Enabling Cassandra data encryption

Use this information to set up SSL on Cassandra.

About this task

This procedure details the steps that are needed to set up SSL on Cassandra.

Important: If you do not want to set up SSL on Cassandra, set the value for the ssl_cassandra_disable property to true.

Procedure

  1. Configure Cassandra over SSL.
  2. Import the self-signed certificate that you used to configure SSL on Cassandra into the truststore by using the following keytool command.
    keytool -import -v -trustcacerts -alias <alias for certificate in trust store> -file <path_to_certificate> -keystore <trust store name> -storepass <password> -keypass <password> -noprompt
    The following arguments are used in the command line.
    • -alias is the name of the certificate to process.
    • -file is the name of the certificate to be imported.
    • -keystore is the name of the truststore.
    • -storepass is the password for the truststore.
    • -keypass is the password that is used to protect the private key of the generated key pair.
  3. Run the following command to create a configmap for volume mounting the truststore that you created.
    kubectl create configmap <truststoreConfig> --from-file=<truststore_name> -n <namespace>
    The following arguments are used in the command line.
    • --from-file is the name of the truststore file.
    • -n is the name of the namespace.
  4. Set the truststore configMaps as a volume mount inside the container by adding the following configuration in the spec.additionalMounts property, which resides in:
    additionalMounts:
        configMaps:
          - mountPath: <path_to_store_truststore_file_in_container>
            name: <truststore_configmap_name>
            readOnly: <boolean>
            subPath: <truststore_file_name>
    

    For more information, see Configuring additionalMounts parameter.

  5. Add the contact points and keyspace of Cassandra: specify contactPoints: <contactpoints_of_cassandra> in the cassandra.contactPoints field and keyspace: <cassandra_keyspace> in the cassandra.keyspace field. For more information, see Configuring cassandra parameter.
  6. Set the truststore password in the form of a key-value pair in the secret.
    trustStorePassword: <password configured while creating the truststore>
    

    For more information, see Creating a secret.
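
Steps 2 and 3 above, as an added example that is not part of the original documentation: the script compares the certificate's SHA-256 fingerprint with a value obtained out of band before the -noprompt import, reads the truststore password from the environment instead of the command line, and confirms the entry before creating the configmap. The function names, the TRUSTSTORE_PASSWORD variable and the expected-fingerprint argument are assumptions.

```shell
#!/bin/sh
# Added example, not product code. Function names and the expected-fingerprint
# argument are hypothetical; TRUSTSTORE_PASSWORD must be exported by the caller.

# Strip separators and upper-case, so keytool- and openssl-style values compare.
norm_fp() { printf '%s' "$1" | tr -d ': ' | tr 'abcdef' 'ABCDEF'; }

# Print the SHA-256 fingerprint that keytool reports for a certificate file.
cert_sha256() {
  keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA256: *//p' | head -n 1
}

# import_verified <alias> <cert_file> <truststore> <expected_sha256>
import_verified() {
  alias_name=$1 cert=$2 store=$3 expected=$4
  actual=$(cert_sha256 "$cert")
  # -noprompt skips keytool's "Trust this certificate?" question, so compare
  # the fingerprint with a value obtained out of band before importing.
  if [ -z "$actual" ] || [ "$(norm_fp "$actual")" != "$(norm_fp "$expected")" ]; then
    echo "refusing import: fingerprint of $cert is '$actual'" >&2
    return 1
  fi
  # The :env modifier reads the password from the environment, not from argv.
  keytool -import -v -trustcacerts -alias "$alias_name" -file "$cert" \
    -keystore "$store" -storepass:env TRUSTSTORE_PASSWORD \
    -keypass:env TRUSTSTORE_PASSWORD -noprompt || return 1
  # Confirm that the alias now exists as a trusted certificate entry.
  keytool -list -alias "$alias_name" -keystore "$store" \
    -storepass:env TRUSTSTORE_PASSWORD | grep -q trustedCertEntry
}

# publish_truststore <configmap_name> <truststore_file> <namespace>
publish_truststore() {
  kubectl create configmap "$1" --from-file="$2" -n "$3"
}

# Usage: sh script.sh <alias> <cert> <truststore> <sha256> <configmap> <namespace>
if [ "$#" -eq 6 ]; then
  import_verified "$1" "$2" "$3" "$4" && publish_truststore "$5" "$3" "$6"
fi
```

The truststore holds only public certificates, so a configmap is an appropriate carrier for it; the password still belongs in the secret described in step 6.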