The following steps ensure that the keys that secure Fabric and Cassandra are properly generated and configured.
Q1w2e3r4t5
is used for TLS keys and can be replaced in all the following sections by a new password.$K2_HOME/
& $INSTALL_DIR
values with the full and correct path location for both Fabric and Cassandra.Connect as cassandra user
Run the secure_cassandra.sh
file that generate the keys. It included with our supplied psackage or can be downloaded from here.
Stop Cassandra services before running the script.
## run:
stop-server
echo "export K2_HOME=$INSTALL_DIR" >> .bash_profile
source ~/.bash_profile
cd ~/
rm -rf .cassandra .cassandra_ssl .oracle_jre_usage .ssl
`
Note: run on single Cassandra node only. To change the password or the cluster name, edit the secure_cassandra.sh or execute using the password and cluster name parameters
./secure_cassandra.sh {Password} {Cluster_Name}
for example:
./secure_cassandra.sh Q1w2e3r4t5 k2tls
output example:
Warning:
The JKS Keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/apps/k2view/.cassandra_ssl/cassandra. keystore -destkeystore /opt/apps/k2view/.cassandra_ssl/cassandra. keystore -deststoretype pkcs12".
Certificate stored in file </opt/apps/k2view/.cassandra_ssl/ CLUSTER_k2tls_PUBLIC.cer>
Warning:
The JKS Keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/apps/k2view/.cassandra_ssl/cassandra. keystore -destkeystore /opt/apps/k2view/.cassandra_ssl/cassandra. keystore -deststoretype pkcs12".
Certificate was added to keystore
[Storing /opt/apps/k2view/.cassandra_ssl/cassandra.truststore]
Warning:
The JKS Keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/apps/k2view/.cassandra_ssl/cassandra. keystore -destkeystore /opt/apps/k2view/.cassandra_ssl/cassandra. keystore -deststoretype pkcs12".
Certificate stored in file </opt/apps/k2view/.cassandra_ssl/ CLIENT_k2tls_PUBLIC.cer>
Warning:
The JKS Keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/apps/k2view/.cassandra_ssl/cassandra. keystore -destkeystore /opt/apps/k2view/.cassandra_ssl/cassandra. keystore -deststoretype pkcs12".
Certificate was added to keystore
[Storing /opt/apps/k2view/.cassandra_ssl/cassandra.truststore]
Importing keystore /opt/apps/k2view/.cassandra_ssl/cassandra.keystore to /opt/apps/k2view/.cassandra_ssl/cassandra.pks12.keystore...
Entry for alias k2tls_client successfully imported.
Entry for alias k2tls_cluster successfully imported.
Import command completed: 2 entries successfully imported, 0 entries failed or cancelled
MAC verified OK
MAC verified OK
The following 7 files will be created under the $INSTALL_DIR/.cassandra_ssl
directory:
And a cassandra_keys.tar.gz file containing all files,will be created, to be transfered to the other nodes
Note the certificate and key file name contain the cluster name you have set.
Copy the priveously created file cassandra_keys.tar.gz to all cassandra noe in the cluster
See the example below:
# copy to other nodes in case more than one node is used
# 10.10.10.10 represents IP address of another node
scp cassandra_keys.tar.gz cassandra@10.10.10.10:/opt/apps/cassandra/
# login to every node searately and run the following command
mkdir -p $INSTALL_DIR/.cassandra_ssl && tar -zxvf cassandra_keys.tar.gz -C $INSTALL_DIR/.cassandra_ssl
cassandra.yaml
file with the appropriate passwords and certification files.Replace the password in the following command with the one you set before.
