Posted to user@cassandra.apache.org by Jeremy Jongsma <je...@barchart.com> on 2014/05/22 17:05:30 UTC
Managing truststores with inter-node encryption
The docs say that each node needs every other node's certificate in its
local truststore:
http://www.datastax.com/documentation/cassandra/1.2/cassandra/security/secureSSLCertificates_t.html
This seems like a bit of a headache for adding nodes to a cluster. How do
others deal with this?
1) If I am self-signing the client certificates (with puppetmaster), is it
enough that the truststore just contain the CA certificate used to sign
them? This is the typical PKI mechanism for verifying trust, so I am hoping
it works here.
2) If not, can I use the same certificate for every node? If so, what is
the downside? I'm mainly concerned with encryption over public internet
links, not node identity verification.
Re: Managing truststores with inter-node encryption
Posted by Ben Bromhead <be...@instaclustr.com>.
Java SSL sockets need to be able to build a chain of trust. So having
either a node's public cert or the root cert in the truststore works (as you
found out).
To get Cassandra to use cipher suites > 128 bit you will need to install
the JCE unlimited strength jurisdiction policy files. You will know if you
aren't using it because there will be a bunch of warnings quickly filling
up your logs.
Note that Java's SSL implementation does not check certificate revocation
lists by default, though as you are not using inter-node for authentication
and identification it's no big deal.
Ben
On 31/05/2014 1:04 AM, "Jeremy Jongsma" <je...@barchart.com> wrote:
> It appears that only adding the CA certificate to the truststore is
> sufficient for this.
>
>
> On Thu, May 22, 2014 at 10:05 AM, Jeremy Jongsma <je...@barchart.com>
> wrote:
>
>> The docs say that each node needs every other node's certificate in its
>> local truststore:
>>
>>
>> http://www.datastax.com/documentation/cassandra/1.2/cassandra/security/secureSSLCertificates_t.html
>>
>> This seems like a bit of a headache for adding nodes to a cluster. How do
>> others deal with this?
>>
>> 1) If I am self-signing the client certificates (with puppetmaster), is
>> it enough that the truststore just contain the CA certificate used to sign
>> them? This is the typical PKI mechanism for verifying trust, so I am hoping
>> it works here.
>>
>> 2) If not, can I use the same certificate for every node? If so, what is
>> the downside? I'm mainly concerned with encryption over public internet
>> links, not node identity verification.
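As an added example, not code from this thread, from DataStax or from Cassandra itself, the shell script below uses openssl to play the role of the self-signing CA Jeremy mentions (the puppetmaster), issues one certificate per node, and checks that a trust anchor containing only the CA certificate validates every node certificate that CA signed while rejecting a certificate issued by an unrelated CA. That is the chain-of-trust check Ben describes Java's SSL sockets performing against the truststore. All CA and host names are constructed; the final keytool step, which builds the Java truststore from the CA certificate alone, runs only if a JDK is installed.

```shell
#!/usr/bin/env bash
# Added example: a private CA, per-node certificates, and the
# "only the CA cert in the truststore" check from the thread.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certs

# make_ca <name>: self-signed CA key and certificate (constructed name).
make_ca() {
  local name="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$WORK/$name.key" -out "$WORK/$name.crt" \
    -subj "/CN=$name" 2>/dev/null
}

# issue_node <ca> <host>: generate a key and CSR for one node, then have
# <ca> sign it with a SAN for the host name (one cert per node, not shared).
issue_node() {
  local ca="$1" host="$2"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" \
    -subj "/CN=$host" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$host" > "$WORK/$host.ext"
  openssl x509 -req -in "$WORK/$host.csr" \
    -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$WORK/$host.ext" \
    -out "$WORK/$host.crt" 2>/dev/null
}

# verify_against <ca> <host>: prints "ok" when <host>'s certificate chains
# to <ca> using nothing but the CA certificate as trust anchor, else "fail".
verify_against() {
  local ca="$1" host="$2"
  if openssl verify -CAfile "$WORK/$ca.crt" "$WORK/$host.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# build_truststore <ca>: Java truststore holding only the CA certificate,
# the file server_encryption_options.truststore would point at. Prints
# "built", or "skipped" when keytool (JDK) is not available.
build_truststore() {
  local ca="$1"
  command -v keytool >/dev/null 2>&1 || { echo skipped; return 0; }
  keytool -importcert -noprompt -trustcacerts -alias "$ca" \
    -file "$WORK/$ca.crt" -keystore "$WORK/truststore.jks" \
    -storepass changeit >/dev/null 2>&1 && echo built
}

# Demo: one cluster CA, two nodes it signed, one cert from an unrelated CA.
make_ca cluster-ca
issue_node cluster-ca node1.example.internal
issue_node cluster-ca node2.example.internal
make_ca other-ca
issue_node other-ca rogue.example.internal

echo "node1 vs cluster-ca: $(verify_against cluster-ca node1.example.internal)"  # ok
echo "node2 vs cluster-ca: $(verify_against cluster-ca node2.example.internal)"  # ok
echo "rogue vs cluster-ca: $(verify_against cluster-ca rogue.example.internal)"  # fail
echo "truststore: $(build_truststore cluster-ca)"
```

The point of the demo is that a node added later needs nothing from the existing nodes: its own key and CA-signed certificate go into its keystore, and the truststore every node already carries (CA certificate only) accepts it, while a certificate from any other issuer is rejected. Issuing a distinct certificate per node, rather than one shared certificate, is what keeps node identity checks possible later; as Ben notes, revocation is a separate matter that Java does not check by default.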
Re: Managing truststores with inter-node encryption
Posted by Jeremy Jongsma <je...@barchart.com>.
It appears that only adding the CA certificate to the truststore is
sufficient for this.
On Thu, May 22, 2014 at 10:05 AM, Jeremy Jongsma <je...@barchart.com>
wrote:
> The docs say that each node needs every other node's certificate in its
> local truststore:
>
>
> http://www.datastax.com/documentation/cassandra/1.2/cassandra/security/secureSSLCertificates_t.html
>
> This seems like a bit of a headache for adding nodes to a cluster. How do
> others deal with this?
>
> 1) If I am self-signing the client certificates (with puppetmaster), is it
> enough that the truststore just contain the CA certificate used to sign
> them? This is the typical PKI mechanism for verifying trust, so I am hoping
> it works here.
>
> 2) If not, can I use the same certificate for every node? If so, what is
> the downside? I'm mainly concerned with encryption over public internet
> links, not node identity verification.