Learn how to configure mTLS for Cassandra.
About this task
Complete the following steps to configure mTLS for inter-cluster and intra-cluster communication
so that you can use Cassandra with geo-redundancy securely.
Procedure
- Cassandra TLS is disabled by default. To enable TLS, add the following to the Netcool®
Operations Insight® instance:
  spec:
    helmValuesNOI:
      global.internalCaCertificate.secretName: noi-root-ca # Optional name of the secret containing the certificate. Default: noi-root-ca
      global.internalCaCertificate.certificateName: tls.crt # Optional name of certificate within the secret. Default: tls.crt
      global.internalCaCertificate.certificateKeyName: tls.key # Optional name of key within the secret. Default: tls.key
      global.cassandra.clientEncryption: true # Enables TLS for Cassandra client communication
      global.cassandra.requireClientAuth: true # Enables mutual TLS; also requires enableMTLS
      global.cassandra.enableMTLS: true # Enables mutual TLS; also requires requireClientAuth
      ibm-hdm-analytics-dev.cassandra.internodeEncryption: all # Enables mutual TLS between nodes and clusters. Default: none
Note: Optional: Configure mTLS for Cassandra. This configuration is used by both Kafka and
Cassandra.
- Use the existing CA Certificate secret or create a new one. noi-root-ca is the default CA
Certificate secret that is used in step 1. To create a CA Certificate secret, see Creating secrets.
- Restart the Netcool Operations Insight operator to reset the topology pods. These topology pods
connect to the Cassandra pod that is running in TLS mode.
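
The settings in step 1 depend on each other (requireClientAuth and enableMTLS must be set together), so a partial edit can leave mutual TLS off without an obvious error. The following check is an added example, not part of the product documentation: it lints a helmValuesNOI mapping, already loaded as a Python dict, for the keys shown above. The function names and sample values are constructed, and treating an unset boolean key as false is an assumption based on TLS being disabled by default.

```python
# Added example: lint helmValuesNOI for the Cassandra TLS keys from step 1.
# Function names and sample values below are constructed for illustration.

KEY_CLIENT_ENC = "global.cassandra.clientEncryption"
KEY_REQUIRE_AUTH = "global.cassandra.requireClientAuth"
KEY_ENABLE_MTLS = "global.cassandra.enableMTLS"
KEY_INTERNODE = "ibm-hdm-analytics-dev.cassandra.internodeEncryption"


def _is_true(value):
    """Treat YAML booleans and the strings 'true'/'True' as enabled."""
    return str(value).strip().lower() == "true"


def check_cassandra_tls(helm_values):
    """Return a list of findings; an empty list means the page's settings are all present."""
    findings = []
    # Assumption: an unset boolean key behaves as false (TLS is off by default).
    client_enc = _is_true(helm_values.get(KEY_CLIENT_ENC, False))
    require_auth = _is_true(helm_values.get(KEY_REQUIRE_AUTH, False))
    enable_mtls = _is_true(helm_values.get(KEY_ENABLE_MTLS, False))
    internode = str(helm_values.get(KEY_INTERNODE, "none")).strip().lower()

    if not client_enc:
        findings.append(f"{KEY_CLIENT_ENC} is not true: client connections are not using TLS")
    if require_auth != enable_mtls:
        # Each key's comment on the page says it also requires the other.
        findings.append(f"{KEY_REQUIRE_AUTH} and {KEY_ENABLE_MTLS} must both be true")
    elif not require_auth:
        findings.append("mutual TLS is not enabled for client connections")
    if internode != "all":
        findings.append(f"{KEY_INTERNODE} is '{internode}', expected 'all'")
    return findings


# Constructed sample: enableMTLS forgotten, internodeEncryption left at its default.
INCOMPLETE = {KEY_CLIENT_ENC: True, KEY_REQUIRE_AUTH: True}

# Constructed sample matching the values shown in step 1.
COMPLETE = {KEY_CLIENT_ENC: True, KEY_REQUIRE_AUTH: True,
            KEY_ENABLE_MTLS: True, KEY_INTERNODE: "all"}

if __name__ == "__main__":
    for name, values in (("incomplete", INCOMPLETE), ("complete", COMPLETE)):
        problems = check_cassandra_tls(values)
        print(name, "->", problems or "OK")
```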