Posted to user@cassandra.apache.org by Jai Bheemsen Rao Dhanwada <ja...@gmail.com> on 2016/11/21 22:25:11 UTC

Cassandra Encryption

Hello,

I am setting up encryption on one of my Cassandra clusters using the
procedure below.

server_encryption_options:
    internode_encryption: all
    keystore: /etc/keystore
    keystore_password: xxxxx
    truststore: /etc/truststore
    truststore_password: xxxxx

http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore

However, one difficulty with this approach is that whenever I add a new
node I have to do a rolling restart of all the C* nodes in the cluster so
that the truststore is updated with the new server's information.

Is there a way to automatically trigger a reload so that the truststore is
updated on the existing machines without a restart?

Can someone please help?

Re: Cassandra Encryption

Posted by Jai Bheemsen Rao Dhanwada <ja...@gmail.com>.
Thanks Nate and Vladimir,

I will give it a try.

On Tue, Nov 22, 2016 at 12:48 AM, Vladimir Yudovin <vl...@winguzone.com>
wrote:

> > If I use the same certificate, how does it help?
> This certificate will be recognized by all existing nodes, and no restart
> will be needed.
>
> Or, as Nate suggested, you can use a trusted root certificate to issue the
> nodes' certificates.
>
>
> Best regards, Vladimir Yudovin,
>
> *Winguzone <https://winguzone.com?from=list> - Hosted Cloud Cassandra*
> *Launch your cluster in minutes.*
>
>
> ---- On Tue, 22 Nov 2016 03:07:28 -0500, *Jai Bheemsen Rao Dhanwada
> <jaibheemsen@gmail.com>* wrote ----
>
> Yes, I am generating a separate certificate for each node.
> Even if I use the same certificate, how does it help?
>
> On Mon, Nov 21, 2016 at 9:02 PM, Vladimir Yudovin <vl...@winguzone.com>
> wrote:
>
>
> Hi Jai,
>
> So do you generate a separate certificate for each node? Why not use one
> certificate for all nodes?
>
> Best regards, Vladimir Yudovin,
>
> *Winguzone <https://winguzone.com?from=list> - Hosted Cloud Cassandra*
> *Launch your cluster in minutes.*
>
>
> ---- On Mon, 21 Nov 2016 17:25:11 -0500, *Jai Bheemsen Rao Dhanwada
> <jaibheemsen@gmail.com>* wrote ----
>
> Hello,
>
> I am setting up encryption on one of my Cassandra clusters using the
> procedure below.
>
> server_encryption_options:
>     internode_encryption: all
>     keystore: /etc/keystore
>     keystore_password: xxxxx
>     truststore: /etc/truststore
>     truststore_password: xxxxx
>
> http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
>
> However, one difficulty with this approach is that whenever I add a new
> node I have to do a rolling restart of all the C* nodes in the cluster so
> that the truststore is updated with the new server's information.
>
> Is there a way to automatically trigger a reload so that the truststore is
> updated on the existing machines without a restart?
>
> Can someone please help?

Re: Cassandra Encryption

Posted by Vladimir Yudovin <vl...@winguzone.com>.
> If I use the same certificate, how does it help?

This certificate will be recognized by all existing nodes, and no restart will be needed.

Or, as Nate suggested, you can use a trusted root certificate to issue the nodes' certificates.

Best regards, Vladimir Yudovin,

Winguzone - Hosted Cloud Cassandra
Launch your cluster in minutes.

---- On Tue, 22 Nov 2016 03:07:28 -0500, Jai Bheemsen Rao Dhanwada <jaibheemsen@gmail.com> wrote ----

Yes, I am generating a separate certificate for each node.
Even if I use the same certificate, how does it help?

On Mon, Nov 21, 2016 at 9:02 PM, Vladimir Yudovin <vladyu@winguzone.com> wrote:

Hi Jai,

So do you generate a separate certificate for each node? Why not use one certificate for all nodes?

Best regards, Vladimir Yudovin,

Winguzone - Hosted Cloud Cassandra
Launch your cluster in minutes.

---- On Mon, 21 Nov 2016 17:25:11 -0500, Jai Bheemsen Rao Dhanwada <jaibheemsen@gmail.com> wrote ----

Hello,

I am setting up encryption on one of my Cassandra clusters using the procedure below.

server_encryption_options:
    internode_encryption: all
    keystore: /etc/keystore
    keystore_password: xxxxx
    truststore: /etc/truststore
    truststore_password: xxxxx

http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore

However, one difficulty with this approach is that whenever I add a new node I have to do a rolling restart of all the C* nodes in the cluster so that the truststore is updated with the new server's information.

Is there a way to automatically trigger a reload so that the truststore is updated on the existing machines without a restart?

Can someone please help?

Re: Cassandra Encryption

Posted by Nate McCall <na...@thelastpickle.com>.
You should be using a root certificate for signing all the node
certificates to create a trust chain. That way nodes won't have to
explicitly know about each other, only the root certificate.

This post has some details:
http://thelastpickle.com/blog/2015/09/30/hardening-cassandra-step-by-step-part-1-server-to-server.html

On Tue, Nov 22, 2016 at 9:07 PM, Jai Bheemsen Rao Dhanwada <jaibheemsen@gmail.com> wrote:

> Yes, I am generating a separate certificate for each node.
> Even if I use the same certificate, how does it help?
>
> On Mon, Nov 21, 2016 at 9:02 PM, Vladimir Yudovin <vl...@winguzone.com>
> wrote:
>
>> Hi Jai,
>>
>> So do you generate a separate certificate for each node? Why not use one
>> certificate for all nodes?
>>
>> Best regards, Vladimir Yudovin,
>>
>> *Winguzone <https://winguzone.com?from=list> - Hosted Cloud Cassandra*
>> *Launch your cluster in minutes.*
>>
>>
>> ---- On Mon, 21 Nov 2016 17:25:11 -0500, *Jai Bheemsen Rao Dhanwada
>> <jaibheemsen@gmail.com>* wrote ----
>>
>> Hello,
>>
>> I am setting up encryption on one of my Cassandra clusters using the
>> procedure below.
>>
>> server_encryption_options:
>>     internode_encryption: all
>>     keystore: /etc/keystore
>>     keystore_password: xxxxx
>>     truststore: /etc/truststore
>>     truststore_password: xxxxx
>>
>> http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
>>
>> However, one difficulty with this approach is that whenever I add a new
>> node I have to do a rolling restart of all the C* nodes in the cluster so
>> that the truststore is updated with the new server's information.
>>
>> Is there a way to automatically trigger a reload so that the truststore
>> is updated on the existing machines without a restart?
>>
>> Can someone please help?


-- 
-----------------
Nate McCall
Wellington, NZ
@zznate

CTO
Apache Cassandra Consulting
http://www.thelastpickle.com
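The root-CA layout Nate describes, as an added example that is not from this thread or from The Last Pickle's post: keytool builds one cluster CA, a truststore that holds only that CA, and per-node keystores whose certificates the CA signs, so an existing node never needs a new node's certificate. The node names, addresses, password and working directory are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): one cluster root CA signs every node
# certificate, and the shared truststore holds only that CA. Node names,
# IPs and the password are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="${PASS:-changeit}"   # placeholder; keystore passwords must be >= 6 chars

# Root CA key pair (self-signed, BasicConstraints CA:true) and the
# truststore that contains ONLY the CA certificate.
make_root_ca() {
    keytool -genkeypair -alias rootca -keyalg RSA -keysize 2048 \
        -dname "CN=cassandra-root-ca,O=example" -ext bc:c -validity 3650 \
        -storetype JKS -keystore "$WORK/ca.jks" -storepass "$PASS" -keypass "$PASS"
    keytool -exportcert -rfc -alias rootca -keystore "$WORK/ca.jks" \
        -storepass "$PASS" -file "$WORK/ca.pem"
    keytool -importcert -noprompt -alias rootca -file "$WORK/ca.pem" \
        -storetype JKS -keystore "$WORK/truststore.jks" -storepass "$PASS"
}

# Per-node keystore: key pair -> CSR -> CA-signed cert -> import the chain.
# Existing nodes already trust rootca, so a new node needs nothing from them.
make_node_keystore() {  # $1 = node name, $2 = node IP (for the SAN)
    ks="$WORK/$1.jks"
    keytool -genkeypair -alias "$1" -keyalg RSA -keysize 2048 \
        -dname "CN=$1,O=example" -validity 365 \
        -storetype JKS -keystore "$ks" -storepass "$PASS" -keypass "$PASS"
    keytool -certreq -alias "$1" -keystore "$ks" -storepass "$PASS" \
        -file "$WORK/$1.csr"
    keytool -gencert -rfc -alias rootca -keystore "$WORK/ca.jks" \
        -storepass "$PASS" -infile "$WORK/$1.csr" -outfile "$WORK/$1.crt" \
        -ext "san=ip:$2" -validity 365
    keytool -importcert -noprompt -alias rootca -file "$WORK/ca.pem" \
        -keystore "$ks" -storepass "$PASS"
    keytool -importcert -noprompt -alias "$1" -file "$WORK/$1.crt" \
        -keystore "$ks" -storepass "$PASS"
}

# Checks: the truststore has exactly one trusted entry, and each node's
# private key entry carries a two-certificate chain (node cert + root CA).
truststore_entries() {
    keytool -list -keystore "$WORK/truststore.jks" -storepass "$PASS" \
        | grep -c trustedCertEntry
}
node_chain_length() {  # $1 = node name
    keytool -list -v -alias "$1" -keystore "$WORK/$1.jks" -storepass "$PASS" \
        | sed -n 's/^Certificate chain length: //p'
}
```

Each node's cassandra.yaml then points keystore at its own nodeN.jks and truststore at the shared truststore.jks, so joining a new node only requires a certificate signed by the same CA. Setting require_client_auth: true in server_encryption_options makes each node verify its peers against that truststore as well.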

Re: Cassandra Encryption

Posted by Jai Bheemsen Rao Dhanwada <ja...@gmail.com>.
Yes, I am generating a separate certificate for each node.
Even if I use the same certificate, how does it help?

On Mon, Nov 21, 2016 at 9:02 PM, Vladimir Yudovin <vl...@winguzone.com>
wrote:

> Hi Jai,
>
> So do you generate a separate certificate for each node? Why not use one
> certificate for all nodes?
>
> Best regards, Vladimir Yudovin,
>
> *Winguzone <https://winguzone.com?from=list> - Hosted Cloud Cassandra*
> *Launch your cluster in minutes.*
>
>
> ---- On Mon, 21 Nov 2016 17:25:11 -0500, *Jai Bheemsen Rao Dhanwada
> <jaibheemsen@gmail.com>* wrote ----
>
> Hello,
>
> I am setting up encryption on one of my Cassandra clusters using the
> procedure below.
>
> server_encryption_options:
>     internode_encryption: all
>     keystore: /etc/keystore
>     keystore_password: xxxxx
>     truststore: /etc/truststore
>     truststore_password: xxxxx
>
> http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
>
> However, one difficulty with this approach is that whenever I add a new
> node I have to do a rolling restart of all the C* nodes in the cluster so
> that the truststore is updated with the new server's information.
>
> Is there a way to automatically trigger a reload so that the truststore is
> updated on the existing machines without a restart?
>
> Can someone please help?

Re: Cassandra Encryption

Posted by Vladimir Yudovin <vl...@winguzone.com>.
Hi Jai,

So do you generate a separate certificate for each node? Why not use one certificate for all nodes?

Best regards, Vladimir Yudovin,

Winguzone - Hosted Cloud Cassandra
Launch your cluster in minutes.

---- On Mon, 21 Nov 2016 17:25:11 -0500, Jai Bheemsen Rao Dhanwada <jaibheemsen@gmail.com> wrote ----

Hello,

I am setting up encryption on one of my Cassandra clusters using the procedure below.

server_encryption_options:
    internode_encryption: all
    keystore: /etc/keystore
    keystore_password: xxxxx
    truststore: /etc/truststore
    truststore_password: xxxxx

http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore

However, one difficulty with this approach is that whenever I add a new node I have to do a rolling restart of all the C* nodes in the cluster so that the truststore is updated with the new server's information.

Is there a way to automatically trigger a reload so that the truststore is updated on the existing machines without a restart?

Can someone please help?