[
https://issues.apache.org/jira/browse/CASSANDRA-17513?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17522399#comment-17522399
]
Jyothsna Konisa commented on CASSANDRA-17513:
---------------------------------------------
[~maulin.vasavada] Thank you very much for your insights. We are trying to
implement mTLS internode authentication, and server_encryption_options is used
for configuring the SSL/TLS settings for internode authentication.
In an internode connection, the node that creates an inbound connection acts
like a server and needs a server certificate, whereas the node that creates an
outbound connection acts like a client and needs a client certificate.
Currently we are setting the same keystore for inbound and outbound connections,
but we should use a keystore with a server certificate for inbound connections
and a keystore with a client certificate for outbound connections.
There are two configurations for setting up encryption options in the
Cassandra.yaml file:
1. client_encryption_options (between the Cassandra cluster and clients)
2. server_encryption_options (for internode connections between Cassandra nodes)
*client_encryption_options* is used to set the encryption configuration for
communication between the Cassandra cluster and clients. The server certificate
(the identity of the server) is put inside *client_encryption_options.keystore*.
For example, if I am a user of a Cassandra cluster and I want to perform a
CQLSH query using the Java driver, during the SSL handshake the server
certificate (*client_encryption_options.keystore*) is presented to the
client as the server identity, and *client_encryption_options.truststore* should
have roots that trust client certificates.
*server_encryption_options* is used to set the encryption configuration for
communication between Cassandra nodes (internode authentication). Even in this
case the server certificate of a node (the node's identity) is put inside
*server_encryption_options.keystore* and is presented to the other node. Also,
*server_encryption_options.truststore* includes the trusted roots of
other nodes' certificates.
So, we cannot use client_encryption_options for configuring TLS/SSL options for
internode authentication. Let me know if this addresses your concern.
> Add new property to pass keystore for outbound connections
> ----------------------------------------------------------
>
> Key: CASSANDRA-17513
> URL: https://issues.apache.org/jira/browse/CASSANDRA-17513
> Project: Cassandra
> Issue Type: Bug
> Reporter: Jyothsna Konisa
> Assignee: Jyothsna Konisa
> Priority: Normal
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Same keystore is being set for both Inbound and outbound connections but we
> should use a keystore with server certificate for Inbound connections and a
> keystore with client certificates for outbound connections. So we should add
> a new property in Cassandra.yaml to pass outbound keystore and use it in
> SSLContextFactory for creating outbound SSL context.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)