Page MenuHomePhabricator

cassandra - enable Inter-node encryption
Closed, DuplicatePublic

Description

I noticed on cassandra test hosts that we use port 7000 and not 7001 and that indicates we don't encrypt internode communication. How about enabling that?


"Inter-node encryption uses standard TLS/SSL to authenticate and encrypt messages between nodes, to preotect data in transit between nodes, and to prevent unauthorized access to/control of nodes."

"Encryption can be applied to all inter-node messages, just messages crossing from one rack to another, or just messages crossing from one datacenter to another."

from: https://wiki.apache.org/cassandra/InternodeEncryption


7000 - Internode communication (not used if TLS enabled)
7001 - TLS Internode communication (used if TLS enabled)

from: http://stackoverflow.com/questions/2359159/cassandra-port-usage-how-are-the-ports-used


in puppet/modules/cassandra/templates/cassandra.yaml.erb:

718 # Enable or disable inter-node encryption
719 # Default settings are TLS v1, RSA 1024-bit keys (it is imperative that
720 # users generate their own keys) TLS_RSA_WITH_AES_128_CBC_SHA as the cipher
721 # suite for authentication, key exchange and encryption of the actual data transfers.
722 # Use the DHE/ECDHE ciphers if running in FIPS 140 compliant mode.
723 # NOTE: No custom encryption options are enabled at the moment
724 # The available internode options are : all, none, dc, rack
725 #
726 # If set to dc cassandra will encrypt the traffic between the DCs
727 # If set to rack cassandra will encrypt the traffic between the racks
728 #
729 # The passwords used in these options must match the passwords used when generating
730 # the keystore and truststore.  For instructions on generating these files, see:
731 # http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
732 #
733 server_encryption_options:
734     internode_encryption: none
735     keystore: conf/.keystore
736     keystore_password: cassandra
737     truststore: conf/.truststore
738     truststore_password: cassandra
739     # More advanced defaults below:
740     # protocol: TLS
741     # algorithm: SunX509
742     # store_type: JKS
743     # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WI    TH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
744     # require_client_auth: false