Internode (or node-to-node) encryption protects data traveling between nodes in a cluster using TLS. This page explains how to enable Cassandra internode encryption using TLS on Edge for Private Cloud. To perform these steps, you must be familiar with the details of your Cassandra ring.
Enable Cassandra internode encryption
To enable Cassandra internode encryption, follow the procedure below on all nodes in the cluster. You need to distribute public certificates of each node to all nodes. After doing so, each node will contain certificates node0.cer, node1.cer, etc. in its truststore. Each node will only contain its own private key in its keystore. For example, node0 will only contain node0.pem in its keystore. You need to enable encryption on each node, one at a time.
Follow these steps to enable Cassandra internode encryption:
- Generate server certificates by following the steps in the Appendix to create a self-signed key and certificate.
  The following steps assume you have created keystore.node0 and truststore.node0, as well as the keystore and truststore passwords, as explained in the Appendix. The keystore and truststore should be created as preliminary steps on each node before proceeding with the next steps.
- Add the following properties to the /opt/apigee/customer/application/cassandra.properties file. If the file does not exist, create it.
    conf_cassandra_internode_encryption=all
    conf_cassandra_keystore=/opt/apigee/data/apigee-cassandra/keystore.node0
    conf_cassandra_keystore_password=keypass
    conf_cassandra_truststore=/opt/apigee/data/apigee-cassandra/truststore.node0
    conf_cassandra_truststore_password=trustpass
    # Optionally set the following to enable 2-way TLS or mutual TLS
    # conf_cassandra_require_client_auth=true
- Ensure that the file cassandra.properties is owned by the apigee user:
    chown apigee:apigee \
      /opt/apigee/customer/application/cassandra.properties
Execute the following steps on each Cassandra node, one at a time, so the changes take effect without causing any downtime for users:
- Stop the Cassandra service:
    /opt/apigee/apigee-service/bin/apigee-service \
      apigee-cassandra stop
- Restart the Cassandra service:
    /opt/apigee/apigee-service/bin/apigee-service \
      apigee-cassandra start
- To determine if the TLS encryption service has started, check the system logs for the following message:
    Starting Encrypted Messaging Service on TLS port
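A pre-restart check for the configuration steps above, as an added example that is not part of the Apigee documentation or tooling. The function names are hypothetical; the property keys, the apigee owner and the 400 keystore mode are the ones this page uses.

```shell
#!/bin/sh
# Added example, not Apigee code: check one node's settings before its restart.

# prop FILE KEY: print the last uncommented value assigned to KEY.
prop() { sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1; }

# owner_mode PATH: print "OWNER MODE-STRING" as reported by ls.
owner_mode() { ls -ld "$1" | awk '{print $3, $1}'; }

# check_internode_tls FILE [OWNER]: print one line per problem and return
# the number of problems (0 = ready). OWNER defaults to apigee.
check_internode_tls() {
  file=$1 owner=${2:-apigee} problems=0
  fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

  [ -f "$file" ] || { fail "$file does not exist"; return "$problems"; }
  case $(owner_mode "$file") in
    "$owner "*) ;;
    *) fail "$file is not owned by $owner" ;;
  esac
  [ "$(prop "$file" conf_cassandra_internode_encryption)" = all ] ||
    fail "conf_cassandra_internode_encryption is not 'all'"

  for kind in keystore truststore; do
    path=$(prop "$file" "conf_cassandra_$kind")
    [ -n "$(prop "$file" "conf_cassandra_${kind}_password")" ] ||
      fail "conf_cassandra_${kind}_password is not set"
    [ -f "$path" ] || fail "$kind file not found: ${path:-unset}"
  done

  # The keystore holds the private key: owner-only read, as in the Appendix.
  keystore=$(prop "$file" conf_cassandra_keystore)
  if [ -f "$keystore" ]; then
    case $(owner_mode "$keystore") in
      "$owner -r--------"*) ;;
      *) fail "$keystore must be owned by $owner with mode 400" ;;
    esac
  fi
  return "$problems"
}
```

Run it on each node as `check_internode_tls /opt/apigee/customer/application/cassandra.properties` before stopping the service; a non-zero return means the node is not ready to restart with encryption enabled.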
Perform certificate rotation
To rotate certificates, follow these steps:
- Add the certificate for each unique generated key pair (see Appendix) to an existing Cassandra node's truststore, such that both the old certificates and new certificates exist in the same truststore:
    keytool -import -v -trustcacerts -alias NEW_ALIAS \
      -file CERT -keystore EXISTING_TRUSTSTORE
  where NEW_ALIAS is a unique string to identify the entry, CERT is the name of the certificate file to add, and EXISTING_TRUSTSTORE is the name of the existing truststore on the Cassandra node.
- Use a copy utility, such as scp, to distribute the truststore to all Cassandra nodes in the cluster, replacing the existing truststore in use by each node.
- Perform a rolling restart of the cluster to load the new truststore and establish trust for the new keys before they are in place:
    /opt/apigee/apigee-service/bin/apigee-service \
      apigee-cassandra restart
- On each Cassandra node in the cluster, update the properties shown below to the new keystore values in the cassandra.properties file:
    conf_cassandra_keystore=NEW_KEYSTORE_PATH
    conf_cassandra_keystore_password=NEW_KEYSTORE_PASSWORD
  where NEW_KEYSTORE_PATH is the path to the directory where the keystore file is located and NEW_KEYSTORE_PASSWORD is the keystore password set when the certificates were created, as explained in the Appendix.
- Stop the Cassandra service:
    /opt/apigee/apigee-service/bin/apigee-service \
      apigee-cassandra stop
- Restart the Cassandra service:
    /opt/apigee/apigee-service/bin/apigee-service \
      apigee-cassandra start
- When communication is successfully established between all nodes, proceed to the next Cassandra node.
  Note: Only proceed to the next node if communication is successfully established between all nodes.
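Before the rolling restart in the rotation procedure, every node's truststore has to list both the old and the new certificates. The check below is an added example, not Apigee code; it reads the text printed by the keytool -list command shown in the Appendix, and the listing and the alias node0-new are constructed sample values.

```shell
#!/bin/sh
# Added example, not Apigee code. Input is the text printed by `keytool -list`.

# Constructed sample: a truststore listing after a new certificate was imported.
sample_truststore_listing() {
cat <<'EOF'
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 3 entries

node0, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): <constructed, elided>
node1, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): <constructed, elided>
node0-new, Mar 1, 2025, trustedCertEntry,
Certificate fingerprint (SHA-256): <constructed, elided>
EOF
}

# entries_of TYPE: print the alias of every entry of TYPE found on stdin
# (TYPE is trustedCertEntry or PrivateKeyEntry).
entries_of() {
  awk -v t="$1" 'index($0, ", " t) { sub(/, .*/, ""); print }'
}

# untrusted_aliases ALIAS...: print each required alias that has no
# trustedCertEntry in the listing on stdin; return 1 if any is missing.
untrusted_aliases() {
  trusted=$(entries_of trustedCertEntry)
  missing=
  for alias in "$@"; do
    # -x and -F: whole-line literal match, so node0 does not match node0-new.
    printf '%s\n' "$trusted" | grep -qxF -e "$alias" ||
      missing="$missing $alias"
  done
  echo "${missing# }"
  [ -z "$missing" ]
}
```

On a node, pipe the real listing in, for example `keytool -list -keystore truststore.node0 | untrusted_aliases node0 node1 node0-new`, and start the restart only when it prints nothing.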
Appendix
The following example explains how to prepare server certificates needed to perform the internode encryption steps. The commands shown in the example use the following parameters:
Parameter | Description |
---|---|
node0 | Any unique string to identify the node. |
keystore.node0 | A keystore name. The commands assume this file is in the current directory. |
keypass | The keypass must be the same for both the keystore and the key. |
dname | Identifies the IP address of node0 as 10.128.0.39. |
-validity | The value set on this flag makes the generated key pair valid for 10 years. |
- Go to the following directory:
    cd /opt/apigee/data/apigee-cassandra
- Run the following command to generate a file named keystore.node0 in the current directory:
    keytool -genkey -keyalg RSA -alias node0 -validity 3650 \
      -keystore keystore.node0 -storepass keypass \
      -keypass keypass \
      -dname "CN=10.128.0.39, OU=None, O=None, L=None, C=None"
  Important: Make sure that the key password is the same as the keystore password.
- Export the certificate to a separate file:
    keytool -export -alias node0 -file node0.cer \
      -keystore keystore.node0
- Ensure the file is readable by the apigee user only and by no one else:
    $ chown apigee:apigee \
        /opt/apigee/data/apigee-cassandra/keystore.node0
    $ chmod 400 /opt/apigee/data/apigee-cassandra/keystore.node0
- Import the generated certificate node0.cer to the truststore of the node:
    keytool -import -v -trustcacerts -alias node0 \
      -file node0.cer -keystore truststore.node0
  The command above asks you to set a password. This is the truststore password and can be different from the keystore password you set earlier. If prompted to trust the certificate, enter yes.
- Use openssl to generate a PEM file of the certificate with no keys. Note that cqlsh does not work with the certificate in the format generated.
    $ keytool -importkeystore -srckeystore keystore.node0 \
        -destkeystore node0.p12 -deststoretype PKCS12 \
        -srcstorepass keypass -deststorepass keypass
    $ openssl pkcs12 -in node0.p12 -nokeys -out node0.cer.pem \
        -passin pass:keypass
    $ openssl pkcs12 -in node0.p12 -nodes -nocerts -out node0.key.pem -passin pass:keypass
- For node-to-node encryption, copy the node0.cer file to each node and import it to the truststore of each node.
    keytool -import -v -trustcacerts -alias node0 \
      -file node0.cer -keystore truststore.node1
- Use keytool -list to check for certificates in the keystore and truststore files:
    $ keytool -list -keystore keystore.node0
    $ keytool -list -keystore truststore.node0