Configuring mTLS for Cassandra

Learn how to configure mTLS for Cassandra.

About this task

Complete the following steps to configure mTLS for inter-cluster and intra-cluster communication so that Cassandra can be used securely with geo-redundancy.

Procedure

  1. Cassandra TLS is disabled by default. To enable TLS, add the following to the Netcool® Operations Insight® instance:
    spec:
      helmValuesNOI:
        global.internalCaCertificate.secretName: noi-root-ca # Optional name of the secret containing the certificate. Default: noi-root-ca
        global.internalCaCertificate.certificateName: tls.crt # Optional name of the certificate within the secret. Default: tls.crt
        global.internalCaCertificate.certificateKeyName: tls.key # Optional name of the key within the secret. Default: tls.key
        global.cassandra.clientEncryption: true # Enables TLS for Cassandra client communication
        global.cassandra.requireClientAuth: true # Enables mutual TLS; also requires enableMTLS
        global.cassandra.enableMTLS: true # Enables mutual TLS; also requires requireClientAuth
        ibm-hdm-analytics-dev.cassandra.internodeEncryption: all # Enables mutual TLS between nodes and clusters. Default: none
    Note: Configuring mTLS for Cassandra is optional. This configuration is used by both Kafka and Cassandra.
  2. Use the existing CA Certificate secret or create a new one. noi-root-ca is the default CA Certificate secret that is used in step 1. To create a CA Certificate secret, see Creating secrets.
  3. Restart the Netcool Operations Insight operator to reset the topology pods. These topology pods connect to the Cassandra pod that is running in TLS mode.
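
The settings in step 1 depend on each other: requireClientAuth and enableMTLS must be set together, and internodeEncryption stays at none unless it is changed. The following check is an added example, not part of the product or its documentation. It lints a flat helmValuesNOI block before it is applied; the helper names parse_values and lint_mtls and the SAMPLE input are assumptions constructed for illustration.

```python
# Added example: lint helmValuesNOI for the mTLS settings described in step 1.
# SAMPLE is constructed input; parse_values and lint_mtls are hypothetical helpers.

SAMPLE = """\
global.cassandra.clientEncryption: true
global.cassandra.requireClientAuth: true   # enableMTLS is missing
ibm-hdm-analytics-dev.cassandra.internodeEncryption: none
"""

def parse_values(text):
    """Parse flat 'key: value  # comment' lines into a dict of lowercase strings."""
    values = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        values[key.strip()] = value.strip().strip("'\"").lower()
    return values

def lint_mtls(values):
    """Return a list of findings; an empty list means the mTLS settings are consistent."""
    findings = []

    def on(key):
        return values.get(key) == "true"

    if not on("global.cassandra.clientEncryption"):
        findings.append("clientEncryption is not true: client traffic is not TLS-protected")
    auth = on("global.cassandra.requireClientAuth")
    mtls = on("global.cassandra.enableMTLS")
    if auth != mtls:
        # One flag without the other does not give mutual TLS.
        findings.append("requireClientAuth and enableMTLS must both be true for mutual TLS")
    elif not auth:
        findings.append("mutual TLS is off: requireClientAuth and enableMTLS are not true")
    # An unset key falls back to the documented default, none.
    internode = values.get("ibm-hdm-analytics-dev.cassandra.internodeEncryption", "none")
    if internode != "all":
        findings.append(f"internodeEncryption is '{internode}', expected 'all'")
    return findings

if __name__ == "__main__":
    for finding in lint_mtls(parse_values(SAMPLE)):
        print("FINDING:", finding)
```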