Cassandra Hardening

The following steps ensure that the keys that secure Fabric and Cassandra are properly generated and configured.

  • The example password Q1w2e3r4t5 is used for TLS keys and can be replaced in all the following sections by a new password.
  • Do not forget to replace all $K2_HOME/ & $INSTALL_DIR values with the full and correct path location for both Fabric and Cassandra.

Step 1 - Keys Generation

  1. Connect as cassandra user

  2. Download and run the secure_cassandra.sh file that generate the keys. it can be downloaded from here.

  3. Stop Cassandra services before running the script.

    ## run: 
    stop-server
    
    echo "export K2_HOME=$INSLATT_DIR" >> .bash_profile
    echo "export INSTALL_DIR=$INSLATT_DIR" >> .bash_profile
    source ~/.bash_profile
    cd ~/
    rm -rf .cassandra .cassandra_ssl .oracle_jre_usage .ssl
    
    chmod +x secure_cassandra.sh
    

    `

    Note: run on single Cassandra node only. To change the password or the cluster name, edit the secure_cassandra.sh or execute using the password and cluster name parameters

    e.g.: ./secure_cassandra.sh {Password} {Cluster_Name}

    ./secure_cassandra.sh Q1w2e3r4t5 k2tls
    

    output example:

    Warning:
    The JKS Keystore uses a proprietary format. It is recommended to migrate    to PKCS12 which is an industry standard format using "keytool  -importkeystore -srckeystore /opt/apps/k2view/.cassandra_ssl/cassandra.  keystore -destkeystore /opt/apps/k2view/.cassandra_ssl/cassandra. keystore -deststoretype pkcs12".
    Certificate stored in file </opt/apps/k2view/.cassandra_ssl/    CLUSTER_k2tls_PUBLIC.cer>
    
    Warning:
    The JKS Keystore uses a proprietary format. It is recommended to migrate    to PKCS12 which is an industry standard format using "keytool  -importkeystore -srckeystore /opt/apps/k2view/.cassandra_ssl/cassandra.  keystore -destkeystore /opt/apps/k2view/.cassandra_ssl/cassandra. keystore -deststoretype pkcs12".
    Certificate was added to keystore
    [Storing /opt/apps/k2view/.cassandra_ssl/cassandra.truststore]
    
    Warning:
    The JKS Keystore uses a proprietary format. It is recommended to migrate    to PKCS12 which is an industry standard format using "keytool  -importkeystore -srckeystore /opt/apps/k2view/.cassandra_ssl/cassandra.  keystore -destkeystore /opt/apps/k2view/.cassandra_ssl/cassandra. keystore -deststoretype pkcs12".
    Certificate stored in file </opt/apps/k2view/.cassandra_ssl/    CLIENT_k2tls_PUBLIC.cer>
    
    Warning:
    The JKS Keystore uses a proprietary format. It is recommended to migrate    to PKCS12 which is an industry standard format using "keytool  -importkeystore -srckeystore /opt/apps/k2view/.cassandra_ssl/cassandra.  keystore -destkeystore /opt/apps/k2view/.cassandra_ssl/cassandra. keystore -deststoretype pkcs12".
    Certificate was added to keystore
    [Storing /opt/apps/k2view/.cassandra_ssl/cassandra.truststore]
    Importing keystore /opt/apps/k2view/.cassandra_ssl/cassandra.keystore to    /opt/apps/k2view/.cassandra_ssl/cassandra.pks12.keystore...
    Entry for alias k2tls_client successfully imported.
    Entry for alias k2tls_cluster successfully imported.
    Import command completed:  2 entries successfully imported, 0 entries   failed or cancelled
    MAC verified OK
    MAC verified OK 
    

    The following 7 files will appear under the $INSTALL_DIR/. cassandra_ssl directory:

    • k2tls_CLIENT.key.pem
    • k2tls_CLIENT.cer.pem
    • cassandra.keystore
    • cassandra.pks12.keystore
    • cassandra.truststore
    • CLIENT_k2tls_PUBLIC.cer
    • CLUSTER_k2tls_PUBLIC.cer

Step 2 - Transfer Keys and Certificates to All Cassandra and Fabric Nodes

Tar and copy them to all Cassandra and Fabric nodes in the cluster.

See the example below:

tar -czvf keys.tar.gz -C $INSLATT_DIR/.cassandra_ssl .

