CQLSH with TLS / SSL enabled

How to set up SSL with cqlsh:

Set up the ~/.cassandra/cqlshrc file:

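[authentication]
username = cassandra
password = cassandra

[connection]
factory = cqlshlib.ssl.ssl_transport_factory

[ssl]
; PEM file holding the trust chain (created in the steps below)
certfile = /usr/share/dse/ssl-conf/public.pem
; false skips verification of the server certificate; true checks it against certfile
validate = false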

The certfile is created from the client_encryption_options keystore:

First, convert the keystore into pkcs12:

keytool -importkeystore -srckeystore keystore.jks -destkeystore user.p12 -deststoretype PKCS12

Second, pull out the certs:

openssl pkcs12 -in user.p12 -nokeys -out user.cer.pem -passin pass:cassandra

Use the resulting PEM file as your certfile parameter. It should contain the intermediate and root certificates. It can also contain your public cert, but that is not required, since only the trust chain is needed.

Now, what if you have require_client_authentication: true? That means two-way SSL. In that case, you’ll also need the following in the [ssl] section:

userkey = ~/user.key.pem
usercert = ~/user.cer.pem

Here you can use the same certificate file as above for usercert, and extract the private key for userkey:

openssl pkcs12 -in user.p12 -nodes -nocerts -out user.key.pem -passin pass:cassandra
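To check the finished file, here is an added example (not part of the original post, and not cqlsh's own code) that audits a cqlshrc for the settings covered above: validate = false, a userkey/usercert pair with one half missing, and secret-bearing files readable by other users. The names audit_cqlshrc and audit_text are hypothetical, and the sample config is constructed from the one on this page.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample: this page's cqlshrc plus only half of the two-way SSL pair.
SAMPLE = """[authentication]
username = cassandra
password = cassandra
[connection]
factory = cqlshlib.ssl.ssl_transport_factory
[ssl]
certfile = /usr/share/dse/ssl-conf/public.pem
validate = false
usercert = ~/user.cer.pem
"""

def audit_cqlshrc(path):
    """Return a list of findings for the cqlshrc file at `path`."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(path)
    ssl = cfg["ssl"] if cfg.has_section("ssl") else {}
    findings = []
    # Assumption: only the literal value "false" switches validation off.
    if ssl.get("validate", "true").strip().lower() == "false":
        findings.append("validate=false: server certificate is not verified")
    # Two-way SSL needs both halves of the client identity.
    key, cert = ssl.get("userkey"), ssl.get("usercert")
    if bool(key) != bool(cert):
        findings.append("userkey and usercert must be set together")
    # A stored password and a -nodes (unencrypted) key are protected only by file mode.
    secrets = [path] if cfg.has_option("authentication", "password") else []
    if key:
        secrets.append(os.path.expanduser(key.strip()))
    for f in secrets:
        if os.path.exists(f) and stat.S_IMODE(os.stat(f).st_mode) & 0o077:
            findings.append(f"{f}: readable by group/other, chmod 600")
    return findings

def audit_text(text, mode=0o600):  # write text to a temp cqlshrc, then audit it
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "cqlshrc")
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)
        return audit_cqlshrc(path)

if __name__ == "__main__":
    print("\n".join(audit_text(SAMPLE, mode=0o644)))
```

Run audit_cqlshrc(os.path.expanduser("~/.cassandra/cqlshrc")) against a real file; an empty list means none of these three conditions was found.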

Hope that helps.

By Steven Lacerda
