
Before explaining the issue which I'm facing, I will let you know the verified points from my local machine.

  • I have all the Cassandra related configuration and I have the required privileges (access) on my machine.
  • I'm able to connect through cqlsh to a Cassandra node which has SSL disabled (or TLS disabled).

    • E.g. I'm able to connect to the below C* node with the below command:
    • cqlsh -u xxxxx -p xxxxxx 123.abc.com
    • But at the same time I'm not able to connect to the below node with the SSL option:
    • cqlsh --ssl -u xxxxx -p xxxxxx 123.xyz.com
  • Below is my content of cqlshrc file:

    [Authentication]
    Usename = xxxx
    password = xxxx
    [connection]
    hostname = 123.xyz.com
    port = 9042
    factory = cqlshlib.ssl.ssl_transport_factory
    [ssl]
    certfile=~/certfiles/xyz.pem
    validate = false

  • I even tried setting the certfile path as an environment variable.

I'm getting the below exception:

Validation is enabled; SSL transport factory requires a valid certfile to be specified. Please provide path to the certfile in [ssl] section as 'certfile' option in /XXXX/XXXXX/.cassandra/cqlshrc (or use [certfiles] section) or set SSL_CERTFILE environment variable.

halfer
Tanveer

1 Answer

I'm going to guess that your path is probably valid, but that your certfile may not be. Here are some quick steps that will generate a valid certfile from the keystore of one of your nodes:

1 - Check your cassandra.yaml for the keystore location and password:

client_encryption_options:
  enabled: true
  keystore: /etc/cassandra/.keystore
  keystore_password: flynnLives

2 - Convert your keystore to a PKCS12 keystore:

$ keytool -importkeystore -srckeystore /etc/cassandra/.keystore \
    -destkeystore ~/.cassandra/p12.keystore -deststoretype PKCS12 \
    -srcstorepass flynnLives -deststorepass flynnLives

3 - Generate a certfile from the PKCS12 keystore:

$ openssl pkcs12 -in ~/.cassandra/p12.keystore -nokeys -out ~/.cassandra/xyz.pem \
    -passin pass:flynnLives

4 - Specify the connection and ssl sections in your cqlshrc, as well as the default transport factory and the name of your certificate. And unless you're using two-way SSL, set validate to false.

[connection]
factory = cqlshlib.ssl.ssl_transport_factory

[ssl]
certfile = ~/.cassandra/xyz.pem
validate = false

5 - Connect via cqlsh:

$ bin/cqlsh 192.168.0.100 -u flynn -p reindeerFlotilla --ssl
Connected to MasterControl at 192.168.0.100:9042.
[cqlsh 5.0.1 | Cassandra 2.2.5 | CQL spec 3.3.1 | Native protocol v4]
Use HELP for help.
flynn@cqlsh>
Aaron
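As an added example (not part of the question or the answer above), here is a small Python checker that resolves the certfile the way I read the lookup in cqlshlib/ssl.py: the [ssl] certfile option first, then the SSL_CERTFILE environment variable, then a [certfiles] entry keyed by host name, with validate defaulting to true when it is absent. It then reports whether the resolved file exists and actually holds a PEM CERTIFICATE block, which is the usual gap between "the path is set" and "the certfile is valid". The cqlshrc texts and the placeholder PEM file are constructed for the demo, and the lookup order is my reading of cqlsh's code rather than something the answer states. The no_ssl_section case reproduces the condition under which cqlsh prints the "Validation is enabled" message quoted in the question: validation left at its default and no certfile found anywhere.

```python
"""Added example: check which certfile cqlsh will use and whether it is usable.

Lookup order assumed from cqlshlib/ssl.py (an assumption, not taken from the
answer): [ssl] certfile -> SSL_CERTFILE env var -> [certfiles] <host>.
'validate' defaults to true when the option is absent.
"""
import configparser
import os
import re
import tempfile

# A PEM file handed to cqlsh must carry at least one CERTIFICATE block.
PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def resolve_ssl_settings(cqlshrc_text, host, env=None):
    """Return (validate, certfile_path) following the assumed cqlsh lookup order."""
    env = os.environ if env is None else env
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cqlshrc_text)
    certfile = cfg.get("ssl", "certfile", fallback=None)
    if certfile is None:
        certfile = env.get("SSL_CERTFILE")
    if certfile is None:
        certfile = cfg.get("certfiles", host, fallback=None)
    validate_raw = cfg.get("ssl", "validate", fallback=None)
    validate = True if validate_raw is None else validate_raw.strip().lower() != "false"
    if certfile is not None:
        certfile = os.path.expanduser(certfile)  # '~/...' is legal in cqlshrc
    return validate, certfile


def diagnose(cqlshrc_text, host, env=None):
    """Human-readable verdict on the certfile cqlsh would pick up."""
    validate, certfile = resolve_ssl_settings(cqlshrc_text, host, env)
    if certfile is None:
        if validate:
            return "no certfile configured and validate is on: cqlsh will refuse to start"
        return "no certfile, validate off: cqlsh connects without checking the server cert"
    if not os.path.isfile(certfile):
        return f"certfile {certfile} does not exist"
    with open(certfile, "rb") as fh:
        data = fh.read()
    if not PEM_CERT.search(data):
        return f"certfile {certfile} exists but contains no PEM CERTIFICATE block"
    return f"certfile {certfile} looks usable (validate={'on' if validate else 'off'})"


def demo():
    """Run the checker over three constructed cqlshrc variants; returns the verdicts."""
    tmp = tempfile.mkdtemp()
    pem_path = os.path.join(tmp, "xyz.pem")
    # Constructed placeholder PEM block; a real one comes from the keytool/openssl steps.
    with open(pem_path, "wb") as fh:
        fh.write(b"-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n")
    good = (
        "[connection]\nfactory = cqlshlib.ssl.ssl_transport_factory\n\n"
        f"[ssl]\ncertfile = {pem_path}\nvalidate = false\n"
    )
    missing_file = good.replace(pem_path, os.path.join(tmp, "nope.pem"))
    no_ssl_section = "[connection]\nfactory = cqlshlib.ssl.ssl_transport_factory\n"
    empty_env = {}  # ignore any real SSL_CERTFILE so the demo is deterministic
    return {
        "good": diagnose(good, "123.xyz.com", empty_env),
        "missing_file": diagnose(missing_file, "123.xyz.com", empty_env),
        "no_ssl_section": diagnose(no_ssl_section, "123.xyz.com", empty_env),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Point `diagnose()` at the real `~/.cassandra/cqlshrc` content and the host you pass to cqlsh to see which of the three outcomes applies before touching the keystore.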