MUSIC Node-to-node encryption using SSL



Preparing SSL certificates for development:

Step 1: Creating SSL certificates on all nodes:

We need to create SSL certificates on all the nodes. Each node gets a keystore and a truststore: the keystore holds the node's private key, and the truststore holds the node's own SSL certificate plus the certificates of the other nodes. Perform the steps below in the CASSANDRA_HOME/conf folder.


Create node1 certificate

keytool -genkey -keyalg RSA -alias node1 -validity 36500 -keystore .keystore -storepass cassandra -keypass cassandra -dname "CN=vm-music-01, OU=None, O=None, L=None, C=None"


Export the node1 certificate from the keystore to a file

keytool -export -alias node1 -file node1.cer -keystore .keystore


Import the node1 certificate into the truststore

keytool -import -v -trustcacerts -alias node1 -file node1.cer -keystore .truststore


In the same way, create the node2 certificate using the three steps above, then copy the node2.cer file to node1:

scp -P 22 node2.cer <userid>@135.197.226.110:/tmp


Add node2.cer (copied to /tmp above) to the truststore of node1

keytool -import -v -trustcacerts -alias node2 -file /tmp/node2.cer -keystore .truststore


Step 2: Update the cassandra.yaml file:

On each node, under server_encryption_options:, point keystore and truststore at the files in the conf folder and set the passwords to the ones used when the stores were created in Step 1.

For development:

server_encryption_options:
  internode_encryption: all
  keystore: /conf/.keystore
  keystore_password: cassandra
  truststore: /conf/.truststore
  truststore_password: cassandra
  require_client_auth: true

Preparing SSL certificates with a self-signed CA:


Step 1: Creating SSL certificates on all nodes:

Create the following conf file on one of the nodes.


gen_rootCa_cert.conf


[ req ]
distinguished_name  = req_distinguished_name
prompt              = no
output_password     = cassandra
default_bits        = 2048
[ req_distinguished_name ]
C                   = US
O                   = AT&T
OU                  = Research
CN                  = rootCa




Create a root CA certificate and key using the conf file created above (the subject is quoted because the "&" in AT&T would otherwise be interpreted by the shell):

sudo openssl req -config gen_rootCa_cert.conf -new -x509 -nodes -subj "/CN=rootCa/OU=Research/O=AT&T/C=US" -keyout rootCa.key -out rootCa.crt -days 365


Generate public/private key pair and keystore for each node (example is on node3):


 sudo keytool -genkeypair -keyalg RSA -alias node3 -keystore node3.jks -storepass cassandra -keypass cassandra -validity 365 -keysize 2048 -dname "CN=VM Node 03, OU=Research, O=ATT, C=US"




Export certificate signing request (CSR) for each node:

 sudo keytool -certreq -keystore node3.jks -alias node3 -file node3.csr -storepass cassandra -keypass cassandra -dname "CN=VM Node 03, OU=Research, O=ATT, C=US"




Sign each node's certificate with rootCa (the CA key was created with -nodes, so it is unencrypted and the -passin option is not strictly needed)

 sudo openssl x509 -req -CA rootCa.crt -CAkey rootCa.key -in node3.csr -out node3.crt_signed -days 365 -CAcreateserial -passin pass:cassandra




Import the rootCa certificate into each node's keystore

 sudo keytool -importcert -keystore node3.jks -alias rootCa -file rootCa.crt -noprompt -keypass cassandra -storepass cassandra




Import each node's signed certificate into that node's keystore

 sudo keytool -importcert -keystore node3.jks -alias node3 -file node3.crt_signed -noprompt -keypass cassandra -storepass cassandra




Create a server truststore containing only the rootCa certificate. The same truststore file must be copied to every node.

 sudo keytool -importcert -keystore cluster-truststore.jks -alias rootCa -file rootCa.crt -noprompt -keypass cassandra -storepass cassandra




Copy each node's keystore file to its node. In this example node3.jks was created on the node that holds the CA, so it has to be copied to node3; do the same for the keystores of the other nodes.
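The CA flow above, as an added example that is not part of the MUSIC page or the Cassandra project: a POSIX shell function that builds rootCa from a copy of gen_rootCa_cert.conf, signs a node certificate, and then checks what the cluster truststore is meant to enforce (a certificate chained to rootCa verifies, a certificate from an unrelated CA does not). It assumes openssl is on PATH; the node key and CSR are produced with openssl instead of keytool so it runs without a JDK, and the keytool truststore step runs only when keytool is present. Unlike the page's conf, the copy here declares rootCa as a CA with an explicit basicConstraints extension so that openssl verify accepts it as a trust anchor on every OpenSSL version.

```shell
#!/bin/sh
# Added example (not from the MUSIC page): build rootCa, sign a node certificate,
# and verify the chain with openssl. All files go into a fresh temp directory.
# Assumptions: openssl on PATH; keytool optional; conf mirrors gen_rootCa_cert.conf
# with an added [ v3_ca ] section marking rootCa as a CA.

# Build the CA, sign node3's CSR, and run a positive and a negative chain check.
# Prints the work directory on success and returns 0; returns nonzero otherwise.
build_and_verify_node_cert() {
  workdir=$(mktemp -d) || return 1
  cd "$workdir" || return 1

  # Constructed copy of the page's conf, plus basicConstraints so rootCa is a real CA.
  cat > gen_rootCa_cert.conf <<'EOF'
[ req ]
distinguished_name  = req_distinguished_name
prompt              = no
default_bits        = 2048
x509_extensions     = v3_ca

[ req_distinguished_name ]
C                   = US
O                   = AT&T
OU                  = Research
CN                  = rootCa

[ v3_ca ]
basicConstraints    = critical, CA:TRUE
keyUsage            = critical, keyCertSign, cRLSign
EOF

  # Root CA key and self-signed certificate (the page's "openssl req -x509" step).
  openssl req -config gen_rootCa_cert.conf -new -x509 -nodes \
      -keyout rootCa.key -out rootCa.crt -days 365 >/dev/null 2>&1 || return 1

  # Node key and CSR. The page creates these inside node3.jks with keytool;
  # openssl is used here so the example does not need a JDK.
  openssl req -config gen_rootCa_cert.conf -new -newkey rsa:2048 -nodes \
      -keyout node3.key -out node3.csr \
      -subj "/CN=VM Node 03/OU=Research/O=ATT/C=US" >/dev/null 2>&1 || return 1

  # Sign the CSR with rootCa (same command shape as the page's "openssl x509 -req").
  openssl x509 -req -CA rootCa.crt -CAkey rootCa.key -in node3.csr \
      -out node3.crt_signed -days 365 -CAcreateserial >/dev/null 2>&1 || return 1

  # Positive check: the signed node certificate chains to rootCa.
  openssl verify -CAfile rootCa.crt node3.crt_signed >/dev/null 2>&1 || return 1

  # Negative check: a node certificate issued by an unrelated CA must be rejected.
  # This is what a cluster truststore holding only rootCa enforces between nodes.
  openssl req -config gen_rootCa_cert.conf -new -x509 -nodes -subj "/CN=otherCa" \
      -keyout other.key -out other.crt -days 365 >/dev/null 2>&1 || return 1
  openssl req -config gen_rootCa_cert.conf -new -newkey rsa:2048 -nodes \
      -keyout node9.key -out node9.csr -subj "/CN=VM Node 09" >/dev/null 2>&1 || return 1
  openssl x509 -req -CA other.crt -CAkey other.key -in node9.csr \
      -out node9.crt -days 365 -CAcreateserial >/dev/null 2>&1 || return 1
  if openssl verify -CAfile rootCa.crt node9.crt >/dev/null 2>&1; then
    echo "unexpected: certificate from an unrelated CA verified against rootCa" >&2
    return 1
  fi

  # Optional: with a JDK present, build the cluster truststore as the page does and
  # confirm the rootCa entry is listed. Silently skipped when keytool is absent.
  if command -v keytool >/dev/null 2>&1; then
    keytool -importcert -keystore cluster-truststore.jks -alias rootCa -file rootCa.crt \
        -noprompt -storepass cassandra >/dev/null 2>&1 || return 1
    keytool -list -keystore cluster-truststore.jks -storepass cassandra \
        -alias rootCa >/dev/null 2>&1 || return 1
  fi

  echo "$workdir"
}

# Print subject and issuer of a certificate, e.g. to confirm a node cert was
# issued by rootCa before copying its keystore to the node.
show_cert_identity() {
  openssl x509 -in "$1" -noout -subject -issuer
}
```

Run it with `dir=$(build_and_verify_node_cert) && show_cert_identity "$dir/node3.crt_signed"`; the issuer line should name rootCa. The negative check is the part worth keeping around: it is the quickest way to confirm that a truststore built from rootCa alone will not accept a node that presents a certificate from some other CA.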



Step 2: Update the cassandra.yaml file:

On each node, under server_encryption_options:, point keystore and truststore at the files copied to the conf folder and set the passwords to the ones used when the stores were created in Step 1.

server_encryption_options:
  internode_encryption: all
  keystore: /conf/node3.jks
  keystore_password: cassandra
  truststore: /conf/cluster-truststore.jks
  truststore_password: cassandra
  require_client_auth: true
  protocol: TLS
  algorithm: SunX509
  store_type: JKS
  cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
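Because this block is usually pasted from one node to the next, an added lint (not part of the MUSIC page or of Cassandra) is a cheap way to catch the usual slips before restarting: a key listed twice, a required key missing, internode_encryption left at something other than all, or require_client_auth not set to true. It is a POSIX sh function around awk; the sample block it is tested against is constructed here and deliberately repeats require_client_auth.

```shell
#!/bin/sh
# Added example (not from the MUSIC page): lint the server_encryption_options
# block of a cassandra.yaml. Assumes POSIX sh and awk. Exit status 1 if a key is
# duplicated or a required key is missing; warnings do not change the status.
check_server_encryption_options() {
  awk '
    /^server_encryption_options:/ { insec = 1; next }
    insec && /^[^ \t#]/           { insec = 0 }        # next top-level key ends the block
    insec && /^[ \t]+[A-Za-z_]+:/ {
      key = $1; sub(/:$/, "", key)                     # "keystore:" -> "keystore"
      seen[key]++
      value[key] = $2
    }
    END {
      rc = 0
      for (k in seen)
        if (seen[k] > 1) { print "duplicate key: " k; rc = 1 }
      n = split("internode_encryption keystore keystore_password truststore truststore_password require_client_auth", need, " ")
      for (i = 1; i <= n; i++)
        if (!(need[i] in seen)) { print "missing key: " need[i]; rc = 1 }
      if (("internode_encryption" in seen) && value["internode_encryption"] != "all")
        print "warning: internode_encryption is " value["internode_encryption"] ", not all"
      if (("require_client_auth" in seen) && value["require_client_auth"] != "true")
        print "warning: require_client_auth is " value["require_client_auth"] "; connecting nodes need not present a certificate"
      exit rc
    }' "$1"
}

# Constructed sample of the block with the copy-paste slip: require_client_auth twice.
sample_server_encryption_options() {
  cat <<'EOF'
server_encryption_options:
  internode_encryption: all
  keystore: /conf/node3.jks
  keystore_password: cassandra
  truststore: /conf/cluster-truststore.jks
  truststore_password: cassandra
  require_client_auth: true
  protocol: TLS
  algorithm: SunX509
  store_type: JKS
  cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
  require_client_auth: true
EOF
}
```

Usage: `check_server_encryption_options /path/to/cassandra.yaml`. On the sample it prints `duplicate key: require_client_auth` and exits 1; once the repeated line is removed it exits 0 with no output.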


Restart Cassandra and run the command below; you should see the message "Starting Encrypted Messaging Service on SSL port 7001":

grep SSL install_location/logs/system.log


Step 3: To run cqlsh with SSL encryption:

Create a .cassandra/cqlshrc file with the content below (validate = false tells cqlsh not to verify the server's certificate, so it connects without checking the node's certificate against a CA).


[connection]
factory = cqlshlib.ssl.ssl_transport_factory
[ssl]
validate = false



Turning Off SSL communication

The default usage of MUSIC does not involve SSL. To revert to non-SSL operation, simply undo the changes to cassandra.yaml suggested above.