I recently attempted to get our Cassandra instances talking securely to one another, with SSL for OpsCenter communication. We are using DSE 4.6 and OpsCenter 5.1. While a lot of the DataStax documentation is fairly good, when it comes to advanced configuration topics or security configuration, I find the docs very lacking.
I set up a 3-node cluster with SSL encryption between nodes and PasswordAuthentication turned on. Obviously, you need to set up the user/pass in the agent configuration as well. These used to be thrift_user and thrift_pass (or something along those lines) and the SSL options were thrift_keystore / thrift_truststore, etc.
In OpsCenter 5.1, the system changed from using Thrift to the native interface. However, there is nothing in the docs about which agent properties you need to set for SSL security and authentication.
After my dealings with DataStax Support, I thought I would post this here until they update their documentation.
Agent configuration (address.yaml)
C* connection options
Before 5.1, we were using either thrift_rpc_interface (when storing metrics/settings in the same cluster) or storage_thrift_hosts (separate cluster) to determine what IP to use to connect to C*. In 5.1, both options were replaced with hosts, which accepts an array of strings (including an array w/ a single string for the same cluster case) instead of a single string:
hosts: ["220.127.116.11", "10.1.1.1"]
storage_thrift_port was removed; thrift_port was supplemented by cassandra_port.
autodiscovery_enabled, autodiscovery_interval, and storage_dc were removed. Autodiscovery can’t really be disabled for our java-driver, but we never connect to hosts that are not specified in the agent’s config.
thrift_socket_timeout and thrift_conn_timeout were removed.
thrift_user, storage_thrift_user, thrift_pass, and storage_thrift_pass were replaced by cassandra_user & cassandra_pass.
thrift_ssl_truststore and thrift_ssl_truststore_password were replaced by ssl_keystore and ssl_keystore_password, respectively. thrift_ssl_truststore_type, thrift_max_frame_size were removed.
We completely changed the way we set up Kerberos (I thought it was doc’d but apparently it wasn’t). We removed everything Kerberos-related from the config except for a single option, kerberos_service. When it’s set (to the Kerberos service name) we’re using Kerberos. All the configuration takes place in the kerberos.config file.
opscenterd cluster configs
send_thrift_rpc was renamed to thrift_rpc.
thrift_ssl_truststore and thrift_ssl_truststore_password were renamed to ssl_keystore and ssl_keystore_password, respectively. thrift_ssl_truststore_type was removed.
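A small checker for the agent (address.yaml) renames and removals listed above, added here as an example and not part of the original post or of any DataStax tooling. It assumes address.yaml is a flat list of `key: value` lines; the function name, the sample file and the paired-option check are this example's own.

```python
import re

# Old agent option -> 5.1 replacement, taken from the list in this post.
# thrift_port is left out: the post says it was "supplemented", not replaced.
RENAMED = {
    "thrift_rpc_interface": "hosts", "storage_thrift_hosts": "hosts",
    "thrift_user": "cassandra_user", "storage_thrift_user": "cassandra_user",
    "thrift_pass": "cassandra_pass", "storage_thrift_pass": "cassandra_pass",
    "thrift_ssl_truststore": "ssl_keystore",
    "thrift_ssl_truststore_password": "ssl_keystore_password",
}
REMOVED = {
    "storage_thrift_port", "autodiscovery_enabled", "autodiscovery_interval",
    "storage_dc", "thrift_socket_timeout", "thrift_conn_timeout",
    "thrift_ssl_truststore_type", "thrift_max_frame_size",
}
# Assumption of this example: a half-set pair means an unfinished migration.
PAIRS = (("cassandra_user", "cassandra_pass"), ("ssl_keystore", "ssl_keystore_password"))
KEY_RE = re.compile(r"^([A-Za-z_]\w*)\s*:\s*(.*)$")

def audit_address_yaml(text):
    """Return [(line_no, key, advice)] for a flat `key: value` address.yaml."""
    findings, keys = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Drop trailing comments, then keep only top-level key: value lines.
        m = KEY_RE.match(raw.split(" #", 1)[0].strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        keys[key] = value
        if key in RENAMED:
            findings.append((lineno, key, "rename to " + RENAMED[key]))
        elif key in REMOVED:
            findings.append((lineno, key, "removed in 5.1"))
        elif key == "hosts" and not value.startswith("["):
            findings.append((lineno, key, "must be an array of strings"))
    # Line 0 marks a file-level finding rather than a specific line.
    for a, b in PAIRS:
        if (a in keys) != (b in keys):
            findings.append((0, a if a in keys else b, "set both %s and %s" % (a, b)))
    return findings

# Constructed sample: a pre-5.1 agent config partly edited by hand.
SAMPLE = """\
thrift_rpc_interface: 10.1.1.1
thrift_user: opscenter
thrift_pass: example-password
thrift_ssl_truststore: /path/to/agent.truststore
autodiscovery_enabled: 0
ssl_keystore_password: example-password
"""
```

Run `audit_address_yaml(open(path).read())` against each agent's address.yaml after the upgrade; an empty list means none of the options named in this post are still present.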
Hopefully this will be helpful for those who are running the latest OpsCenter and want a secure setup.
Thanks to DataStax for the help in this matter.