verify that JMX authentication is required.
    The command nodetool status should result in the following error:
    SecurityException: 'Authentication failed! Credentials required'.
  5. Verify that the JMX user name and password are correct by using the following command:
    nodetool -u <cassandra jmx username> -pw <cassandra jmx password> status
  6. Configure JMX with SSL. For more information, see Using JMX with SSL encryption.
  7. Verify Reaper by performing the following steps:
    1. Examine the log files to ensure that the Reaper is connected.
    2. Using the Reaper UI, ensure that the Reaper has begun repairs.
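
The following script is an added example, not part of the original procedure or of the product. It audits cassandra-env.sh against steps 1.2 to 1.7 before the restart in step 3. The function name check_jmx_env and the FAIL messages are made up for this example, and the mode check assumes a stat command that accepts GNU -c or BSD -f.

```shell
# Audit cassandra-env.sh against steps 1.2-1.7 of the procedure above.
# check_jmx_env FILE: prints one line per finding, returns the finding count.
check_jmx_env() {
  env_file=$1; findings=0; pw_file=; acc_file=
  fail() { echo "FAIL: $*"; findings=$((findings + 1)); }

  # Commented-out lines have no effect, so look at active lines only.
  active=$(grep -v '^[[:space:]]*#' "$env_file" || true)

  # Step 1.2: every occurrence of authenticate must be true.
  if echo "$active" | grep -q 'jmxremote\.authenticate=false'; then
    fail "jmxremote.authenticate=false is still set"
  fi
  echo "$active" | grep -q 'jmxremote\.authenticate=true' ||
    fail "jmxremote.authenticate=true not found"

  # Steps 1.3 and 1.4: both files must be configured and must exist.
  for kind in password access; do
    path=$(echo "$active" |
      sed -n "s/.*jmxremote\.$kind\.file=\([^\" ]*\).*/\1/p" | tail -n 1)
    if [ -z "$path" ]; then
      fail "jmxremote.$kind.file is missing or still commented out"
    elif [ ! -f "$path" ]; then
      fail "jmxremote.$kind.file points to missing file $path"
    elif [ "$kind" = password ]; then
      pw_file=$path
      # Note in step 1.6: only the Cassandra user may read this file.
      mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
      case $mode in
        [0-7]00) ;;
        *) fail "$path has mode $mode; group and other must have no access" ;;
      esac
    else
      acc_file=$path
    fi
  done

  # Steps 1.6 and 1.7: each user with a password needs an access entry.
  if [ -n "$pw_file" ] && [ -n "$acc_file" ]; then
    for user in $(awk 'NF && $1 !~ /^#/ {print $1}' "$pw_file"); do
      awk -v u="$user" '$1 == u {ok=1} END {exit !ok}' "$acc_file" ||
        fail "user $user has a password but no entry in $acc_file"
    done
  fi
  return "$findings"
}
```

Run it on each node as check_jmx_env GlobalMailbox_Dir/apache-cassandra/conf/cassandra-env.sh; an exit status of 0 means no findings.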