# copy to other nodes in case more than one node is used
# 10.10.10.10 represents IP address of another node
scp keys.tar.gz cassandra@10.10.10.10:/opt/apps/cassandra/

# login to every node searately and run the following command
mkdir -p $INSLATT_DIR/.cassandra_ssl && tar -zxvf keys.tar.gz -C $INSLATT_DIR/.cassandra_ssl

Step 3 - Cassandra YAML

  1. Edit the cassandra.yaml file with the appropriate passwords and certification files.
  2. Execute this as a Cassandra user on all the Cassandra nodes.
sed -i "s@internode_encryption: none@internode_encryption: all@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@key_password: cassandra@key_password: Q1w2e3r4t5@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@keystore: conf/.keystore*@keystore: $INSLATT_DIR/.cassandra_ssl/cassandra.keystore@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@# truststore:@truststore:@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@truststore: conf/.truststore*@truststore: $INSLATT_DIR/.cassandra_ssl/cassandra.truststore@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@# protocol: TLS*@protocol: TLS@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@keystore_password: cassandra@keystore_password: Q1w2e3r4t5@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@# truststore: conf/.truststore*@truststore: $INSLATT_DIR/.cassandra_ssl/cassandra.truststore@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@# truststore_password: cassandra*@truststore_password: Q1w2e3r4t5@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@truststore_password: cassandra*@truststore_password: Q1w2e3r4t5@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@# protocol: TLS*@protocol: TLS@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@# require_client_auth: .*@require_client_auth: false@g" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@# store_type: JKS@store_type: JKS@g" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i '0,/enabled: false/! {0,/enabled: false/ s/enabled: false/enabled: true/}' $CASSANDRA_HOME/conf/cassandra.yaml
sed -i -e 's/# \(.*cipher_suites.*\)/\1/g' $CASSANDRA_HOME/conf/cassandra.yaml
sed -i -e 's/# \(.*native_transport_port_ssl:.*\)/\1/g' $CASSANDRA_HOME/conf/cassandra.yaml
sed -i '1,/cdc_enabled: false/ {0,/cdc_enabled: false/ s/cdc_enabled: false/cdc_enabled: true/}' $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@back_pressure_enabled: .*@back_pressure_enabled: true@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@native_transport_port: .*@native_transport_port: 9142@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i -e 's/# \(.*native_transport_port_ssl:.*\)/\1/g' $CASSANDRA_HOME/conf/cassandra.yaml
  1. Restart the Cassandra service on each node: cassandra

Step 4 - Cassandra CQLSHRC

  1. Edit the .cassandra/cqlshrc file using the appropriate passwords and certification files.

  2. Execute this as a Cassandra user on all Cassandra nodes.

    mkdir ~/.cassandra
    cp $INSTALL_DIR/cassandra/conf/cqlshrc.sample $INSTALL_DIR/.cassandra/cqlshrc
    
    sed -i "s@\;\[ssl\]@\[ssl\]@" $INSLATT_DIR/.cassandra/cqlshrc
    sed -i '/^\[csv]/i factory = cqlshlib.ssl.ssl_transport_factory' $INSLATT_DIR/.cassandra/cqlshrc
    sed -i "s@; certfile = .*@certfile = $INSLATT_DIR/.cassandra_ssl/k2tls_CLIENT.cer.pem@" $INSLATT_DIR/.cassandra/cqlshrc
    sed -i "s@;validate = true@validate = true@" $INSLATT_DIR/.cassandra/cqlshrc
    sed -i "105iversion = SSLv23" $INSLATT_DIR/.cassandra/cqlshrc
    sed -i "s@;userkey = .*@userkey = $INSLATT_DIR/.cassandra_ssl/k2tls_CLIENT.key.pem@" $INSLATT_DIR/.cassandra/cqlshrc
    sed -i "s@;usercert = .*@usercert = $INSLATT_DIR/.cassandra_ssl/k2tls_CLIENT.cer.pem@" $INSLATT_DIR/.cassandra/cqlshrc
    sed -i "s@port = .*@port = 9142@" $INSLATT_DIR/.cassandra/cqlshrc
    sed -i "s@hostname = .*@hostname = $(hostname -I |awk {'print $1'})@" $INSLATT_DIR/.cassandra/cqlshrc
    

Step 5 - Disable the default cassandra superuser

Cassandra default superuser is cassandra and it must be disabled before going to production. Before doing so, you need to create new superusers, one for SYSDBA, and one for Fabric connection use

  1. connect to one of the Cassandra nodes console, and create 2 new superuser's
   echo "create user k2admin with password 'Q1w2e3r4t5' superuser;" | cqlsh -u cassandra -p cassandra $(hostname -i) 9142 --ssl
   echo "create user k2sysdba with password '3ptBF9eMSsyLrXr3' superuser;" | cqlsh -u cassandra -p cassandra $(hostname -i) 9142 --ssl
  1. drop the cassandra user
   echo "drop role cassandra;" | cqlsh -u k2sysdba -p 3ptBF9eMSsyLrXr3 $(hostname -i) 9142 --ssl

Previous

Cassandra Hardening

The following steps ensure that the keys that secure Fabric and Cassandra are properly generated and configured.

