Unable to Start Cassandra 2.0 with SSL

1
votes

I am trying to start Cassandra with SSL. My yam file has

server_encryption_options:
    internode_encryption: all
    keystore_password: changeme
    truststore_password: changeme
    truststore:  /opt/certs/cassandra.truststore
    keystore: /opt/certs/cassandra.keystore
    # protocol: TLS
    # algorithm: SunX509
    # store_type: JKS
    # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]

When I try to start cassandra I get exception

ERROR [main] 2014-06-12 22:29:18,844 CassandraDaemon.java (line 513) Exception encountered during startup
java.lang.RuntimeException: Unable to create thrift socket to /0.0.0.0:9160
    at org.apache.cassandra.thrift.CustomTThreadPoolServer$Factory.buildTServer(CustomTThreadPoolServer.java:263)
    at org.apache.cassandra.thrift.TServerCustomFactory.buildTServer(TServerCustomFactory.java:46)
    at org.apache.cassandra.thrift.ThriftServer$ThriftServerThread.<init>(ThriftServer.java:130)
    at org.apache.cassandra.thrift.ThriftServer.start(ThriftServer.java:56)
    at org.apache.cassandra.service.CassandraDaemon.start(CassandraDaemon.java:449)
    at org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:509)
    at org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:585)
Caused by: org.apache.thrift.transport.TTransportException: Could not bind to port 9160
    at org.apache.thrift.transport.TSSLTransportFactory.createServer(TSSLTransportFactory.java:117)
    at org.apache.thrift.transport.TSSLTransportFactory.getServerSocket(TSSLTransportFactory.java:103)
    at org.apache.cassandra.thrift.CustomTThreadPoolServer$Factory.buildTServer(CustomTThreadPoolServer.java:253)
    ... 6 more
Caused by: java.lang.IllegalArgumentException: Cannot support TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA with currently installed providers
    at sun.security.ssl.CipherSuiteList.<init>(CipherSuiteList.java:92)
    at sun.security.ssl.SSLServerSocketImpl.setEnabledCipherSuites(SSLServerSocketImpl.java:191)
    at org.apache.thrift.transport.TSSLTransportFactory.createServer(TSSLTransportFactory.java:113)
    ... 8 more

I am using OpenJDK

# rpm -qa|grep java
java-1.7.0-openjdk-1.7.0.55-2.4.7.1.el6_5.x86_64

I have copied the JCE security jar to /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.55.x86_64/jre/lib/security

Please help me understand what is going wrong here.

2
cassandracassandra-2.0
can you post cassandra/conf/cassandra.yaml fileGabber
Check the answer provided by dave_thompson_085 on this page: stackoverflow.com/questions/30640181/…user5776679

2 Answers

1
votes

I got the same error and this article helped me solve it.

Specifically this part:

I think you can get round it by overriding the cipher suites for both node-to-node and client-node properties e.g.

cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA]