- You have an internal CA as part of your organization that can be used to generate both client and server certificates
- You have generated private keys and certificates signed by your CA for both the client and the server
- You are using at least Cassandra 1.2.3
Getting the certificates into all the right places is probably the trickiest part. Basically, it goes like this:
- Cassandra has a keystore.jks that includes the private key and server certificate of the local Cassandra node.
- Cassandra has a truststore.jks that includes the CA certificate, the server certificate of every Cassandra node in the cluster, and the client certificate of every client that will be connecting to the cluster. Since every one of those certificates is signed by the CA, it is the CA certificate that actually anchors the trust decision; the individual node and client entries are not needed for the chain check and only add upkeep as nodes and clients come and go.
- The JRE on each node includes your organization's CA cert in the global cacerts file (usually lib/security/cacerts).
- The CQL-RB client has access to the application private key, CA-signed certificate, and CA public cert. It does not need the server certificate since it was signed by the organization's CA.
Update the cassandra.yaml settings as follows. require_client_auth: true is the setting that makes each node demand a certificate chaining to a CA in its truststore before it will talk to a client; without it the truststore's client entries are never consulted and any client with TLS can connect:
client_encryption_options:
    enabled: true
    keystore: conf/keystore.jks
    keystore_password: <keystore password> ## The password you used when generating the keystore.
    truststore: conf/truststore.jks
    truststore_password: <truststore password>
    require_client_auth: true
Then build an OpenSSL::SSL::SSLContext in the client and hand it to cql-rb:

require 'openssl'
require 'cql'

ca_cert = '/path/to/ca.cert'
client_cert = '/path/to/client.cert'
client_key = '/path/to/client.key'
pass = 'password_for_client_key_if_applicable'   # nil or '' if the key file is not encrypted

ssl_context = OpenSSL::SSL::SSLContext.new
# VERIFY_PEER makes the client reject any server certificate that does not chain to ca_cert.
# It does not by itself check that the certificate was issued for the host being contacted.
ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER
ssl_context.ca_file = ca_cert
# The client key and CA-signed certificate are what satisfy require_client_auth on the node.
# (String#present? is ActiveSupport; plain Ruby needs an explicit nil/empty check.)
if pass && !pass.empty?
  ssl_context.key = OpenSSL::PKey::RSA.new(File.read(client_key), pass)
else
  ssl_context.key = OpenSSL::PKey::RSA.new(File.read(client_key))
end
ssl_context.cert = OpenSSL::X509::Certificate.new(File.read(client_cert))

Cql::Client.connect(hosts: ['localhost'], ssl: ssl_context)
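The following is an added, self-contained example (not code from the original page, and not cql-rb or Cassandra code) that shows what the keystore/truststore layout and require_client_auth: true actually enforce, end to end. It builds a throwaway PKI with Ruby's OpenSSL bindings (an internal CA, a node certificate, a client certificate, and a self-signed "rogue" client certificate the CA never issued), then stands in for the Cassandra node with a plain TLS server over loopback whose context mirrors the YAML above (keystore = node cert + key, truststore = CA cert, client auth required). It runs four handshakes: a proper mutual-TLS connection, a client with no certificate, a client with the untrusted certificate, and a client that checks the node's name and finds it does not match. The node name cassandra-node1, the subject names, and the function names are assumptions made for this example; the page does not define them.

```ruby
require 'openssl'
require 'socket'
NODE_NAME = 'cassandra-node1'   # assumed node name for this example; not from the page

# Issues an X.509v3 certificate. With no issuer the cert is self-signed
# (used for the CA itself and for the rogue client below).
def issue_cert(subject, key, serial:, ca: false, san: nil, eku: nil, issuer: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectAltName', san)) if san
  cert.add_extension(ef.create_extension('extendedKeyUsage', eku)) if eku
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed PKI: internal CA, one node cert, one client cert, and a self-signed
# "rogue" client cert with the same subject name that the CA never issued.
def build_pki
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = issue_cert('/CN=Example Internal CA', ca_key, serial: 1, ca: true)
  node_key = OpenSSL::PKey::RSA.new(2048)
  node = issue_cert("/CN=#{NODE_NAME}", node_key, serial: 2, san: "DNS:#{NODE_NAME}",
                    eku: 'serverAuth', issuer: ca, issuer_key: ca_key)
  client_key = OpenSSL::PKey::RSA.new(2048)
  client = issue_cert('/CN=app-client', client_key, serial: 3, eku: 'clientAuth',
                      issuer: ca, issuer_key: ca_key)
  rogue_key = OpenSSL::PKey::RSA.new(2048)
  rogue = issue_cert('/CN=app-client', rogue_key, serial: 4, eku: 'clientAuth')
  { ca: ca, node: [node, node_key], client: [client, client_key], rogue: [rogue, rogue_key] }
end

# Node side: keystore = node cert + key, truststore = CA cert only (it anchors every
# cert the CA signed), require_client_auth: true = VERIFY_PEER + FAIL_IF_NO_PEER_CERT.
def node_context(ca, cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key = cert, key
  ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(ca) }
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  ctx
end

# Client side as on the page, plus verify_hostname so the node cert must carry
# the name the client meant to reach, not merely chain to the CA.
def client_context(ca, cert = nil, key = nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(ca) }
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = true
  ctx.cert, ctx.key = cert, key if cert
  ctx
end

# One TLS handshake over loopback; reports whether each side accepted its peer.
def handshake(server_ctx, client_ctx, expected_name = NODE_NAME)
  listener = TCPServer.new('127.0.0.1', 0)
  server_ok = false
  server = Thread.new do
    raw = listener.accept
    begin
      ssl = OpenSSL::SSL::SSLSocket.new(raw, server_ctx)
      ssl.accept                 # raises when the client cert is missing or untrusted
      ssl.write('ok')
      ssl.close
      server_ok = true
    rescue OpenSSL::SSL::SSLError, SystemCallError, IOError
    ensure
      raw.close
    end
  end
  client_ok = false
  raw = TCPSocket.new('127.0.0.1', listener.addr[1])
  ssl = OpenSSL::SSL::SSLSocket.new(raw, client_ctx)
  ssl.hostname = expected_name   # name the node cert must match (also sent as SNI)
  begin
    ssl.connect                  # raises when the node cert is untrusted or names another host
    client_ok = (ssl.read == 'ok')
  rescue OpenSSL::SSL::SSLError, SystemCallError, IOError
  ensure
    raw.close
  end
  server.join
  listener.close
  { server: server_ok, client: client_ok }
end

def run_demo
  pki = build_pki
  node_ctx = node_context(pki[:ca], *pki[:node])
  { mutual: handshake(node_ctx, client_context(pki[:ca], *pki[:client])),
    no_client_cert: handshake(node_ctx, client_context(pki[:ca])),
    untrusted_client_cert: handshake(node_ctx, client_context(pki[:ca], *pki[:rogue])),
    wrong_node_name: handshake(node_ctx, client_context(pki[:ca], *pki[:client]), 'other-node') }
end
puts run_demo.inspect if __FILE__ == $0
```

Only the mutual case ends with both sides satisfied. The two rejected clients show what require_client_auth buys: a bare TLS client and a client holding a certificate with the right subject name but the wrong issuer are both refused before any CQL is spoken. The last case is the check the page's client context does not perform: a certificate that chains to the CA but was issued for a different node is accepted by VERIFY_PEER alone, so a client library has to set the expected host name on the socket (as ssl.hostname does here) for verify_hostname to have any effect; whether cql-rb does that for the context it is given is something to confirm in its source before relying on it.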