Setting Up SSL-Encrypted Cassandra with Docker Compose
This guide explains how to set up SSL/TLS encryption in Apache Cassandra using Docker Compose. You’ll secure client-server and inter-node communications with SSL/TLS.
Prerequisites
- Docker & Docker Compose installed on your machine.
- Java 11 or later for TLS 1.3 support.
- Knowledge of SSL certificates (keystore, truststore).
- A basic Cassandra environment set up.
Step 1: Generate SSL Certificates
To secure Cassandra using SSL/TLS, you need to create a keystore (the node's private key and certificate) and a truststore (the certificates a node or client accepts). For simplicity this guide uses self-signed certificates and the well-known default password cassandra; in production, issue the node certificates from a CA you control and use real passwords.
1.1 Generate Server Certificate (Keystore)
keytool -genkeypair \
-keyalg RSA \
-alias cassandra \
-keystore cassandra.keystore \
-storepass cassandra \
-validity 365 \
-keysize 2048 \
-dname "CN=cassandra"
1.2 Generate Client Certificate (Optional, for Mutual TLS)
If you plan to use mutual TLS authentication (mTLS), also create a client keystore. If not, skip this step.
keytool -genkeypair \
-keyalg RSA \
-alias client \
-keystore client.keystore \
-storepass clientpass \
-validity 365 \
-keysize 2048 \
-dname "CN=client"
1.3 Export Certificates and Create Truststore
Export the server certificate in PEM form (-rfc) and import it into a truststore so that Cassandra nodes and clients can verify it. The PEM form matters: cqlsh (certfile) and openssl (-CAfile) cannot read the DER file that keytool writes by default.
# Export server certificate (PEM)
keytool -export -rfc -alias cassandra -keystore cassandra.keystore -file cassandra.crt -storepass cassandra
# Create a truststore
keytool -import -file cassandra.crt -alias cassandra -keystore cassandra.truststore -storepass cassandra -noprompt
If you created a client keystore for mTLS in 1.2, export client.crt the same way and import it into cassandra.truststore as well; otherwise the server has nothing to verify the client certificate against once require_client_auth is true.
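The three keytool steps above, carried through as one script. This is an added example, not code from the original guide: it generates the server keystore with a SAN (so clients that check hostnames can accept it), exports the server certificate as PEM, builds the node truststore, and with the mtls argument also produces the client keystore, the client certificate and key as PEM for cqlsh, and imports the client certificate into the node truststore (what require_client_auth: true needs). Assumptions that are mine rather than the guide's: the output directory is the first argument, the node answers to the Compose service name cassandra, localhost and 127.0.0.1, and passwords come from the STOREPASS / CLIENTPASS environment variables (defaulting to the guide's values).

```shell
#!/bin/sh
# gen-cassandra-certs.sh -- added example, not part of the original guide.
# Generates the keystores, truststore and PEM files for one-way TLS and,
# with "mtls", for mutual TLS, so that client and server trust each other
# consistently. See the lead-in for the assumptions this script makes.
set -eu

STOREPASS="${STOREPASS:-cassandra}"       # guide default; change in production
CLIENTPASS="${CLIENTPASS:-clientpass}"
SAN="${SAN:-dns:cassandra,dns:localhost,ip:127.0.0.1}"   # assumed node names

gen_server_keystore() {   # outdir
  keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 \
    -alias cassandra -dname "CN=cassandra" -ext "SAN=$SAN" \
    -keystore "$1/cassandra.keystore" -storepass "$STOREPASS" -keypass "$STOREPASS"
  # -rfc writes PEM; cqlsh (certfile) and openssl (-CAfile) cannot read the
  # DER file keytool emits by default.
  keytool -exportcert -rfc -alias cassandra \
    -keystore "$1/cassandra.keystore" -storepass "$STOREPASS" \
    -file "$1/cassandra.crt"
}

gen_client_material() {   # outdir
  keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 \
    -alias client -dname "CN=client" \
    -keystore "$1/client.keystore" -storepass "$CLIENTPASS" -keypass "$CLIENTPASS"
  keytool -exportcert -rfc -alias client \
    -keystore "$1/client.keystore" -storepass "$CLIENTPASS" \
    -file "$1/client.crt"
  # cqlsh wants the client key as PEM (userkey= in cqlshrc): go via PKCS12
  # and openssl. The -legacy retry covers OpenSSL 3 reading a PKCS12 file
  # written by an older JDK with legacy PBE algorithms.
  keytool -importkeystore -noprompt \
    -srckeystore "$1/client.keystore" -srcstorepass "$CLIENTPASS" -srcalias client \
    -destkeystore "$1/client.p12" -deststoretype PKCS12 -deststorepass "$CLIENTPASS"
  openssl pkcs12 -in "$1/client.p12" -passin "pass:$CLIENTPASS" -nocerts -nodes \
    -out "$1/client.key" 2>/dev/null ||
  openssl pkcs12 -legacy -in "$1/client.p12" -passin "pass:$CLIENTPASS" -nocerts -nodes \
    -out "$1/client.key"
  chmod 600 "$1/client.key"
}

# Node truststore: the server cert (every node shares this keystore, so it
# also covers internode peers) and, for mTLS, the client cert.
gen_node_truststore() {   # outdir
  keytool -importcert -noprompt -alias cassandra -file "$1/cassandra.crt" \
    -keystore "$1/cassandra.truststore" -storepass "$STOREPASS"
  if [ -f "$1/client.crt" ]; then
    keytool -importcert -noprompt -alias client -file "$1/client.crt" \
      -keystore "$1/cassandra.truststore" -storepass "$STOREPASS"
  fi
}

generate_all() {   # outdir [mtls]
  mkdir -p "$1"
  gen_server_keystore "$1"
  if [ "${2:-}" = "mtls" ]; then
    gen_client_material "$1"
  fi
  gen_node_truststore "$1"
  # Keystores carry private keys: 0600 on the host, but the file must still be
  # readable by the user Cassandra runs as inside the container (uid 999 in
  # the official image), so chown the directory to that uid before mounting.
  chmod 600 "$1"/*.keystore
  chmod 644 "$1/cassandra.truststore" "$1/cassandra.crt"
}

# Usage: ./gen-cassandra-certs.sh ./ssl        (one-way TLS)
#        ./gen-cassandra-certs.sh ./ssl mtls   (adds client cert/key + truststore entry)
if [ "$#" -ge 1 ]; then
  generate_all "$@"
fi
```

Run it once before docker-compose up; the ./ssl directory it fills is the one the Compose file mounts. The client.key it writes is unencrypted, which is why the script restricts it to mode 600.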
Step 2: Configure Docker Compose for Cassandra
2.1 Docker Compose File
Create a docker-compose.yml file to run Cassandra with SSL encryption. It will mount the keystore and truststore files into the container.
version: '3.8'
services:
  cassandra:
    image: cassandra:latest
    container_name: cassandra
    environment:
      - CASSANDRA_CLUSTER_NAME=ssl-cluster
    volumes:
      - ./ssl:/etc/cassandra/ssl:ro
      # cassandra.yaml edited in Step 3; without this mount the edits live only
      # inside the container and vanish when it is recreated. Keep it writable:
      # the image's entrypoint patches listen_address/rpc_address into it.
      - ./cassandra.yaml:/etc/cassandra/cassandra.yaml
    ports:
      - "9042:9042"
    command: cassandra -f
Only the native-protocol port 9042 is published to the host; the internode storage port stays on the Compose network.
2.2 Mounting SSL Files
Ensure the SSL certificates (keystore and truststore) are stored in the ssl directory next to your docker-compose.yml file:
./ssl/cassandra.keystore
./ssl/cassandra.truststore
The keystore holds the node's private key, so keep it out of world-readable mode, but it must still be readable by the unprivileged cassandra user the official image runs as (uid 999): chown the directory to that uid and use mode 0400 or 0600 on the keystore.
Step 3: Configure Cassandra for SSL/TLS
You need to modify Cassandra's cassandra.yaml configuration to enable SSL encryption for both client-server and internode communication.
3.1 Enable Client-Side Encryption
Take a copy of the image's default cassandra.yaml (located at /etc/cassandra/cassandra.yaml inside the container), edit it on the host, and bind-mount the edited file back over that path in docker-compose.yml (without :ro, because the image's entrypoint patches listen_address and rpc_address into it at startup). Editing the file inside a running container only lasts until the container is recreated.
docker run --rm cassandra:latest cat /etc/cassandra/cassandra.yaml > cassandra.yaml
Add the following configuration to enable SSL encryption between clients and the Cassandra server.
client_encryption_options:
  enabled: true
  optional: false
  keystore: /etc/cassandra/ssl/cassandra.keystore
  keystore_password: cassandra
  truststore: /etc/cassandra/ssl/cassandra.truststore
  truststore_password: cassandra
  require_client_auth: false
  cipher_suites: [TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384]
  accepted_protocols: [TLSv1.3]
- enabled: true: enables client-server SSL encryption.
- optional: false: rejects plaintext connections on the native port. With optional: true the server accepts both encrypted and unencrypted clients, which defeats the purpose.
- require_client_auth: false: only the server presents a certificate (one-way TLS). For mutual authentication set it to true and import the client certificate into the truststore above.
- cipher_suites / accepted_protocols: pin the handshake to TLS 1.3 and its AEAD suites. Cassandra 4.0 and later name the protocol list accepted_protocols; the older protocol: TLS setting accepts whatever the JVM supports.
3.2 Enable Internode Encryption
Similarly, modify server_encryption_options for SSL encryption between Cassandra nodes (internode communication).
server_encryption_options:
  internode_encryption: all
  keystore: /etc/cassandra/ssl/cassandra.keystore
  keystore_password: cassandra
  truststore: /etc/cassandra/ssl/cassandra.truststore
  truststore_password: cassandra
  require_client_auth: true
  cipher_suites: [TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384]
  accepted_protocols: [TLSv1.3]
- internode_encryption: all: forces SSL encryption for all internode connections (dc and rack would encrypt only cross-datacenter or cross-rack traffic; none disables it).
- require_client_auth: true: each node must present a certificate that the truststore accepts. With false, any host that can reach the storage port can complete the handshake; since every node in this setup shares the same keystore and truststore, requiring it costs nothing.
Step 4: Running Cassandra with SSL
After configuring SSL, start Cassandra using Docker Compose and watch the startup log:
docker-compose up -d
docker-compose logs -f cassandra
The line announcing the native transport should read "Starting listening for CQL clients on /0.0.0.0:9042 (encrypted)". If it says (unencrypted), the node is not reading the cassandra.yaml you edited.
Step 5: Configure cqlsh for SSL Connection
To connect to your SSL-encrypted Cassandra cluster using cqlsh, you need to configure it to use SSL.
5.1 Configure cqlshrc
Create or modify the ~/.cassandra/cqlshrc file on your local machine to use SSL for connecting to Cassandra.
[ssl]
certfile = /path/to/cassandra.crt
validate = true
; only for mTLS (require_client_auth: true on the server):
; usercert = /path/to/client.crt
; userkey = /path/to/client.key
- certfile: the PEM server certificate exported in Step 1.3 (the same one the server presents); cqlsh validates the server's certificate chain against it.
- validate: true: ensures the client verifies the server certificate. Setting it to false makes the connection trivially interceptable; never do so outside a throwaway lab.
- usercert / userkey: the client certificate and private key in PEM, needed only when the server requires client authentication.
Do not set version = TLSv1.3 here. cqlsh turns the value into a PROTOCOL_<version> constant of Python's ssl module, which has no TLSv1.3 entry, so cqlsh exits with "not a valid SSL protocol". Leave version unset: cqlsh then uses the generic TLS method and the server's accepted_protocols forces the handshake to TLS 1.3.
5.2 Connect to Cassandra Using cqlsh
Now connect to Cassandra (for the Compose setup above, the host is 127.0.0.1, since port 9042 is published on the host):
cqlsh <cassandra_host> --ssl -u <username> -p <password>
The -u/-p options only take effect once authenticator is set to PasswordAuthenticator in cassandra.yaml; the default AllowAllAuthenticator accepts any user. TLS encrypts the session but does not authenticate the client unless you use mTLS, so enable PasswordAuthenticator for anything beyond a lab. Passing -p on the command line leaks the password into the process list and shell history; prefer an [authentication] section in cqlshrc, or omit -p and let cqlsh prompt.
Step 6: Verify TLS Connections
Use openssl to verify that TLS 1.3 is negotiated and that the certificate verifies against the PEM copy you exported. Without -CAfile, a self-signed certificate reports "Verify return code: 18" even though the handshake itself succeeds, so the check would prove less than it seems.
openssl s_client -connect <cassandra_host>:9042 -tls1_3 -CAfile cassandra.crt </dev/null
This should show a successful handshake with TLS 1.3 ("New, TLSv1.3, Cipher is TLS_AES_..."), the certificate details, and "Verify return code: 0 (ok)". Run it once more with -tls1_2 in place of -tls1_3: that handshake must fail, otherwise the server is not enforcing TLS 1.3.
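The checks in Steps 4 and 6 are done by eye above; the script below (an added example, not code from the original guide) automates them: it reduces an openssl s_client transcript to protocol, cipher and verification result, accepts only a TLS 1.3 handshake with one of the suites configured in cassandra.yaml and a clean chain check against cassandra.crt, and confirms that a TLS 1.2-only client is refused. The host, port and CA file are assumed to be passed as arguments; the parsing deliberately keys on the "New, ..., Cipher is ..." line rather than the "Protocol :" line, because s_client prints the latter even when the handshake failed.

```shell
#!/bin/sh
# verify-cassandra-tls.sh -- added example, not part of the original guide.
# Probes a Cassandra native-protocol port and judges the result:
#   1. TLS 1.3 with one of the configured AEAD suites must be negotiated and
#      the chain must verify against the PEM server certificate;
#   2. a TLS 1.2-only client must be refused (accepted_protocols enforced).
# Assumes openssl >= 1.1.1 and arguments: host port cafile.
set -eu

# Suites listed under cipher_suites in cassandra.yaml.
ALLOWED_CIPHERS="TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384"

# Reduce an `openssl s_client` transcript on stdin to one line:
#   "<protocol> <cipher> <verify-return-code>"
summarize_handshake() {
  awk '
    /^New, /                  { cipher = $NF }   # "New, TLSv1.3, Cipher is X" or "(NONE)"
    /^[ \t]*Protocol[ \t]*:/  { proto  = $NF }   # printed even after a failed handshake
    /^Verify return code:/    { code   = $4  }   # "Verify return code: 0 (ok)"
    END {
      if (proto  == "") proto  = "none"
      if (cipher == "") cipher = "none"
      if (code   == "") code   = "unknown"
      print proto, cipher, code
    }'
}

# 0 only when the summary describes TLS 1.3, an allowed suite and a verified chain.
judge_summary() {
  set -- $1
  proto=${1:-}; cipher=${2:-}; code=${3:-}
  [ "$proto" = "TLSv1.3" ] || return 1
  [ "$code" = "0" ]        || return 1
  for c in $ALLOWED_CIPHERS; do
    [ "$cipher" = "$c" ] && return 0
  done
  return 1
}

# 0 when no cipher was agreed, i.e. the server refused the handshake.
# (A connection refused at TCP level also shows no cipher; check the host
# is reachable with the TLS 1.3 probe first.)
judge_refused() {
  set -- $1
  case "${2:-}" in
    "(NONE)"|none) return 0 ;;
    *)             return 1 ;;
  esac
}

# Live probes. </dev/null makes s_client exit right after the handshake;
# stderr is merged so the alert text of a refusal is kept in the transcript.
probe_tls13() {   # host port cafile
  openssl s_client -connect "$1:$2" -tls1_3 -CAfile "$3" </dev/null 2>&1 \
    | summarize_handshake
}
probe_tls12() {   # host port
  openssl s_client -connect "$1:$2" -tls1_2 </dev/null 2>&1 \
    | summarize_handshake
}

# Usage: ./verify-cassandra-tls.sh 127.0.0.1 9042 ./ssl/cassandra.crt
if [ "$#" -eq 3 ]; then
  s13=$(probe_tls13 "$1" "$2" "$3")
  s12=$(probe_tls12 "$1" "$2")
  echo "TLS 1.3 probe: $s13"
  echo "TLS 1.2 probe: $s12"
  judge_summary "$s13" || { echo "FAIL: TLS 1.3 handshake not accepted or chain not verified"; exit 1; }
  judge_refused "$s12" || { echo "FAIL: server still negotiates TLS 1.2"; exit 1; }
  echo "OK: TLS 1.3 only, configured suite, chain verified"
fi
```

The second probe is the one people forget: a server that answers the TLS 1.3 probe correctly may still accept TLS 1.2 if accepted_protocols was mistyped or ignored, and only a negative test catches that.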
Summary
By following the steps in this guide, you have configured a TLS-encrypted Cassandra setup with Docker Compose. TLS protects both client-server and internode traffic from interception and tampering; on its own it does not decide who may connect, so pair it with PasswordAuthenticator or mutual TLS (require_client_auth) for access control.
Key points:
- Certificates: generated using Java keytool (self-signed here; use a CA and non-default passwords in production).
- SSL/TLS: configured via cassandra.yaml.
- Docker Compose: used to deploy Cassandra with SSL.