Bringing together the Apache Cassandra experts from the community and DataStax.

scano_183208 asked:

What do I need to configure after enabling require_client_auth on client to node encryption?

What exactly does the require_client_auth setting under the client-to-node encryption options do? A simple example would be appreciated.

Tags: dse, ssl, encryption

1 Answer

liviraheja_160281 answered:

When encrypting the connection between a client and a DSE node, the client must provide a certificate for communication, as setting require_client_auth to true means you require two-way host certificate validation (two-way SSL).

Here is a good explanation on one-way and two-way SSL: https://tutorialspedia.com/an-overview-of-one-way-ssl-and-two-way-ssl/

This setting only needs to be set to true if you require two-way SSL. With two-way SSL, instead of the Cassandra client simply verifying the identity of the server, the server also verifies the certificate used by the client. In one-way SSL, the client only verifies the server's certificate.


To answer what you need to configure after enabling require_client_auth:

First, before setting it to true, you should generate the certificates that the client will be presenting, following the documentation:
https://docs.datastax.com/en/security/6.7/security/secSslCertificatesKeystores.html

Then, after you set it to true, you will need to configure the keystore and truststore as well. This is explained in the document here: https://docs.datastax.com/en/security/6.7/security/encryptClientNodeSSL.html

Hope this helps!
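As an added example (this is not code from the original post or from DataStax), the script below shows the three things that change once client_encryption_options.require_client_auth is true: the cassandra.yaml fragment (one-way beside two-way), a client certificate chained to the cluster CA, and the cqlshrc section a client such as cqlsh needs in order to present that certificate. The paths under /etc/dse/conf, the CHANGEME_* passwords, the "clusterca" alias and the client CN are hypothetical, and the self-signed CA it creates is a throwaway stand-in for the LCM-generated cluster CA; in production you would sign with the real CA key instead.

```shell
#!/bin/sh
# Added example, not code from the original post or from DataStax.
# Shows what require_client_auth: true adds on top of one-way client-to-node
# SSL: a cassandra.yaml fragment, a CA-signed client cert, and the cqlshrc.
# Hypothetical names: /etc/dse/conf/server.*, CHANGEME_* passwords, alias
# "clusterca", and the client CN supplied by the caller.

# cassandra.yaml fragment. one-way: only the node proves its identity, so the
# client just needs the CA. two-way: the node also demands a client cert, so
# the node's truststore must hold the CA that vouches for the client.
render_client_encryption_options() {
  case "$1" in
    one-way) rca=false ;;
    two-way) rca=true ;;
    *) echo "usage: render_client_encryption_options one-way|two-way" >&2; return 1 ;;
  esac
  cat <<EOF
client_encryption_options:
    enabled: true
    optional: false
    keystore: /etc/dse/conf/server.keystore
    keystore_password: CHANGEME_KEYSTORE
    require_client_auth: $rca
    # truststore is only consulted when require_client_auth is true
    truststore: /etc/dse/conf/server.truststore
    truststore_password: CHANGEME_TRUSTSTORE
EOF
}

# Issue a client cert signed by the cluster CA. If no CA key/cert exists in
# $dir, a throwaway self-signed CA is created as a stand-in for the LCM
# "clusterca" (constructed test material; use the real CA key in production).
make_client_cert() {
  dir="$1"; cn="$2"
  mkdir -p "$dir"
  if [ ! -f "$dir/clusterca.key" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=clusterca" \
      -keyout "$dir/clusterca.key" -out "$dir/clusterca.pem" 2>/dev/null
  fi
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$dir/$cn.key" -out "$dir/$cn.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/$cn.csr" \
    -CA "$dir/clusterca.pem" -CAkey "$dir/clusterca.key" -CAcreateserial \
    -out "$dir/$cn.crt" 2>/dev/null
  # The node performs this same chain check during the handshake; fail here
  # rather than at the first cqlsh connection attempt.
  openssl verify -CAfile "$dir/clusterca.pem" "$dir/$cn.crt" >/dev/null
}

# Node side: the truststore must trust whatever signed the client cert. With a
# CA-signed client cert that is the CA, imported once per node; individual
# node1/node2/client leaf certs do not need to be imported.
trust_client_ca() {
  keytool -importcert -noprompt -alias clusterca -file "$1" \
    -keystore "$2" -storepass "$3"
}

# Client side: cqlshrc [ssl] section. certfile validates the node (one-way);
# userkey and usercert are what require_client_auth adds. Run cqlsh with --ssl.
render_cqlshrc() {
  dir="$1"; cn="$2"
  cat <<EOF
[ssl]
certfile = $dir/clusterca.pem
validate = true
userkey = $dir/$cn.key
usercert = $dir/$cn.crt
EOF
}

# Demo run in a temp dir with throwaway material.
if command -v openssl >/dev/null 2>&1; then
  work=$(mktemp -d)
  make_client_cert "$work" cqlsh-client
  render_client_encryption_options two-way
  render_cqlshrc "$work" cqlsh-client
  if command -v keytool >/dev/null 2>&1; then
    trust_client_ca "$work/clusterca.pem" "$work/server.truststore" CHANGEME_TRUSTSTORE
  fi
fi
```

To check a live node without cqlsh, `openssl s_client -connect <node>:9042 -CAfile clusterca.pem -cert cqlsh-client.crt -key cqlsh-client.key` completes the handshake; repeating it without `-cert`/`-key` against a node with require_client_auth: true fails, which is the quickest way to confirm the node is really demanding a client certificate rather than merely offering its own.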

5 comments

scano_183208 replied:

@liviraheja_160281

Thank you! I guess I am still a bit confused. When it comes to client-to-node encryption, what in DSE is considered a "client"? The reason I ask is that when require_client_auth is set to true in the node-to-node encryption options, we need to configure cqlsh to use SSL, and to me cqlsh is a client, no?


liviraheja_160281 replied:

@scano_183208

In the node-to-node SSL scenario, setting require_client_auth to true simply means all DSE nodes need to have an SSL cert, which they already have. However, it is optional to configure SSL for cqlsh when configuring node-to-node SSL.

In the client-to-node SSL scenario, setting require_client_auth to true requires any client (cqlsh as well) to be configured for SSL, as this sets up two-way SSL and requires the remote end to provide an SSL cert as well.

scano_183208 replied to liviraheja_160281:

@liviraheja_160281

Thank you! Some additional questions:

I enabled SSL node-to-node and client-to-node via the LCM for 2 nodes.

This created the following:

  • client.keyStore and client.trustStore
  • server.keyStore and server.trustStore
  • Each keystore contains two certs, a "node1" cert and a "clusterca" cert, the "clusterca" cert being the cert created by the LCM, which I downloaded.
  • Each truststore contains the "clusterca" cert.

To clarify: if I enable require_client_auth at the client-to-node encryption level, do I need to import the "node1" and "node2" certs into each truststore on each node?


scano_183208 replied:

@liviraheja_160281

Hi,

I am still having issues with the client-to-node encryption. I imported the node.crt that was created by LCM into the truststores created by LCM, and it is still throwing errors.
