Inter-node encryption uses standard TLS/SSL to authenticate and encrypt messages between nodes, to protect data in transit between nodes, and to prevent unauthorized access to or control of nodes.
Encryption can be applied to all inter-node messages, just messages crossing from one rack to another, or just messages crossing from one datacenter to another.
This page needs fleshing out... skeleton instructions from https://issues.apache.org/jira/browse/CASSANDRA-3051 are:

1. follow the steps for generating a keystore and a truststore here: http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
2. plug those files into encryption_options in cassandra.yaml
3. make sure encryption_options.internode_encryption = all in the yaml.
See the section at the bottom of conf/cassandra.yaml:

    # Enable or disable inter-node encryption
    # Default settings are TLS v1, RSA 1024-bit keys (it is imperative that
    # users generate their own keys) TLS_RSA_WITH_AES_128_CBC_SHA as the cipher
    # suite for authentication, key exchange and encryption of the actual data transfers.
    # NOTE: No custom encryption options are enabled at the moment
    # The available internode options are : all, none, dc, rack
    #
    # If set to dc cassandra will encrypt the traffic between the DCs
    # If set to rack cassandra will encrypt the traffic between the racks
    #
    # The passwords used in these options must match the passwords used when generating
    # the keystore and truststore. For instructions on generating these files, see:
    # http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
    encryption_options:
        internode_encryption: none
        keystore: conf/.keystore
        keystore_password: cassandra
        truststore: conf/.truststore
        truststore_password: cassandra
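As an added example (not code from the Cassandra project or from this page), the following Python script audits the encryption_options block of a cassandra.yaml for the two things the section above warns about: internode_encryption left at none (or only dc/rack, which leaves intra-dc or intra-rack traffic in plaintext) and the shipped default keystore/truststore password still in place. The minimal parser, the sample configurations and the CHANGEME_* password placeholders are all constructed for this example.

```python
"""Audit the encryption_options block of a cassandra.yaml (added example)."""
import re

# Password shipped in conf/cassandra.yaml; seeing it in production is a finding.
DEFAULT_PASSWORDS = {"cassandra"}
VALID_MODES = {"all", "dc", "rack", "none"}


def parse_encryption_options(yaml_text):
    """Minimal parser: collect the 'key: value' pairs indented under encryption_options.
    Avoids a PyYAML dependency; '#' comments are stripped, so it assumes passwords
    contain no '#'. Other top-level keys are ignored."""
    opts, in_block = {}, False
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if re.match(r"^encryption_options:\s*$", line):
            in_block = True
            continue
        if in_block:
            if not line.startswith((" ", "\t")):
                break  # next top-level key ends the block
            key, _, value = line.strip().partition(":")
            opts[key.strip()] = value.strip()
    return opts


def audit(yaml_text):
    """Return a list of findings; an empty list means the block matches steps 1-3."""
    opts = parse_encryption_options(yaml_text)
    if not opts:
        return ["encryption_options block missing: inter-node traffic is plaintext"]
    findings = []
    mode = opts.get("internode_encryption", "none")
    if mode not in VALID_MODES:
        findings.append(f"unknown internode_encryption value {mode!r}")
    elif mode == "none":
        findings.append("internode_encryption is 'none': node-to-node traffic is unencrypted")
    elif mode in ("dc", "rack"):
        findings.append(f"internode_encryption is {mode!r}: traffic inside a {mode} stays in plaintext")
    for key in ("keystore_password", "truststore_password"):
        if opts.get(key) in DEFAULT_PASSWORDS:
            findings.append(f"{key} is the shipped default; regenerate the store with your own password")
    return findings


# Constructed sample: the shipped defaults quoted in the section above.
SHIPPED_DEFAULTS = "encryption_options:\n    internode_encryption: none\n    keystore: conf/.keystore\n" \
    "    keystore_password: cassandra\n    truststore: conf/.truststore\n    truststore_password: cassandra\n"
# Constructed sample: step 3 applied, passwords set when the stores were generated (placeholders).
HARDENED = "cluster_name: 'Test Cluster'  # unrelated key\nencryption_options:\n    internode_encryption: all\n" \
    "    keystore: conf/.keystore\n    keystore_password: CHANGEME_keystore_pw\n" \
    "    truststore: conf/.truststore\n    truststore_password: CHANGEME_truststore_pw\n"

if __name__ == "__main__":
    for name, cfg in (("shipped defaults", SHIPPED_DEFAULTS), ("hardened", HARDENED)):
        print(f"{name}: {audit(cfg) or ['no findings']}")
```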
See also SimpleAuthenticator for details of the authentication of Thrift clients (rather than between nodes).