Question
I have enabled ssl encryption in my cassandra node and I am trying to figure out how to connect to my node using cqlsh with ssl:
When I run ./cqlsh --ssl
I get the following error:
Validation is enabled; SSL transport factory requires a valid certfile to be specified. Please provide path to the certfile in [ssl] section as 'certfile' option in /root/.cassandra/cqlshrc (or use [certfiles] section) or set SSL_CERTFILE environment variable.
I followed the link on https://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureCqlshSSL_t.html:
[authentication]
username = fred
password = !!bang!!$
I am keeping in the root folder so that any user can login and can access the common folder (rather than in my user directory). However what would be the password in this case? Do I need to put my password?!
certfile = ~/keys/node0.cer.pem
Will I need to add this certfile to the cassandra's truststore, or can I just add cassandra nodes certificate itself?
I am using Cassandra 2.2.7.
Answer 1:
There are a few things needed to make this work:
However what would be the password in this case? Do I need to put my password?!
Inside your cqlshrc file, this refers to the username and password for authentication/authorization. You don't really need to add it here. If you do not, remember to specify the -u username -p password flags on the cqlsh command line.
Will I need to add this certfile to the cassandra's truststore, or can I just add cassandra nodes certificate itself.
For client-to-node SSL, you don't really need to use the truststore.
If you followed the steps in that doc above, you should already have the private key part of the certificate in your keystore file. Then, you would have exported the public part of that cert to a file. You would have then converted that file to a PKCS12 file for use with cqlsh. Judging by the filenames you are using above, it looks like you have done that.
As an example, here is an example cqlshrc file that should connect to a 2.2.x cluster:
[connection]
factory = cqlshlib.ssl.ssl_transport_factory
[ssl]
certfile = ~/certs/dev-cluster1.cer.pem
validate = false
[authentication]
username = cassuser
password = 12345
Make sure that you are setting the ssl_transport_factory.
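Added example (not part of the original answer and not cqlsh's own code): a small Python check that parses a cqlshrc laid out as above and flags the settings discussed in this thread, namely validation turned off, no certfile from any of the three places the error message names, and a password stored in the file. The function name audit_cqlshrc and the finding codes are hypothetical, and treating only the literal value false as disabling validation is an assumption about how cqlsh reads the option.

```python
import configparser
import os

# Constructed sample: the cqlshrc shown in the answer above.
ANSWER_CQLSHRC = """\
[connection]
factory = cqlshlib.ssl.ssl_transport_factory
[ssl]
certfile = ~/certs/dev-cluster1.cer.pem
validate = false
[authentication]
username = cassuser
password = 12345
"""

def audit_cqlshrc(text, env=None, mode=None):
    """Return sorted finding codes for the contents of a cqlshrc file.

    env  -- environment mapping (defaults to os.environ)
    mode -- permission bits of the file, e.g. os.stat(path).st_mode & 0o777
    """
    env = os.environ if env is None else env
    cfg = configparser.ConfigParser(interpolation=None)  # '$' and '%' stay literal
    cfg.read_string(text)
    findings = set()

    # Assumption: only the literal value "false" turns validation off.
    validate = cfg.get("ssl", "validate", fallback="true").strip().lower()
    if validate == "false":
        findings.add("VALIDATION_DISABLED")  # server certificate is not verified
    else:
        has_cert = bool(cfg.get("ssl", "certfile", fallback="").strip()
                        or (cfg.has_section("certfiles") and cfg.items("certfiles"))
                        or env.get("SSL_CERTFILE"))
        if not has_cert:
            findings.add("NO_CERTFILE")  # the error quoted in the question

    if cfg.get("authentication", "password", fallback=""):
        findings.add("PLAINTEXT_PASSWORD")
        if mode is not None and mode & 0o077:
            findings.add("PASSWORD_FILE_READABLE_BY_OTHERS")
    return sorted(findings)

if __name__ == "__main__":
    print(audit_cqlshrc(ANSWER_CQLSHRC, env={}, mode=0o644))
```

A file with validate = true, a certfile entry, no stored password and mode 0600 produces no findings.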
Source: https://stackoverflow.com/questions/40179429/using-cqlsh-with-ssl