what exactly does the require client auth under client to node encryption options do? simple example would be appreciated.
Bringing together the Apache Cassandra experts from the community and DataStax.
Want to learn? Have a question? Want to share your expertise? You are in the right place!
Not sure where to begin? Getting Started
What do I need to configure after enabling require_client_auth on client to node encryption?
While encrypting connection between client to DSE node, the client must provide certificate for communication as setting require_client_auth to true means you require two-way host certificate validation (two-way SSL).
Here is a good explanation on one-way and two-way SSL: https://tutorialspedia.com/an-overview-of-one-way-ssl-and-two-way-ssl/
This setting only needs to set to true if you require two-way SSL. With two-way SSL, instead of the Cassandra client simply verifying the identity of the server, the server also verifies the certificate used by the client. But in One Way SSL the client only verifies the server's certificate.
To answer what you need to configure after enabling require_client_auth
First,
Before configuring the setting to true, you should generate the certificates that client will be presenting following the documentation :
https://docs.datastax.com/en/security/6.7/security/secSslCertificatesKeystores.html
And after you set it to true, you would need to configure the keystore and truststore as well. This is explained in the document here: https://docs.datastax.com/en/security/6.7/security/encryptClientNodeSSL.html
Hope this helps!
Thank you! I guess i am still a bit confused. When it comes to client to node encryption, what in DSE is considered a "client". Reason why i ask is because when require-client-auth is set to true in the node to node encryption options, we need to configure cqlsh to use ssl and to me cqlsh is a client, no?
In node-to-node SSL scenario, setting require_client_auth to true, simply means all DSE nodes need to have SSL cert, which they already have. However, it is optional to configure SSL for CQLSH when configuring node-to-node SSL.
In client-to-node SSL scenario, setting require_client_auth set to true requires any client(CQLSH as well) to be configured for SSL as this sets up a 2-way-SSL and requires the remote end to provide SSL cert as well.
Thank you! Some additional questions:
I enabled SSL node to node and client to node via the LCM for 2 nodes.
This created the following:
- client.keyStore and client.trustStore
- server.Keystore and server.trustStore
- Each keystore contains two certs a "node1" cert and "clusterca" cert. The "clusterca" cert being the Cert created by the LCM which i download it.
- Each TrustStore contains the "clusterca"
To clarify if i enable the require_client_auth at the client to node encryption level do i need to import the "node1" and "node2" certs into each TrustStore on each node?
Hi,
I am still having issues with the client to node encryption. I imported the node.crt that was created by LCM into the trustStores created by LCM and it still throwing errors.
6 People are following this question.
