tolbertam commented on code in PR #4293: URL: https://github.com/apache/cassandra/pull/4293#discussion_r2254830214
########## doc/modules/cassandra/pages/managing/tools/sstable/sstableloader.adoc: ########## 
@@ -142,11 +142,24 @@ Initial hosts must be specified (-d) == Use a Config File for SSL Clusters -If SSL encryption is enabled in the cluster, use the --conf-path option -with sstableloader to point the tool to the cassandra.yaml with the -relevant server_encryption_options (e.g., truststore location, -algorithm). This will work better than passing individual ssl options -shown above to sstableloader on the command line. +The sstableloader tool connects to the Cassandra server's native port to fetch cluster metadata and to the storage +(internode) port to stream SSTables. If SSL encryption is required only for the native port, you can provide the +necessary SSL options directly via the command line. However, if SSL encryption is required for both native and +internode (storage) ports, it is recommended to use the --conf-path option with sstableloader to specify a +cassandra.yaml file that includes the appropriate client_encryption_options for the native port and +server_encryption_options for the storage port. This approach is necessary because there are no command-line options to +configure internode SSL settings directly. In case, command line options are provided for the native port connection, +they will override the settings in the cassandra.yaml file for the native port, but the storage port will still use the +server_encryption_options from the cassandra.yaml file. + +Also, as the client to the Cassandra nodes, same key and/or trust stores must be configured for the sstableloader tool +for connecting to the native or the storage port. + +It is noteworthy that while the sstableloader tool is essentially a client to the Cassandra nodes, overloaded usage of +the server side encryption options mentioned above is a resonable compromise to avoid the need for additional +specific configuration options just for this tool. 
This also means that there is no significance of the +`require_client_auth` configuration option used in the client_encryption_options section of the cassandra.yaml file

Review Comment:
```suggestion
`require_client_auth` configuration option used in the `client_encryption_options` section of the cassandra.yaml file
```

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
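
Review bot: In the added paragraph "Also, as the client to the Cassandra nodes, same key and/or trust stores must be configured for the sstableloader tool", the text does not say what the stores must be the same as, so a reader cannot tell which keystore or truststore to point the tool at for the native port versus the storage port; name the reference explicitly (for example, the stores the cluster nodes use for that port, if that is what is meant). In the same hunk, "In case, command line options are provided" reads better as "If command-line options are provided", "resonable" should be "reasonable", and `--conf-path`, `client_encryption_options` and `server_encryption_options` in the first added paragraph would be clearer in backticks, matching `require_client_auth`.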