sed -i "s@internode_encryption: none@internode_encryption: all@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@key_password: cassandra@key_password: Q1w2e3r4t5@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@keystore: conf/.keystore*@keystore: $INSTALL_DIR/.cassandra_ssl/cassandra.keystore@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@# truststore:@truststore:@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@truststore: conf/.truststore*@truststore: $INSTALL_DIR/.cassandra_ssl/cassandra.truststore@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@# protocol: TLS*@protocol: TLS@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@keystore_password: cassandra@keystore_password: Q1w2e3r4t5@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@# truststore: conf/.truststore*@truststore: $INSTALL_DIR/.cassandra_ssl/cassandra.truststore@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@# truststore_password: cassandra*@truststore_password: Q1w2e3r4t5@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@truststore_password: cassandra*@truststore_password: Q1w2e3r4t5@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@# protocol: TLS*@protocol: TLS@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@# require_client_auth: .*@require_client_auth: false@g" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@# store_type: JKS@store_type: JKS@g" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i '0,/enabled: false/! {0,/enabled: false/ s/enabled: false/enabled: true/}' $CASSANDRA_HOME/conf/cassandra.yaml
sed -i -e 's/# \(.*cipher_suites.*\)/\1/g' $CASSANDRA_HOME/conf/cassandra.yaml
sed -i -e 's/# \(.*native_transport_port_ssl:.*\)/\1/g' $CASSANDRA_HOME/conf/cassandra.yaml
sed -i '1,/cdc_enabled: false/ {0,/cdc_enabled: false/ s/cdc_enabled: false/cdc_enabled: true/}' $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@back_pressure_enabled: .*@back_pressure_enabled: true@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@native_transport_port: .*@native_transport_port: 9142@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i -e 's/# \(.*native_transport_port_ssl:.*\)/\1/g' $CASSANDRA_HOME/conf/cassandra.yaml
cassandra
.cassandra/cqlshrc
file using the appropriate passwords and certification files created earlier.replace the key and certificate file name with the files created before.
```bash
mkdir -p ~/.cassandra
cp $INSTALL_DIR/cassandra/conf/cqlshrc.sample $INSTALL_DIR/.cassandra/cqlshrc
sed -i "s@\;\[ssl\]@\[ssl\]@" $INSTALL_DIR/.cassandra/cqlshrc
sed -i '/^\[csv]/i factory = cqlshlib.ssl.ssl_transport_factory' $INSTALL_DIR/.cassandra/cqlshrc
sed -i "s@; certfile = .*@certfile = $INSTALL_DIR/.cassandra_ssl/k2tls_CLIENT.cer.pem@" $INSTALL_DIR/.cassandra/cqlshrc
sed -i "s@;validate = true@validate = true@" $INSTALL_DIR/.cassandra/cqlshrc
sed -i "105iversion = SSLv23" $INSTALL_DIR/.cassandra/cqlshrc
sed -i "s@;userkey = .*@userkey = $INSTALL_DIR/.cassandra_ssl/k2tls_CLIENT.key.pem@" $INSTALL_DIR/.cassandra/cqlshrc
sed -i "s@;usercert = .*@usercert = $INSTALL_DIR/.cassandra_ssl/k2tls_CLIENT.cer.pem@" $INSTALL_DIR/.cassandra/cqlshrc
sed -i "s@port = .*@port = 9142@" $INSTALL_DIR/.cassandra/cqlshrc
sed -i "s@hostname = .*@hostname = $(hostname -I |awk {'print $1'})@" $INSTALL_DIR/.cassandra/cqlshrc
```
cqlsh -u k2admin -p Q1w2e3r4t5 --ssl
Cassandra default superuser is cassandra
and it must be disabled before going to production. Before doing so, you need to create new superusers, one for SYSDBA, and one for Fabric connection use
echo "create user k2admin with password 'Q1w2e3r4t5' superuser;" | cqlsh -u cassandra -p cassandra $(hostname -i) 9142 --ssl
echo "create user k2sysdba with password '3ptBF9eMSsyLrXr3' superuser;" | cqlsh -u cassandra -p cassandra $(hostname -i) 9142 --ssl
cassandra
user echo "drop role cassandra;" | cqlsh -u k2sysdba -p 3ptBF9eMSsyLrXr3 $(hostname -i) 9142 --ssl
The following steps ensure that the keys that secure Fabric and Cassandra are properly generated and configured.
