Bringing together the Apache Cassandra experts from the community and DataStax.

Want to learn? Have a question? Want to share your expertise? You are in the right place!

Not sure where to begin? Getting Started

 

question

suujana.naga16_165607 avatar image
suujana.naga16_165607 asked Erick Ramirez answered

Unable to cqlsh to SSL-enabled node

I have setup a single DSE v5.1.15 node SSL enabled cluster and tried to cqlsh from the same node. I have enabled client to node encryption.

Below are the configurations and error that I am getting.

Commands used for generating SSL certs:

### custerkey setup

keytool -genkey -validity 2693 -alias cassandra02_CLUSTER -keyalg RSA -keystore cassandra02.jks
keytool -export -alias cassandra02_CLUSTER -file cassandra02_CLUSTER_PUBLIC.cer -keystore cassandra02.jk
keytool -importcert -v -trustcacerts -alias cassandra02_CLUSTER -file cassandra02_CLUSTER_PUBLIC.cer -keystore CassandraTruststore.ts

===================================

### Client key setup.

keytool -genkey -validity 2693 -alias cassandra02_CLIENT -keyalg RSA -keystore cassandra02.jk
keytool -export -alias cassandra02_CLIENT -file cassandra02_CLIENT_PUBLIC.cer -keystore cassandra02.jks
keytool -importcert -v -trustcacerts -alias cassandra02_CLIENT -file cassandra02_CLIENT_PUBLIC.cer -keystore CassandraTruststore.ts

## exporting .pem files

keytool -importkeystore -srckeystore cassandra02.jks -srcstoretype JKS -destkeystore cassandra02.p12 -deststoretype PKCS12
openssl pkcs12 -in cassandra02.p12 -nokeys -out cassandra02_CLIENT.cer.pem
openssl pkcs12 -in cassandra02.p12 -nodes -nocerts -out cassandra02_CLIENT.key.pem

##cqlshrc file

[connection]
hostname = 172.31.39.156
port = 9042
factory = cqlshlib.ssl.ssl_transport_factory
[ssl]
certfile = /home/cassandra/certs/cassandra02_CLIENT.cer.pem
validate = false

cassandr.yaml configurations

1617489511616.png

Error:

1617489572615.png

encryption
1617489511616.png (96.4 KiB)
1617489572615.png (47.7 KiB)
10 |1000 characters needed characters left characters exceeded

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

1 Answer

Erick Ramirez avatar image
Erick Ramirez answered

A quick review of your configuration shows that you are using a PEM file in your cqlshrc:

[ssl]
certfile = /home/cassandra/certs/cassandra02_CLIENT.cer.pem
validate = false

As stated in Using CQL shell with SSL, you use the PEM files when you want two-way certificate authentication:

client_encryption_options:
    ...
    require_client_auth: true
    ... 

But in the configuration you posted, you have set require_client_auth: false. In this case, you need to provide the certificate file instead of the PEM file.

As a side note, my ability to assist you with troubleshooting is limited in this Q&A forum. If you have any follow up questions, please log a ticket with DataStax Support so one of our engineers can assist you. Cheers!

Share
10 |1000 characters needed characters left characters exceeded

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.