Subject: Re: How to configure internode encryption in 0.8.0?
From: Jeremy Hanna
Date: Wed, 18 May 2011 10:10:21 -0500
To: user@cassandra.apache.org
Cc: Nirmal Ranganathan

I'll CC Nirmal Ranganathan who implemented the internode encryption who might be able to give you some advice on this.

On May 17, 2011, at 7:47 PM, Sameer Farooqui wrote:

> Thanks for the link, Jeremy.
>
> I generated the keystore and truststore for inter-node communication using the link in the YAML file:
> http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
>
> Unfortunately, the default instructions in the above link used TLS_RSA_WITH_AES_256_CBC_SHA. So, when I start Cassandra now, I get this error:
>
> ERROR 00:10:38,734 Exception encountered during startup.
> java.lang.IllegalArgumentException: Cannot support TLS_RSA_WITH_AES_256_CBC_SHA with currently installed providers
>         at com.sun.net.ssl.internal.ssl.CipherSuiteList.<init>(CipherSuiteList.java:79)
>         at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.setEnabledCipherSuites(SSLServerSocketImpl.java:166)
>         at org.apache.cassandra.security.SSLFactory.getServerSocket(SSLFactory.java:55)
>
>
> The YAML file states that the cipher suite for authentication should be: TLS_RSA_WITH_AES_128_CBC_SHA.
>
> This is my first time using keytool and I've searched the web to see how I can change the cipher from AES_256 to AES_128, but haven't found the answer.
>
> Anyone know how to change the cipher to AES_128?
>
> Here are the commands I used to generate the non-working keystore and truststore:
>
> 1) keytool -genkeypair -alias jdoe -keyalg RSA -validity 7 -keystore .keystore
> 2) keytool -list -v -keystore .keystore
> 3) keytool -export -alias jdoe -keystore .keystore -rfc -file jdoe.cer
> 4) cat jdoe.cer
> 5) keytool -import -alias jdoecert -file jdoe.cer -keystore .truststore
> 6) keytool -list -v -keystore .truststore
>
>
> - Sameer
>
> On Mon, May 16, 2011 at 5:35 PM, Jeremy Hanna wrote:
> Take a look at cassandra.yaml in your 0.8 download at the very bottom. There are docs and examples there.
> e.g. http://svn.apache.org/repos/asf/cassandra/tags/cassandra-0.8.0-beta2/conf/cassandra.yaml
>
> On May 16, 2011, at 6:36 PM, Sameer Farooqui wrote:
>
> > I understand that 0.8.0 has configurable internode encryption (CASSANDRA-1567, 2152).
> >
> > I haven't been able to find any info on how to configure it though on this mailing list or the Datastax website.
> >
> > Can somebody point me towards how to set this up?
> >
> > - Sameer
>
>
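
A diagnostic for the startup error quoted above, added here as an example and not part of the original message or of Cassandra's code: it makes the same setEnabledCipherSuites call that fails in the stack trace, once per suite, and prints the JVM's AES key-length limit (a limit of 128 rules out the AES_256 suites). The class name CipherSuiteCheck is hypothetical, and the two default suite names are the ones mentioned in the thread.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

// Hypothetical diagnostic class (not from Cassandra): reports whether the
// running JVM can enable each named TLS cipher suite.
public class CipherSuiteCheck {
    // Suite names quoted in the thread; pass others as arguments.
    static final String[] DEFAULT_SUITES = {
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA"
    };

    // True if the default JSSE provider lists the suite as supported.
    static boolean isSupported(SSLServerSocketFactory f, String suite) {
        Set<String> supported =
            new HashSet<String>(Arrays.asList(f.getSupportedCipherSuites()));
        return supported.contains(suite);
    }

    // Makes the same call as the failing frame in the stack trace, on an
    // unbound socket. Returns null on success, else the exception message.
    static String tryEnable(SSLServerSocketFactory f, String suite) throws Exception {
        SSLServerSocket s = (SSLServerSocket) f.createServerSocket();
        try {
            s.setEnabledCipherSuites(new String[] { suite });
            return null;
        } catch (IllegalArgumentException e) {
            return e.getMessage();
        } finally {
            s.close();
        }
    }

    public static void main(String[] args) throws Exception {
        String[] suites = args.length > 0 ? args : DEFAULT_SUITES;
        SSLServerSocketFactory f = SSLContext.getDefault().getServerSocketFactory();
        // Integer.MAX_VALUE here means the JCE policy imposes no AES limit.
        System.out.println("Max AES key length allowed by JCE policy: "
            + Cipher.getMaxAllowedKeyLength("AES"));
        for (String suite : suites) {
            String err = tryEnable(f, suite);
            System.out.println(suite + " listed=" + isSupported(f, suite)
                + " enable=" + (err == null ? "ok" : "FAILED: " + err));
        }
    }
}
```

Run it with the same JVM that starts Cassandra, since the installed providers and policy files are per Java installation.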