[ https://issues.apache.org/jira/browse/CASSANDRA-17513?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17521459#comment-17521459 ]

Maulin Vasavada edited comment on CASSANDRA-17513 at 4/13/22 5:36 AM:
----------------------------------------------------------------------

[~Jyothsnakonisa] The existing Cassandra YAML configurations under 
client_encryption_options must suffice for your needs. For the inbound traffic 
(from client to the server nodes), when you want to authenticate the client with 
client certs, you would have to put the trusted CAs in the truststore 
configuration under client_encryption_options.

For the outbound traffic (from server node to client), you need to configure 
the keystore with the server key/cert under client_encryption_options. 

Cassandra code looks at the client_encryption_options and uses the configured 
truststore and keystore appropriately. 

You have to remember that for validating the client with a client cert, you need 
a 'truststore', and to be able to send the server cert to the client, you need a 'keystore'. 

Please let me know if this helps. 

 


was (Author: maulin.vasavada):
[~Jyothsnakonisa] The existing Cassandra YAML configurations under 
client_encryption_options must suffice for your needs. For the inbound traffic 
(from client to the server nodes), when you want to authenticate the client with 
client certs, you would have to put the trusted CAs in the truststore 
configuration under client_encryption_options.

For the outbound traffic (from server node to client), you need to configure 
the keystore with the server key/cert under client_encryption_options. 

Cassandra code looks at the client_encryption_options and uses the configured 
truststore and keystore appropriately. 

Please let me know if this helps.

 

> Add new property to pass keystore for outbound connections
> ----------------------------------------------------------
>
>                 Key: CASSANDRA-17513
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-17513
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Jyothsna Konisa
>            Assignee: Jyothsna Konisa
>            Priority: Normal
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> The same keystore is being set for both inbound and outbound connections, but we 
> should use a keystore with the server certificate for inbound connections and a 
> keystore with client certificates for outbound connections. So we should add 
> a new property in cassandra.yaml to pass the outbound keystore and use it in 
> SSLContextFactory for creating the outbound SSL context.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
