I've set up node-to-node encryption on my Cassandra cluster. Now I want to set up client-to-node. According to this documentation, it should be as easy as taking the SSL certificate of my client and importing it into every node's truststore. I don't have such a certificate yet but this is not my question.
Since my client is using the DataStax Java driver, it seems that in order to enable SSL from the client side, when I am building the Cluster I should use the withSSL() method to enable SSL. Okay, but what else do I need to do? I am not familiar with JSSE so I don't know what else is necessary. Is the SSL communication two-way, i.e. does the driver need to have access to the SSL certificates of each node in the cluster?
- Create the certificates [1].
- Enable client-node encryption in cassandra.yaml settings [2].
- Add SSL support to your client. There is an excellent DataStax blog with sample code for setting up the SSL connection in your client [3].
- A cert for your client. From what I can tell, it seems like you should be able to use the same keystore and truststore from [1] for the Java client to use. Per [4], I know you need a PKCS12-style PEM file to use cqlsh.

Also, [4] provides a barebones example of a client connecting to a Cassandra cluster over SSL. [5] is an okay read for examples of cert creation for the cluster nodes and client.
- [6] is the best example I've found of creating the certificates.
N.B. If you wish to use enterprise-strength encryption, you'll need to enable the Java Cryptography Extension. For legal reasons, only relatively weak encryption is supported by the Java that is shipped. Cassandra and your client will likely complain if you try to use 256-bit encryption without the JCE enabled. Do this for both the client and server machines:
- Download http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
- Unzip the package
- Copy the two policy jars into your JAVA_HOME, overwriting the two jars that are already there:

    [user@host UnlimitedJCEPolicy]$ ls
    local_policy.jar  README.txt  US_export_policy.jar
    [user@host UnlimitedJCEPolicy]$ export JAVA_HOME="$( readlink -f "$( which java )" | sed "s:bin/.*$::" )"
    [user@host UnlimitedJCEPolicy]$ echo $JAVA_HOME
    /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.65.x86_64/jre/
    [user@host UnlimitedJCEPolicy]$ cp -v *.jar $JAVA_HOME/lib/security/

- Restart Cassandra and the client
[1] http://www.datastax.com/documentation/cassandra/2.0/cassandra/security/secureSSLCertificates_t.html
[2] http://www.datastax.com/documentation/cassandra/2.0/cassandra/security/secureSSLClientToNode_t.html
[3] http://www.datastax.com/dev/blog/accessing-secure-dse-clusters-with-cql-native-protocol
[4] https://github.com/PatrickCallaghan/datastax-ssl-example
[5] http://www.datastax.com/dev/blog/accessing-secure-dse-clusters-with-cql-native-protocol
[6] http://techdocs.acunu.com.s3.amazonaws.com/v5.0/admin/security/ssl.html
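As an added example (it is not code from the question, the answer, or the DataStax blog and repository cited above), the following shows the JSSE plumbing that sits behind withSSL() with the driver 2.0/2.1 API the question refers to. The file paths, passwords and contact point are placeholders to be replaced with your own. It assumes the truststore holds the certificate of every node the driver may reach (or the CA that signed them), and it loads a client keystore only when the cluster is configured with require_client_auth: true in cassandra.yaml. That is also the answer to the "two-way" question: the driver must always trust the nodes' certificates, but it only presents a certificate of its own if the server demands one.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import com.datastax.driver.core.Cluster;
import com.datastax.driver.core.Row;
import com.datastax.driver.core.SSLOptions;
import com.datastax.driver.core.Session;

public class SslClusterExample {

    // Placeholder paths and passwords (assumptions for this example); substitute your own.
    private static final String TRUSTSTORE_PATH = "/etc/cassandra/client.truststore";
    private static final String TRUSTSTORE_PASSWORD = "changeit";
    // Set KEYSTORE_PATH to null when cassandra.yaml has require_client_auth: false.
    private static final String KEYSTORE_PATH = "/etc/cassandra/client.keystore";
    private static final String KEYSTORE_PASSWORD = "changeit";

    /**
     * Builds the JSSE SSLContext handed to the driver.
     * The truststore must contain the certificate (or issuing CA) of every node
     * the driver may connect to. The keystore is only required when the nodes
     * are configured to verify the client (require_client_auth: true).
     */
    static SSLContext buildSslContext(String truststorePath, String truststorePassword,
                                      String keystorePath, String keystorePassword) throws Exception {
        // Server authentication: which node certificates the client accepts.
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(truststorePath)) {
            trustStore.load(in, truststorePassword.toCharArray());
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // Client authentication (optional): the certificate and key the client presents.
        KeyManagerFactory kmf = null;
        if (keystorePath != null) {
            KeyStore keyStore = KeyStore.getInstance("JKS");
            try (InputStream in = new FileInputStream(keystorePath)) {
                keyStore.load(in, keystorePassword.toCharArray());
            }
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(keyStore, keystorePassword.toCharArray());
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildSslContext(TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD, KEYSTORE_PATH, KEYSTORE_PASSWORD);

        // Must overlap with cipher_suites in the nodes' client_encryption_options.
        // The AES-256 suite is the one that fails on Java 7 without the unlimited JCE policy.
        String[] cipherSuites = { "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA" };

        Cluster cluster = Cluster.builder()
                .addContactPoint("127.0.0.1")
                .withSSL(new SSLOptions(ctx, cipherSuites))
                .build();
        try {
            Session session = cluster.connect();
            Row row = session.execute("SELECT release_version FROM system.local").one();
            System.out.println("Connected over TLS to Cassandra " + row.getString("release_version"));
        } finally {
            cluster.close();
        }
    }
}
```

On the server side the matching cassandra.yaml section is client_encryption_options: enabled: true plus keystore and keystore_password for the node's own certificate, and, for two-way TLS, require_client_auth: true plus truststore and truststore_password holding the client certificates. With driver 3.x the SSLOptions constructor used above is replaced by JdkSSLOptions.builder().withSSLContext(ctx).withCipherSuites(cipherSuites).build(), the rest is unchanged. Note that the Java driver does not check the node's hostname against its certificate by default, so a truststore limited to your own nodes' certificates or a private CA, rather than the JVM's public CA bundle, is what actually pins the connection to your cluster.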