This is an automated email from the ASF dual-hosted git repository.

blerer pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/cassandra-website.git


The following commit(s) were added to refs/heads/trunk by this push:
     new a0fb0de  CASSANDRA-17373: February 2022 blog "Tightening Security for 
Apache Cassandra Part: 3"
a0fb0de is described below

commit a0fb0de12c70b2a4b2b27ca1196ae9598aa45db0
Author: Diogenese Topper <diotop...@gmail.com>
AuthorDate: Thu Feb 10 19:00:05 2022 -0800

    CASSANDRA-17373: February 2022 blog "Tightening Security for Apache 
Cassandra Part: 3"
    
    patch by Maulin Vasavada, Diogenese Topper; review by Erick Ramirez
    
    Add blog post titled "Tightening Security for Apache Cassandra Part: 3"
    update blog index
    add 2 images for blog: "Cassandra-SslContextFactory.png" and 
"tightening-security-for-apache-cassandra-p3-unsplash-jennefer-zacarias.jpg"
---
 .../images/blog/Cassandra-SslContextFactory.png    | Bin 0 -> 33750 bytes
 ...che-cassandra-p3-unsplash-jennefer-zacarias.jpg | Bin 0 -> 1658871 bytes
 site-content/source/modules/ROOT/pages/blog.adoc   |  24 +++++
 ...ening-Security-for-Apache-Cassandra-Part-3.adoc |  97 +++++++++++++++++++++
 4 files changed, 121 insertions(+)

diff --git 
a/site-content/source/modules/ROOT/images/blog/Cassandra-SslContextFactory.png 
b/site-content/source/modules/ROOT/images/blog/Cassandra-SslContextFactory.png
new file mode 100644
index 0000000..872f0a4
Binary files /dev/null and 
b/site-content/source/modules/ROOT/images/blog/Cassandra-SslContextFactory.png 
differ
diff --git 
a/site-content/source/modules/ROOT/images/blog/tightening-security-for-apache-cassandra-p3-unsplash-jennefer-zacarias.jpg
 
b/site-content/source/modules/ROOT/images/blog/tightening-security-for-apache-cassandra-p3-unsplash-jennefer-zacarias.jpg
new file mode 100644
index 0000000..b708d58
Binary files /dev/null and 
b/site-content/source/modules/ROOT/images/blog/tightening-security-for-apache-cassandra-p3-unsplash-jennefer-zacarias.jpg
 differ
diff --git a/site-content/source/modules/ROOT/pages/blog.adoc 
b/site-content/source/modules/ROOT/pages/blog.adoc
index d039eff..2523451 100644
--- a/site-content/source/modules/ROOT/pages/blog.adoc
+++ b/site-content/source/modules/ROOT/pages/blog.adoc
@@ -14,6 +14,30 @@ NOTES FOR CONTENT CREATORS
 [openblock,card-header]
 ------
 [discrete]
+=== Tightening Security for Apache Cassandra: Part 3
+[discrete]
+==== February 14, 2022
+------
+[openblock,card-content]
+------
+In Part 3 of Maulin Vasavada’s mini-series on improving security, we detail 
how Cassandra 4.0 delivers ways to customize mTLS/TLS configuration while 
retaining the hot-reload functionality.
+
+[openblock,card-btn card-btn--blog]
+--------
+[.btn.btn--alt]
+xref:blog/Tightening-Security-for-Apache-Cassandra-Part-3.adoc[Read More]
+--------
+
+------
+----
+//end card
+
+//start card
+[openblock,card shadow relative test]
+----
+[openblock,card-header]
+------
+[discrete]
 === Apache Cassandra Changelog #12
 [discrete]
 ==== February 10, 2022
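
Review bot: the opening of the card that now follows the new one, `[openblock,card shadow relative test]`, carries a `test` role that Antora will emit as a CSS class on the rendered card; if it is not a class the site stylesheet defines, drop it so the card reads `[openblock,card shadow relative]` like the header/content blocks around it. The rest of the hunk is consistent: the new card is placed above "Changelog #12" (February 10) with a February 14 date, the xref target matches the new page path added in this commit, and the summary matches the post's own introduction.
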
diff --git 
a/site-content/source/modules/ROOT/pages/blog/Tightening-Security-for-Apache-Cassandra-Part-3.adoc
 
b/site-content/source/modules/ROOT/pages/blog/Tightening-Security-for-Apache-Cassandra-Part-3.adoc
new file mode 100644
index 0000000..c8ac3fb
--- /dev/null
+++ 
b/site-content/source/modules/ROOT/pages/blog/Tightening-Security-for-Apache-Cassandra-Part-3.adoc
@@ -0,0 +1,97 @@
+= Tightening security for Apache Cassandra: Part 3
+:page-layout: single-post
+:page-role: blog-post
+:page-post-date: February, 14 2022
+:page-post-author: Maulin Vasavada
+:description: The Apache Cassandra Community
+:keywords:
+
+:!figure-caption:
+
+.Image credit: https://unsplash.com/@zenchic[Jennefer Zacarias^]
+image::blog/tightening-security-for-apache-cassandra-p3-unsplash-jennefer-zacarias.jpg[3-4]
+
+In xref:blog/Tightening-Security-for-Apache-Cassandra-Part-2.adoc[Part-2] of 
this series, we explored avenues for securing data in transit and described how 
to configure TLS/mTLS with Apache Cassandra 4.0. In Part 3, we’ll look at how 
you can customize TLS/mTLS for Apache Cassandra 4.0+ to overcome the challenges 
with a TLS configuration.
+
+=== How We Made TLS Configuration Better With 4.0
+
+With Apache Cassandra 4.0, 
https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable[we
 enhanced^] the TLS/mTLS configuration to allow for specifying custom ways to 
build SSLContext and we provided a default implementation for backward 
compatibility. We introduced a new configuration, `ssl_context_factory`, where 
you can specify your custom class to build SSLContext objects required by 
Java/Netty SSL libraries. You can also add custom properties to [...]
+
+To demonstrate this customization, let’s use the example of Kubernetes, the 
popular cloud-native solution. Kubernetes allows configuring 
https://kubernetes.io/docs/concepts/configuration/secret/[Secrets^] to store 
sensitive data. We could potentially use K8s Secrets to store the keystore and 
truststore artifacts along with their respective passwords. We will assume 
Apache Cassandra is already running in a K8s environment.
+
+=== Integration with Kubernetes Secrets
+
+We have passwords for keystore and truststore as K8s environment variables 
loaded from the K8s Secrets. The keystore and truststore files are loaded by 
the K8s Secrets. The YAML file, below, for the pod reflects these settings. 
This example also keeps the hot-reloading capability of security credentials by 
allowing the secret named `keystore/truststore-last-updatedtime`. You can 
update the timestamp value for those secrets via a `kubectl` command and the 
implementation will hot-reload th [...]
+
+==== Example K8s Pod Configuration
+
+```
+apiVersion: v1
+ kind: Pod
+ metadata:
+   name: my-cassandra-pod
+   labels:
+     app: my-cassandra-app
+ spec:
+   containers:
+   - name: my-cassandra-app
+     image: my-cassandrda-app:latest
+     imagePullPolicy: Always
+     env:
+       - name: KEYSTORE_PASSWORD
+         valueFrom:
+           secretKeyRef:
+             name: my-ssl-store
+             key: keystore-password
+       - name: TRUSTSTORE_PASSWORD
+         valueFrom:
+           secretKeyRef:
+             name: my-ssl-store
+             key: truststore-password
+     volumeMounts:
+     - name: my-ssl-store
+       mountPath: "/etc/my-ssl-store"
+       readOnly: true
+   volumes:
+   - name: my-ssl-store
+     secret:
+       secretName: my-ssl-store
+       items:
+         - key: cassandra_ssl_keystore
+           path: keystore
+         - key: keystore-last-updatedtime
+           path: keystore-last-updatedtime
+         - key: cassandra_ssl_truststore
+           path: truststore
+         - key: truststore-last-updatedtime
+           path: truststore-last-updatedtime
+```
+
+We will use the 
https://github.com/apache/cassandra/blob/trunk/examples/ssl-factory/src/org/apache/cassandra/security/KubernetesSecretsSslContextFactory.java[‘KubernetesSecretsSslContextFactory’^]
 class from Apache Cassandra 4.0 as an example for how to customize the TLS 
configuration via Kubernetes Secrets as loaded by the pod definition (above). 
+
+==== Example Custom TLS Configuration for K8s Secrets
+
+Here we have used the configuration for `server_encryption_options`, but, 
similarly, you can use it for the `client_encryption_options`:
+
+```
+     server_encryption_options:
+       internode_encryption: none
+       ssl_context_factory:
+         class_name: 
`org.apache.cassandra.security.KubernetesSecretsSslContextFactory
+         parameters:
+           KEYSTORE_PASSWORD_ENV_VAR: KEYSTORE_PASSWORD
+           KEYSTORE_UPDATED_TIMESTAMP_PATH: 
/etc/my-ssl-store/keystore-last-updatedtime
+           TRUSTSTORE_PASSWORD_ENV_VAR: TRUSTSTORE_PASSWORD
+           TRUSTSTORE_UPDATED_TIMESTAMP_PATH: 
/etc/my-ssl-store/truststore-last-updatedtime
+       keystore: /etc/my-ssl-store/keystore
+       truststore: /etc/my-ssl-store/truststore
+```
+
+And Voila! Congratulations, your Apache Cassandra server is now integrated 
with the Kubernetes Secrets for the TLS configuration. The example above is 
built on the extensible class hierarchy shown, below. You can build extensions 
at three different levels and use composition to offer hybrid solutions you 
might need.
+
+image::blog/Cassandra-SslContextFactory.png[A diagram of Apache Cassandra’s 
extensible class hierarchy]
+
+=== Future work
+On top of having the ability to customize TLS configuration, the community is 
https://issues.apache.org/jira/browse/CASSANDRA-17031[working on^] supporting 
other popular formats for security credentials, such as 
https://www.ssl.com/guide/pem-der-crt-and-cer-x-509-encodings-and-conversions/[PEM^]
 (originally “**P**rivacy **E**nhanced **M**ail”).
+
+As the Apache Cassandra community, our goal is to provide best-in-class 
software and keep enhancing it as the use-cases and requirements grow and 
evolve over time. I hope this particular enhancement makes Cassandra operators’ 
life easier while supporting industry standards for data security.
\ No newline at end of file
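
Review bot: the `server_encryption_options` example sets `internode_encryption: none`, so the configured `KubernetesSecretsSslContextFactory` would never be used for internode traffic even though the post presents it as a working TLS setup; set it to `all` (or `dc`/`rack`) for the example, and say that the `client_encryption_options` equivalent is `enabled: true`. In the same block, `class_name: \`org.apache.cassandra.security.KubernetesSecretsSslContextFactory` has a stray leading backtick that makes the value invalid YAML when pasted. The pod manifest has the same copy-paste problem: every line after `apiVersion: v1` is indented by one extra space, so `kind`, `metadata` and `spec` do not parse as top-level keys; the image name `my-cassandrda-app:latest` is misspelled; and `imagePullPolicy: Always` on a `:latest` tag pulls whatever the registry currently serves, which is worth a sentence recommending a pinned tag or digest for a pod that holds the cluster's key material. Two caveats a reader will need on the hot-reload paragraph: the keystore/truststore entries in the Secret must be updated together with the `*-last-updatedtime` entries, and Secret volume updates reach the container only on the kubelet's periodic sync, so the reload is not immediate after `kubectl`. Minor: `:page-post-date: February, 14 2022` should read `February 14, 2022` to match the index card, `:description: The Apache Cassandra Community` does not describe the post, "The keystore and truststore files are loaded by the K8s Secrets" repeats the previous sentence, and the file is missing its final newline.
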

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
