Configure Cassandra TLS

TLS communication between the Cassandra datastore and runtime plane clients that talk to Cassandra is enabled by default. As part of the required TLS setup, you must do the following:

  • Provide TLS and authentication credentials in the overrides.yaml file
  • Change the default Cassandra password and provide the authentication credentials to allow clients in the runtime plane to connect with Cassandra

To set up TLS for Cassandra:

  1. Open the overrides.yaml for edit if it is not already open.
  2. Provide authentication credentials for the following users:
    User Type                          Configuration Property   Description
    Administrator                      cassandra.auth.admin     Used for any administrative activities performed on the Cassandra cluster.
    Default                            cassandra.auth.default   Cassandra creates a default user when authentication is enabled; the username is cassandra. You can set the value of the password but not the username for this user.
    DDL (Data Definition Language)     cassandra.auth.ddl       Used by MART for any of the data definition tasks like keyspace creation, update, and deletion.
    DML (Data Manipulation Language)   cassandra.auth.dml       Used by the client communication to read and write data to Cassandra (KMS, KVM, Cache, and Quota).

    If you used one of the example templates to get started, you must provide values for each of these properties.

  3. Set the locations of the Cassandra TLS files in overrides.yaml:
    • cassandra.key
    • cassandra.crt
  4. Save your overrides.yaml file.

The following example shows configuration properties that should already be in your overrides.yaml file if you used one of the example templates to get started. For the authentication credentials, you can provide any values that you want. To learn more, see Configure TLS for Cassandra.

namespace: MyNamespace
config:
  base64Credentials: dXNlckBleGFtcGxlLmNvbTphYmMxMjM=
  envs:
    - orgName: MyOrganization
      envName: MyEnvironment

cassandra:
  storage:
    type: gcepd
    capacity: 50Gi
    gcepd:
      replicationType: regional-pd
  sslRootCAPath: path_to_root_ca_file
  sslCertPath: path_to_ssl_cert_file
  sslKeyPath: path_to_ssl_key_file
  auth:
    default:
      password: your_cassandra_password
    admin:
      user: admin_username
      password: admin_password
    ddl:
      user: ddl_username
      password: ddl_password
    dml:
      user: dml_username
      password: dml_password
...

For example:

...
cassandra:
  storage:
    type: gcepd
    capacity: 50Gi
    gcepd:
      replicationType: regional-pd
  sslRootCAPath: "/Users/myhome/ssh/cassandra.crt"
  sslCertPath: "/Users/myhome/ssh/cassandra.crt"
  sslKeyPath: "/Users/myhome/ssh/cassandra.key"
  auth:
    default:
      password: "abc123"
    admin:
      user: "my_admin_username"
      password: "abc234"
    ddl:
      user: "my_ddl_username"
      password: "abc345"
    dml:
      user: "my_dml_username"
      password: "abc456"
  nodeSelector:
    key: cloud.google.com/gke-nodepool
    value: apigee-data
...

Create a self-signed certificate/key pair

For testing purposes, you can use a self-signed certificate/key pair for the MART endpoint configuration.

To generate a self-signed certificate pair for the Cassandra configuration:

  1. Create a directory to contain the key and certificate for the MP.
  2. Execute the following commands to generate the key and certificate:
    openssl genrsa -des3 -out server.pass.key 2048
    openssl rsa -in server.pass.key -out cassandra.key
    openssl req -nodes -new -key cassandra.key -out cassandra.csr
    openssl x509 -req -sha256 -days 365 -in cassandra.csr -signkey cassandra.key -out cassandra.crt
  3. In the overrides.yaml configuration, provide the paths to the following files:
    • cassandra.key
    • cassandra.crt (Use the .crt file instead of a root CA for a self-signed configuration.)
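The following script is an added example, not part of the Apigee hybrid documentation. It runs the generation steps above non-interactively and then performs the checks a practitioner wants before pointing sslKeyPath, sslCertPath and sslRootCAPath at the files: that the private key belongs to the certificate, and that the certificate validates against the file used as the root CA (for a self-signed pair, the .crt itself, as in the example overrides.yaml). The passphrase, subject CN and output directory are constructed values.

```shell
#!/bin/sh
# Added example: generate and verify the self-signed Cassandra TLS pair.
set -eu

# Same four openssl steps as the procedure, made non-interactive.
# "example-pass" and the CN are constructed values for this example.
gen_self_signed() {
  dir="$1"; cn="$2"
  mkdir -p "$dir"
  openssl genrsa -des3 -passout pass:example-pass -out "$dir/server.pass.key" 2048 2>/dev/null
  openssl rsa -passin pass:example-pass -in "$dir/server.pass.key" -out "$dir/cassandra.key" 2>/dev/null
  openssl req -nodes -new -key "$dir/cassandra.key" -subj "/CN=$cn" -out "$dir/cassandra.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$dir/cassandra.csr" \
    -signkey "$dir/cassandra.key" -out "$dir/cassandra.crt" 2>/dev/null
}

# Check 1: the key in sslKeyPath must belong to the cert in sslCertPath.
# Both commands print "Modulus=<hex>", so the strings must be identical.
key_matches_cert() {
  k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
  c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 2: the cert must validate against the file given as sslRootCAPath.
# For a self-signed pair that file is cassandra.crt itself.
cert_chains_to_root() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Check 3: the cert must still be valid for at least $2 seconds.
cert_valid_for() {
  openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}

# Stand-alone usage with a constructed temporary directory.
DEMO_DIR=$(mktemp -d)
gen_self_signed "$DEMO_DIR" "cassandra.example.internal"
key_matches_cert "$DEMO_DIR/cassandra.key" "$DEMO_DIR/cassandra.crt" && echo "key matches cert"
cert_chains_to_root "$DEMO_DIR/cassandra.crt" "$DEMO_DIR/cassandra.crt" && echo "cert validates against itself as root CA"
cert_valid_for "$DEMO_DIR/cassandra.crt" 86400 && echo "cert valid for at least one day"
rm -rf "$DEMO_DIR"
```

The checks are the same ones to run against a CA-issued pair: pass the CA file as the second argument to cert_chains_to_root instead of the certificate itself.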

Next step

Next: Expose MART