what exactly does the require client auth under client to node encryption options do? simple example would be appreciated.
While encrypting the connection between the client and the DSE node, the client must provide a certificate for communication, as setting require_client_auth to true means you require two-way host certificate validation (two-way SSL).
Here is a good explanation on one-way and two-way SSL: https://tutorialspedia.com/an-overview-of-one-way-ssl-and-two-way-ssl/
This setting only needs to be set to true if you require two-way SSL. With two-way SSL, instead of the Cassandra client simply verifying the identity of the server, the server also verifies the certificate used by the client. But in one-way SSL, the client only verifies the server's certificate.
To answer what you need to configure after enabling require_client_auth:
First, before configuring the setting to true, you should generate the certificates that the client will be presenting, following the documentation:
https://docs.datastax.com/en/security/6.7/security/secSslCertificatesKeystores.html
And after you set it to true, you would need to configure the keystore and truststore as well. This is explained in the document here: https://docs.datastax.com/en/security/6.7/security/encryptClientNodeSSL.html
Hope this helps!
Thank you! I guess I am still a bit confused. When it comes to client-to-node encryption, what in DSE is considered a "client"? The reason I ask is because when require_client_auth is set to true in the node-to-node encryption options, we need to configure cqlsh to use SSL, and to me cqlsh is a client, no?
In the node-to-node SSL scenario, setting require_client_auth to true simply means all DSE nodes need to have an SSL cert, which they already have. However, it is optional to configure SSL for cqlsh when configuring node-to-node SSL.
In the client-to-node SSL scenario, setting require_client_auth to true requires any client (cqlsh as well) to be configured for SSL, as this sets up two-way SSL and requires the remote end to provide an SSL cert as well.
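The two answers above describe the same option in two different sections of cassandra.yaml. The fragment below is an added illustration, not configuration taken from this thread or from DSE's shipped defaults: it puts the node-to-node (server_encryption_options) and client-to-node (client_encryption_options) settings side by side so the difference is visible. Every path and password in it is a hypothetical placeholder; the option names themselves are the ones DSE 6.7 and Apache Cassandra use in cassandra.yaml.

```yaml
# Added example (not from the original post). Paths and passwords are placeholders.

# Node-to-node: every DSE node already has its own keystore, so require_client_auth
# here only makes each node present that cert to its peers. cqlsh is not involved.
server_encryption_options:
  internode_encryption: all
  keystore: /etc/dse/conf/keystore.node1.jks      # this node's own cert + key (placeholder path)
  keystore_password: changeme-keystore
  truststore: /etc/dse/conf/truststore.jks        # must contain the CA (or the other nodes' certs)
  truststore_password: changeme-truststore
  require_client_auth: true                       # peers must present a cert the truststore trusts
  protocol: TLS
  store_type: JKS

# Client-to-node: this is the side that affects cqlsh, drivers, Studio, etc.
client_encryption_options:
  enabled: true
  optional: false                                 # false = plaintext connections are refused
  keystore: /etc/dse/conf/keystore.node1.jks      # server cert the client verifies (one-way SSL)
  keystore_password: changeme-keystore
  # With require_client_auth: true the node ALSO verifies the client's cert (two-way SSL),
  # so the truststore below must trust whatever cert cqlsh/the driver presents.
  # With require_client_auth: false the truststore is not consulted for client connections.
  require_client_auth: true
  truststore: /etc/dse/conf/truststore.jks
  truststore_password: changeme-truststore
  protocol: TLS
  store_type: JKS
```

With `client_encryption_options.require_client_auth: true`, a cqlsh connection needs the matching client side: `ssl = true` under `[connection]` in cqlshrc, and under `[ssl]` a `certfile` (the CA or server cert cqlsh uses to validate the node), `validate = true`, plus `userkey` and `usercert` pointing at the client key and certificate that the node's truststore must trust. If only `certfile` is configured, cqlsh can do one-way SSL but the node will reject the handshake once two-way SSL is required. A quick check from the node side, before involving cqlsh at all, is `keytool -list -keystore /etc/dse/conf/truststore.jks` (placeholder path) to confirm the client's issuing CA or certificate is actually present.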
Thank you! Some additional questions:
I enabled SSL node-to-node and client-to-node via the LCM for two nodes.
This created the following:
To clarify, if I enable require_client_auth at the client-to-node encryption level, do I need to import the "node1" and "node2" certs into each truststore on each node?
Hi,
I am still having issues with the client-to-node encryption. I imported the node.crt that was created by LCM into the truststores created by LCM and it is still throwing errors.