OpsCenter 6.0+ Only
When creating a new cluster with OpsCenter Lifecycle Manager, enabling client-to-node encryption with client_encryption_options.require_client_auth=true will cause the install job to fail. If a user attempts to do this they will see one of two errors:
- If password authentication is enabled on the DSE cluster, the user will see a NoHostAvailable exception when LCM attempts to change the default password.
- If authentication is not enabled the user will see an error when LCM attempts to register the cluster for OpsCenter monitoring. Note: In this case the cluster will typically be created successfully but will not be monitored by OpsCenter.
The workaround for this issue is to create the cluster with client-to-node encryption enabled, but require_client_auth=false. Once the cluster is successfully created, it is possible to enable require_client_auth through the following manual steps:
- Create a certificate for each client. While LCM can create certificates for DSE servers, it cannot create them for clients and you must do so manually. For details on how to create client certificates, refer to the user guide for your driver, which typically has an "SSL" or "Security" section. For example, the Java driver has an SSL section which details the procedure for creating client certificates. It is highly recommended to use a Certificate Authority (either a private self-signed CA or a commercial CA) to sign your client certificates rather than making each client certificate self-signed. Using a CA makes trust-store administration much simpler as client nodes are added and removed.
- Add the client's CA (or the client certificates if you're not using a CA) to the trust-store for each DSE server. If you previously allowed LCM to create truststores for your DSE nodes (which happens by default when client-to-node or node-to-node encryption is enabled), this involves SSH'ing to each DSE node and running the appropriate keytool import command as described in the DSE documentation. If you have deployed your own DSE truststores, you must ensure that they trust your client certificates.
- Add the DSE server CA to the trust store for each client. If you previously allowed LCM to create certificates for your DSE servers (which happens by default when client-to-node or node-to-node encryption is enabled), you may manually download the LCM CA cert and add it to the truststore used by your driver as documented in the appropriate driver user guide. If you prepared your own certificates, ensure that the client truststores trust the DSE server certificates.
- Edit the Config Profile and set the following properties in cassandra.yaml#client_encryption_options:
  - require_client_auth = true
  - truststore = path to the truststore deployed in Step #1
  - truststore_password = password to the truststore, if one exists
- Run a Configure job on the cluster through LCM.
- Edit the OpsCenter Connection Settings for the cluster via the Settings menu, supplying valid values for the client keystore.
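The Config Profile edit in the steps above, shown as an added example that is not from the original article: the cassandra.yaml client_encryption_options block as used for the initial LCM install, and the same block after the client CA has been imported into every DSE node's truststore. File paths and passwords are placeholders; the key names are the standard cassandra.yaml ones.

```yaml
# Constructed example of cassandra.yaml#client_encryption_options.
# Two YAML documents: the install-time settings, then the post-install
# settings applied through the Config Profile and a Configure job.

# Document 1: settings for the initial LCM install job.
# The server presents its LCM-issued certificate but does not ask the
# client for one, so LCM can change the default password and register
# the cluster for monitoring.
client_encryption_options:
    enabled: true
    optional: false
    keystore: /etc/dse/conf/keystore.jks        # placeholder path; server cert signed by the LCM CA
    keystore_password: <keystore-password>      # placeholder
    require_client_auth: false
---
# Document 2: settings once the manual truststore work is done.
# Each DSE node now requires a client certificate and verifies it
# against the truststore that holds the client CA.
client_encryption_options:
    enabled: true
    optional: false
    keystore: /etc/dse/conf/keystore.jks        # unchanged
    keystore_password: <keystore-password>      # placeholder
    require_client_auth: true
    # Truststore on each node into which the client CA was imported with keytool.
    truststore: /etc/dse/conf/truststore.jks    # placeholder path
    truststore_password: <truststore-password>  # placeholder; omit if the store has none
```

After the Configure job applies document 2, update the OpsCenter Connection Settings with the client keystore so that OpsCenter itself can still present a certificate the nodes trust.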
Client-to-node encryption enables encryption of CQL queries issued from Cassandra clients (and the corresponding responses from Cassandra servers), and instructs Cassandra clients to verify that the identity of any Cassandra server they talk to matches its certificate. LCM automatically creates and installs certificates for Cassandra servers if necessary, using a self-signed private Certificate Authority. In order for Cassandra clients to be able to verify the identity of the Cassandra server, they must be manually configured to "trust" the private certificate authority.
If require_client_auth=true, the DSE servers must additionally be configured to trust the client CA or certificates. There is no mechanism to do this automatically; it must be done manually, which is what prevents LCM from connecting to new clusters with require_client_auth enabled during the initial install job. Once the necessary modifications are made to the DSE server truststores, LCM will not modify them further and subsequent jobs will complete as expected.