Uploaded image for project: 'Cassandra'
  1. Cassandra
  2. CASSANDRA-15038

Provide an option to Disable Truststore CA check for internode_encryption

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Open
    • Normal
    • Resolution: Unresolved
    • None
    • Feature/Encryption
    • None
    • Normal

    Description

      Hello,

      The current internode encryption between cassandra nodes uses a keystore and truststore. However there are some use-case where users are okay to allow any one to trust as long as they have a keystore. This is requirement is only for encryption but not trusting the identity.

      It would be good to have an option to disable the Truststore CA check for the internode_encryption.

       

      In the current cassandra.yaml, there is no way to comment/disable the truststore and truststore password and allow anyone to connect with a certificate. 

       

      though the require_client_auth: is set to false, cassandra fails to startup if we disable truststore and truststore_password as it look for default truststore under `conf/.truststore`

       

      server_encryption_options:
 internode_encryption: all
 keystore: /etc/cassandra/keystore.jks
 keystore_password: mykeypass
 truststore: /etc/cassandra/truststore.jks
 truststore_password: truststorepass
 # More advanced defaults below:
 # protocol: TLS
 # algorithm: SunX509
 # store_type: JKS
 # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
 # require_client_auth: false
 # require_endpoint_verification: false
      Caused by: java.io.IOException: Error creating the initializing the SSL Context
 at org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:201) ~[apache-cassandra-3.11.3.jar:3.11.3]
 at org.apache.cassandra.security.SSLFactory.getServerSocket(SSLFactory.java:61) ~[apache-cassandra-3.11.3.jar:3.11.3]
 at org.apache.cassandra.net.MessagingService.getServerSockets(MessagingService.java:708) ~[apache-cassandra-3.11.3.jar:3.11.3]
 ... 8 common frames omitted
Caused by: java.io.FileNotFoundException: conf/.truststore (Permission denied)
 at java.io.FileInputStream.open0(Native Method) ~[na:1.8.0_151]
 at java.io.FileInputStream.open(FileInputStream.java:195) ~[na:1.8.0_151]
 at java.io.FileInputStream.<init>(FileInputStream.java:138) ~[na:1.8.0_151]
 at java.io.FileInputStream.<init>(FileInputStream.java:93) ~[na:1.8.0_151]
 at org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:168) ~[apache-cassandra-3.11.3.jar:3.11.3]
 ... 10 common frames omitted

       

       Cassandra Version: 3.11.3

       

      Attachments

        Activity

          People

            Unassigned Unassigned
            jaid Jai Bheemsen Rao Dhanwada
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated: