Cqlsh with SSL: Securing Cassandra Cqlsh

At Data-Aces, we provide managed services running Cassandra for our customers. With more and more attention being given to data security these days, end-to-end encryption of ALL communication is becoming a mandatory requirement. This includes traffic between the Cassandra nodes and traffic from clients to the Cassandra cluster, which means cqlsh with SSL is also a requirement.

The default config file (cassandra.yaml) is configured for normal, unencrypted communication between clients and Cassandra on port 9042. It is fairly easy to set up client-to-cluster encryption by creating certificates and adding them to a Java keystore/truststore. This process is documented here: https://docs.datastax.com/en/cassandra/3.0/cassandra/configuration/secureSSLClientToNode.html

As described in the link above, this involves changing ‘enabled’ to ‘true’ in the following section of the cassandra.yaml file:

client_encryption_options:
    enabled: true
    # If enabled and optional is set to true encrypted and unencrypted connections are handled.
    optional: false

This will ensure that ALL client connections are encrypted, even though port 9042 is still used. Note that after the above changes, you will no longer be able to connect to the database using the CQL command line tool cqlsh!

The Cassandra documentation provides basic information on how to set up cqlsh with SSL: https://docs.datastax.com/en/cassandra/3.0/cassandra/configuration/secureCqlshSSL.html However, following these steps, I couldn’t get cqlsh with SSL to work in our cluster. This is because it refers to certfile without giving us an important caveat: cqlsh is a Python application and does not use the Java keystore/truststore set up for Cassandra itself and for Java clients. Instead, I had to convert the certificate in ‘keystore.jks’ to PKCS12 format. Luckily, keytool has a built-in facility to convert to PKCS12 format.


keytool -importkeystore -srckeystore keystore -destkeystore pkcs12ks -deststoretype PKCS12 -srcstorepass keystorepassword -deststorepass keystorepassword

This will create a keystore file named ‘pkcs12ks’ in the current directory. The next step is to create a PEM file from this keystore as follows:


openssl pkcs12 -in pkcs12ks -nokeys -out cqlsh.pem -passin pass:keystorepassword 

Setting up the .cqlshrc file

Now that we have our PEM file, we can point to it in the cqlshrc file:


[connection]
factory = cqlshlib.ssl.ssl_transport_factory

[ssl]
certfile = /home/user/cqlsh.pem
validate = false

Note that setting ‘validate = true’ means that cqlsh verifies the certificate presented by the server against certfile at connection time. With ‘validate = false’ the connection is still encrypted, but whatever certificate the server presents is accepted without being checked, so only use it while getting the setup working.

We are now all set to run cqlsh with SSL using the --ssl option, as below:


$ cqlsh <host_ip> --ssl
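As an added example (not part of the original post, and not Cassandra's or DataStax's own tooling), the following POSIX shell script runs the whole procedure above end to end: it converts the JKS keystore to PKCS12 with keytool, extracts only the certificates with openssl, checks that the resulting PEM actually contains a certificate, writes the cqlshrc and then launches cqlsh --ssl. The keystore path, the environment variable names, the output file names and the default host are assumptions; the store password reuses the placeholder from the commands above. Unlike the cqlshrc shown above, the script writes validate = true so that cqlsh checks the node certificate against the PEM.

```shell
#!/bin/sh
# Added example: end-to-end cqlsh SSL setup (JKS -> PKCS12 -> PEM -> cqlshrc).
# Every path, variable name and the default host below is an assumption.
set -eu

KEYSTORE="${KEYSTORE:-/etc/cassandra/conf/keystore.jks}"   # assumed keystore path
STOREPASS="${STOREPASS:-keystorepassword}"                 # placeholder password from the post
PKCS12="${PKCS12:-pkcs12ks}"                               # intermediate PKCS12 store
PEM="${PEM:-${HOME:-/tmp}/cqlsh.pem}"                      # trust file for cqlsh
CQLSHRC="${CQLSHRC:-${HOME:-/tmp}/.cassandra/cqlshrc}"     # default cqlshrc location

# Step 1: keytool converts the JKS keystore to PKCS12 (same command as in the post).
jks_to_pkcs12() {
  keytool -importkeystore -srckeystore "$1" -destkeystore "$2" \
    -deststoretype PKCS12 -srcstorepass "$3" -deststorepass "$3"
}

# Step 2: openssl writes only the certificate chain (-nokeys). cqlsh needs the
# certificate to trust the node; the private key must not leave the server.
pkcs12_to_pem() {
  openssl pkcs12 -in "$1" -nokeys -out "$2" -passin "pass:$3"
}

# Sanity check: number of certificates in the PEM. 0 means the conversion
# produced an empty or key-only file and cqlsh would fail to validate anything.
pem_cert_count() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Step 3: render the cqlshrc. validate=true makes cqlsh check the server
# certificate against certfile; validate=false accepts any certificate.
render_cqlshrc() {
  printf '[connection]\nfactory = cqlshlib.ssl.ssl_transport_factory\n\n[ssl]\ncertfile = %s\nvalidate = %s\n' "$1" "$2"
}

main() {
  jks_to_pkcs12 "$KEYSTORE" "$PKCS12" "$STOREPASS"
  pkcs12_to_pem "$PKCS12" "$PEM" "$STOREPASS"
  chmod 600 "$PEM"
  [ "$(pem_cert_count "$PEM")" -gt 0 ] || { echo "no certificate found in $PEM" >&2; exit 1; }
  mkdir -p "$(dirname "$CQLSHRC")"
  render_cqlshrc "$PEM" true > "$CQLSHRC"
  chmod 600 "$CQLSHRC"
  cqlsh "${CASSANDRA_HOST:-127.0.0.1}" --ssl
}

# Only run the conversion when explicitly asked, so the file can also be
# sourced for its helper functions.
if [ "${RUN_CQLSH_SSL_SETUP:-0}" = 1 ]; then
  main
fi
```

Run it as RUN_CQLSH_SSL_SETUP=1 KEYSTORE=/path/to/keystore.jks STOREPASS='...' sh cqlsh_ssl_setup.sh (the file name is assumed). cqlsh treats certfile as its set of trusted certificates, so with validate = true the PEM must contain the CA that signed the node certificates, or the self-signed node certificate itself; if the connection fails with a certificate error, that is the first thing to check. To confirm that the cluster really rejects plaintext after the cassandra.yaml change, openssl s_client -connect <host_ip>:9042 -CAfile ~/cqlsh.pem should complete a handshake and report the node certificate.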

For more information, please contact us.