Q1w2e3r4t5
is used for TLS keys and can be replaced in all the following sections by a new password.$K2_HOME/
& $INSTALL_DIR
values with the full and correct path location for both Fabric and Cassandra.Connect as cassandra user
Run the secure_cassandra.sh
file that generate the keys. It included with our supplied psackage or can be downloaded from here.
Stop Cassandra services before running the script.
## run:
stop-server
echo "export K2_HOME=$INSTALL_DIR" >> .bash_profile
source ~/.bash_profile
cd ~/
rm -rf .cassandra .cassandra_ssl .oracle_jre_usage .ssl
`
Note: run on single Cassandra node only. To change the password or the cluster name, edit the secure_cassandra.sh or execute using the password and cluster name parameters
./secure_cassandra.sh {Password} {Cluster_Name}
for example:
./secure_cassandra.sh Q1w2e3r4t5 k2tls
output example:
Warning:
The JKS Keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/apps/k2view/.cassandra_ssl/cassandra. keystore -destkeystore /opt/apps/k2view/.cassandra_ssl/cassandra. keystore -deststoretype pkcs12".
Certificate stored in file </opt/apps/k2view/.cassandra_ssl/ CLUSTER_k2tls_PUBLIC.cer>
Warning:
The JKS Keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/apps/k2view/.cassandra_ssl/cassandra. keystore -destkeystore /opt/apps/k2view/.cassandra_ssl/cassandra. keystore -deststoretype pkcs12".
Certificate was added to keystore
[Storing /opt/apps/k2view/.cassandra_ssl/cassandra.truststore]
Warning:
The JKS Keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/apps/k2view/.cassandra_ssl/cassandra. keystore -destkeystore /opt/apps/k2view/.cassandra_ssl/cassandra. keystore -deststoretype pkcs12".
Certificate stored in file </opt/apps/k2view/.cassandra_ssl/ CLIENT_k2tls_PUBLIC.cer>
Warning:
The JKS Keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/apps/k2view/.cassandra_ssl/cassandra. keystore -destkeystore /opt/apps/k2view/.cassandra_ssl/cassandra. keystore -deststoretype pkcs12".
Certificate was added to keystore
[Storing /opt/apps/k2view/.cassandra_ssl/cassandra.truststore]
Importing keystore /opt/apps/k2view/.cassandra_ssl/cassandra.keystore to /opt/apps/k2view/.cassandra_ssl/cassandra.pks12.keystore...
Entry for alias k2tls_client successfully imported.
Entry for alias k2tls_cluster successfully imported.
Import command completed: 2 entries successfully imported, 0 entries failed or cancelled
MAC verified OK
MAC verified OK
The following 7 files will be created under the $INSTALL_DIR/.cassandra_ssl
directory:
And a cassandra_keys.tar.gz file containing all files,will be created, to be transfered to the other nodes
Note the certificate and key file name contain the cluster name you have set.
Copy the priveously created file cassandra_keys.tar.gz to all cassandra noe in the cluster
See the example below:
# copy to other nodes in case more than one node is used
# 10.10.10.10 represents IP address of another node
scp cassandra_keys.tar.gz cassandra@10.10.10.10:/opt/apps/cassandra/
# login to every node searately and run the following command
mkdir -p $INSTALL_DIR/.cassandra_ssl && tar -zxvf cassandra_keys.tar.gz -C $INSTALL_DIR/.cassandra_ssl
cassandra.yaml
file with the appropriate passwords and certification files.Replace the password in the following command with the one you set before.
