Igor's Techno Club

Setting Up SSL-Encrypted Cassandra with Docker Compose

This guide explains how to set up SSL/TLS encryption in Apache Cassandra using Docker Compose. You’ll secure client-server and inter-node communications with SSL/TLS.

Prerequisites


Step 1: Generate SSL Certificates

To secure Cassandra using SSL/TLS, you need to create a keystore and truststore. For simplicity, you can generate self-signed certificates.

1.1 Generate Server Certificate (Keystore)

keytool -genkeypair \
    -keyalg RSA \
    -alias cassandra \
    -keystore cassandra.keystore \
    -storepass cassandra \
    -validity 365 \
    -keysize 2048 \
    -dname "CN=cassandra"

1.2 Generate Client Certificate (Optional, for Mutual TLS)

If you plan to use mutual TLS authentication (mTLS), also create a client keystore. If not, skip this step.

keytool -genkeypair \
    -keyalg RSA \
    -alias client \
    -keystore client.keystore \
    -storepass clientpass \
    -validity 365 \
    -keysize 2048 \
    -dname "CN=client"

1.3 Export Certificates and Create Truststore

Export the certificates and create a truststore to allow Cassandra nodes and clients to trust each other.

# Export server certificate
keytool -export -alias cassandra -keystore cassandra.keystore -file cassandra.crt -storepass cassandra

# Create a truststore
keytool -import -file cassandra.crt -alias cassandra -keystore cassandra.truststore -storepass cassandra -noprompt

Step 2: Configure Docker Compose for Cassandra

2.1 Docker Compose File

Create a docker-compose.yml file to run Cassandra with SSL encryption. It will mount the keystore and truststore files into the container.

version: '3.8'
services:
  cassandra:
    image: cassandra:latest
    container_name: cassandra
    environment:
      - CASSANDRA_CLUSTER_NAME=ssl-cluster
    volumes:
      - ./ssl:/etc/cassandra/ssl
    ports:
      - "9042:9042"
    command: cassandra -f

2.2 Mounting SSL Files

Ensure the SSL certificates (keystore and truststore) are stored in the ssl directory next to your docker-compose.yml file:

./ssl/cassandra.keystore
./ssl/cassandra.truststore

Step 3: Configure Cassandra for SSL/TLS

You need to modify Cassandra’s cassandra.yaml configuration to enable SSL encryption for both client-server and internode communication.

3.1 Enable Client-Side Encryption

Open cassandra.yaml (located at /etc/cassandra/cassandra.yaml inside the container) and set its client_encryption_options block as follows to enable SSL encryption between clients and the Cassandra server.

client_encryption_options:
    enabled: true
    optional: false
    keystore: /etc/cassandra/ssl/cassandra.keystore
    keystore_password: cassandra
    truststore: /etc/cassandra/ssl/cassandra.truststore
    truststore_password: cassandra
    require_client_auth: false
    cipher_suites: [TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384]
    enabled_protocols: [TLSv1.3]

3.2 Enable Internode Encryption

Similarly, modify server_encryption_options for SSL encryption between Cassandra nodes (internode communication).

server_encryption_options:
    internode_encryption: all
    keystore: /etc/cassandra/ssl/cassandra.keystore
    keystore_password: cassandra
    truststore: /etc/cassandra/ssl/cassandra.truststore
    truststore_password: cassandra
    require_client_auth: false
    cipher_suites: [TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384]
    enabled_protocols: [TLSv1.3]

Step 4: Running Cassandra with SSL

After configuring SSL, you can start Cassandra using Docker Compose:

docker-compose up

Step 5: Configure cqlsh for SSL Connection

To connect to your SSL-encrypted Cassandra cluster using cqlsh, you need to configure it to use SSL.

5.1 Configure cqlshrc

Create or modify the ~/.cassandra/cqlshrc file on your local machine to use SSL for connecting to Cassandra.

[ssl]
certfile = /path/to/cassandra.crt
validate = true
version = TLSv1.3

5.2 Connect to Cassandra Using cqlsh

Now, connect to Cassandra using the following command:

cqlsh <cassandra_host> --ssl -u <username> -p <password>

Step 6: Verify TLS Connections

You can use tools like openssl to verify that TLS 1.3 is being used for encrypted connections.

openssl s_client -connect <cassandra_host>:9042 -tls1_3

This should show a successful handshake with TLS 1.3 and the certificate details.
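The same check in code, as an added Go example that is not part of this guide: it stands up an in-process TLS 1.3-only listener with a self-signed CN=cassandra certificate (what the keytool step produces), then connects the way cqlshrc's certfile with validate = true does, trusting only that certificate and refusing anything below TLS 1.3, and reports the facts the openssl handshake above shows. StartNode and CheckTLS13 are names assumed here, the listener speaks no CQL, and the certificate carries an assumed SAN of cassandra because Go's verifier checks SANs rather than the CN.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// StartNode stands in for a node's native port: a self-signed certificate for CN=cassandra
// served with TLS 1.3 only. Returns the address, the cert a client must trust, and a stop func.
func StartNode() (string, *x509.Certificate, func(), error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "cassandra"},
		DNSNames:     []string{"cassandra"}, // assumed SAN: Go checks SANs, not CN; keytool above sets CN only
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return "", nil, nil, err
	}
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
	srv := httptest.NewUnstartedServer(http.NotFoundHandler()) // any TLS listener will do; no CQL is spoken
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS13}
	srv.StartTLS()
	return srv.Listener.Addr().String(), srv.Certificate(), srv.Close, nil
}

// CheckTLS13 is the programmatic form of "openssl s_client -tls1_3": it trusts only trust
// (as cqlshrc's certfile with validate = true does), refuses anything below TLS 1.3 and
// reports the negotiated version and the server certificate's CN.
func CheckTLS13(addr, serverName string, trust *x509.Certificate) (uint16, string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(trust)
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS13})
	if err != nil {
		return 0, "", err
	}
	defer conn.Close()
	st := conn.ConnectionState()
	return st.Version, st.PeerCertificates[0].Subject.CommonName, nil // 0x0304 is TLS 1.3
}
```

Connecting with a server name the certificate does not cover (localhost, for instance) fails verification, which is exactly what validate = true buys you over a bare --ssl.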


Summary

By following the steps in this guide, you’ve configured a secure, SSL-encrypted Cassandra setup with Docker Compose. SSL ensures encrypted communication for both client-server and internode traffic, safeguarding your Cassandra cluster from unauthorized access or data interception.

Key points: