cassandra-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hendrik van Huyssteen (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CASSANDRA-7848) Additional keystore configurations for SSL with HSMs
Date Fri, 29 Aug 2014 14:32:52 GMT

    [ https://issues.apache.org/jira/browse/CASSANDRA-7848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14115283#comment-14115283
] 

Hendrik van Huyssteen commented on CASSANDRA-7848:
--------------------------------------------------

Patch to be submitted soon. Comments are welcome in the meantime.

> Additional keystore configurations for SSL with HSMs
> ----------------------------------------------------
>
>                 Key: CASSANDRA-7848
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-7848
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Config
>            Reporter: Hendrik van Huyssteen
>            Priority: Minor
>
> In order to use Cassandra with a Hardware Security Module (HSM) for encrypted communications,
additional configuration options are required in terms of keystore configurations. 
> A user configuring Cassandra must be able to:
> # Specify the truststore and keystore type independently (eg. keystore would be in hardware
and truststore in software)
> # Specify the desired certificate and private key entry that should be used, by setting
an alias
> # Specify the keystore and keypair passwords independently
>  
> At the moment Cassandra only allows:
> # A global keystore type
> # Expects one keypair per keystore and
> # Uses the same password for the keystore and keypair
>  
> The appropriate changes have been made to Cassandra 1.2 to support the above mentioned
configuration.
> The proposed cassandra.yaml would then look as follows, with the new changes marked with
*:
> {noformat}
> server_encryption_options:
>     internode_encryption: all
>     keystore: <path to keystore>
>     keystore_password: <password of keystore>
>     store_type: <hsm storetype>
>     *keystore_entry_alias: <alias of key entry in keystore to use>*
>     *keystore_entry_password: <password of key entry in keystore to use>*
>  
>     truststore: <path to truststore>
>     truststore_password: <password of truststore>
>     # More advanced defaults below:
>     # protocol: TLS
>     *truststore_type: JKS*
>     # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA]
> {noformat}
>  
> In terms of backwards compatibility, the following defaults should be used for the newly
proposed settings:
> * truststore_type = store_type;
> * keystore_entry_password = keystore_password;
> * keystore_entry_alias = autoselect
> Example use case with HSM:
> * Keystore is stored in HSM.
> * store_type is set to the HSM store type.
> * keystore_password is set to the slot password of the HSM.
> * keystore_entry_password set to the keypair password.
> * Truststore is stored on disk, with type set to JKS. 



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message