CQLSH with TLS / SSL enabled
How to set up SSL with cqlsh:
Set up the ~/.cassandra/cqlshrc file:
[authentication]
username = cassandra
password = cassandra
[connection]
factory = cqlshlib.ssl.ssl_transport_factory
[ssl]
certfile = /usr/share/dse/ssl-conf/public.pem
validate = false
The certfile is created from the client_encryption_options keystore:
First, convert the keystore to PKCS12 format:
keytool -importkeystore -srckeystore keystore.jks -destkeystore user.p12 -deststoretype PKCS12
Second, pull out the certs:
openssl pkcs12 -in user.p12 -nokeys -out user.cer.pem -passin pass:cassandra
Use the above cert file as your certfile parameter. It should contain the intermediate and root certificates. It may also contain your public cert, but that is not required; only the trust chain is needed.
Now, what if you have require_client_authentication: true? That means two-way SSL. In that case, you’ll also need the following settings:
userkey = ~/user.key.pem
usercert = ~/user.cer.pem
Here you can use the same certificate file as above for usercert, and extract the private key for userkey:
openssl pkcs12 -in user.p12 -nodes -nocerts -out user.key.pem -passin pass:cassandra
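As a check on the resulting setup, the following added example (not part of the original post and not cqlsh code) audits a cqlshrc for the settings shown above: server validation switched off, an incomplete client key/cert pair, a stored password, and files readable by other users. The helper name `audit_cqlshrc`, the finding codes and the sample text are assumptions made for illustration.

```python
import configparser
import os

# Constructed sample: the cqlshrc from this page plus the two-way SSL settings.
SAMPLE = """\
[authentication]
username = cassandra
password = cassandra
[connection]
factory = cqlshlib.ssl.ssl_transport_factory
[ssl]
certfile = /usr/share/dse/ssl-conf/public.pem
validate = false
userkey = ~/user.key.pem
usercert = ~/user.cer.pem
"""

def _group_or_world_access(path):
    """True if the file exists and grants any permission to group or others."""
    path = os.path.expanduser(path)
    return os.path.exists(path) and bool(os.stat(path).st_mode & 0o077)

def audit_cqlshrc(text, rc_path=None):
    """Hypothetical helper: return finding codes for a cqlshrc given as text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    ssl = cp["ssl"] if cp.has_section("ssl") else {}
    # validate = false means the server certificate is not checked against certfile.
    if ssl.get("validate", "").strip().lower() == "false":
        findings.append("ssl-validate-disabled")
    # Two-way SSL needs both halves of the client identity.
    if ("userkey" in ssl) != ("usercert" in ssl):
        findings.append("client-key-cert-incomplete")
    # The key extracted with -nodes is unencrypted, so file mode is its only guard.
    if "userkey" in ssl and _group_or_world_access(ssl["userkey"]):
        findings.append("userkey-permissions")
    if cp.has_option("authentication", "password"):
        findings.append("password-in-file")
        if rc_path and _group_or_world_access(rc_path):
            findings.append("cqlshrc-permissions")
    return findings

if __name__ == "__main__":
    for code in audit_cqlshrc(SAMPLE):
        print(code)
```

Pass the real file's path as `rc_path` to include the permission check on the cqlshrc itself; restricting the cqlshrc and user.key.pem to mode 600 clears the permission findings.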
Hope that helps.
By Steven Lacerda