You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@cassandra.apache.org by Jai Bheemsen Rao Dhanwada <ja...@gmail.com> on 2016/11/21 22:25:11 UTC
Cassandra Encryption
Hello,
I am setting up encryption on one of my cassandra cluster using the below
procedure.
server_encryption_options:
internode_encryption: all
keystore: /etc/keystore
keystore_password: xxxxx
truststore: /etc/truststore
truststore_password: xxxxx
http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
However, one difficulty with this approach is whenever I am adding a new
node I had to rolling restart all the C* nodes in the cluster, so that the
truststore is updated with the new server information.
Is there a way to automatically trigger a reload so that the truststore is
updated on the existing machines without restart.
Can someone please help ?
Re: Cassandra Encryption
Posted by Jai Bheemsen Rao Dhanwada <ja...@gmail.com>.
Thanks Nate and Vladimir,
I will give it a try.
On Tue, Nov 22, 2016 at 12:48 AM, Vladimir Yudovin <vl...@winguzone.com>
wrote:
> >if I use the same certificate how does it helps?
> This certificate will be recognized by all existing nodes, and no restart
> will be needed.
>
> Or, as Nate suggested, you can use trusted root certificate to issue
> nodes' certificates.
>
>
> Best regards, Vladimir Yudovin,
>
> *Winguzone <https://winguzone.com?from=list> - Hosted Cloud
> CassandraLaunch your cluster in minutes.*
>
>
> ---- On Tue, 22 Nov 2016 03:07:28 -0500*Jai Bheemsen Rao Dhanwada
> <jaibheemsen@gmail.com <ja...@gmail.com>>* wrote ----
>
> yes, I am generating separate certificate for each node.
> even if I use the same certificate how does it helps?
>
> On Mon, Nov 21, 2016 at 9:02 PM, Vladimir Yudovin <vl...@winguzone.com>
> wrote:
>
>
> Hi Jai,
>
> so do you generate separate certificate for each node? Why not use one
> certificate for all nodes?
>
> Best regards, Vladimir Yudovin,
>
> *Winguzone <https://winguzone.com?from=list> - Hosted Cloud
> CassandraLaunch your cluster in minutes.*
>
>
> ---- On Mon, 21 Nov 2016 17:25:11 -0500*Jai Bheemsen Rao Dhanwada
> <jaibheemsen@gmail.com <ja...@gmail.com>>* wrote ----
>
> Hello,
>
> I am setting up encryption on one of my cassandra cluster using the below
> procedure.
>
> server_encryption_options:
> internode_encryption: all
> keystore: /etc/keystore
> keystore_password: xxxxx
> truststore: /etc/truststore
> truststore_password: xxxxx
>
> http://docs.oracle.com/javase/6/docs/technotes/guides/
> security/jsse/JSSERefGuide.html#CreateKeystore
>
> However, one difficulty with this approach is whenever I am adding a new
> node I had to rolling restart all the C* nodes in the cluster, so that the
> truststore is updated with the new server information.
>
> Is there a way to automatically trigger a reload so that the truststore is
> updated on the existing machines without restart.
>
> Can someone please help ?
>
>
>
>
Re: Cassandra Encryption
Posted by Vladimir Yudovin <vl...@winguzone.com>.
>if I use the same certificate how does it helps?
This certificate will be recognized by all existing nodes, and no restart will be needed.
Or, as Nate suggested, you can use trusted root certificate to issue nodes' certificates.
Best regards, Vladimir Yudovin,
Winguzone - Hosted Cloud Cassandra
Launch your cluster in minutes.
---- On Tue, 22 Nov 2016 03:07:28 -0500Jai Bheemsen Rao Dhanwada <jaibheemsen@gmail.com> wrote ----
yes, I am generating separate certificate for each node.
even if I use the same certificate how does it helps?
On Mon, Nov 21, 2016 at 9:02 PM, Vladimir Yudovin <vladyu@winguzone.com> wrote:
Hi Jai,
so do you generate separate certificate for each node? Why not use one certificate for all nodes?
Best regards, Vladimir Yudovin,
Winguzone - Hosted Cloud Cassandra
Launch your cluster in minutes.
---- On Mon, 21 Nov 2016 17:25:11 -0500Jai Bheemsen Rao Dhanwada <jaibheemsen@gmail.com> wrote ----
Hello,
I am setting up encryption on one of my cassandra cluster using the below procedure.
server_encryption_options:
internode_encryption: all
keystore: /etc/keystore
keystore_password: xxxxx
truststore: /etc/truststore
truststore_password: xxxxx
http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
However, one difficulty with this approach is whenever I am adding a new node I had to rolling restart all the C* nodes in the cluster, so that the truststore is updated with the new server information.
Is there a way to automatically trigger a reload so that the truststore is updated on the existing machines without restart.
Can someone please help ?
