TLS communication between the Cassandra datastore and the runtime plane clients that talk to Cassandra is enabled by default. As part of the required TLS setup, you must do the following:
- Provide TLS and authentication credentials in the overrides.yaml file
- Change the default Cassandra password and provide the authentication credentials that allow clients in the runtime plane to connect to Cassandra
To set up TLS for Cassandra:
- Open the overrides.yaml file for editing if it is not already open.
- Provide authentication credentials for the following users:

| User Type | Configuration Property | Description |
| --- | --- | --- |
| Administrator | cassandra.auth.admin | Used for any administrative activities performed on the Cassandra cluster. |
| Default | cassandra.auth.default | Cassandra creates a default user when authentication is enabled; the username is cassandra. You can set the value of the password but not the username for this user. |
| DDL (Data Definition Language) | cassandra.auth.ddl | Used by MART for any of the data definition tasks like keyspace creation, update, and deletion. |
| DML (Data Manipulation Language) | cassandra.auth.dml | Used by the client communication to read and write data to Cassandra (KMS, KVM, Cache, and Quota). |
If you used one of the example templates to get started, you must provide values for each of these properties.
- Set the locations of the Cassandra TLS files in the overrides.yaml file.
- Save your overrides.yaml file.
The following example shows configuration properties that should already be in your overrides.yaml file if you used one of the example templates to get started. For the auth credentials, you can provide any values that you want. To learn more, see Configure TLS for Cassandra.
```yaml
namespace: MyNamespace
config:
  base64Credentials: dXNlckBleGFtcGxlLmNvbTphYmMxMjM=
envs:
  - orgName: MyOrganization
    envName: MyEnvironment
cassandra:
  storage:
    type: gcepd
    capacity: 50Gi
    gcepd:
      replicationType: regional-pd
  sslRootCAPath: path_to_root_ca_file
  sslCertPath: path_to_ssl_cert_file
  sslKeyPath: path_to_ssl_key_file
  auth:
    default:
      password: your_cassandra_password
    admin:
      user: admin_username
      password: admin_password
    ddl:
      user: ddl_username
      password: ddl_password
    dml:
      user: dml_username
      password: dml_password
...
```

The following example shows the same properties with the placeholders filled in:

```yaml
...
cassandra:
  storage:
    type: gcepd
    capacity: 50Gi
    gcepd:
      replicationType: regional-pd
  sslRootCAPath: "/Users/myhome/ssh/cassandra.crt"
  sslCertPath: "/Users/myhome/ssh/cassandra.crt"
  sslKeyPath: "/Users/myhome/ssh/cassandra.key"
  auth:
    default:
      password: "abc123"
    admin:
      user: "my_admin_username"
      password: "abc234"
    ddl:
      user: "my_ddl_username"
      password: "abc345"
    dml:
      user: "my_dml_username"
      password: "abc456"
  nodeSelector:
    key: cloud.google.com/gke-nodepool
    value: apigee-data
...
```
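As an added example (not code from the Apigee documentation), the check below runs over the cassandra section of an overrides.yaml that has already been parsed into a dict (for instance with yaml.safe_load) and flags template placeholders that were never replaced, a default password still at Cassandra's shipped value, and a root CA path that is simply the server certificate, which the self-signed setup on this page allows for testing only. The two input dicts are constructed inline to mirror the examples above; the function name and the finding strings are the example's own.

```python
from typing import Any, Dict, List

# Placeholder values exactly as they appear in the template example on this page.
TEMPLATE_PLACEHOLDERS = {
    "path_to_root_ca_file", "path_to_ssl_cert_file", "path_to_ssl_key_file",
    "your_cassandra_password", "admin_username", "admin_password",
    "ddl_username", "ddl_password", "dml_username", "dml_password",
}
CASSANDRA_DEFAULT_PASSWORD = "cassandra"  # the superuser's out-of-the-box password


def lint_cassandra_overrides(overrides: Dict[str, Any]) -> List[str]:
    """Return a list of findings for the cassandra section; empty means all checks passed."""
    findings: List[str] = []
    cass = overrides.get("cassandra") or {}
    auth = cass.get("auth") or {}

    def check(path: str, value: Any) -> None:
        if not value:
            findings.append(f"{path}: missing or empty")
        elif str(value) in TEMPLATE_PLACEHOLDERS:
            findings.append(f"{path}: template placeholder left in place")

    for key in ("sslRootCAPath", "sslCertPath", "sslKeyPath"):
        check(f"cassandra.{key}", cass.get(key))
    check("cassandra.auth.default.password", (auth.get("default") or {}).get("password"))
    for role in ("admin", "ddl", "dml"):
        for field in ("user", "password"):
            check(f"cassandra.auth.{role}.{field}", (auth.get(role) or {}).get(field))

    if (auth.get("default") or {}).get("password") == CASSANDRA_DEFAULT_PASSWORD:
        findings.append("cassandra.auth.default.password: still the shipped default")
    if cass.get("sslRootCAPath") and cass.get("sslRootCAPath") == cass.get("sslCertPath"):
        findings.append("cassandra.sslRootCAPath equals sslCertPath: self-signed, testing only")
    return findings


# Constructed inputs mirroring the two overrides.yaml examples above.
TEMPLATE_CONFIG = {"cassandra": {
    "sslRootCAPath": "path_to_root_ca_file", "sslCertPath": "path_to_ssl_cert_file",
    "sslKeyPath": "path_to_ssl_key_file",
    "auth": {"default": {"password": "your_cassandra_password"},
             "admin": {"user": "admin_username", "password": "admin_password"},
             "ddl": {"user": "ddl_username", "password": "ddl_password"},
             "dml": {"user": "dml_username", "password": "dml_password"}}}}
FILLED_CONFIG = {"cassandra": {
    "sslRootCAPath": "/Users/myhome/ssh/cassandra.crt",
    "sslCertPath": "/Users/myhome/ssh/cassandra.crt", "sslKeyPath": "/Users/myhome/ssh/cassandra.key",
    "auth": {"default": {"password": "abc123"},
             "admin": {"user": "my_admin_username", "password": "abc234"},
             "ddl": {"user": "my_ddl_username", "password": "abc345"},
             "dml": {"user": "my_dml_username", "password": "abc456"}}}}
```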
Create a self-signed certificate/key pair
For testing purposes, you can use a self-signed certificate/key pair for the MART endpoint configuration.
To generate a self-signed certificate pair for the Cassandra configuration:
- Create a directory to contain the key and certificate for the MP.
- Execute the following commands to generate the key and certificate:

```shell
openssl genrsa -des3 -out server.pass.key 2048
openssl rsa -in server.pass.key -out cassandra.key
openssl req -nodes -new -key cassandra.key -out cassandra.csr
openssl x509 -req -sha256 -days 365 -in cassandra.csr -signkey cassandra.key -out cassandra.crt
```
- In the overrides.yaml configuration, provide the paths to the following files: cassandra.crt for sslRootCAPath and sslCertPath, and cassandra.key for sslKeyPath. (Use the .crt file instead of a root CA for a self-signed configuration.)