@jasonmk
Last active August 29, 2015 14:06
CQL-RB with 2-way SSL

Assumptions:

  • You have an internal CA as part of your organization that can be used to generate both client and server certificates
  • You have generated private keys and certificates signed by your CA for both the client and the server
  • You are using at least Cassandra 1.2.3

Certificates:

Getting the certificates in all the right places is probably the trickiest part. Basically, it goes like this:

  • Cassandra has a keystore.jks that includes the private key and server certificate of the local cassandra node.
  • Cassandra has a truststore.jks that includes the CA certificate, the server certificate of every cassandra node in the cluster, and the client certificate of every client that will be connecting to the cluster.
  • The JRE on each node includes your organization's CA cert in the global cacerts file (usually lib/security/cacerts).
  • The CQL-RB client has access to the application private key, CA-signed certificate, and CA public cert. It does not need the server certificate since it was signed by the organization's CA.

Cassandra configuration

Update the cassandra.yaml settings as follows:

```yaml
client_encryption_options:
  enabled: true
  keystore: conf/keystore.jks
  keystore_password: <keystore password>   # The password you used when generating the keystore.
  truststore: conf/truststore.jks
  truststore_password: <truststore password>
  require_client_auth: true
```

Connect from cql-rb

```ruby
require 'openssl'
require 'cql'

ca_cert = '/path/to/ca.cert'
client_cert = '/path/to/client.cert'
client_key = '/path/to/client.key'
pass = 'password_for_client_key_if_applicable'  # nil or '' if the key is unencrypted

ssl_context = OpenSSL::SSL::SSLContext.new
# Verify the Cassandra node's certificate against the CA; without this the
# client would accept any certificate the server presents.
ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER
ssl_context.ca_file = ca_cert
# Plain Ruby has no String#present? (that is ActiveSupport), so test for a
# non-empty passphrase explicitly.
if pass && !pass.empty?
  ssl_context.key = OpenSSL::PKey::RSA.new(File.read(client_key), pass)
else
  ssl_context.key = OpenSSL::PKey::RSA.new(File.read(client_key))
end
# The client certificate is presented when Cassandra has require_client_auth: true.
ssl_context.cert = OpenSSL::X509::Certificate.new(File.read(client_cert))

Cql::Client.connect(hosts: ['localhost'], ssl: ssl_context)
```
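A mutual-TLS handshake that fails against Cassandra gives little hint about which side is misconfigured. The following added example (my code, not part of the gist or of cql-rb) builds the same SSLContext as above, but first checks locally that the client certificate actually chains to the CA and matches the private key; the `make_test_pki` helper constructs a throw-away CA and client certificate so it runs offline, standing in for the certificates your internal CA would issue.

```ruby
require 'openssl'

# Build the mutual-TLS context for cql-rb, but first check locally that the
# client certificate chains to the organisation's CA and matches the private
# key, so a misconfiguration is named before any connection is attempted.
def build_client_ssl_context(ca_pem:, cert_pem:, key_pem:, key_pass: nil)
  ca   = OpenSSL::X509::Certificate.new(ca_pem)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  key  = OpenSSL::PKey::RSA.new(key_pem, key_pass) # key_pass is nil for an unencrypted key
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  unless store.verify(cert)
    raise "client cert does not chain to the CA: #{store.error_string}"
  end
  raise 'client cert does not match the private key' unless cert.check_private_key(key)

  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER # reject nodes not signed by our CA
  ctx.cert_store  = store                     # same role as ca_file, built in memory
  ctx.cert = cert                             # presented when require_client_auth is true
  ctx.key  = key
  ctx
end

# Constructed throw-away PKI (self-signed CA plus one client cert it signs) so
# the example runs offline; in practice these come from your internal CA.
def make_test_pki(client_cn: 'cql-client')
  now = Time.now
  ca_key, client_key = OpenSSL::PKey::RSA.generate(2048), OpenSSL::PKey::RSA.generate(2048)
  ca = OpenSSL::X509::Certificate.new
  ca.version, ca.serial = 2, 1
  ca.subject = ca.issuer = OpenSSL::X509::Name.parse('/CN=Example Internal CA')
  ca.public_key, ca.not_before, ca.not_after = ca_key.public_key, now - 60, now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(ca, ca)
  ca.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  ca.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  client = OpenSSL::X509::Certificate.new
  client.version, client.serial = 2, 2
  client.subject = OpenSSL::X509::Name.parse("/CN=#{client_cn}")
  client.issuer = ca.subject
  client.public_key, client.not_before, client.not_after = client_key.public_key, now - 60, now + 3600
  client.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  { ca_pem: ca.to_pem, cert_pem: client.to_pem, key_pem: client_key.to_pem }
end

ctx = build_client_ssl_context(**make_test_pki)
# With real certificates: Cql::Client.connect(hosts: ['localhost'], ssl: ctx)
```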