  • The example password Q1w2e3r4t5 is used for TLS keys and can be replaced in all the following sections by a new password.
  • Do not forget to replace all $K2_HOME/ & $INSTALL_DIR values with the full and correct path location for both Fabric and Cassandra.

Step 1 - Keys Generation

  1. Connect as cassandra user

  2. Download and run the secure_cassandra.sh file that generate the keys. it can be downloaded from here.

  3. Stop Cassandra services before running the script.

    ## run: 
    stop-server
    
    echo "export K2_HOME=$INSLATT_DIR" >> .bash_profile
    echo "export INSTALL_DIR=$INSLATT_DIR" >> .bash_profile
    source ~/.bash_profile
    cd ~/
    rm -rf .cassandra .cassandra_ssl .oracle_jre_usage .ssl
    
    chmod +x secure_cassandra.sh
    

    `

    Note: run on single Cassandra node only. To change the password or the cluster name, edit the secure_cassandra.sh or execute using the password and cluster name parameters

    e.g.: ./secure_cassandra.sh {Password} {Cluster_Name}

    ./secure_cassandra.sh Q1w2e3r4t5 k2tls
    

    output example:

    Warning:
    The JKS Keystore uses a proprietary format. It is recommended to migrate    to PKCS12 which is an industry standard format using "keytool  -importkeystore -srckeystore /opt/apps/k2view/.cassandra_ssl/cassandra.  keystore -destkeystore /opt/apps/k2view/.cassandra_ssl/cassandra. keystore -deststoretype pkcs12".
    Certificate stored in file </opt/apps/k2view/.cassandra_ssl/    CLUSTER_k2tls_PUBLIC.cer>
    
    Warning:
    The JKS Keystore uses a proprietary format. It is recommended to migrate    to PKCS12 which is an industry standard format using "keytool  -importkeystore -srckeystore /opt/apps/k2view/.cassandra_ssl/cassandra.  keystore -destkeystore /opt/apps/k2view/.cassandra_ssl/cassandra. keystore -deststoretype pkcs12".
    Certificate was added to keystore
    [Storing /opt/apps/k2view/.cassandra_ssl/cassandra.truststore]
    
    Warning:
    The JKS Keystore uses a proprietary format. It is recommended to migrate    to PKCS12 which is an industry standard format using "keytool  -importkeystore -srckeystore /opt/apps/k2view/.cassandra_ssl/cassandra.  keystore -destkeystore /opt/apps/k2view/.cassandra_ssl/cassandra. keystore -deststoretype pkcs12".
    Certificate stored in file </opt/apps/k2view/.cassandra_ssl/    CLIENT_k2tls_PUBLIC.cer>
    
    Warning:
    The JKS Keystore uses a proprietary format. It is recommended to migrate    to PKCS12 which is an industry standard format using "keytool  -importkeystore -srckeystore /opt/apps/k2view/.cassandra_ssl/cassandra.  keystore -destkeystore /opt/apps/k2view/.cassandra_ssl/cassandra. keystore -deststoretype pkcs12".
    Certificate was added to keystore
    [Storing /opt/apps/k2view/.cassandra_ssl/cassandra.truststore]
    Importing keystore /opt/apps/k2view/.cassandra_ssl/cassandra.keystore to    /opt/apps/k2view/.cassandra_ssl/cassandra.pks12.keystore...
    Entry for alias k2tls_client successfully imported.
    Entry for alias k2tls_cluster successfully imported.
    Import command completed:  2 entries successfully imported, 0 entries   failed or cancelled
    MAC verified OK
    MAC verified OK 
    

    The following 7 files will appear under the $INSTALL_DIR/. cassandra_ssl directory:

    • k2tls_CLIENT.key.pem
    • k2tls_CLIENT.cer.pem
    • cassandra.keystore
    • cassandra.pks12.keystore
    • cassandra.truststore
    • CLIENT_k2tls_PUBLIC.cer
    • CLUSTER_k2tls_PUBLIC.cer

Step 2 - Transfer Keys and Certificates to All Cassandra and Fabric Nodes

Tar and copy them to all Cassandra and Fabric nodes in the cluster.

See the example below:

tar -czvf keys.tar.gz -C $INSLATT_DIR/.cassandra_ssl .

