[jira] [Commented] (CASSANDRA-17513) Add new property to pass keystore for outbound connections
[ https://issues.apache.org/jira/browse/CASSANDRA-17513?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17523805#comment-17523805 ]

Maulin Vasavada commented on CASSANDRA-17513:
---------------------------------------------

[~Jyothsnakonisa] and [~djoshi] - would it be possible to put both private keys - server and client - in the same keystore? I've never tried it, so I'm not sure, but would Java be able to use the correct certificate based on whether it requires a server certificate or a client certificate?

> Add new property to pass keystore for outbound connections
> ----------------------------------------------------------
>
>                 Key: CASSANDRA-17513
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-17513
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Jyothsna Konisa
>            Assignee: Jyothsna Konisa
>            Priority: Normal
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> Same keystore is being set for both Inbound and outbound connections but we
> should use a keystore with server certificate for Inbound connections and a
> keystore with client certificates for outbound connections. So we should add
> a new property in Cassandra.yaml to pass outbound keystore and use it in
> SSLContextFactory for creating outbound SSL context.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
[ https://issues.apache.org/jira/browse/CASSANDRA-17513?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17522942#comment-17522942 ]

Maulin Vasavada commented on CASSANDRA-17513:
---------------------------------------------

Does it make sense to change the title of this ticket to reflect it clearly - "Adding support for TLS client authentication for internode communication"?
[ https://issues.apache.org/jira/browse/CASSANDRA-17513?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17522900#comment-17522900 ]

Maulin Vasavada commented on CASSANDRA-17513:
---------------------------------------------

Btw, [this|https://www.ssl2buy.com/wiki/what-is-the-difference-between-client-and-server-certificates#:~:text=Client%20certificates%20are%20utilized%20for,certificates%20are%20being%20thoroughly%20used.] was useful for me to clearly understand the difference between client and server certs.
[ https://issues.apache.org/jira/browse/CASSANDRA-17513?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17522894#comment-17522894 ]

Maulin Vasavada commented on CASSANDRA-17513:
---------------------------------------------

Thanks [~djoshi], that clarifies it for me. Also, I agree with your operational overhead comment.
[ https://issues.apache.org/jira/browse/CASSANDRA-17513?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17522642#comment-17522642 ]

Dinesh Joshi commented on CASSANDRA-17513:
------------------------------------------

For internode communication, currently it is not possible for the server to identify itself using a client certificate. By adding this option we will be able to present a client identity to other nodes. The nodes can use this client certificate to authenticate the node. This makes it possible to implement mutual TLS, which is currently not possible.

{quote}The way I think is - A node has an identity that it uses to be trusted - be it a client or server mode with the same peer.{quote}

You cannot use the same certificate as a client certificate and a server certificate. They are distinct. You cannot use a client certificate as a server certificate and vice versa.

As far as operational overhead is concerned, this is not a required configuration item. It is optional and won't cause "overhead" unless it is actually used by the operator.
[ https://issues.apache.org/jira/browse/CASSANDRA-17513?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17522461#comment-17522461 ]

Maulin Vasavada commented on CASSANDRA-17513:
---------------------------------------------

Hi [~Jyothsnakonisa], based on what you are saying, you seem to clearly understand the client/server encryption options. However, I fail to understand your challenge. Do you want to be able to configure different keystores for each server node?
[ https://issues.apache.org/jira/browse/CASSANDRA-17513?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17522401#comment-17522401 ]

Brandon Williams commented on CASSANDRA-17513:
----------------------------------------------

bq. Currently we are setting same keystore for inbound and outbound connections but we should use a keystore with server certificate to inbound connection and a keystore with client certificate to an outbound connection.

What is the motivation for this?
[ https://issues.apache.org/jira/browse/CASSANDRA-17513?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17522399#comment-17522399 ]

Jyothsna Konisa commented on CASSANDRA-17513:
---------------------------------------------

[~maulin.vasavada] Thank you very much for your insights. We are trying to implement mTLS internode authentication, and server_encryption_options is used for configuring the SSL/TLS settings for internode authentication. In an internode connection, the node that creates an inbound connection acts like a server and needs a server certificate, whereas the node that creates the outbound connection is like a client and needs a client certificate. Currently we are setting the same keystore for inbound and outbound connections, but we should use a keystore with a server certificate for inbound connections and a keystore with a client certificate for outbound connections.

There are two configurations for setting up encryption options in the Cassandra.yaml file:

# client_encryption_options (between the Cassandra cluster and clients)
# server_encryption_options (for internode connections between Cassandra nodes)

*client_encryption_options* is used to set the encryption configuration for communication between the Cassandra cluster and clients. The server certificate (the identity of the server) is put inside *client_encryption_options.keystore*. For example, if I am a user of a Cassandra cluster and I want to perform a CQLSH query using the Java driver, during the SSL handshake the server certificate (*client_encryption_options.keystore*) is presented to the client as the server identity, and *client_encryption_options.truststore* should have roots that trust client certificates.

*server_encryption_options* is used to set the encryption configuration for communication between Cassandra nodes (internode authentication). Even in this case the server certificate of a node (the node's identity) is put inside *server_encryption_options.keystore* and is presented to the other node. Also, *server_encryption_options.truststore* includes the trusted roots of other nodes' certificates.

So, we cannot use client_encryption_options for configuring TLS/SSL options for internode authentication. Let me know if this addressed your concern.
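An added illustration, not code from the ticket or from Cassandra's SSLContextFactory, of the split described above (one keystore per connection role) and of the client/server certificate distinction raised earlier in the thread: plain JSSE builds one context for the inbound (server) role and one for the outbound (client) role, each from its own keystore, and checks each keystore's certificate Extended Key Usage (serverAuth for inbound, clientAuth for outbound) before the context is created. The file paths, the password, and the `outbound_keystore.jks` name are assumptions.

```java
import java.io.File;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class InternodeTlsContexts {
    // Extended Key Usage OIDs from RFC 5280, section 4.2.1.12
    static final String SERVER_AUTH = "1.3.6.1.5.5.7.3.1";
    static final String CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";

    /** Fail fast at startup if any private-key entry carries an EKU list that omits the purpose this role needs. */
    static void requirePurpose(KeyStore ks, String eku) throws GeneralSecurityException {
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements(); ) {
            String alias = aliases.nextElement();
            if (!ks.isKeyEntry(alias) || !(ks.getCertificate(alias) instanceof X509Certificate)) continue;
            List<String> usages = ((X509Certificate) ks.getCertificate(alias)).getExtendedKeyUsage();
            // A certificate with no EKU extension is unrestricted; only an explicit list can exclude a purpose.
            if (usages != null && !usages.contains(eku)) {
                throw new GeneralSecurityException("keystore entry '" + alias + "' lacks EKU " + eku);
            }
        }
    }

    /** One JSSE context per connection role: the keystore supplies this node's identity, the truststore the peers' roots. */
    static SSLContext build(KeyStore keys, char[] keyPassword, KeyStore trust) throws GeneralSecurityException {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray(); // placeholder password, not a deployment value
        KeyStore trust = KeyStore.getInstance(new File("conf/truststore.jks"), pw); // server_encryption_options.truststore
        KeyStore inbound = KeyStore.getInstance(new File("conf/keystore.jks"), pw); // server_encryption_options.keystore
        KeyStore outbound = KeyStore.getInstance(new File("conf/outbound_keystore.jks"), pw); // proposed outbound keystore, assumed path
        requirePurpose(inbound, SERVER_AUTH);   // inbound role presents a server certificate
        requirePurpose(outbound, CLIENT_AUTH);  // outbound role presents a client certificate
        SSLContext acceptCtx = build(inbound, pw, trust);   // used when accepting internode connections
        SSLContext connectCtx = build(outbound, pw, trust); // used when opening internode connections
    }
}
```

Because the trust roots are shared while the identity keystores differ, a node still verifies peers the same way in both roles; only the certificate it presents changes with the direction of the connection.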
[ https://issues.apache.org/jira/browse/CASSANDRA-17513?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17521459#comment-17521459 ]

Maulin Vasavada commented on CASSANDRA-17513:
---------------------------------------------

[~Jyothsnakonisa] The existing cassandra.yaml configurations under client_encryption_options must suffice for your needs. For the inbound traffic (from client to the server nodes), when you want to authenticate the client with client certs, you would have to put the trusted CAs in the truststore configuration under client_encryption_options. For the outbound traffic (from server node to client), you need to configure the keystore with the server key/cert under client_encryption_options. Cassandra code looks at the client_encryption_options and uses the configured truststore and keystore appropriately. Please let me know if this helps.
[ https://issues.apache.org/jira/browse/CASSANDRA-17513?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17521330#comment-17521330 ]

Stefan Miklosovic commented on CASSANDRA-17513:
-----------------------------------------------

[~maulin.vasavada] your insight is welcome.