incubator-cassandra-user mailing list archives

From Ben Bromhead <...@instaclustr.com>
Subject Re: Managing truststores with inter-node encryption
Date Sat, 31 May 2014 02:06:09 GMT
Java SSL sockets need to be able to build a chain of trust. So having
either a node's public cert or the root cert in the truststore works (as you
found out).

To get Cassandra to use cipher suites > 128 bit you will need to install
the JCE unlimited strength jurisdiction policy files. You will know if you
aren't using it because there will be a bunch of warnings quickly filling
up your logs.

Note that Java's SSL implementation does not check certificate revocation
lists by default, though as you are not using inter-node for authentication
and identification it's no big deal.

Ben
On 31/05/2014 1:04 AM, "Jeremy Jongsma" <jeremy@barchart.com> wrote:

> It appears that only adding the CA certificate to the truststore is
> sufficient for this.
>
> On Thu, May 22, 2014 at 10:05 AM, Jeremy Jongsma <jeremy@barchart.com>
> wrote:
>
>> The docs say that each node needs every other node's certificate in its
>> local truststore:
>>
>>
>> http://www.datastax.com/documentation/cassandra/1.2/cassandra/security/secureSSLCertificates_t.html
>>
>> This seems like a bit of a headache for adding nodes to a cluster. How do
>> others deal with this?
>>
>> 1) If I am self-signing the client certificates (with puppetmaster), is
>> it enough that the truststore just contain the CA certificate used to sign
>> them? This is the typical PKI mechanism for verifying trust, so I am hoping
>> it works here.
>>
>> 2) If not, can I use the same certificate for every node? If so, what is
>> the downside? I'm mainly concerned with encryption over public internet
>> links, not node identity verification.
>>
>

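The two points above (a truststore holding only the CA cert is enough because the peer's cert chains to it, and revocation is a separate check that is off by default) can be reproduced outside Java with the openssl CLI. The script below is an added example, not code from the thread, Cassandra or DataStax: it builds a throwaway private CA, signs one node certificate with it, verifies the node cert against the CA alone, then revokes the node cert and shows that the chain check still passes until CRL checking is explicitly turned on. `openssl verify -CAfile ca.crt` stands in for a Java PKIX trust manager whose truststore contains only ca.crt (which is what `keytool -importcert -file ca.crt -keystore truststore.jks` would give you). All subjects, file names and the `demo_ca` config section are constructed for the demo; it assumes an openssl binary of 1.1.1 or later and touches nothing outside a temp directory.

```shell
#!/bin/sh
# Added example (not from the thread): throwaway CA, one node cert, and
# chain / revocation checks. Needs only the openssl CLI. All names are
# constructed for the demo.
set -eu

# Create ca.key/ca.crt, node1.key/node1.crt, an unrelated self-signed
# rogue.crt, and a minimal "openssl ca" config for CRL generation, in $1.
setup_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Cluster CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=node1.example.internal" \
        -keyout "$dir/node1.key" -out "$dir/node1.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/node1.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -out "$dir/node1.crt" >/dev/null 2>&1
    # A cert from nobody's CA: the truststore must not accept this one.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=rogue" \
        -keyout "$dir/rogue.key" -out "$dir/rogue.crt" >/dev/null 2>&1
    # Minimal "openssl ca" config; only the database/CRL parts are used here.
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $dir
database         = \$dir/index.txt
new_certs_dir    = \$dir
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_crl_days = 30
policy           = policy_any
[ policy_any ]
commonName = supplied
EOF
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    echo 01 > "$dir/crlnumber"
}

# Chain check with only the CA cert trusted: exit 0 means the cert in $2
# chains to ca.crt. This is what a Java PKIX trust manager does when the
# truststore holds nothing but the CA.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2" >/dev/null 2>&1
}

# Revoke node1.crt and publish a CRL signed by the CA.
revoke_node() {
    openssl ca -config "$1/ca.cnf" -revoke "$1/node1.crt" >/dev/null 2>&1
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/ca.crl" >/dev/null 2>&1
}

# Same chain check, but with revocation checking turned on. Java's default
# SSL configuration does not do this step.
verify_chain_with_crl() {
    openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" \
        "$1/$2" >/dev/null 2>&1
}

demo() {
    work=$(mktemp -d)
    setup_demo_pki "$work"
    verify_chain "$work" node1.crt && echo "node1.crt: trusted via the CA cert alone"
    verify_chain "$work" rogue.crt || echo "rogue.crt: rejected, no chain to the CA"
    revoke_node "$work"
    verify_chain "$work" node1.crt && echo "node1.crt after revocation, no CRL check: still trusted"
    verify_chain_with_crl "$work" node1.crt || echo "node1.crt after revocation, CRL check: rejected"
    rm -rf "$work"
}

demo
```

The last two lines of output are the caveat from the reply in concrete form: revoking a node's certificate at the CA changes nothing for peers that only build a chain, so if you ever rely on inter-node TLS for node identity rather than just encryption on the wire, you need either revocation checking on the Java side or a short certificate lifetime and truststore rotation.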