# copy to other nodes in case more than one node is used
# 10.10.10.10 represents IP address of another node
scp keys.tar.gz cassandra@10.10.10.10:/opt/apps/cassandra/

# login to every node searately and run the following command
mkdir -p $INSLATT_DIR/.cassandra_ssl && tar -zxvf keys.tar.gz -C $INSLATT_DIR/.cassandra_ssl

Step 3 - Cassandra YAML

  1. Edit the cassandra.yaml file with the appropriate passwords and certification files.
  2. Execute this as a Cassandra user on all the Cassandra nodes.
sed -i "s@internode_encryption: none@internode_encryption: all@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@key_password: cassandra@key_password: Q1w2e3r4t5@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@keystore: conf/.keystore*@keystore: $INSLATT_DIR/.cassandra_ssl/cassandra.keystore@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@# truststore:@truststore:@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@truststore: conf/.truststore*@truststore: $INSLATT_DIR/.cassandra_ssl/cassandra.truststore@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@# protocol: TLS*@protocol: TLS@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@keystore_password: cassandra@keystore_password: Q1w2e3r4t5@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@# truststore: conf/.truststore*@truststore: $INSLATT_DIR/.cassandra_ssl/cassandra.truststore@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@# truststore_password: cassandra*@truststore_password: Q1w2e3r4t5@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@truststore_password: cassandra*@truststore_password: Q1w2e3r4t5@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@# protocol: TLS*@protocol: TLS@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@# require_client_auth: .*@require_client_auth: false@g" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@# store_type: JKS@store_type: JKS@g" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i '0,/enabled: false/! {0,/enabled: false/ s/enabled: false/enabled: true/}' $CASSANDRA_HOME/conf/cassandra.yaml
sed -i -e 's/# \(.*cipher_suites.*\)/\1/g' $CASSANDRA_HOME/conf/cassandra.yaml
sed -i -e 's/# \(.*native_transport_port_ssl:.*\)/\1/g' $CASSANDRA_HOME/conf/cassandra.yaml
sed -i '1,/cdc_enabled: false/ {0,/cdc_enabled: false/ s/cdc_enabled: false/cdc_enabled: true/}' $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@back_pressure_enabled: .*@back_pressure_enabled: true@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@native_transport_port: .*@native_transport_port: 9142@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i -e 's/# \(.*native_transport_port_ssl:.*\)/\1/g' $CASSANDRA_HOME/conf/cassandra.yaml
  1. Restart the Cassandra service on each node: cassandra

Step 4 - Cassandra CQLSHRC

  1. Edit the .cassandra/cqlshrc file using the appropriate passwords and certification files.

  2. Execute this as a Cassandra user on all Cassandra nodes.

    mkdir ~/.cassandra
    cp $INSTALL_DIR/cassandra/conf/cqlshrc.sample $INSTALL_DIR/.cassandra/cqlshrc
    
    sed -i "s@\;\[ssl\]@\[ssl\]@" $INSLATT_DIR/.cassandra/cqlshrc
    sed -i '/^\[csv]/i factory = cqlshlib.ssl.ssl_transport_factory' $INSLATT_DIR/.cassandra/cqlshrc
    sed -i "s@; certfile = .*@certfile = $INSLATT_DIR/.cassandra_ssl/k2tls_CLIENT.cer.pem@" $INSLATT_DIR/.cassandra/cqlshrc
    sed -i "s@;validate = true@validate = true@" $INSLATT_DIR/.cassandra/cqlshrc
    sed -i "105iversion = SSLv23" $INSLATT_DIR/.cassandra/cqlshrc
    sed -i "s@;userkey = .*@userkey = $INSLATT_DIR/.cassandra_ssl/k2tls_CLIENT.key.pem@" $INSLATT_DIR/.cassandra/cqlshrc
    sed -i "s@;usercert = .*@usercert = $INSLATT_DIR/.cassandra_ssl/k2tls_CLIENT.cer.pem@" $INSLATT_DIR/.cassandra/cqlshrc
    sed -i "s@port = .*@port = 9142@" $INSLATT_DIR/.cassandra/cqlshrc
    sed -i "s@hostname = .*@hostname = $(hostname -I |awk {'print $1'})@" $INSLATT_DIR/.cassandra/cqlshrc
    

Step 5 - Disable the default cassandra superuser

Cassandra default superuser is cassandra and it must be disabled before going to production. Before doing so, you need to create new superusers, one for SYSDBA, and one for Fabric connection use

  1. connect to one of the Cassandra nodes console, and create 2 new superuser's
   echo "create user k2admin with password 'Q1w2e3r4t5' superuser;" | cqlsh -u cassandra -p cassandra $(hostname -i) 9142 --ssl
   echo "create user k2sysdba with password '3ptBF9eMSsyLrXr3' superuser;" | cqlsh -u cassandra -p cassandra $(hostname -i) 9142 --ssl
  1. drop the cassandra user
   echo "drop role cassandra;" | cqlsh -u k2sysdba -p 3ptBF9eMSsyLrXr3 $(hostname -i) 9142 --ssl

Previous