cassandra-user mailing list archives

From Ajay Garg <ajaygargn...@gmail.com>
Subject Re: Basic query in setting up secure inter-dc cluster
Date Mon, 18 Apr 2016 04:25:34 GMT
Also, wondering what is the difference between "all" and "dc" in
"internode_encryption".
Perhaps my answer lies in this?

On Mon, Apr 18, 2016 at 9:51 AM, Ajay Garg <ajaygargnsit@gmail.com> wrote:

> Ok, trying to wake up this thread again.
>
> I went through the following links ::
>
>
> https://docs.datastax.com/en/cassandra/1.2/cassandra/security/secureSSLNodeToNode_t.html
>
> https://docs.datastax.com/en/cassandra/1.2/cassandra/security/secureSSLCertificates_t.html
>
>
> and I am wondering *if it is possible to set up secure inter-communication
> only between some nodes*.
>
> In particular, if I have a 2*2 cluster, is it possible to set up secure
> communication ONLY between the nodes of DC2?
> Once it works well, we would then set up secure-communication everywhere.
>
> We are wanting this, because DC2 is the backup centre, while DC1 is the
> primary-centre connected directly to the application-server. We don't want
> to screw things if something goes bad in DC1.
>
>
> Will be grateful for pointers.
>
>
> Thanks and Regards,
> Ajay
>
> On Sun, Jan 17, 2016 at 9:09 PM, Ajay Garg <ajaygargnsit@gmail.com> wrote:
>
>> Hi All.
>>
>> A gentle query-reminder.
>>
>> I will be grateful if I could be given a brief technical overview, as to
>> how secure-communication occurs between two nodes in a cluster.
>>
>> Please note that I wish for some information on the "how it works below
>> the hood", and NOT "how to set it up".
>>
>>
>>
>> Thanks and Regards,
>> Ajay
>>
>> On Wed, Jan 6, 2016 at 4:16 PM, Ajay Garg <ajaygargnsit@gmail.com> wrote:
>>
>>> Thanks everyone for the reply.
>>>
>>> I actually have a fair bit of questions, but it will be nice if someone
>>> could please tell me the flow (implementation-wise), as to how node-to-node
>>> encryption works in a cluster.
>>>
>>> Let's say node1 from DC1, wishes to talk securely to node 2 from DC2
>>> (with *"require_client_auth: false"*).
>>> I presume it would be like below (please correct me if I am wrong) ::
>>>
>>> a)
>>> node1 tries to connect to node2, using the certificate *as defined on
>>> node1* in cassandra.yaml.
>>>
>>> b)
>>> node2 will confirm if the certificate being offered by node1 is in the
>>> truststore *as defined on node2* in cassandra.yaml.
>>> if it is, secure-communication is allowed.
>>>
>>>
>>> Is my thinking right?
>>> I
>>>
>>> On Wed, Jan 6, 2016 at 1:55 PM, Neha Dave <nehajtrivedi@gmail.com>
>>> wrote:
>>>
>>>> Hi Ajay,
>>>> Have a look here :
>>>> https://docs.datastax.com/en/cassandra/1.2/cassandra/security/secureSSLNodeToNode_t.html
>>>>
>>>> You can configure for DC level Security:
>>>>
>>>> Procedure
>>>>
>>>> On each node under server_encryption_options:
>>>>
>>>>    - Enable internode_encryption.
>>>>    The available options are:
>>>>       - all
>>>>       - none
>>>>       - dc: Cassandra encrypts the traffic between the data centers.
>>>>       - rack: Cassandra encrypts the traffic between the racks.
>>>>
>>>> regards
>>>>
>>>> Neha
>>>>
>>>>
>>>>
>>>> On Wed, Jan 6, 2016 at 12:48 PM, Singh, Abhijeet <
>>>> absingh@informatica.com> wrote:
>>>>
>>>>> Security is a very wide concept. What exactly do you want to achieve?
>>>>>
>>>>>
>>>>>
>>>>> *From:* Ajay Garg [mailto:ajaygargnsit@gmail.com]
>>>>> *Sent:* Wednesday, January 06, 2016 11:27 AM
>>>>> *To:* user@cassandra.apache.org
>>>>> *Subject:* Basic query in setting up secure inter-dc cluster
>>>>>
>>>>>
>>>>>
>>>>> Hi All.
>>>>>
>>>>> We have a 2*2 cluster deployed, but no security as of now.
>>>>>
>>>>> As a first stage, we wish to implement inter-dc security.
>>>>>
>>>>> Is it possible to enable security one machine at a time?
>>>>>
>>>>> For example, let's say the machines are DC1M1, DC1M2, DC2M1, DC2M2.
>>>>>
>>>>> If I make the changes JUST IN DC2M2 and restart it, will the traffic
>>>>> between DC1M1/DC1M2 and DC2M2 be secure? Or security will kick in ONLY
>>>>> AFTER the changes are made in all the 4 machines?
>>>>>
>>>>> Asking here, because I don't want to screw up a live cluster due to my
>>>>> lack of experience.
>>>>>
>>>>> Looking forward to some pointers.
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> Regards,
>>>>> Ajay
>>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Regards,
>>> Ajay
>>>
>>
>>
>>
>> --
>> Regards,
>> Ajay
>>
>
>
>
> --
> Regards,
> Ajay
>



-- 
Regards,
Ajay
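
Added example (not part of the original thread, and not Cassandra's own code): a small model of the internode_encryption options quoted above, applied to the 2*2 cluster named in the thread, to show which node pairs are encrypted under "all" versus "dc". The rack names are assumptions, as is treating a cross-DC link as also cross-rack under "rack".

```python
from itertools import combinations

# Constructed topology: the four machines named in the thread.
# Rack names are assumptions; the thread does not mention racks.
NODES = {
    "DC1M1": ("DC1", "rack1"),
    "DC1M2": ("DC1", "rack2"),
    "DC2M1": ("DC2", "rack1"),
    "DC2M2": ("DC2", "rack1"),
}

MODES = ("none", "all", "dc", "rack")


def link_encrypted(mode, a, b):
    """Return True if traffic between nodes a and b is encrypted under mode."""
    (dc_a, rack_a), (dc_b, rack_b) = NODES[a], NODES[b]
    if mode == "none":
        return False
    if mode == "all":
        return True
    if mode == "dc":
        # Only traffic that crosses a data-center boundary is encrypted.
        return dc_a != dc_b
    if mode == "rack":
        # Assumption: a link to another DC is also treated as cross-rack.
        return dc_a != dc_b or rack_a != rack_b
    raise ValueError(f"unknown internode_encryption value: {mode!r}")


def links(mode, encrypted=True):
    """List node pairs that are encrypted (or plaintext) under mode."""
    return [
        pair for pair in combinations(NODES, 2)
        if link_encrypted(mode, *pair) == encrypted
    ]


if __name__ == "__main__":
    for mode in MODES:
        print(f"internode_encryption: {mode}")
        print("  encrypted:", links(mode, True))
        print("  plaintext:", links(mode, False))
```

In this model no single setting encrypts only the DC2-internal link: "dc" leaves DC2M1 <-> DC2M2 in plaintext, and "all" also covers DC1.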