Re: Cassandra Encryption
Posted by Nate McCall <na...@thelastpickle.com>.
You should be using a root certificate for signing all the node
certificates to create a trust chain. That way nodes won't have to
explicitly know about each other, only the root certificate.
This post has some details:
http://thelastpickle.com/blog/2015/09/30/hardening-cassandra-step-by-step-part-1-server-to-server.html
On Tue, Nov 22, 2016 at 9:07 PM, Jai Bheemsen Rao Dhanwada <
jaibheemsen@gmail.com> wrote:
> yes, I am generating separate certificate for each node.
> even if I use the same certificate how does it helps?
>
> On Mon, Nov 21, 2016 at 9:02 PM, Vladimir Yudovin <vl...@winguzone.com>
> wrote:
>
>> Hi Jai,
>>
>> so do you generate separate certificate for each node? Why not use one
>> certificate for all nodes?
>>
>> Best regards, Vladimir Yudovin,
>>
>> *Winguzone <https://winguzone.com?from=list> - Hosted Cloud
>> CassandraLaunch your cluster in minutes.*
>>
>>
>> ---- On Mon, 21 Nov 2016 17:25:11 -0500*Jai Bheemsen Rao Dhanwada
>> <jaibheemsen@gmail.com <ja...@gmail.com>>* wrote ----
>>
>> Hello,
>>
>> I am setting up encryption on one of my cassandra cluster using the below
>> procedure.
>>
>> server_encryption_options:
>> internode_encryption: all
>> keystore: /etc/keystore
>> keystore_password: xxxxx
>> truststore: /etc/truststore
>> truststore_password: xxxxx
>>
>> http://docs.oracle.com/javase/6/docs/technotes/guides/securi
>> ty/jsse/JSSERefGuide.html#CreateKeystore
>>
>> However, one difficulty with this approach is whenever I am adding a new
>> node I had to rolling restart all the C* nodes in the cluster, so that the
>> truststore is updated with the new server information.
>>
>> Is there a way to automatically trigger a reload so that the truststore
>> is updated on the existing machines without restart.
>>
>> Can someone please help ?
>>
>>
>>
>
--
-----------------
Nate McCall
Wellington, NZ
@zznate
CTO
Apache Cassandra Consulting
http://www.thelastpickle.com
Re: Cassandra Encryption
Posted by Jai Bheemsen Rao Dhanwada <ja...@gmail.com>.
yes, I am generating separate certificate for each node.
even if I use the same certificate how does it helps?
On Mon, Nov 21, 2016 at 9:02 PM, Vladimir Yudovin <vl...@winguzone.com>
wrote:
> Hi Jai,
>
> so do you generate separate certificate for each node? Why not use one
> certificate for all nodes?
>
> Best regards, Vladimir Yudovin,
>
> *Winguzone <https://winguzone.com?from=list> - Hosted Cloud
> CassandraLaunch your cluster in minutes.*
>
>
> ---- On Mon, 21 Nov 2016 17:25:11 -0500*Jai Bheemsen Rao Dhanwada
> <jaibheemsen@gmail.com <ja...@gmail.com>>* wrote ----
>
> Hello,
>
> I am setting up encryption on one of my cassandra cluster using the below
> procedure.
>
> server_encryption_options:
> internode_encryption: all
> keystore: /etc/keystore
> keystore_password: xxxxx
> truststore: /etc/truststore
> truststore_password: xxxxx
>
> http://docs.oracle.com/javase/6/docs/technotes/guides/
> security/jsse/JSSERefGuide.html#CreateKeystore
>
> However, one difficulty with this approach is whenever I am adding a new
> node I had to rolling restart all the C* nodes in the cluster, so that the
> truststore is updated with the new server information.
>
> Is there a way to automatically trigger a reload so that the truststore is
> updated on the existing machines without restart.
>
> Can someone please help ?
>
>
>
Re: Cassandra Encryption
Posted by Vladimir Yudovin <vl...@winguzone.com>.
Hi Jai,
so do you generate separate certificate for each node? Why not use one certificate for all nodes?
Best regards, Vladimir Yudovin,
Winguzone - Hosted Cloud Cassandra
Launch your cluster in minutes.
---- On Mon, 21 Nov 2016 17:25:11 -0500Jai Bheemsen Rao Dhanwada <jaibheemsen@gmail.com> wrote ----
Hello,
I am setting up encryption on one of my cassandra cluster using the below procedure.
server_encryption_options:
internode_encryption: all
keystore: /etc/keystore
keystore_password: xxxxx
truststore: /etc/truststore
truststore_password: xxxxx
http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
However, one difficulty with this approach is whenever I am adding a new node I had to rolling restart all the C* nodes in the cluster, so that the truststore is updated with the new server information.
Is there a way to automatically trigger a reload so that the truststore is updated on the existing machines without restart.
Can someone please help ?