sed -i "s@internode_encryption: none@internode_encryption: all@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@key_password: cassandra@key_password: Q1w2e3r4t5@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@keystore: conf/.keystore*@keystore: $INSTALL_DIR/.cassandra_ssl/cassandra.keystore@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@# truststore:@truststore:@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@truststore: conf/.truststore*@truststore: $INSTALL_DIR/.cassandra_ssl/cassandra.truststore@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@# protocol: TLS*@protocol: TLS@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@keystore_password: cassandra@keystore_password: Q1w2e3r4t5@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@# truststore: conf/.truststore*@truststore: $INSTALL_DIR/.cassandra_ssl/cassandra.truststore@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@# truststore_password: cassandra*@truststore_password: Q1w2e3r4t5@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@truststore_password: cassandra*@truststore_password: Q1w2e3r4t5@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@# protocol: TLS*@protocol: TLS@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@# require_client_auth: .*@require_client_auth: false@g" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@# store_type: JKS@store_type: JKS@g" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i '0,/enabled: false/! {0,/enabled: false/ s/enabled: false/enabled: true/}' $CASSANDRA_HOME/conf/cassandra.yaml
sed -i -e 's/# \(.*cipher_suites.*\)/\1/g' $CASSANDRA_HOME/conf/cassandra.yaml
sed -i -e 's/# \(.*native_transport_port_ssl:.*\)/\1/g' $CASSANDRA_HOME/conf/cassandra.yaml
sed -i '1,/cdc_enabled: false/ {0,/cdc_enabled: false/ s/cdc_enabled: false/cdc_enabled: true/}' $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@back_pressure_enabled: .*@back_pressure_enabled: true@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i "s@native_transport_port: .*@native_transport_port: 9142@" $CASSANDRA_HOME/conf/cassandra.yaml
sed -i -e 's/# \(.*native_transport_port_ssl:.*\)/\1/g' $CASSANDRA_HOME/conf/cassandra.yaml
cassandra
.cassandra/cqlshrc
file using the appropriate passwords and certification files created earlier.replace the key and certificate file name with the files created before.
```bash
mkdir -p ~/.cassandra
cp $INSTALL_DIR/cassandra/conf/cqlshrc.sample $INSTALL_DIR/.cassandra/cqlshrc
sed -i "s@\;\[ssl\]@\[ssl\]@" $INSTALL_DIR/.cassandra/cqlshrc
sed -i '/^\[csv]/i factory = cqlshlib.ssl.ssl_transport_factory' $INSTALL_DIR/.cassandra/cqlshrc
sed -i "s@; certfile = .*@certfile = $INSTALL_DIR/.cassandra_ssl/k2tls_CLIENT.cer.pem@" $INSTALL_DIR/.cassandra/cqlshrc
sed -i "s@;validate = true@validate = true@" $INSTALL_DIR/.cassandra/cqlshrc
sed -i "105iversion = SSLv23" $INSTALL_DIR/.cassandra/cqlshrc
sed -i "s@;userkey = .*@userkey = $INSTALL_DIR/.cassandra_ssl/k2tls_CLIENT.key.pem@" $INSTALL_DIR/.cassandra/cqlshrc
sed -i "s@;usercert = .*@usercert = $INSTALL_DIR/.cassandra_ssl/k2tls_CLIENT.cer.pem@" $INSTALL_DIR/.cassandra/cqlshrc
sed -i "s@port = .*@port = 9142@" $INSTALL_DIR/.cassandra/cqlshrc
sed -i "s@hostname = .*@hostname = $(hostname -I |awk {'print $1'})@" $INSTALL_DIR/.cassandra/cqlshrc
```
cqlsh -u k2admin -p Q1w2e3r4t5 --ssl
Cassandra default superuser is cassandra
and it must be disabled before going to production. Before doing so, you need to create new superusers, one for SYSDBA, and one for Fabric connection use
echo "create user k2admin with password 'Q1w2e3r4t5' superuser;" | cqlsh -u cassandra -p cassandra $(hostname -i) 9142 --ssl
echo "create user k2sysdba with password '3ptBF9eMSsyLrXr3' superuser;" | cqlsh -u cassandra -p cassandra $(hostname -i) 9142 --ssl
cassandra
user echo "drop role cassandra;" | cqlsh -u k2sysdba -p 3ptBF9eMSsyLrXr3 $(hostname -i) 9142 --ssl