Posted to user@cassandra.apache.org by Justin Cameron <ju...@instaclustr.com> on 2019/03/01 00:00:14 UTC

Re: Disable Truststore CA check for internode_encryption

require_client_auth enforces mutual (two-way) authentication. The default
(require_client_auth: false) is one-way - only the server certificate is
verified. I believe you want to disable SSL authentication altogether; as
Jeff mentioned, I think you'd need to make code changes in order to do that.

If you use a public CA (like Let's Encrypt, Comodo, etc) to sign your
certificates then I think you may not need to provide a truststore to
clients, because their CA certificates should already be in Java's built-in
truststore. However, it may be difficult to find a CA that will issue a
certificate for a public IP address. I believe Let's Encrypt will only
issue certificates for DNS, not IP addresses.

On Thu, 28 Feb 2019 at 07:32, Jai Bheemsen Rao Dhanwada <
jaibheemsen@gmail.com> wrote:

> I see require_client_auth in the internode_encryption and the default
> value is false, but the Cassandra process expects a truststore and truststore
> password for Cassandra to start up.
>
> On Wed, Feb 27, 2019 at 11:25 PM Hannu Kröger <hk...@gmail.com> wrote:
>
>> I was using this as reference:
>> https://docs.datastax.com/en/cassandra/3.0/cassandra/configuration/configCassandra_yaml.html#configCassandra_yaml__SecurityProps
>>
>> And there I see “require client authentication” also in server options,
>> i.e. internode encryption.
>>
>> However I am not sure if this is what the OP is after.
>>
>> Hannu
>>
>> Jeff Jirsa <jj...@gmail.com> wrote on 28.2.2019 at 9.01:
>>
>> That’s client to server - internode is different
>>
>> Don’t think it’s possible without code modifications - please open a JIRA
>>
>> --
>> Jeff Jirsa
>>
>>
>> On Feb 27, 2019, at 10:21 PM, Hannu Kröger <hk...@gmail.com> wrote:
>>
>>
>> Is server encryption option ”require_client_auth: false” what you are
>> after?
>>
>>
>> Hannu
>>
>>
>> Jai Bheemsen Rao Dhanwada <ja...@gmail.com> wrote on 28.2.2019
>> at 1.57:
>>
>>
>> Hello,
>>
>>
>> Is it possible to disable the truststore CA check for Cassandra
>> internode_encryption? If yes, is there a config property to do that?
>>
>>
>> ---------------------------------------------------------------------
>>
>> To unsubscribe, e-mail: user-unsubscribe@cassandra.apache.org
>>
>> For additional commands, e-mail: user-help@cassandra.apache.org

-- 


*Justin Cameron*
*Senior Software Engineer*


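
The internode settings discussed in this thread, as an added example that is
not part of the original messages or of the Cassandra project's own
configuration. The paths and passwords are placeholders, and the fragment
assumes the server_encryption_options layout from the cassandra.yaml
reference linked in the thread.

```yaml
# cassandra.yaml (fragment), internode TLS.
server_encryption_options:
    # none | all | dc | rack
    internode_encryption: all

    # This node's own private key and certificate (placeholder values).
    keystore: /path/to/node-keystore.jks
    keystore_password: <keystore-password>

    # CA certificates this node trusts (placeholder values). The node
    # expects these at startup even when require_client_auth is false,
    # because a node opening an internode connection verifies the
    # accepting node's certificate against this truststore.
    truststore: /path/to/cluster-truststore.jks
    truststore_password: <truststore-password>

    # false (the default): one-way authentication, only the accepting
    #   node's certificate is verified.
    # true: mutual (two-way) authentication, the accepting node also
    #   verifies the certificate presented by the connecting node.
    require_client_auth: true
```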