Cassandra: how to setup node-to-node encryption?

3
votes

Cassandra supports both client-node encryption and node-node encryption. It seems like the client-node encryption is simple to setup.

Now that i have finished setting up client-node, i was trying out the node-node encryption and am curious about a couple of things.

  1. The example here (http://www.datastax.com/docs/datastax_enterprise3.1/security/ssl_certs#ssl-certs) uses different certificates for different nodes. Is this compulsory?

  2. Can I use the sample SSL certificate for every node rather than generating a new certificate for each node?

1
sslencryptioncassandra

1 Answers

4
votes

The example here (http://www.datastax.com/docs/datastax_enterprise3.1/security/ssl_certs#ssl-certs) uses different certificates for different nodes. Is this compulsory?

It is considered best practice to give each node it's own identifying certificate, but it is not required.

Can I use the sample SSL certificate for every node rather than generating a new certificate for each node?

Yes you could, but what I would do is create your own Certificate Authority and then generate all of your certificates signed by that Authority (see this for how to do it using keytool). This way you only have to trust the certificate authority on your cassandra nodes so you can add more nodes without having to update your trust stores on every cassandra node.